14653d8261bce4c0e8cb96d101cc8c1298509dc81814805eeae30308994ab934

General

Target

47c389a4e194f1b139176b9b3ea6a650_NeikiAnalytics.exe
Size

12KB
MD5

47c389a4e194f1b139176b9b3ea6a650
SHA1

befbd505bfd56c6e1d4bdcdad58c3079ffb4483c
SHA256

14653d8261bce4c0e8cb96d101cc8c1298509dc81814805eeae30308994ab934
SHA512

ab02d0cb85cf6cf018ccae9e81ebaca04545f91bae766511c12b11e04c70a7991704e306cdccd96e3b235ec40dcf9d59d358c9f7994dcf4e00107ed22872e20b
SSDEEP

384:AL7li/2zZq2DcEQvdhcJKLTp/NK9xarU:e5M/Q9crU

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2692	tmp6DC2.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2692	tmp6DC2.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2996	47c389a4e194f1b139176b9b3ea6a650_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2996	47c389a4e194f1b139176b9b3ea6a650_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 2984	2996	47c389a4e194f1b139176b9b3ea6a650_NeikiAnalytics.exe	28
PID 2996 wrote to memory of 2984	2996	47c389a4e194f1b139176b9b3ea6a650_NeikiAnalytics.exe	28
PID 2996 wrote to memory of 2984	2996	47c389a4e194f1b139176b9b3ea6a650_NeikiAnalytics.exe	28
PID 2996 wrote to memory of 2984	2996	47c389a4e194f1b139176b9b3ea6a650_NeikiAnalytics.exe	28
PID 2984 wrote to memory of 3028	2984	vbc.exe	30
PID 2984 wrote to memory of 3028	2984	vbc.exe	30
PID 2984 wrote to memory of 3028	2984	vbc.exe	30
PID 2984 wrote to memory of 3028	2984	vbc.exe	30
PID 2996 wrote to memory of 2692	2996	47c389a4e194f1b139176b9b3ea6a650_NeikiAnalytics.exe	31
PID 2996 wrote to memory of 2692	2996	47c389a4e194f1b139176b9b3ea6a650_NeikiAnalytics.exe	31
PID 2996 wrote to memory of 2692	2996	47c389a4e194f1b139176b9b3ea6a650_NeikiAnalytics.exe	31
PID 2996 wrote to memory of 2692	2996	47c389a4e194f1b139176b9b3ea6a650_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\47c389a4e194f1b139176b9b3ea6a650_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\47c389a4e194f1b139176b9b3ea6a650_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xhqf5mwt\xhqf5mwt.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6ED9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc35D67BEDF1F043548F7151BACD21F14.TMP"
    3⤵
    PID:3028
- C:\Users\Admin\AppData\Local\Temp\tmp6DC2.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp6DC2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\47c389a4e194f1b139176b9b3ea6a650_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
81ae919be612c9c280613cc42ae11314

SHA1
a17d776b3a36e53e6d4c7383c06fc741dbd736fc

SHA256
ccd71015232f1ef523c1d8d1e6fe4ed66c0f1aeca49cbdf63efdf5bcce4a3a8b

SHA512
44cc3646b7c6d3b56480cb4e2818e738083192264673e4fb6632c500ee46fb5657e1d66d81aedc3448af4e8f08482d9be09f393b2e5a054168edeb0193577d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6ED9.tmp

Filesize
1KB

MD5
af0b3cfe99bb4252738c6882c365e95d

SHA1
4c9f9b903fe7de90e7e8d84e561b6b8569294a29

SHA256
2679741cabd0daae2d44555828603114c8c2345b608eaf01614eb571dd669594

SHA512
f9bfdb730e05d599077cff8b8e1304fdd40cf5b742ec021cfe6b8c6fce10d839615d648fbdec6bf10d4cbc3de3c86dd7487b1b01f5c4a228c629795af94870b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6DC2.tmp.exe

Filesize
12KB

MD5
29457cab0201f5a3c48dae1969b4c176

SHA1
a10733d8fe37cc4df207e782e9b60a6b57ecd036

SHA256
12018b66365741b6066d95d13ae0d4e67a1cb653deb1032d0dec84a7e5491ec7

SHA512
78b23f8c3616b824094c5affcabb02c6e470f2f0a55051085e7aae25e7446c657ad97df81999041fc328d3fa591068a7749ea80bcf0d35cf48f52293a01c6e53

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc35D67BEDF1F043548F7151BACD21F14.TMP

Filesize
1KB

MD5
ecbe9cd9cd152d6990b060afcfc05288

SHA1
f6a713d2ea90f0fb00767c902a3c42a5d2569435

SHA256
332794f88cf921eb9f7a07c76fdbfc3f44fbf5b0bd08a7cac33b1cabf702885b

SHA512
104a923f46e922e6ab47e6c9ecbe45277264c16d5a278965aca27e302c63aeb560aed6a6d2eb42fe0b0c38ab6ea5e0eec40f14855b70bab7d79455dddcd917d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\xhqf5mwt\xhqf5mwt.0.vb

Filesize
2KB

MD5
505e50cc6b5dc186e8cb0108271de118

SHA1
f17f943a7fa4d72cda40f40567725cf2888ae165

SHA256
bf8ced5e71a18e7fd5af74c3b8a032dcf749d22acf66a6650815c9ce97c305fe

SHA512
d9737378f831d70b63303a6923c772e18667acb822a3bcdf570ad7f44769435c682b99869b1a04a466ac8f4590f919f8bbbb5d35eb15f0764a9074804d8bc1f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\xhqf5mwt\xhqf5mwt.cmdline

Filesize
273B

MD5
a8f956d86b536466d29f626ffcf5e5bf

SHA1
1e64504d3fe89413e5da2c6425c59740f39739a4

SHA256
7ad9e588b7b136921c343b68749a0c2fd76716a986ffa281b7f5b3ed280c627c

SHA512
2b4bd7dd4e3725d5822797281371d65abed1f835be28ee467769a18b5bf5599748b08551ad8c0d8318415478661f329827c84f00a1b48ac5be70fe19cad3de17

Download Submit
memory/2692-23-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/2996-0-0x0000000073F3E000-0x0000000073F3F000-memory.dmp

Filesize
4KB

Download
memory/2996-1-0x00000000010C0000-0x00000000010CA000-memory.dmp

Filesize
40KB

Download
memory/2996-8-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/2996-24-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing