fc7e137e45f630faca84818104f47c67c08f679d38e6babc884c1fd1f8415a29

General

Target

635996e383d97876b7060247b0e94db0_NeikiAnalytics.exe
Size

12KB
MD5

635996e383d97876b7060247b0e94db0
SHA1

fb0f63f203db6f014738db82986ae47e0edd97d7
SHA256

fc7e137e45f630faca84818104f47c67c08f679d38e6babc884c1fd1f8415a29
SHA512

1424e757c4bc222753c9fbff58ec81e1a188d0128cc38f2cdc3ac77cbb0acd3949a2c2cdf88e2dc7b6809d25f9061100c975787b2ffbbdfc05df65302288d856
SSDEEP

384:RL7li/2zPq2DcEQvdQcJKLTp/NK9xa1i:RjMCQ9c1i

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2712	tmp2981.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2712	tmp2981.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2752	635996e383d97876b7060247b0e94db0_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2752	635996e383d97876b7060247b0e94db0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 2880	2752	635996e383d97876b7060247b0e94db0_NeikiAnalytics.exe	28
PID 2752 wrote to memory of 2880	2752	635996e383d97876b7060247b0e94db0_NeikiAnalytics.exe	28
PID 2752 wrote to memory of 2880	2752	635996e383d97876b7060247b0e94db0_NeikiAnalytics.exe	28
PID 2752 wrote to memory of 2880	2752	635996e383d97876b7060247b0e94db0_NeikiAnalytics.exe	28
PID 2880 wrote to memory of 2552	2880	vbc.exe	30
PID 2880 wrote to memory of 2552	2880	vbc.exe	30
PID 2880 wrote to memory of 2552	2880	vbc.exe	30
PID 2880 wrote to memory of 2552	2880	vbc.exe	30
PID 2752 wrote to memory of 2712	2752	635996e383d97876b7060247b0e94db0_NeikiAnalytics.exe	31
PID 2752 wrote to memory of 2712	2752	635996e383d97876b7060247b0e94db0_NeikiAnalytics.exe	31
PID 2752 wrote to memory of 2712	2752	635996e383d97876b7060247b0e94db0_NeikiAnalytics.exe	31
PID 2752 wrote to memory of 2712	2752	635996e383d97876b7060247b0e94db0_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\635996e383d97876b7060247b0e94db0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\635996e383d97876b7060247b0e94db0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1ydsyldh\1ydsyldh.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2BC2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF6D3C1E9D24D4968A94DBA95DA19F86B.TMP"
    3⤵
    PID:2552
- C:\Users\Admin\AppData\Local\Temp\tmp2981.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp2981.tmp.exe" C:\Users\Admin\AppData\Local\Temp\635996e383d97876b7060247b0e94db0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1ydsyldh\1ydsyldh.0.vb

Filesize
2KB

MD5
0bd436e762011ec463c4751f1a3412e0

SHA1
572f02663ba8b3b09ba91fccc793b3576c8841b6

SHA256
b09b3b98a667f38b42c8d8a16df3518bcd8add34270fdf1cd022c65a67db67f1

SHA512
1c85176f5ad52637e4a0f1927c0a50cda306d3e0c173b150b6b037b4f4999a2932a758c77eb8782dd355dc2a5f7287da55f54425d3e43b37c362b701e9b753df

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ydsyldh\1ydsyldh.cmdline

Filesize
273B

MD5
bd09c6ef68c2478be14466747901b656

SHA1
eeaf88e0be221c14b31d621875f53ab0b33fdeb2

SHA256
186c7061d12dadc560243845e971bef44bcb0dcf2ceee451cb589c8c92c50bde

SHA512
6d2342d7856ecb5da9b65313587d438404a41f3486384fb4d266c1f6ff6c33ee837f4ac69e6504c2060e7cc7c2983acd5aa7fa6927b8008bd8e27899765c6550

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
0b6dc7e9722c5372b5401904b99b04a8

SHA1
da6fe540e9de4455216324d9f2de27b764ecf84e

SHA256
a00cf2c83b30798ab90e1d9e148fd11081c62e175b8233b9117412b0674a8aef

SHA512
15baef39de3564779acf3c6ebaeabb2bca5a40d52cbac0c6402730fc172f89487178bbd2556248c60f79f09f6eadcff71f555619e07681fd77815b7bbb17a04b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2BC2.tmp

Filesize
1KB

MD5
22a904e4c2e0721e1d73fe68ff37665f

SHA1
d54c324f7b9b438ece5da4269921eef0d34fee58

SHA256
6a879926a502c52963af7e6650bbdd2303f96123f876c46d03b7d147e229f7e7

SHA512
8e79d604cd7b92477581856f87d4db6f43a1eda816af8161feb2f1b0ddd03e84d4a0d8bed4031d3482e2f634ed07fc9a285156ba517ccb7d275452ce203859e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2981.tmp.exe

Filesize
12KB

MD5
583a2ae31b83d3375f742281b621da7c

SHA1
7ad8a00a1c71025c6677a0c615db13a802469d4f

SHA256
e8a2722a106112747acfe077183b46cd626b5151f8d8fb2917a3304db08de52e

SHA512
2624a387d8df51cddbacdb4956511931ab021e70ea81897faa53980db0a1c771614dda7f7db6bd403fc20e270148df6707e10b61b5105acadaf57809b22e2a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF6D3C1E9D24D4968A94DBA95DA19F86B.TMP

Filesize
1KB

MD5
8ec8b40d1e356e59c7488351f5792d1d

SHA1
4809146c281cdea8f2548070cff1dd599eb71846

SHA256
8a68cc8f8f3311cbf53d4be7c9fddec6d06835b681945b06a1ec2efc56c7ad86

SHA512
8efe33b4ad127baf24a9a2f438960ca7c1b16c79aa3856306171421db1d1334a2a843e9dcebad358a6a92ac14bcdcc8dd73c5862b98c1ec8906a9e27242e62b6

Download Submit
memory/2712-23-0x0000000000E70000-0x0000000000E7A000-memory.dmp

Filesize
40KB

Download
memory/2752-0-0x000000007406E000-0x000000007406F000-memory.dmp

Filesize
4KB

Download
memory/2752-1-0x00000000000F0000-0x00000000000FA000-memory.dmp

Filesize
40KB

Download
memory/2752-7-0x0000000074060000-0x000000007474E000-memory.dmp

Filesize
6.9MB

Download
memory/2752-24-0x0000000074060000-0x000000007474E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing