27696229bb185afbebc52ed0ae50cb6818172124349cd13631c23176f3db62b2

General

Target

8f00afee02a7c89b8801cb7749aa0420_NeikiAnalytics.exe
Size

12KB
MD5

8f00afee02a7c89b8801cb7749aa0420
SHA1

e3f1470c91dfa81988e6da22c8c9907d5d5b85c9
SHA256

27696229bb185afbebc52ed0ae50cb6818172124349cd13631c23176f3db62b2
SHA512

45da161dea217377b75a7eb28777a78cdb41cfdf53e01c27cc5b0c284bc47301990bb4290fbae38ac1dc60090d429cda94e3f048644e3ddb47780134417f5746
SSDEEP

384:pL7li/2zhq2DcEQvdhcJKLTp/NK9xaD3q:ZZM/Q9cLq

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2000	tmp2695.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2000	tmp2695.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
3024	8f00afee02a7c89b8801cb7749aa0420_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3024	8f00afee02a7c89b8801cb7749aa0420_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 3064	3024	8f00afee02a7c89b8801cb7749aa0420_NeikiAnalytics.exe	28
PID 3024 wrote to memory of 3064	3024	8f00afee02a7c89b8801cb7749aa0420_NeikiAnalytics.exe	28
PID 3024 wrote to memory of 3064	3024	8f00afee02a7c89b8801cb7749aa0420_NeikiAnalytics.exe	28
PID 3024 wrote to memory of 3064	3024	8f00afee02a7c89b8801cb7749aa0420_NeikiAnalytics.exe	28
PID 3064 wrote to memory of 2776	3064	vbc.exe	30
PID 3064 wrote to memory of 2776	3064	vbc.exe	30
PID 3064 wrote to memory of 2776	3064	vbc.exe	30
PID 3064 wrote to memory of 2776	3064	vbc.exe	30
PID 3024 wrote to memory of 2000	3024	8f00afee02a7c89b8801cb7749aa0420_NeikiAnalytics.exe	31
PID 3024 wrote to memory of 2000	3024	8f00afee02a7c89b8801cb7749aa0420_NeikiAnalytics.exe	31
PID 3024 wrote to memory of 2000	3024	8f00afee02a7c89b8801cb7749aa0420_NeikiAnalytics.exe	31
PID 3024 wrote to memory of 2000	3024	8f00afee02a7c89b8801cb7749aa0420_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\8f00afee02a7c89b8801cb7749aa0420_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8f00afee02a7c89b8801cb7749aa0420_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\trzagvlf\trzagvlf.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2829.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC1B92504194148C7B6E8D812CB943AE.TMP"
    3⤵
    PID:2776
- C:\Users\Admin\AppData\Local\Temp\tmp2695.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp2695.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8f00afee02a7c89b8801cb7749aa0420_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
b99342218f4eca7ebd2698f98afe9440

SHA1
1bc52502d53ce1339fe3088a6b33f47dfc31a212

SHA256
30b540912b5025d9c342f4bab6a7479e82e0894bd29066b45b3b834a6bf6d2a1

SHA512
cf21489fe2e3fc7b02800fa231a86c0ad51f7d625d5e96c0bb57adddb91736e74019873aae4ddd91dea4bdcfd169c84b6a5695eb333498e1f815ddc397f3cc43

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2829.tmp

Filesize
1KB

MD5
e3824063c5a7b1d3b9e47d6d4f79342d

SHA1
d26b7855db6305b3c2bbf63897b2375936fb3d4f

SHA256
a8faa983b385478ba652a046165a6136b2a3849b884957fe26c9ff7cf348c6fc

SHA512
ded838088634c7184c13207c974e8784f0376a3c69477a711a475b8e8bb69b1591faaf3967302eae80a22696b834214ddda1be3e9969b8aad8d89720afe6f2d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2695.tmp.exe

Filesize
12KB

MD5
b71c59b2e2098c8f4ae16902c6135f1d

SHA1
66d63c13257670c3ad875cffc92e3f982b6435c5

SHA256
e4784ca66e88ea492e43701395b1ff21fc2c027349a1003f791073a74411ddf9

SHA512
d72a97083e003a87868748469ec5374063e8fee4fe3a47d82e725e728791c147cdf9f50387949d71fddf99e3a9d1c3e4e721522e4f281010b4df5ab5203be644

Download Submit
C:\Users\Admin\AppData\Local\Temp\trzagvlf\trzagvlf.0.vb

Filesize
2KB

MD5
ab20e599c4bb502bfdd9285aa97cf785

SHA1
3178c1ac1c1f73c70a8d74c5296963938680a973

SHA256
aaf76bc6fe7a10f5b4cd923cb229f8d31c17d2910a8e5da239090b66b50304c9

SHA512
dde0459ba23b5e83702f77e1aa0adf5207ca4a0a19f384303eb2db0ebd11ffc2cfe556765050bb0b010c6f1959d445b951c88bd60f869ab5f272e4b58e52bbf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\trzagvlf\trzagvlf.cmdline

Filesize
273B

MD5
f1892f797580edc18d1ca0dd0e327ee7

SHA1
52ea9354df361531127eb85ce00b854237e37aa7

SHA256
308e3ea53bc2718e88f11b76c68c65c3dd4fa5c4c50f49c72ecd03e73cd2e1cb

SHA512
5fca20c19e25978fe260c75ac1f69ccb31af8f3ee2983dccca0cefe3914c041f3c86e79721b5bf1017a25959c34e8c892b0f670c0cac80b78ac9bf86a995fe22

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC1B92504194148C7B6E8D812CB943AE.TMP

Filesize
1KB

MD5
6b501ec65ec0f3787c98c4e28d5dd96d

SHA1
46c342f4ab436e5da7fd975c4403ee2b58fa50d5

SHA256
aec33e6319141e60ad94bc5a7ed019d8a72bc710331cd8bc0d61e9b63269c675

SHA512
3eb400289bdd8ef53bc49ff1f6e1dbeab58a07b902a5dbf9aaaae44849963ae54f2430e7783bc57b248ae1cda3000e4f663d26d28921a972a2c2030fd3ea0aae

Download Submit
memory/2000-23-0x0000000001120000-0x000000000112A000-memory.dmp

Filesize
40KB

Download
memory/3024-0-0x00000000740FE000-0x00000000740FF000-memory.dmp

Filesize
4KB

Download
memory/3024-1-0x0000000000CF0000-0x0000000000CFA000-memory.dmp

Filesize
40KB

Download
memory/3024-7-0x00000000740F0000-0x00000000747DE000-memory.dmp

Filesize
6.9MB

Download
memory/3024-24-0x00000000740F0000-0x00000000747DE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing