f90de71aea8c8fda873c2927dc600759ac522117a45555ef90692fc7d75c5a7f

General

Target

86e8244acaa39443c0ec3fb493e1b6d0_NeikiAnalytics.exe
Size

12KB
MD5

86e8244acaa39443c0ec3fb493e1b6d0
SHA1

68f614c411b79626e333c4cf12a66ef7c4002031
SHA256

f90de71aea8c8fda873c2927dc600759ac522117a45555ef90692fc7d75c5a7f
SHA512

0977613ab7427a616eb5680c8505c5e4ac12b9c0cfd720ffb08ed26ffa5204873da3e3f9ae90be08316b369c84e69e489dfdfc6708f681644358f54eedbd77d5
SSDEEP

384:AL7li/2z4q2DcEQvdQcJKLTp/NK9xaBA:ecMCQ9cBA

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2640	tmp2176.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2640	tmp2176.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
360	86e8244acaa39443c0ec3fb493e1b6d0_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	360	86e8244acaa39443c0ec3fb493e1b6d0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 360 wrote to memory of 1700	360	86e8244acaa39443c0ec3fb493e1b6d0_NeikiAnalytics.exe	28
PID 360 wrote to memory of 1700	360	86e8244acaa39443c0ec3fb493e1b6d0_NeikiAnalytics.exe	28
PID 360 wrote to memory of 1700	360	86e8244acaa39443c0ec3fb493e1b6d0_NeikiAnalytics.exe	28
PID 360 wrote to memory of 1700	360	86e8244acaa39443c0ec3fb493e1b6d0_NeikiAnalytics.exe	28
PID 1700 wrote to memory of 3060	1700	vbc.exe	30
PID 1700 wrote to memory of 3060	1700	vbc.exe	30
PID 1700 wrote to memory of 3060	1700	vbc.exe	30
PID 1700 wrote to memory of 3060	1700	vbc.exe	30
PID 360 wrote to memory of 2640	360	86e8244acaa39443c0ec3fb493e1b6d0_NeikiAnalytics.exe	31
PID 360 wrote to memory of 2640	360	86e8244acaa39443c0ec3fb493e1b6d0_NeikiAnalytics.exe	31
PID 360 wrote to memory of 2640	360	86e8244acaa39443c0ec3fb493e1b6d0_NeikiAnalytics.exe	31
PID 360 wrote to memory of 2640	360	86e8244acaa39443c0ec3fb493e1b6d0_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\86e8244acaa39443c0ec3fb493e1b6d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\86e8244acaa39443c0ec3fb493e1b6d0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u5v32cix\u5v32cix.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES232A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5EAD0A08342B4A67B8B41D51A84F1FF4.TMP"
    3⤵
    PID:3060
- C:\Users\Admin\AppData\Local\Temp\tmp2176.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp2176.tmp.exe" C:\Users\Admin\AppData\Local\Temp\86e8244acaa39443c0ec3fb493e1b6d0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
5a479f1c7e8ab9c694320a47d287a5c3

SHA1
4cfb0a0d61acac5ed4f4205e3a6881c9a05a1543

SHA256
9092cd07f379cb3876f46abcca77572294328942df0e3621474af543a005523d

SHA512
3bdd0c2deba15d273bc86c4d3b60fd488d216034302ac747e34b7c7de9174417742902ba913e136bee99b5595cd5a68b17d7b7f6f79ce8b41740300b911edec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES232A.tmp

Filesize
1KB

MD5
14c310416c1a8dd37969be992045cdb9

SHA1
70f4181c7261c0d77e38a38e0419dd8cda8de5d5

SHA256
f3ff43defb31472d382fd4026f3a236ee485ae6114d8d33e83990fa648073657

SHA512
b4dbfcacf22e932af461673843820f76568c74635b7369046df49921105747fb2d53002dca0d97a86234eb3a0cc1001dbe4f324e3c23ca095c2098e9eed6b901

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2176.tmp.exe

Filesize
12KB

MD5
939f21ecb2dbb2ecb5cd8d612840b13c

SHA1
521a4513657b17864e30e6331d4fc10536c53037

SHA256
497504bf098fef791d762116c7309d06aa1cf52e474a585b12731b599f7f16be

SHA512
5d221a0800dcff32cbb6e562df3ac31e9abf0a6e56560964e63bc3f3460bea42f7a84f37d1a511ee6fe4775a4e191c498858ba96390c317fe7c4a87d26b6e3ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\u5v32cix\u5v32cix.0.vb

Filesize
2KB

MD5
0efbb8a33fb6872c0eecfae5cc5ebbcd

SHA1
7aff65935f9e83e931dc02ff29b992f2b9189f85

SHA256
e3d8e0bb8883076876555d521c9abe4cf0936277dc3c9d1d49eaaa72490f5dea

SHA512
d7e1f9296b5eb9b1b017aa1e91b877763c2b2fd59c44dc9dc97d07615fec04f42be1796da5a352f945ea2d7f750c3f31656e5c3d4e625dd952789cdc33e38ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\u5v32cix\u5v32cix.cmdline

Filesize
273B

MD5
0f09484839d1e3e4117fbfee3959edcc

SHA1
7a782292f37f7745dc0ede21a6da9de5c6971e5d

SHA256
1f2d8717dd916907bb4a3f799671b9d51d096e5d8b0ce064d7a78ad48b4f156d

SHA512
4566a44fa3e7cc4a118b69531d6808835a9f1231a8fcaf3c129a8236d4ad2030df46fd2405c573016724f58970ecd1f2dfaa7b04da6636ed7a837db14fcace5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5EAD0A08342B4A67B8B41D51A84F1FF4.TMP

Filesize
1KB

MD5
1921a15820bddf0b4ffc7e6c425cf69e

SHA1
a8b284646d2e16a81f885c0b55cde662aa0d2397

SHA256
824ae2ebf6051d2235f365c1eec5c0637653a8efc82d4e0d35ccf33638df8372

SHA512
37f76e0a67e630f2761c2259d16760fe0222c02327c08d07004867552d47941e463d4c2414402d2e321fe8e678a5d7834c64e912088ce341c64f4f3bca810ec4

Download Submit
memory/360-0-0x000000007464E000-0x000000007464F000-memory.dmp

Filesize
4KB

Download
memory/360-1-0x0000000000820000-0x000000000082A000-memory.dmp

Filesize
40KB

Download
memory/360-7-0x0000000074640000-0x0000000074D2E000-memory.dmp

Filesize
6.9MB

Download
memory/360-24-0x0000000074640000-0x0000000074D2E000-memory.dmp

Filesize
6.9MB

Download
memory/2640-23-0x0000000000F10000-0x0000000000F1A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing