Analysis

  • max time kernel: 118s
  • max time network: 118s
  • platform: windows7_x64
  • resource: win7-20240419-en
  • resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted: 06/06/2024, 20:35

General

  • Target: 96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe
  • Size: 12KB
  • MD5: 96ebdd4a73ae3b37ce3d048681a48f60
  • SHA1: ea1792921f99d943a6b9567a45561c157534f7db
  • SHA256: 0f7f9480172c6da790f19d065cab92249b91bec5b101622879bb0facdc9fceda
  • SHA512: b8e88401add52b8fcc49167bfe8045d467955469a660ae96cd760544526dd11912251a1e2cb763cfbd66c6c1451dbb58485b956bda7acea05dda62f6b9a66e4e
  • SSDEEP: 384:cL7li/2zYq2DcEQvdhcJKLTp/NK9xaNp:6UM/Q9cNp

Score: 7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3028
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tciv1ktg\tciv1ktg.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2812
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B5D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7141BAF496924431919328C38547CEDF.TMP"
        3⤵
          PID:2664
      • C:\Users\Admin\AppData\Local\Temp\tmp19C9.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp19C9.tmp.exe" C:\Users\Admin\AppData\Local\Temp\96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe
        2⤵
        • Deletes itself
        • Executes dropped EXE
        PID:2604

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\RE.resources
            Filesize: 2KB
            MD5: 6d558f3fc85a41c2079c819ce28efb8d
            SHA1: e4ae283500c17f4094848c7d1a4b8df8b67d0188
            SHA256: c07dd490d8e14b0f2d99580dee0ff50048807fd061d8912c721c4087e2decff5
            SHA512: d5da9384f15d9be0de74b36ee0537aac3fa62b81d87439e890d05b6258778369d8f00de06a198ca1dd837f2c2aed816ab02a212b94197db34c9f0e15809ee9df

          • C:\Users\Admin\AppData\Local\Temp\RES1B5D.tmp
            Filesize: 1KB
            MD5: dc6ed6594d0befb7d1e7260d36f6059f
            SHA1: 3785c1f867e9fa164c99ee3f32c9fee8a36c49c9
            SHA256: aa36f922cbef69863c368faca315e5cf7b56aa6c510d0dd8a9aea84a2c42309a
            SHA512: 7919e91d5bf97c9ada87018455f95e081ca4be509505394fad2c99445df48e75572f73eb28aa63473c7a42e5f25cebcdf3996585052558aa5c436c6ecab50b73

          • C:\Users\Admin\AppData\Local\Temp\tciv1ktg\tciv1ktg.0.vb
            Filesize: 2KB
            MD5: bbf2720d5823d8dc4dc3827422a3ed1a
            SHA1: e33937437dd521e66857bd35c9f23a3120718a9c
            SHA256: e49441288b84392b0c23ed81dc98af050297763673f887c2a978bf970f8c991c
            SHA512: 416a405e2bb90d4cd0a4f8a154dbc6163d14997a54710453515126d4d32033d6a6c12afbf7c0cf41f03d2fe0f238e9066735ba9cd895ba89db3ada22b0d833ea

          • C:\Users\Admin\AppData\Local\Temp\tciv1ktg\tciv1ktg.cmdline
            Filesize: 273B
            MD5: 728712e04c961cda3e49d3c08d6c7d9a
            SHA1: 668093e2df9ef830b7803653f2cabeda07de3cb3
            SHA256: 76ea6cb21ddf0b6ce8e985170f95fd6fb932fc2abd773793bfa3cb7c611aead0
            SHA512: a071edc5cef693ea2bc99d68047a992deecf60d57049269c5a77a4544888082ec05f736aa7c7ec222afe1612b9a65fc5dae69eea3b2f6dadae7083af5f55d822

          • C:\Users\Admin\AppData\Local\Temp\tmp19C9.tmp.exe
            Filesize: 12KB
            MD5: cd38fea6032ecfc04b7e03e68dd733d8
            SHA1: 6078dc36846c31e1e68708544ef18f03ce0f679c
            SHA256: f30986951c1203cf43b2743a1f373798ab48bdc0f51e9a11e1a558c5703ae4c4
            SHA512: 1cbe41b8305a9263e5343089850b2fcf193b942b27e7911d25ac60fb41f6e49175519bfe79d936efc4f7b3073da6644422b296e0225ae2b9eba9cc5150771a87

          • C:\Users\Admin\AppData\Local\Temp\vbc7141BAF496924431919328C38547CEDF.TMP
            Filesize: 1KB
            MD5: b78b2d324216b0b3fa4bc9694bd4c958
            SHA1: 7cb531df5925b23cd8d2334b86e9bb9fcecb35f5
            SHA256: 93225621ac3704c63bce3e6b7dd4b32f6f596083b724b6960deba0a55ad361fd
            SHA512: afc3082ff9e8a240fd35cacdea4fcf5140890daa7b2c08b5522935c25851b81edc6102a56ff9633810aa27cf27506b95a98ac6031d80686aca0ef6a3c0eeaee1

          • memory/2604-23-0x00000000003F0000-0x00000000003FA000-memory.dmp
            Filesize: 40KB

          • memory/3028-0-0x0000000073F9E000-0x0000000073F9F000-memory.dmp
            Filesize: 4KB

          • memory/3028-1-0x0000000001230000-0x000000000123A000-memory.dmp
            Filesize: 40KB

          • memory/3028-7-0x0000000073F90000-0x000000007467E000-memory.dmp
            Filesize: 6.9MB

          • memory/3028-24-0x0000000073F90000-0x000000007467E000-memory.dmp
            Filesize: 6.9MB