fc9c4c22d6b9b6d33c7c7c290b67562835a0e884f3e4f186c9c4abf326b4c437

General

Target

5d1bb8529b16b6062830573ba0bdb810_NeikiAnalytics.exe
Size

12KB
MD5

5d1bb8529b16b6062830573ba0bdb810
SHA1

2393b4c194b888f21dfb7670bf9844b64c873bd5
SHA256

fc9c4c22d6b9b6d33c7c7c290b67562835a0e884f3e4f186c9c4abf326b4c437
SHA512

b415d37612a82d8ad22eec54d1ca15a815f3619040bd977af5573ed5a45bf94071fb654b2e76da90c0ac0e27ef90105e38e2ebd1ee616f8c1a65bcfa2e0be6c9
SSDEEP

384:xL7li/2zOq2DcEQvdhcJKLTp/NK9xa+M:xmM/Q9c+M

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2780	tmp2981.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2780	tmp2981.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
1924	5d1bb8529b16b6062830573ba0bdb810_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1924	5d1bb8529b16b6062830573ba0bdb810_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 2332	1924	5d1bb8529b16b6062830573ba0bdb810_NeikiAnalytics.exe	28
PID 1924 wrote to memory of 2332	1924	5d1bb8529b16b6062830573ba0bdb810_NeikiAnalytics.exe	28
PID 1924 wrote to memory of 2332	1924	5d1bb8529b16b6062830573ba0bdb810_NeikiAnalytics.exe	28
PID 1924 wrote to memory of 2332	1924	5d1bb8529b16b6062830573ba0bdb810_NeikiAnalytics.exe	28
PID 2332 wrote to memory of 2544	2332	vbc.exe	30
PID 2332 wrote to memory of 2544	2332	vbc.exe	30
PID 2332 wrote to memory of 2544	2332	vbc.exe	30
PID 2332 wrote to memory of 2544	2332	vbc.exe	30
PID 1924 wrote to memory of 2780	1924	5d1bb8529b16b6062830573ba0bdb810_NeikiAnalytics.exe	31
PID 1924 wrote to memory of 2780	1924	5d1bb8529b16b6062830573ba0bdb810_NeikiAnalytics.exe	31
PID 1924 wrote to memory of 2780	1924	5d1bb8529b16b6062830573ba0bdb810_NeikiAnalytics.exe	31
PID 1924 wrote to memory of 2780	1924	5d1bb8529b16b6062830573ba0bdb810_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\5d1bb8529b16b6062830573ba0bdb810_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5d1bb8529b16b6062830573ba0bdb810_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\f1uyqnsc\f1uyqnsc.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2AD8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB543EAF3F9B4433091A4E923C754356C.TMP"
    3⤵
    PID:2544
- C:\Users\Admin\AppData\Local\Temp\tmp2981.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp2981.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5d1bb8529b16b6062830573ba0bdb810_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
cbd7b57c2280f69333a82d3a6fdfac69

SHA1
6ec39946ba6595b1412838a83776e08fd3c8f8f0

SHA256
d63c8e287a291be58e64bd94dbb64de4f85b456cdcc1715b1655090f16bf1271

SHA512
6f27cd58226e3816fda51cf1594ae571a491530e80fcfb18ff3bba887085dbd46d0f642660b48b5fa32d3f80cd27835bb0373a3251d73a60ff1ecbb66b81ed28

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2AD8.tmp

Filesize
1KB

MD5
8ef2ebccb840e5a8059583b1f2a85d62

SHA1
65a98c118a0120f1306578d74395c2e64a6e9603

SHA256
33f4610aae15fe479482453ffa872ec71e900802df470d722020e19d9a696e7c

SHA512
20542f522388cf86d95e9b4ca09e3e8081179e050733d43634be98892c8cf1b0d727f4d2c8e566335553af7e1d27e4b9ab1ba22236cc9af6ac18d19889608bb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\f1uyqnsc\f1uyqnsc.0.vb

Filesize
2KB

MD5
7613f4ab6c7f5ed05598bc32b3ffd345

SHA1
1b3ba08066d5dd8bc15c67d2572154d3da841aca

SHA256
d282dfae22a0a3521428b731d2c3dbd7b4f1b700033fa40f494773291aaa88e2

SHA512
0167c5e71d795e24cb862d6a0e3318cb3bb73a4842246152bfbaf45b3b4502da434884eca00a4c28dba947a2af9f1075174a586185037316289a6a878ecbda85

Download Submit
C:\Users\Admin\AppData\Local\Temp\f1uyqnsc\f1uyqnsc.cmdline

Filesize
273B

MD5
24dad8c022f50c1bd48cc31aa4727c44

SHA1
c01ce4ab23e061d945a0ad162672a122fc023fec

SHA256
196c22f1893862e3c8be12021d8b536aca0be37195346227a5a7d34ffddbe857

SHA512
01f6005a13d184e6d151bedd87adad395b9a372427ea082b687d872fc4716c012272b90fbd0baaa9eb6bd4a9fbb3263bcb4238dc87c2a851fc681440ac1e6a89

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2981.tmp.exe

Filesize
12KB

MD5
9c2107110f75771a3029fa918fa7715e

SHA1
ea640c50bb6e6833d997139749cc18819a3647ae

SHA256
7c35dae056f7d0feba77c4f7f607e8ac609668d8ffa2f398924b86d6a4e74662

SHA512
4c12d7b1eb0e479a3c99858a04ae8a013c48aba297420d4f354665a697b82ea675b89a373b1cb821ca0af47d1cc44ea13c347ec618e0755d01fdcbd2890c8f41

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB543EAF3F9B4433091A4E923C754356C.TMP

Filesize
1KB

MD5
8ec8b40d1e356e59c7488351f5792d1d

SHA1
4809146c281cdea8f2548070cff1dd599eb71846

SHA256
8a68cc8f8f3311cbf53d4be7c9fddec6d06835b681945b06a1ec2efc56c7ad86

SHA512
8efe33b4ad127baf24a9a2f438960ca7c1b16c79aa3856306171421db1d1334a2a843e9dcebad358a6a92ac14bcdcc8dd73c5862b98c1ec8906a9e27242e62b6

Download Submit
memory/1924-0-0x000000007480E000-0x000000007480F000-memory.dmp

Filesize
4KB

Download
memory/1924-1-0x0000000000D00000-0x0000000000D0A000-memory.dmp

Filesize
40KB

Download
memory/1924-7-0x0000000074800000-0x0000000074EEE000-memory.dmp

Filesize
6.9MB

Download
memory/1924-23-0x0000000074800000-0x0000000074EEE000-memory.dmp

Filesize
6.9MB

Download
memory/2780-24-0x0000000000DC0000-0x0000000000DCA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing