8729f378d82d49e7ceb8fa78e9381368989d9e4466bda9e21d77b3200e74a268

General

Target

0f58e5efc5f95e4c40b54f9d69ec4780_NeikiAnalytics.exe
Size

12KB
MD5

0f58e5efc5f95e4c40b54f9d69ec4780
SHA1

9f893b687de2f5b439076025e1281e0995aa4862
SHA256

8729f378d82d49e7ceb8fa78e9381368989d9e4466bda9e21d77b3200e74a268
SHA512

1139417479a64169c40ec1f4a9a7ede00af70e98ed032614ce9ddf95d067da04fd80a3ce45340aa5072c9eb501e458a5e61b60e2d4c49f8d678b28c8ed164532
SSDEEP

384:rL7li/2zUq2DcEQvdhcJKLTp/NK9xaqg:/AM/Q9cqg

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2648	tmp16AD.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2648	tmp16AD.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
624	0f58e5efc5f95e4c40b54f9d69ec4780_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	624	0f58e5efc5f95e4c40b54f9d69ec4780_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 2224	624	0f58e5efc5f95e4c40b54f9d69ec4780_NeikiAnalytics.exe	28
PID 624 wrote to memory of 2224	624	0f58e5efc5f95e4c40b54f9d69ec4780_NeikiAnalytics.exe	28
PID 624 wrote to memory of 2224	624	0f58e5efc5f95e4c40b54f9d69ec4780_NeikiAnalytics.exe	28
PID 624 wrote to memory of 2224	624	0f58e5efc5f95e4c40b54f9d69ec4780_NeikiAnalytics.exe	28
PID 2224 wrote to memory of 2316	2224	vbc.exe	30
PID 2224 wrote to memory of 2316	2224	vbc.exe	30
PID 2224 wrote to memory of 2316	2224	vbc.exe	30
PID 2224 wrote to memory of 2316	2224	vbc.exe	30
PID 624 wrote to memory of 2648	624	0f58e5efc5f95e4c40b54f9d69ec4780_NeikiAnalytics.exe	31
PID 624 wrote to memory of 2648	624	0f58e5efc5f95e4c40b54f9d69ec4780_NeikiAnalytics.exe	31
PID 624 wrote to memory of 2648	624	0f58e5efc5f95e4c40b54f9d69ec4780_NeikiAnalytics.exe	31
PID 624 wrote to memory of 2648	624	0f58e5efc5f95e4c40b54f9d69ec4780_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\0f58e5efc5f95e4c40b54f9d69ec4780_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0f58e5efc5f95e4c40b54f9d69ec4780_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gy1fmtrd\gy1fmtrd.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1803.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB471C9B528244AA7A79F362ECFEE71A7.TMP"
    3⤵
    PID:2316
- C:\Users\Admin\AppData\Local\Temp\tmp16AD.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp16AD.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0f58e5efc5f95e4c40b54f9d69ec4780_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
b89a3d7ba4895d6be3ce9cd6f43b767d

SHA1
216a917459ad9876624dde29030a271fc3ebea7c

SHA256
32f7bb9375f4f22f1cf2f6009c92fe9765bc2b87698ae9f9c522497e21637ba7

SHA512
90fb0e58d2cd40e8712d32c3361e07e2203c17cc8ae7ed6bcc585ff0bbcfa3b03aeaf54716625729a0dadcb6dc5540df986fabf23ef1f90b782b406b3ce1d81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1803.tmp

Filesize
1KB

MD5
05653c55d75ede9d28619620ffd2f168

SHA1
c24fe384e5786be224f6b04fcd7d312a98bbbc19

SHA256
b8450a19485f7de8a5c50407c70346960c1630eb2cad2b381fdd118e81dc9c1c

SHA512
e3ca489639e495883af8a8ae74a2a3d9add6da3d743041ff98166852836c93bcd666d285f3e5fdbc39ae1c1a3d923a7f01fea1640c24028f8a280da631e59a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\gy1fmtrd\gy1fmtrd.0.vb

Filesize
2KB

MD5
8cbb1be2a88a41330948b9e4801573da

SHA1
7000736573285e26289024cb1dd9a4616385f09b

SHA256
04ab59e0987792bf1634b904235a2ddeb7edf78bc751ce4e9182aa1de93e3643

SHA512
0bfe11fd625c6c73c73e7d5ce104bb787df33b3bb2121b213b152179cc1c946ab8b7c5843207c90be20045a8fda5dde8122229b64586bb2e1ff17c953053433a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gy1fmtrd\gy1fmtrd.cmdline

Filesize
273B

MD5
796e9efc3858b6085310751dfe9a34b0

SHA1
514978ca8ee50c5904f94b049606496c396842e4

SHA256
b11f4404f7d3df1bdbe5d019b32358ae51d6cc319e17fc29bb2aaaef08d153e8

SHA512
37aa0ad99a3ca1086f33adc6004c3222086ad7098777d63f4a7bddbbd1fc2b393d65463269e75ac884a1b891160c13f2504fb0c6beb0e2ef2414af0aff50058e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp16AD.tmp.exe

Filesize
12KB

MD5
0a7868a9c9e1d209f701c596dd21b83d

SHA1
49fb4db3d2dc51f369cc3d767a9d853de5cfc5c5

SHA256
16e982c7bd6ce2c36281d6faf40772492ac71fdc3c4b402f5d15c8018f967b01

SHA512
0c37e4692719e764090f3f0361f8df27104baa854f543862b989139203c31bdadbd261bf6acc75290fe90bb688d4e09257f4ff19be31cc120ccdb92df0c14d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB471C9B528244AA7A79F362ECFEE71A7.TMP

Filesize
1KB

MD5
81d6e771342c8cc4342f4c08e5f9e1c3

SHA1
244a9f9ab32206412eb358edb967957f2ff37dcd

SHA256
8512ec840e16b42bf40748085e49de5e5e164184bf7d2306d454859021ae34dc

SHA512
970a10ab2d9d17f27a7e86c87d4f5872453523195e897f5087bf8a44c6d3ea9464a70cd112a37f411f1b4d4fce99acfe006fe751289e08ebaf1ea2688134e7e6

Download Submit
memory/624-0-0x000000007447E000-0x000000007447F000-memory.dmp

Filesize
4KB

Download
memory/624-1-0x0000000000170000-0x000000000017A000-memory.dmp

Filesize
40KB

Download
memory/624-8-0x0000000074470000-0x0000000074B5E000-memory.dmp

Filesize
6.9MB

Download
memory/624-24-0x0000000074470000-0x0000000074B5E000-memory.dmp

Filesize
6.9MB

Download
memory/2648-23-0x00000000012E0000-0x00000000012EA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing