Analysis
- max time kernel: 118s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 06/06/2024, 20:35
Static task: static1
Behavioral task: behavioral1
  Sample: 96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
- Target: 96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe
- Size: 12KB
- MD5: 96ebdd4a73ae3b37ce3d048681a48f60
- SHA1: ea1792921f99d943a6b9567a45561c157534f7db
- SHA256: 0f7f9480172c6da790f19d065cab92249b91bec5b101622879bb0facdc9fceda
- SHA512: b8e88401add52b8fcc49167bfe8045d467955469a660ae96cd760544526dd11912251a1e2cb763cfbd66c6c1451dbb58485b956bda7acea05dda62f6b9a66e4e
- SSDEEP: 384:cL7li/2zYq2DcEQvdhcJKLTp/NK9xaNp:6UM/Q9cNp
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid 2604, process tmp19C9.tmp.exe
- Executes dropped EXE (1 IoCs)
  pid 2604, process tmp19C9.tmp.exe
- Loads dropped DLL (1 IoCs)
  pid 3028, process 96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe
- Uses the VBS compiler for execution (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Token: SeDebugPrivilege, pid 3028, process 96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe
- Suspicious use of WriteProcessMemory (12 IoCs; each row below is recorded four times in the report)
  description                       pid   process                                              procid_target
  PID 3028 wrote to memory of 2812  3028  96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe  28
  PID 2812 wrote to memory of 2664  2812  vbc.exe                                              30
  PID 3028 wrote to memory of 2604  3028  96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe  31
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe"
  PID: 3028
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tciv1ktg\tciv1ktg.cmdline"
    PID: 2812
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B5D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7141BAF496924431919328C38547CEDF.TMP"
      PID: 2664
  Depth 2: C:\Users\Admin\AppData\Local\Temp\tmp19C9.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp19C9.tmp.exe" C:\Users\Admin\AppData\Local\Temp\96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe
    PID: 2604
    - Deletes itself
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads