ead751f3bf2e22918c913b45db9f51ca28d21936d0b8a409ab782c9f770a4cb3

General

Target

d3b7a962aefddc89bb220bf6b8e36240_NeikiAnalytics.exe
Size

12KB
MD5

d3b7a962aefddc89bb220bf6b8e36240
SHA1

774a6e9ffbfe851cd8c4a3d3ae19449c3d3da9e3
SHA256

ead751f3bf2e22918c913b45db9f51ca28d21936d0b8a409ab782c9f770a4cb3
SHA512

600a9d97595360377374e99e00630942fad69c74ac0b8a20d7a04670b8afdc8128c8d023f213c22c5de9636c17cd1b03dba464c581f278e5abe497c429d46398
SSDEEP

384:yL7li/2zvq2DcEQvdhcJKLTp/NK9xakV7E:srM/Q9ckV7E

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2496	tmp3850.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2496	tmp3850.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
1972	d3b7a962aefddc89bb220bf6b8e36240_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1972	d3b7a962aefddc89bb220bf6b8e36240_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2440	1972	d3b7a962aefddc89bb220bf6b8e36240_NeikiAnalytics.exe	28
PID 1972 wrote to memory of 2440	1972	d3b7a962aefddc89bb220bf6b8e36240_NeikiAnalytics.exe	28
PID 1972 wrote to memory of 2440	1972	d3b7a962aefddc89bb220bf6b8e36240_NeikiAnalytics.exe	28
PID 1972 wrote to memory of 2440	1972	d3b7a962aefddc89bb220bf6b8e36240_NeikiAnalytics.exe	28
PID 2440 wrote to memory of 2536	2440	vbc.exe	30
PID 2440 wrote to memory of 2536	2440	vbc.exe	30
PID 2440 wrote to memory of 2536	2440	vbc.exe	30
PID 2440 wrote to memory of 2536	2440	vbc.exe	30
PID 1972 wrote to memory of 2496	1972	d3b7a962aefddc89bb220bf6b8e36240_NeikiAnalytics.exe	31
PID 1972 wrote to memory of 2496	1972	d3b7a962aefddc89bb220bf6b8e36240_NeikiAnalytics.exe	31
PID 1972 wrote to memory of 2496	1972	d3b7a962aefddc89bb220bf6b8e36240_NeikiAnalytics.exe	31
PID 1972 wrote to memory of 2496	1972	d3b7a962aefddc89bb220bf6b8e36240_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\d3b7a962aefddc89bb220bf6b8e36240_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d3b7a962aefddc89bb220bf6b8e36240_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\e5asbryv\e5asbryv.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES39F4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc13D9F404AD934299B81EF1C26827A3.TMP"
    3⤵
    PID:2536
- C:\Users\Admin\AppData\Local\Temp\tmp3850.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp3850.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d3b7a962aefddc89bb220bf6b8e36240_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
05b3a31f8079c93ca44261e24b1f8bb9

SHA1
628ed628eefa60f78699f3e0e306ca9b17b0dcb4

SHA256
f9ad4d374bc13cf9cef2cb3bdfe335cd912e4298f0d031af567d54936d6e8e65

SHA512
20c73e7cea6dc38049776185c60086ede96ac2cd2bd93d37dbd356e50147989a48d34d6a70c3dc260cde6ffb979cfe668e7cf3f1878a5dc32f023a6f019e9f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES39F4.tmp

Filesize
1KB

MD5
3d0a7392c9164d1abb5f1c69aa657e5b

SHA1
5adb80a4ca13da3e9408aee036d5a8960a84dd17

SHA256
c6e172d18c5edfb75ff4e4c637ab51a389073917178d112dcfa29cd8b80425c9

SHA512
1ff8b2fe01f2e70abb8e0ddb03d657cc0d5ec07877af9ef706d44f9ef90a15ad7a953d649abb8d345b1e275cb5f04bc55155a21b46279044e4eebf886716b011

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5asbryv\e5asbryv.0.vb

Filesize
2KB

MD5
58d4920332793542b4bdc09e172600b7

SHA1
d4b637da69932588db58d55a8cbbabd9c68f04e7

SHA256
44550eebba9f8aa92d9c72255ccb1e0a52bc25abc1d103664fbcabb71797003c

SHA512
fd6085382a715f9671b44eae5880582a36a8f9d0c8604ce5e11d79cf4aefc7df5452180325c0eb2be36cc90072c76449d0897a373634b526b2edfe246a433384

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5asbryv\e5asbryv.cmdline

Filesize
273B

MD5
ef25ea9044a49d6f264498be79b529ae

SHA1
d3f638527fe15a6f2529e6f9860a48f80aa33c39

SHA256
3e19df2c7f672d238941ba544ce7a184e482f10a2ba6ba1f86f1765df9a3c111

SHA512
4c65367666aa1c4cbea49b1517da95d04ede20203f54c13ed9888fb086acbdd94efd5c8cfe93c727c629f6cf246b49010c2754090250497e706170b401fba8e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc13D9F404AD934299B81EF1C26827A3.TMP

Filesize
1KB

MD5
520b7a0e617497e432338f35404433ca

SHA1
27bd7c65d3fe00d77c9f135512fd06985a5e33a2

SHA256
75d0f2fb3d47039b1b431be1a77982e1d5b353df326c9c141c544a8d4525500a

SHA512
d65dff41367c483270f6fc3d81bedc1dfd18b4058ee13e66357132d671c1c892d34151fe61f7c0bc892a20b6f8601551a1c17367e7e53173faf2ab75cbe2a408

Download Submit
\Users\Admin\AppData\Local\Temp\tmp3850.tmp.exe

Filesize
12KB

MD5
de74e4c484ca3086a7327e66f0ab5f1e

SHA1
4e02bfa0ffabb78410a4ff4e745a890a3ba390a5

SHA256
d16fc77642b17a4784427c1a993262568ef2db08c3fff5dba37e44dcfd1d6ef5

SHA512
86f6e483dc05f39d929dbce91ac6069ac6c02dd2f2355724b5ecbc1375448bdc00edb3e587349190833a8c2ddd3cab1c9e13cd4cf7ed692b93b1cba183aa88c4

Download Submit
memory/1972-0-0x0000000074DFE000-0x0000000074DFF000-memory.dmp

Filesize
4KB

Download
memory/1972-1-0x0000000000A70000-0x0000000000A7A000-memory.dmp

Filesize
40KB

Download
memory/1972-7-0x0000000074DF0000-0x00000000754DE000-memory.dmp

Filesize
6.9MB

Download
memory/1972-24-0x0000000074DF0000-0x00000000754DE000-memory.dmp

Filesize
6.9MB

Download
memory/2496-23-0x0000000001290000-0x000000000129A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing