7e09f3a3afb083991a5a3c5cbc9a85d8f2a6f08ff555c55d391c16194a4a3948

General

Target

a495330e156d736c6684d5dc97166880_NeikiAnalytics.exe
Size

12KB
MD5

a495330e156d736c6684d5dc97166880
SHA1

f28df3c1532e6e473317336d1f382409646e14b7
SHA256

7e09f3a3afb083991a5a3c5cbc9a85d8f2a6f08ff555c55d391c16194a4a3948
SHA512

73b38467eef0063111e4ad608f9f939988675c364afeca0176ec492d69f658077d5da421e8eb4aaf93e1503e064fc103723c2c520d2956300ca366ae0e4aab2b
SSDEEP

384:BL7li/2zDq2DcEQvdhcJKLTp/NK9xabo:h/M/Q9cbo

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2516	tmp31FA.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2516	tmp31FA.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
1928	a495330e156d736c6684d5dc97166880_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1928	a495330e156d736c6684d5dc97166880_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 2784	1928	a495330e156d736c6684d5dc97166880_NeikiAnalytics.exe	28
PID 1928 wrote to memory of 2784	1928	a495330e156d736c6684d5dc97166880_NeikiAnalytics.exe	28
PID 1928 wrote to memory of 2784	1928	a495330e156d736c6684d5dc97166880_NeikiAnalytics.exe	28
PID 1928 wrote to memory of 2784	1928	a495330e156d736c6684d5dc97166880_NeikiAnalytics.exe	28
PID 2784 wrote to memory of 2584	2784	vbc.exe	30
PID 2784 wrote to memory of 2584	2784	vbc.exe	30
PID 2784 wrote to memory of 2584	2784	vbc.exe	30
PID 2784 wrote to memory of 2584	2784	vbc.exe	30
PID 1928 wrote to memory of 2516	1928	a495330e156d736c6684d5dc97166880_NeikiAnalytics.exe	31
PID 1928 wrote to memory of 2516	1928	a495330e156d736c6684d5dc97166880_NeikiAnalytics.exe	31
PID 1928 wrote to memory of 2516	1928	a495330e156d736c6684d5dc97166880_NeikiAnalytics.exe	31
PID 1928 wrote to memory of 2516	1928	a495330e156d736c6684d5dc97166880_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\a495330e156d736c6684d5dc97166880_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a495330e156d736c6684d5dc97166880_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2yux0wzl\2yux0wzl.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES338E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDE98A43B9B33479BAD7E69395F21B198.TMP"
    3⤵
    PID:2584
- C:\Users\Admin\AppData\Local\Temp\tmp31FA.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp31FA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a495330e156d736c6684d5dc97166880_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2yux0wzl\2yux0wzl.0.vb

Filesize
2KB

MD5
feab9c65be48d72d964c8b55ae1178f7

SHA1
1ab705d6fbc0022d13ee195e87ffa0baa9262d3e

SHA256
de36ec4e8acf252d4819a89c59b074d608081dbfa80506c964706520025622c0

SHA512
64a1a1fccd1273b9aa946d385211310b0adcecf0cc0b607d183324e9cb784e43c366045b5cb223a5fc3599869bb63457c1b13f01e4bb11c19b420150bfe71893

Download Submit
C:\Users\Admin\AppData\Local\Temp\2yux0wzl\2yux0wzl.cmdline

Filesize
273B

MD5
4bdbd3136b2879d3901ff33116f4f543

SHA1
c3255a3c9427a643abeb911b3e843b438452d9cf

SHA256
db3852fb06455670311835973d8170d18b5cc06f6ff7cd9102606c3d1b8285f8

SHA512
e106fddae4dfc56ef33b314812a95f26f3146c02042c6fceb039df755b1ae4ff7dd4f630fd8554ea0d57029661c392fc7c20418c63e41919799dbf986fb18e44

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
76b3832fde0525cf4d96ce867b27f006

SHA1
cd57f2c68abf969c01e5b91b6af8725b5ffa70e1

SHA256
483019579c634e6621cd0bceea27d5955a32c5b8246d8889dfa1c9d29f1804d6

SHA512
297d8f152baf75b454de5f59093f50205d5d91e619ca759ea1a016e131ac99bee1418208126a4be769d04134252f850e81663cd880b804a5962b60e1493a73f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES338E.tmp

Filesize
1KB

MD5
ca9df0fc68afc609422223842e15320f

SHA1
1f60b0c2934deed4d52a52640b2236d2c0613a5a

SHA256
20d26d1fa74f0226cf6ef42ca2494761aa5ca553b18fa4955e31603fe5019195

SHA512
b8ff215cc71f86968a7d61ce323e90c95f3c16b942fd94b40f182c79ac902f38286bcdedacec243cc33d6bd98e920658bfabaa39218ff52d5ae528f5331cc249

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp31FA.tmp.exe

Filesize
12KB

MD5
213b4c648c79b2aeaa5faaa676936efb

SHA1
d5e9abfc0324802ca87dc64d116502b6f724ee4a

SHA256
122b2f0b626067d63155d94b1f49ab93462ee4e584ddcc1e2893f1b0ec93ef70

SHA512
84d33bab35cf6ae4ed0077722d5afa9e109f5c9dbadcce61583be4dcd01c848fb65cb2d1be2b68b4173034477efa4178966af775173686e7a0f05c4bffa07a5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDE98A43B9B33479BAD7E69395F21B198.TMP

Filesize
1KB

MD5
1aeaa13d14e7add5f97a7e287374fd84

SHA1
cae8bfcab890aad255d68640e62650fb31c2571e

SHA256
22ae0d7239857811edd7d112fac636f3d1dcb04c291994f1eafeadb114e30538

SHA512
2038dd521c0018b395c7796c7a2a5c3217cbdd5e9c8b0692dbb2014fa6fa690331eabd272a5f4f4aed3991336198b09325e34015c558c0433c4853e49a09173d

Download Submit
memory/1928-0-0x000000007439E000-0x000000007439F000-memory.dmp

Filesize
4KB

Download
memory/1928-1-0x0000000000A60000-0x0000000000A6A000-memory.dmp

Filesize
40KB

Download
memory/1928-7-0x0000000074390000-0x0000000074A7E000-memory.dmp

Filesize
6.9MB

Download
memory/1928-23-0x0000000074390000-0x0000000074A7E000-memory.dmp

Filesize
6.9MB

Download
memory/2516-24-0x0000000000300000-0x000000000030A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing