81c764e55a6536314ccdc7247e9084f38c3cfea8108784f62f6db2bb13189bd5

General

Target

5529224042ed82eb529d376b89bce8c0_NeikiAnalytics.exe
Size

12KB
MD5

5529224042ed82eb529d376b89bce8c0
SHA1

c7c8123b66f94d376601fdf229eb61efb0a341f2
SHA256

81c764e55a6536314ccdc7247e9084f38c3cfea8108784f62f6db2bb13189bd5
SHA512

c958e37d4843e17815f1e3953ab43f9471bbeccc092f38f4c4953b840fd68b6631234165d81926f3cadeb30fa46584879e1bbc11a7ceef18a7ff8b78b9627f85
SSDEEP

384:oL7li/2ziq2DcEQvdhcJKLTp/NK9xaef:WqM/Q9cef

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2616	tmp386F.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2616	tmp386F.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2172	5529224042ed82eb529d376b89bce8c0_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2172	5529224042ed82eb529d376b89bce8c0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 3044	2172	5529224042ed82eb529d376b89bce8c0_NeikiAnalytics.exe	28
PID 2172 wrote to memory of 3044	2172	5529224042ed82eb529d376b89bce8c0_NeikiAnalytics.exe	28
PID 2172 wrote to memory of 3044	2172	5529224042ed82eb529d376b89bce8c0_NeikiAnalytics.exe	28
PID 2172 wrote to memory of 3044	2172	5529224042ed82eb529d376b89bce8c0_NeikiAnalytics.exe	28
PID 3044 wrote to memory of 2704	3044	vbc.exe	30
PID 3044 wrote to memory of 2704	3044	vbc.exe	30
PID 3044 wrote to memory of 2704	3044	vbc.exe	30
PID 3044 wrote to memory of 2704	3044	vbc.exe	30
PID 2172 wrote to memory of 2616	2172	5529224042ed82eb529d376b89bce8c0_NeikiAnalytics.exe	31
PID 2172 wrote to memory of 2616	2172	5529224042ed82eb529d376b89bce8c0_NeikiAnalytics.exe	31
PID 2172 wrote to memory of 2616	2172	5529224042ed82eb529d376b89bce8c0_NeikiAnalytics.exe	31
PID 2172 wrote to memory of 2616	2172	5529224042ed82eb529d376b89bce8c0_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\5529224042ed82eb529d376b89bce8c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5529224042ed82eb529d376b89bce8c0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dbgr0zlf\dbgr0zlf.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES39B6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc312B870E7E964AF3BC1B4F493685B45B.TMP"
    3⤵
    PID:2704
- C:\Users\Admin\AppData\Local\Temp\tmp386F.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp386F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5529224042ed82eb529d376b89bce8c0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
d7d0a1944123b9db12378a224f0f971d

SHA1
718d5e016fba744511d612f7b9a71f424c124cac

SHA256
7f29161502b371ef8508d6c0caed8900bcd932b4fec999bfcc900b17023b2eef

SHA512
cc8c64352ae68c0d89d96528c674750ad0f8394b38dbd9e48ff96899b5e8c9f81528c1a7c7e6b39c36584ab4d4245aad6d9fe4b83706e2cc8e733cbd39ad66da

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES39B6.tmp

Filesize
1KB

MD5
74ede1b3cd4966da2adb24ff132e6093

SHA1
ab4213734a6f0c356335dea5ae51bd95d7a84d97

SHA256
2945a35a79abf0d41b812050695e2ed55641b52aaba052243687a9f6e37d8eaa

SHA512
5a4fb0f06783f386cd6e8e7c6f0610250fc4e9c6b4a287c665136aeb672c793665c8960fd6dfa6af1d76ffea3c989b5ad4de9b5bbff86a5c9b36d18dc03537be

Download Submit
C:\Users\Admin\AppData\Local\Temp\dbgr0zlf\dbgr0zlf.0.vb

Filesize
2KB

MD5
1ac4123cfbb1238c351a19e08a1813cc

SHA1
e2a7fbe19b49ced8c450ca74a7fb38004d978b6e

SHA256
57442dffc9f154bf53d21dbda21a9228e547dbf7925b34da7525c4ffee7d922e

SHA512
98e8bac4071067f7e6c4dc24c58bf1604443a0a0294a0f976a9084c2e5aae5dc9ef8a28dddb16055322dd2b51e3bfcb1fa25e73422b80ed229efc6c1f29b46b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\dbgr0zlf\dbgr0zlf.cmdline

Filesize
273B

MD5
23ab1a2c6b4a38df412efff801e5f4c5

SHA1
fd715f09ce5d6a73d5a59d8fbff69dd43b7a4e3b

SHA256
0d906530f444c26af237831e7be023260d2a9f0fbe731dd23d9c1f05a269961c

SHA512
1c047c0a07685ea7f38df83b5f90dd9fec92def72e73e318f648770551686314dd926760d8a05de12659de5d32cecbd9d5541bdea453ddc31963dc2244c7214c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp386F.tmp.exe

Filesize
12KB

MD5
b668f6549b92f2f9f486a0c66644f7a2

SHA1
1febf3e3c8388c74762e5e0fa08194ebb64249ac

SHA256
f5a3dccbc95b5e4331737652e49a477c4c4ea04ce42bc621aa322cbd4f3f5f40

SHA512
f1bed8bf04f7dd4e418708b687fae2a86a46066d5db4ab18ab8425529f987eb5b0019dd2fa92c385f18dcb7648f3fdf24f8b4679f79509d5c816351803e4847d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc312B870E7E964AF3BC1B4F493685B45B.TMP

Filesize
1KB

MD5
16e02a06ee875aa749e19b88673de258

SHA1
e7bce8f541c68391aa27ecf3e2d1c3540f1fdbd9

SHA256
23131e03e3931d4f1cb04ab8046dd7e26aa82bfd15547571cfcacf42eca40964

SHA512
d4eca4eaabbd99d0032b8223c46faa86d4b3d69b170a880e0ab226ee3fb4b559f53215f91550e40109fa26c9b707001fd44ea9621bff2b780efd8f6f40ff64a9

Download Submit
memory/2172-0-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

Filesize
4KB

Download
memory/2172-1-0x0000000000C30000-0x0000000000C3A000-memory.dmp

Filesize
40KB

Download
memory/2172-7-0x0000000074A00000-0x00000000750EE000-memory.dmp

Filesize
6.9MB

Download
memory/2172-23-0x0000000074A00000-0x00000000750EE000-memory.dmp

Filesize
6.9MB

Download
memory/2616-24-0x00000000012F0000-0x00000000012FA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing