21bca88c8878a76974e07a11a2e2029435bd338c7e3a426acd44bfe9fecd9a3a

General

Target

51db9117e929df68091d2c31dbec7f20_NeikiAnalytics.exe
Size

12KB
MD5

51db9117e929df68091d2c31dbec7f20
SHA1

1d20df7c4f2a229ac20203f08392b208e5432601
SHA256

21bca88c8878a76974e07a11a2e2029435bd338c7e3a426acd44bfe9fecd9a3a
SHA512

0f0cd07b7b408ac0529acc3360687c01830e6d2616511f22993583735b4970f36413850712cc7f928807df50084cb1a70a341b71a5da759829854bdc0ae4a005
SSDEEP

384:+L7li/2z4q2DcEQvdhcJKLTp/NK9xaqR:okM/Q9cqR

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2732	tmp17E5.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2732	tmp17E5.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
1848	51db9117e929df68091d2c31dbec7f20_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1848	51db9117e929df68091d2c31dbec7f20_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 2592	1848	51db9117e929df68091d2c31dbec7f20_NeikiAnalytics.exe	28
PID 1848 wrote to memory of 2592	1848	51db9117e929df68091d2c31dbec7f20_NeikiAnalytics.exe	28
PID 1848 wrote to memory of 2592	1848	51db9117e929df68091d2c31dbec7f20_NeikiAnalytics.exe	28
PID 1848 wrote to memory of 2592	1848	51db9117e929df68091d2c31dbec7f20_NeikiAnalytics.exe	28
PID 2592 wrote to memory of 2652	2592	vbc.exe	30
PID 2592 wrote to memory of 2652	2592	vbc.exe	30
PID 2592 wrote to memory of 2652	2592	vbc.exe	30
PID 2592 wrote to memory of 2652	2592	vbc.exe	30
PID 1848 wrote to memory of 2732	1848	51db9117e929df68091d2c31dbec7f20_NeikiAnalytics.exe	31
PID 1848 wrote to memory of 2732	1848	51db9117e929df68091d2c31dbec7f20_NeikiAnalytics.exe	31
PID 1848 wrote to memory of 2732	1848	51db9117e929df68091d2c31dbec7f20_NeikiAnalytics.exe	31
PID 1848 wrote to memory of 2732	1848	51db9117e929df68091d2c31dbec7f20_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\51db9117e929df68091d2c31dbec7f20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\51db9117e929df68091d2c31dbec7f20_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qat3yau2\qat3yau2.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES190C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2C317EEDCE5546DFB06F1C1D63DAB0C8.TMP"
    3⤵
    PID:2652
- C:\Users\Admin\AppData\Local\Temp\tmp17E5.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp17E5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\51db9117e929df68091d2c31dbec7f20_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
a16191d65ce63b5548cb91af4e4aa02c

SHA1
1e3182db9213cb613850daba570dfe6501b2f6ef

SHA256
b503b45e8fdbbaaa73b07c025c998d6c852aa1945b788ada345fd293f7467811

SHA512
9b7f606dd1ad9102201810bc5a1463a1b6137bd2ad69bfeae32263024df1c98946007074f89a7e0b3d44916da44dea21b538c4b231492fb60820e134fe42e8a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES190C.tmp

Filesize
1KB

MD5
c50e543dba16c56ed9675d51267c3bf8

SHA1
13921ec4db4e3082f47b85957fe123ec9c8c328a

SHA256
3f8179d77f56be5d09011ad1005bad90e4c25fd86d8b4bd65ed32c972953a7cd

SHA512
5655c7a6cfcdd3d44d55527ef99df73f58960d76b08541621ba971ce24bd2ed8f984bca5e1981946cf47debd36ad2d3d0a95b60b08d5e98882262868b977b9ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\qat3yau2\qat3yau2.0.vb

Filesize
2KB

MD5
29c62f31f826a1b21f5686bd8dd48c2a

SHA1
c9c2b05371a0f95c42ed25209ac37facf854c37d

SHA256
9006fc5e469b5b7a1a2490c32972e18c22fca1fe6bb24a19a04cc5d12db4eabe

SHA512
902c8aa7f089e430829dadacf61b6f41efdfd62ac2fc753b83557be2ab55d4ca3e5213ca0f3efa4a32bc893148f14cccc1b440169ddcfbdf333f535da0440eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\qat3yau2\qat3yau2.cmdline

Filesize
273B

MD5
ccde38289728be1c158538b5d9bc846f

SHA1
7ba0cd1e13a050e98b6d33a608fe476703be21ec

SHA256
aaa7401fe8c76c23808e637d0acd66f2cc8b18e91237416049ea2d08300f8066

SHA512
bc1128b2f0ec3418e58eda48e0cba74c97655417ae5b96fbee243b72e39719cbc68c189aefcf1d12bd5df9e381bbd42e9d840c02f20081dd6fb8b76a6b9f54cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2C317EEDCE5546DFB06F1C1D63DAB0C8.TMP

Filesize
1KB

MD5
d19dcacb157d87d29146b200f6f1e8f9

SHA1
42b1f0862bf8361832e738f50d2898b5f1582e11

SHA256
2e2d541352f76df1fb04d663d2403d421bcaf4c5476f79f57764e3c258159ed5

SHA512
1dd8bc090dc426872fe05e3f4ee1c841b6dbbc7235834c42b9b6c1ec37a4565748f9a587fb3874859a2c448788649e1680f9fb48aede590d2bda19d0f573623e

Download Submit
\Users\Admin\AppData\Local\Temp\tmp17E5.tmp.exe

Filesize
12KB

MD5
7f737215f77740bbe2aa65754b9a1f10

SHA1
4ac3678ce4d1215f988eb185b80c1b875d5c587e

SHA256
451b87903a5877f16cb1ff4df2da10b01741b360ca603818313a582d166757d2

SHA512
bb60b1418498bdeea2ccca363c7b8cc975cae84a5e75817bcfe3ed80eafc2ceaf03076a2d8329366cc5b377646a8e7dd8db1111fc36999fe44bb1757525838d2

Download Submit
memory/1848-0-0x0000000074ADE000-0x0000000074ADF000-memory.dmp

Filesize
4KB

Download
memory/1848-1-0x0000000001190000-0x000000000119A000-memory.dmp

Filesize
40KB

Download
memory/1848-7-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/1848-24-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/2732-23-0x0000000000800000-0x000000000080A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing