2027e74e4cac3737206305e6f9e305135e3deccccbbd857eb1fbcf92a94dc35c

General

Target

1389bccf738605baf932b69d7da47480_NeikiAnalytics.exe
Size

12KB
MD5

1389bccf738605baf932b69d7da47480
SHA1

18eb54e43446d1466c844d1163f407931e6be481
SHA256

2027e74e4cac3737206305e6f9e305135e3deccccbbd857eb1fbcf92a94dc35c
SHA512

b6a1f8f72f1b4d758cc53292275ee34f880d344889d7538b4b8acd5e1132c6de876246777718ed992da57e290a61ab8b6426c7b6df91bcde4904ab0fa3c9d998
SSDEEP

384:GL7li/2zeq2DcEBvdacJKLTp/NK9xare:guDIQ9cre

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2664	tmp1121.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2664	tmp1121.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
1044	1389bccf738605baf932b69d7da47480_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1044	1389bccf738605baf932b69d7da47480_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 2984	1044	1389bccf738605baf932b69d7da47480_NeikiAnalytics.exe	28
PID 1044 wrote to memory of 2984	1044	1389bccf738605baf932b69d7da47480_NeikiAnalytics.exe	28
PID 1044 wrote to memory of 2984	1044	1389bccf738605baf932b69d7da47480_NeikiAnalytics.exe	28
PID 1044 wrote to memory of 2984	1044	1389bccf738605baf932b69d7da47480_NeikiAnalytics.exe	28
PID 2984 wrote to memory of 2676	2984	vbc.exe	30
PID 2984 wrote to memory of 2676	2984	vbc.exe	30
PID 2984 wrote to memory of 2676	2984	vbc.exe	30
PID 2984 wrote to memory of 2676	2984	vbc.exe	30
PID 1044 wrote to memory of 2664	1044	1389bccf738605baf932b69d7da47480_NeikiAnalytics.exe	31
PID 1044 wrote to memory of 2664	1044	1389bccf738605baf932b69d7da47480_NeikiAnalytics.exe	31
PID 1044 wrote to memory of 2664	1044	1389bccf738605baf932b69d7da47480_NeikiAnalytics.exe	31
PID 1044 wrote to memory of 2664	1044	1389bccf738605baf932b69d7da47480_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\1389bccf738605baf932b69d7da47480_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1389bccf738605baf932b69d7da47480_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\i3cgo30c\i3cgo30c.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES121A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7CA187793242407B9E422ED0D848C7A7.TMP"
    3⤵
    PID:2676
- C:\Users\Admin\AppData\Local\Temp\tmp1121.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp1121.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1389bccf738605baf932b69d7da47480_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
03e8d322ffb6b1e2afdb9621adfeaa98

SHA1
8c67d7a65430f36c79b822ed14845c5285575ab7

SHA256
e293901673b887fb47db45ca31509d1c6c19874fb66cfe472f91f4d43ef9c053

SHA512
a6139cd3ff088726db963335b4c9afc3955a90a14ce32a3d1778d6f0f29024c39a81e367befeb77e190a6ca8320a9477666cb822743a74a68e5e718303c2db20

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES121A.tmp

Filesize
1KB

MD5
f191a8229c283d0f9515ecab399c8552

SHA1
f5c7b153bad26ea52b83a760cd5fe96fbda3bcf9

SHA256
ee41bb0fe138b332ab7354e5ff9d0733efb22570eca7c364376f00858ccb7178

SHA512
e5afee546498ac3a94a56af8559f039267ccaca3c1ef5a12f4dae36c1bd1c4b3180fee06983a3955a3809c477fb82f20a2d4afcb07d5af3e9b6198dddfd568a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\i3cgo30c\i3cgo30c.0.vb

Filesize
2KB

MD5
561a2170930f18efe16d3ade5f75171a

SHA1
65dccba4047804afd5a8385d30d510a2cf6f70fe

SHA256
ffb9b46ff4f61e24c225c28e50e4581febec684a87314a81eefb9b9e9916787e

SHA512
005db3d1a087bd604c0cd714e6769105d6e8aa34055b541a2db4ae6d0a088f52890dbab0ee1baf021bb8540c654e1dfef87e43c14c626e906c4cb3ffa94bb797

Download Submit
C:\Users\Admin\AppData\Local\Temp\i3cgo30c\i3cgo30c.cmdline

Filesize
273B

MD5
1c016d63331411d548bd78c9992660b4

SHA1
78323ed7aaad7939786d373cb1ebd4dab1de4d9d

SHA256
8f3b51923b175a38ca371ad2d04ea0acc26d616300ceabededf4bf3edb1047df

SHA512
d6970af08f659eb4ce69b6030739dfb4fdbe56847071d8bedfc2dce359ca710aec1b6d718be341da77ee631ac962ad10197e50d3a67dfd4dd98fd80545443532

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1121.tmp.exe

Filesize
12KB

MD5
d3e54b4fc09ecdce3a7f82be3c9a1a9e

SHA1
0a8adab006a95263812a2ee302b11b08b776d654

SHA256
33157de8d871ccdd994ff792e16e4ddd43876077510c3c800c7c4e946d9356c6

SHA512
f636b79112e897446c36c8013c0773497e41ea4275a883e2aaf403bd4eed8a22bb6c6da102ed7aabab5c621115326318b7806ed1294db5596d0d6990225f03c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7CA187793242407B9E422ED0D848C7A7.TMP

Filesize
1KB

MD5
b07ee6533feb46329a8ef8ecc2b69f8d

SHA1
066104f43880849fc6805205aa598714006c0d7e

SHA256
0cc383165447feccc1f61da5dffa778808804778a036907f9c89a003fb400da7

SHA512
2c7d3fb67dcb25504fc1e02e4695556659ae2edfb5bfc561837374a33841df6a51804abb46327e8448b3b23f3194c4a6589280e0ed8f0464f3a1e1e695f356f5

Download Submit
memory/1044-0-0x000000007420E000-0x000000007420F000-memory.dmp

Filesize
4KB

Download
memory/1044-1-0x00000000002C0000-0x00000000002CA000-memory.dmp

Filesize
40KB

Download
memory/1044-7-0x0000000074200000-0x00000000748EE000-memory.dmp

Filesize
6.9MB

Download
memory/1044-24-0x0000000074200000-0x00000000748EE000-memory.dmp

Filesize
6.9MB

Download
memory/2664-23-0x0000000000140000-0x000000000014A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing