e9229d328373c8c01ad68ebf81f72fe64c7e93a1728f11d13e2e3ce90a68c2c0

General

Target

2e7adf1d541f263e48978764067027b0_NeikiAnalytics.exe
Size

12KB
MD5

2e7adf1d541f263e48978764067027b0
SHA1

626b0d6930094dc168c9f2da08d44080f2171dcc
SHA256

e9229d328373c8c01ad68ebf81f72fe64c7e93a1728f11d13e2e3ce90a68c2c0
SHA512

dd26b90a471a151bacaa99f5b6fb2316e23de7441f3c589ed62cfef35c331a1e0ea18f4f20ec7a72a5125168bc031b2b2d1713b178810245cfa08c1820a1942b
SSDEEP

384:RL7li/2zkq2DcEQvdQcJKLTp/NK9xaQb:RQMCQ9cQb

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2704	tmp92AF.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2704	tmp92AF.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
1308	2e7adf1d541f263e48978764067027b0_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1308	2e7adf1d541f263e48978764067027b0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 2920	1308	2e7adf1d541f263e48978764067027b0_NeikiAnalytics.exe	28
PID 1308 wrote to memory of 2920	1308	2e7adf1d541f263e48978764067027b0_NeikiAnalytics.exe	28
PID 1308 wrote to memory of 2920	1308	2e7adf1d541f263e48978764067027b0_NeikiAnalytics.exe	28
PID 1308 wrote to memory of 2920	1308	2e7adf1d541f263e48978764067027b0_NeikiAnalytics.exe	28
PID 2920 wrote to memory of 2724	2920	vbc.exe	30
PID 2920 wrote to memory of 2724	2920	vbc.exe	30
PID 2920 wrote to memory of 2724	2920	vbc.exe	30
PID 2920 wrote to memory of 2724	2920	vbc.exe	30
PID 1308 wrote to memory of 2704	1308	2e7adf1d541f263e48978764067027b0_NeikiAnalytics.exe	31
PID 1308 wrote to memory of 2704	1308	2e7adf1d541f263e48978764067027b0_NeikiAnalytics.exe	31
PID 1308 wrote to memory of 2704	1308	2e7adf1d541f263e48978764067027b0_NeikiAnalytics.exe	31
PID 1308 wrote to memory of 2704	1308	2e7adf1d541f263e48978764067027b0_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\2e7adf1d541f263e48978764067027b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2e7adf1d541f263e48978764067027b0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uitodacp\uitodacp.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES977F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc17DE3710DC5C4924A5F65538E24198D.TMP"
    3⤵
    PID:2724
- C:\Users\Admin\AppData\Local\Temp\tmp92AF.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp92AF.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2e7adf1d541f263e48978764067027b0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
4b7e4b8f99ff6e92dd7a45250037373f

SHA1
1d5c1cfec0dfa7160748a4d208005a74d7557a68

SHA256
38a5141fb78803eb8b2ab5ea1654d6add882ecf481e62f218a28e2d6e977906d

SHA512
3bf714819a9a8336648f69538ffe8522ce77e2d3892864481a65b8916d47f64e1409001847798270065ddfdf9539328532b5f469b0f4dfd5dd1b82fa8dd7aac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES977F.tmp

Filesize
1KB

MD5
c14ba45fbebe3bd0600c86fdbe2e9765

SHA1
82291db19f75edb8dfa25820e6d5f6dd232aeddd

SHA256
e4bb28a2516b3fa587dff0d4a55d6ba8ac7785e7aff8acb4ee0610868e8919b6

SHA512
213bdd18c85c4e895859edde784bbfc1884e4fe441b5c474acdf9880f0444e88f978af7f8fd5d18515bd555b4e44712467587d8e75b3f614ee2032ffc04d7897

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp92AF.tmp.exe

Filesize
12KB

MD5
6f9fd393cdb379b5254c4d7651d721f3

SHA1
e85aa8fb4f3aa71988269067c80069d22321631c

SHA256
066bc59472688d2df72e3400a90c8be34b3d992d137297fee94889c80e2944f6

SHA512
cdb9aa69337395da514469fdc417cdf2df5a70b0e5dab73eb9f4845c1b704868d297e5179fdf603a6f013aaaa710f043ac2c169f99df80bc08ad57fd53b980e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\uitodacp\uitodacp.0.vb

Filesize
2KB

MD5
af5e8edeb95469d462d11d790857380e

SHA1
6172209cdd86f2fddca3f2bea8fe46ab55716224

SHA256
aacb73763c3e7c117c5897923c5f4526a3b7cf00c46d7d936b93d7284c9aa661

SHA512
0d27f7b213c7881add92cbd9ae3d600c11398cb019661aefcc0b6172de52ac2b621f46692d325915b2e721c701bd6df39079c99258894a1ac7f8c848bca40d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\uitodacp\uitodacp.cmdline

Filesize
273B

MD5
ac356e9e54d11a2c151b7086b5736500

SHA1
24bc7f767c02c9a67ed89a7359b9ad01e03bbd37

SHA256
90fd8959174c15f67ca04f3dd238176afc5f984a506bae099eb9cabc62490f43

SHA512
b63a09400d8f19ab19730049343eed15bde8bd324a84ef25ad323b849b7af109b3ad33243009897ffefaed13c0d7f137338be72f9f88d348653c543dd2632142

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc17DE3710DC5C4924A5F65538E24198D.TMP

Filesize
1KB

MD5
33a25decc5830a1036de4b3715b4d29f

SHA1
27646b4f49357414cdd5df93e14e351a7a1d301e

SHA256
2520be3616371d83bc5a74730facd3423d7cb28b60f503217088e423174afcda

SHA512
23a8afa94b8776d2a565b7e649655085a8bbfeb06dd6775afeaa3b3c2ec78604d5851fb6927f9fcbf67c04d826f0d00838e60da2340a946caa1cfb9977abda91

Download Submit
memory/1308-0-0x0000000073DEE000-0x0000000073DEF000-memory.dmp

Filesize
4KB

Download
memory/1308-1-0x0000000000B70000-0x0000000000B7A000-memory.dmp

Filesize
40KB

Download
memory/1308-6-0x0000000073DE0000-0x00000000744CE000-memory.dmp

Filesize
6.9MB

Download
memory/1308-24-0x0000000073DE0000-0x00000000744CE000-memory.dmp

Filesize
6.9MB

Download
memory/2704-23-0x0000000000A00000-0x0000000000A0A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing