8f3aa9fffa1c5bf95985363b7d7ac43d6833886c765c31a1980462b01ea332ce

General

Target

10f2a22d4a71a472382bf4e7bbef6150_NeikiAnalytics.exe
Size

12KB
MD5

10f2a22d4a71a472382bf4e7bbef6150
SHA1

3558289bc9522485515301838869c808d35c1133
SHA256

8f3aa9fffa1c5bf95985363b7d7ac43d6833886c765c31a1980462b01ea332ce
SHA512

cd139cb79977c1f487d726e4586ecf924ffd5642bac7cce512248b54107ba3360e94ea0f3d8d361bcae1990b130580bbfa09709c45a04b4b3ed9874022fe0648
SSDEEP

384:sL7li/2zOq2DcEQvdQcJKLTp/NK9xano:qWMCQ9cno

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2592	tmpBC5.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2592	tmpBC5.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2356	10f2a22d4a71a472382bf4e7bbef6150_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2356	10f2a22d4a71a472382bf4e7bbef6150_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2224	2356	10f2a22d4a71a472382bf4e7bbef6150_NeikiAnalytics.exe	28
PID 2356 wrote to memory of 2224	2356	10f2a22d4a71a472382bf4e7bbef6150_NeikiAnalytics.exe	28
PID 2356 wrote to memory of 2224	2356	10f2a22d4a71a472382bf4e7bbef6150_NeikiAnalytics.exe	28
PID 2356 wrote to memory of 2224	2356	10f2a22d4a71a472382bf4e7bbef6150_NeikiAnalytics.exe	28
PID 2224 wrote to memory of 3012	2224	vbc.exe	30
PID 2224 wrote to memory of 3012	2224	vbc.exe	30
PID 2224 wrote to memory of 3012	2224	vbc.exe	30
PID 2224 wrote to memory of 3012	2224	vbc.exe	30
PID 2356 wrote to memory of 2592	2356	10f2a22d4a71a472382bf4e7bbef6150_NeikiAnalytics.exe	31
PID 2356 wrote to memory of 2592	2356	10f2a22d4a71a472382bf4e7bbef6150_NeikiAnalytics.exe	31
PID 2356 wrote to memory of 2592	2356	10f2a22d4a71a472382bf4e7bbef6150_NeikiAnalytics.exe	31
PID 2356 wrote to memory of 2592	2356	10f2a22d4a71a472382bf4e7bbef6150_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\10f2a22d4a71a472382bf4e7bbef6150_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\10f2a22d4a71a472382bf4e7bbef6150_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hmutqzfn\hmutqzfn.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCBD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFB74F9A267DD4326A768AB5CA448DB97.TMP"
    3⤵
    PID:3012
- C:\Users\Admin\AppData\Local\Temp\tmpBC5.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpBC5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\10f2a22d4a71a472382bf4e7bbef6150_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
7cda4f1e1c87a4a9186a8319b51dec21

SHA1
8f9a0b2aced055feb0b11a0e59c6de6b7bfb1dca

SHA256
1465ae6fbaa739c9259b15d0e24f9db044be37e5376bb9884d557ee81cbad406

SHA512
051be94feaddfd8837b3b35379db8b4c081ddd0e99d7ec83e2160c90eef3ca0b012c5ad791e70847c1c827ff39cdde02b252da0c84983b073cd7a9494fc8b294

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCBD.tmp

Filesize
1KB

MD5
d8682aed02843b4465cf6877fafd87bb

SHA1
cc0cf760f984ebf819d1be01fecc3b09e4bd49ef

SHA256
0b0d9df4e140cc426311236d3419296f2a098da0edb51fb4c5ca033448d4df2e

SHA512
096b3770083af65064baeb91982881cc4b7bbe927118aa98e4ecfb117ded4bb2489ef6b1bdc0b14dd5beb00edb41ee93e1d46a8b8e39b21a38db8df96fec5bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\hmutqzfn\hmutqzfn.0.vb

Filesize
2KB

MD5
ddfab4870285bbf170148183c8d52957

SHA1
0be6047ab77a128b960a295f2324840796858ee7

SHA256
bcfb88edd8ac87019bdf557c2eeddd338aefdd23cbcb067e13845c8d1d1c5a5b

SHA512
39b31140b52b537f0d3074757c925511688b001f2ea7893ae8dcf2fd65647cb725fbea81493fc967362f9d547d83eb5e4fcdd33ee4bc7769d9f5d0234806b8c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\hmutqzfn\hmutqzfn.cmdline

Filesize
272B

MD5
b64ccaba323405e328d7f9a80562e6c6

SHA1
5c2102d1ddf552b4d9b8094a19c09fe92178d5b8

SHA256
a930151d788ad310d2314e6fac45530a484109b08b4f37688df2650eb41be059

SHA512
59bad10581779cb28fae99c4b2434ad2cc423e32f472438fbe0606539179d97d664b5dc12c7c2777a09fc5cf0f73bb44dee587aaff9aa53f0cebf87d55910d81

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBC5.tmp.exe

Filesize
12KB

MD5
f8918dab382a9b8f6b1fb2b0dafaf6e4

SHA1
679a3962441029d06e52d2285b7d97bf4a5bc894

SHA256
4ffba08fa8a5a6b3099545b70fa20922842b8d2d0cb38bb4f677a8a221d08700

SHA512
d1c7b5a8220bbc7b3e4671a10d9d945d5bbede8c2b679b65c35427544287e2a9dc4ea71be218798ed8e261e1bd88bf4cbe979fe93bdc0f2a2216648120a4ad67

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFB74F9A267DD4326A768AB5CA448DB97.TMP

Filesize
1KB

MD5
277ff4fb1ce71256f7b1e40f05cec2cb

SHA1
bee99a193a8c954cb09365269a4f86eba8e6e86c

SHA256
a05a4b6993e63dbb7adc2db21c486bab05f2920235cbfa88da10b06cee3c8c36

SHA512
6c61b4566224ed874c45719ce8b15e40412561067a839851bce54c8947a5c97e0f81b1ad50915cfcdbdc52f67c96e75fe84ba3fad2967f200b1dc4e7069cd24b

Download Submit
memory/2356-0-0x00000000748BE000-0x00000000748BF000-memory.dmp

Filesize
4KB

Download
memory/2356-1-0x0000000000F60000-0x0000000000F6A000-memory.dmp

Filesize
40KB

Download
memory/2356-7-0x00000000748B0000-0x0000000074F9E000-memory.dmp

Filesize
6.9MB

Download
memory/2356-24-0x00000000748B0000-0x0000000074F9E000-memory.dmp

Filesize
6.9MB

Download
memory/2592-23-0x00000000003F0000-0x00000000003FA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing