3bc00e9d70cfcd19138a478250f41e17c028ae55b160a54c76af9f76530c701b

General

Target

88dbe12faa2d3a3ebe2fc6dbef00b960_NeikiAnalytics.exe
Size

12KB
MD5

88dbe12faa2d3a3ebe2fc6dbef00b960
SHA1

d06b20e13fb571ed9d7fdf51ef3c958019c3f9cd
SHA256

3bc00e9d70cfcd19138a478250f41e17c028ae55b160a54c76af9f76530c701b
SHA512

f8b1bfd87d30f2b69211e51d8ebc561d1e62f96cb811c772baae9c4afe84c9c485c18c0349426462ec159264e27f0243bf9edfd81d4395d897d1e343c6ad6e7f
SSDEEP

384:HL7li/2z1q2DcEQvdhcJKLTp/NK9xaOf:rlM/Q9cOf

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2740	tmp364D.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2740	tmp364D.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
1284	88dbe12faa2d3a3ebe2fc6dbef00b960_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1284	88dbe12faa2d3a3ebe2fc6dbef00b960_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 2180	1284	88dbe12faa2d3a3ebe2fc6dbef00b960_NeikiAnalytics.exe	28
PID 1284 wrote to memory of 2180	1284	88dbe12faa2d3a3ebe2fc6dbef00b960_NeikiAnalytics.exe	28
PID 1284 wrote to memory of 2180	1284	88dbe12faa2d3a3ebe2fc6dbef00b960_NeikiAnalytics.exe	28
PID 1284 wrote to memory of 2180	1284	88dbe12faa2d3a3ebe2fc6dbef00b960_NeikiAnalytics.exe	28
PID 2180 wrote to memory of 1272	2180	vbc.exe	30
PID 2180 wrote to memory of 1272	2180	vbc.exe	30
PID 2180 wrote to memory of 1272	2180	vbc.exe	30
PID 2180 wrote to memory of 1272	2180	vbc.exe	30
PID 1284 wrote to memory of 2740	1284	88dbe12faa2d3a3ebe2fc6dbef00b960_NeikiAnalytics.exe	31
PID 1284 wrote to memory of 2740	1284	88dbe12faa2d3a3ebe2fc6dbef00b960_NeikiAnalytics.exe	31
PID 1284 wrote to memory of 2740	1284	88dbe12faa2d3a3ebe2fc6dbef00b960_NeikiAnalytics.exe	31
PID 1284 wrote to memory of 2740	1284	88dbe12faa2d3a3ebe2fc6dbef00b960_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\88dbe12faa2d3a3ebe2fc6dbef00b960_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\88dbe12faa2d3a3ebe2fc6dbef00b960_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1uyrs1hy\1uyrs1hy.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES37F2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFADC3C2414674AE68B6E51EC3794C1.TMP"
    3⤵
    PID:1272
- C:\Users\Admin\AppData\Local\Temp\tmp364D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp364D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\88dbe12faa2d3a3ebe2fc6dbef00b960_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1uyrs1hy\1uyrs1hy.0.vb

Filesize
2KB

MD5
44f4e37e82306b372df790282d7c588b

SHA1
18756b087d72bc29ae9795c65ebd1d483faa7ac2

SHA256
7ded6796f11d2549c3a9c28e8d71d0afd940822028154cba91cb8e1cf9d6f158

SHA512
03a874361ead4fffde526a65a43ebdad0573a188df6e30beb04eadadefb514071340e225d2daff2f05e8d808d8ad6dd39f21b237b710cc216367bbab0c96f7a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1uyrs1hy\1uyrs1hy.cmdline

Filesize
273B

MD5
626561e78d9544d4c3d32ec8bb862dc3

SHA1
c3a52a6b0607ec23ed1cf3803408e6db06dde2c3

SHA256
ea754d273af1886162b92327738d84071bf2ecb99e5b97a2e8245f196e878351

SHA512
6a8583ae0a2cba525d076a03da2bca1584a30fc7cce3d60654c04c02f93876c768cae4af259105e41e87dd2b18f91b79ef5ef76f2c6f7ae01e0f7a06a534bf36

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
5a9672964ade6afe248aa1e9cc31d0f6

SHA1
13f1762a874b311e288d2052cc17fad51c389908

SHA256
73277a4050310ca5dc35d635e3e23a478a86c8feb05c2cfa9195631f5bd013d6

SHA512
8a6da96f84be8f3418194c9fb05a65cd604ae2e5047def8859594c71b9020b2b56e3647f68894d7813b7a9f591658f6dfad0c4841fd3e9bf6312b835bd86e56f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES37F2.tmp

Filesize
1KB

MD5
cdfb4a96ab478e00e8173023d79f23bf

SHA1
2a292709d11ce9b188ef8b3dc139695e143de761

SHA256
dd94c2d6ab743197c4b7fc386d7d0f40912317e7ec58084de78d6671354888f5

SHA512
3f75b7d3c5028eb8d30c25f1795060138f3c273bb6e43c48b5d3cb52d4c816195bb9c12f35b18f29bad0f719525cfbf91a0506cd267c41d48f8abbe4fc560cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp364D.tmp.exe

Filesize
12KB

MD5
a0b70c764b486609d3b371a32590f3ab

SHA1
31221519ac7227d04aaf70ec98c4807796186d84

SHA256
c3c507f6638f81e94bedd9f605a356e665ec344eadc2d66d3d03822aebfe0a4c

SHA512
97c0369a0d9b9d57bd60fd60a074318ee6fa8dc42287108faf69eb9cf4ef1cad37e81c04383280fc40c7cec73753c4bb5193280a34ec17aa4378c14eb6bcfbec

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFADC3C2414674AE68B6E51EC3794C1.TMP

Filesize
1KB

MD5
a9dfe1a3c71003adeefe35b75421b94e

SHA1
a59c2314aa4ec65d7b76e3fc10f879e980efd094

SHA256
e8e896933aada7adff7b8b6bf574a525a8e2dae6acf5a89418d994f73251b7bc

SHA512
1ac1d518e2d33286509eae0e7045212e2a2fbc9842178b7f9063c294777c1e2f1b844c17504eaaf6435479c4fab66335a66e8c5ac9e7a7cc912cea4ae31c3653

Download Submit
memory/1284-0-0x00000000746BE000-0x00000000746BF000-memory.dmp

Filesize
4KB

Download
memory/1284-1-0x0000000000340000-0x000000000034A000-memory.dmp

Filesize
40KB

Download
memory/1284-7-0x00000000746B0000-0x0000000074D9E000-memory.dmp

Filesize
6.9MB

Download
memory/1284-23-0x00000000746B0000-0x0000000074D9E000-memory.dmp

Filesize
6.9MB

Download
memory/2740-24-0x0000000000280000-0x000000000028A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing