a54cb8ad2c79b23a6155ab200b5a48e024bd66019f89229ea8b8a3c13efe75b8

General

Target

132759bccbe8ce3489eb4253b77b3950_NeikiAnalytics.exe
Size

12KB
MD5

132759bccbe8ce3489eb4253b77b3950
SHA1

cc747cf1e8b64dd0d138083d0e59b01f41447432
SHA256

a54cb8ad2c79b23a6155ab200b5a48e024bd66019f89229ea8b8a3c13efe75b8
SHA512

b26870f285260f172cfbae16f79befd4c0b9e03697e0e8ec3ffa502ccd79b30ee3fdee5af62e8bfd08f0e2ed721cc6f35bfbd2fc927fba198952bcd559731826
SSDEEP

384:yL7li/2zAq2DcEQvdQcJKLTp/NK9xa71:s8MCQ9c71

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2660	tmp1508.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2660	tmp1508.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
1484	132759bccbe8ce3489eb4253b77b3950_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1484	132759bccbe8ce3489eb4253b77b3950_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 2664	1484	132759bccbe8ce3489eb4253b77b3950_NeikiAnalytics.exe	28
PID 1484 wrote to memory of 2664	1484	132759bccbe8ce3489eb4253b77b3950_NeikiAnalytics.exe	28
PID 1484 wrote to memory of 2664	1484	132759bccbe8ce3489eb4253b77b3950_NeikiAnalytics.exe	28
PID 1484 wrote to memory of 2664	1484	132759bccbe8ce3489eb4253b77b3950_NeikiAnalytics.exe	28
PID 2664 wrote to memory of 2616	2664	vbc.exe	30
PID 2664 wrote to memory of 2616	2664	vbc.exe	30
PID 2664 wrote to memory of 2616	2664	vbc.exe	30
PID 2664 wrote to memory of 2616	2664	vbc.exe	30
PID 1484 wrote to memory of 2660	1484	132759bccbe8ce3489eb4253b77b3950_NeikiAnalytics.exe	31
PID 1484 wrote to memory of 2660	1484	132759bccbe8ce3489eb4253b77b3950_NeikiAnalytics.exe	31
PID 1484 wrote to memory of 2660	1484	132759bccbe8ce3489eb4253b77b3950_NeikiAnalytics.exe	31
PID 1484 wrote to memory of 2660	1484	132759bccbe8ce3489eb4253b77b3950_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\132759bccbe8ce3489eb4253b77b3950_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\132759bccbe8ce3489eb4253b77b3950_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v3ywvy0z\v3ywvy0z.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES162F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC0BF34DB1D414C45BC611E58988F3AF7.TMP"
    3⤵
    PID:2616
- C:\Users\Admin\AppData\Local\Temp\tmp1508.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp1508.tmp.exe" C:\Users\Admin\AppData\Local\Temp\132759bccbe8ce3489eb4253b77b3950_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
4fdc7cd2dc255d25c6c6740ec448456e

SHA1
bc15f8614cf5de61b303cce90ab019f7d24e857c

SHA256
aaffe7b8e57b49c9d87de43e2e366e8feb88d82eadbdcfbd39aa8e73b5a8b2d6

SHA512
82f40eae993b7cd3780ffea3c6a084e238dd298d022174742409d76a9e5201880df7256798ed2ba1c049ebf924ac8720ee5069682e5ea3055e1c82d457ed9092

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES162F.tmp

Filesize
1KB

MD5
1865a57d7deefd47efbe89f6156b6a28

SHA1
c9b9e85ae949c06d96c2b57b9ef4492dcc47c674

SHA256
f1cac3f223de1a2ddba76219a15bfc03e6f590d7cb2ba54d83e1ac62e6138e89

SHA512
f5dcffdb8011d1079cc9058f7bade449fa70300155ad16fdb383a43c6468c273f596efac4d0b239d6fa46fa0f92303a763f3c56ae87add0dd1094ecbfd96f012

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1508.tmp.exe

Filesize
12KB

MD5
1debab40c452d20b91a7c9fa0e9fa1e9

SHA1
409b9ab6ca7eba21cef2495ccc19123a522982dd

SHA256
6df99a865b38d3c63140d87d7612900264d5ba3eff1f4d4ff752f21282decc51

SHA512
4ec232e7d09f2b71be4fe0e1d15b6f8f478d3e899adc947ab42753755d9a9ed0e612cdc4a010a249524e940bd50ef26ebe123c344bc2ea5fe09152ac6211791c

Download Submit
C:\Users\Admin\AppData\Local\Temp\v3ywvy0z\v3ywvy0z.0.vb

Filesize
2KB

MD5
cb101c09a776ab3cd20716c099b0768f

SHA1
7a7d28db1cb2992133f071db5aa1bd3a450f1a19

SHA256
b0f7d476624d6e952c2bf91d12b048af08d09409af9c9d4061276ee7b3e2248e

SHA512
a0a267ba081c3193c91cd23427484ca8b0d978f89007754ae43505c5819be97eb41d6d9d09c205911788bbf0a30690787b0a6c557e636f0b0df5e785577d6367

Download Submit
C:\Users\Admin\AppData\Local\Temp\v3ywvy0z\v3ywvy0z.cmdline

Filesize
273B

MD5
c7e1bc621a95df33c6fbf686bf385780

SHA1
c1c70756682d83709d87d451d0b72738b02359ba

SHA256
e38a2fe8e84b428e2b53f92ec9609fc6a8f9ce4f33c7e12b25566e0682b020a5

SHA512
656d0d46222eaaed6c48ae0377e25b6e59c3853b751b3f1468b356de10d2d61832cc9478af84d22b0d2591f76e503621f5b3c023b5341dc73c47d877c841d90e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC0BF34DB1D414C45BC611E58988F3AF7.TMP

Filesize
1KB

MD5
79508113d090d0d25bc33035d4dd00b3

SHA1
707e9b377f2517c448f484108c79c6103aea3d89

SHA256
8f28d6c5ea9bcf4b6429649f2587a28ff0546fab6bfe4fe0cddcc7ad2fa99aae

SHA512
831dc766a5dfabb03eee950aaa7371890107e429ad50f56a19bb9ffceea836c7fdca83f11e613b90476dcb5b994c0379b192373b896c52929306d14c06bd2730

Download Submit
memory/1484-0-0x00000000744CE000-0x00000000744CF000-memory.dmp

Filesize
4KB

Download
memory/1484-1-0x0000000000CE0000-0x0000000000CEA000-memory.dmp

Filesize
40KB

Download
memory/1484-7-0x00000000744C0000-0x0000000074BAE000-memory.dmp

Filesize
6.9MB

Download
memory/1484-24-0x00000000744C0000-0x0000000074BAE000-memory.dmp

Filesize
6.9MB

Download
memory/2660-23-0x0000000000860000-0x000000000086A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing