f3e4cfc3f347d1feff2019072d06c342c89f6b8fa712eabd16d07395f101fbd1

General

Target

bf4c8e250602dbd4b327ad48c7680880_NeikiAnalytics.exe
Size

12KB
MD5

bf4c8e250602dbd4b327ad48c7680880
SHA1

7b4d6196f0492f7e6d763eb8cbfdbb8869015466
SHA256

f3e4cfc3f347d1feff2019072d06c342c89f6b8fa712eabd16d07395f101fbd1
SHA512

fc9c62013975078833602eb0bdd911c5569b8c2f1d7f7461976438b3a9839ecd82be768f050690d6213b2a5c6ca1f203521225590ba84057ee5d5d64357c2f63
SSDEEP

384:oL7li/2zgq2DcEQvdhcJKLTp/NK9xaX/:WkM/Q9cX/

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2648	tmp10C4.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2648	tmp10C4.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2276	bf4c8e250602dbd4b327ad48c7680880_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2276	bf4c8e250602dbd4b327ad48c7680880_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2080	2276	bf4c8e250602dbd4b327ad48c7680880_NeikiAnalytics.exe	28
PID 2276 wrote to memory of 2080	2276	bf4c8e250602dbd4b327ad48c7680880_NeikiAnalytics.exe	28
PID 2276 wrote to memory of 2080	2276	bf4c8e250602dbd4b327ad48c7680880_NeikiAnalytics.exe	28
PID 2276 wrote to memory of 2080	2276	bf4c8e250602dbd4b327ad48c7680880_NeikiAnalytics.exe	28
PID 2080 wrote to memory of 2632	2080	vbc.exe	30
PID 2080 wrote to memory of 2632	2080	vbc.exe	30
PID 2080 wrote to memory of 2632	2080	vbc.exe	30
PID 2080 wrote to memory of 2632	2080	vbc.exe	30
PID 2276 wrote to memory of 2648	2276	bf4c8e250602dbd4b327ad48c7680880_NeikiAnalytics.exe	31
PID 2276 wrote to memory of 2648	2276	bf4c8e250602dbd4b327ad48c7680880_NeikiAnalytics.exe	31
PID 2276 wrote to memory of 2648	2276	bf4c8e250602dbd4b327ad48c7680880_NeikiAnalytics.exe	31
PID 2276 wrote to memory of 2648	2276	bf4c8e250602dbd4b327ad48c7680880_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\bf4c8e250602dbd4b327ad48c7680880_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\bf4c8e250602dbd4b327ad48c7680880_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2k5ehqbp\2k5ehqbp.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES119D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCA9B50389C2A411A998F39DB69C2419C.TMP"
    3⤵
    PID:2632
- C:\Users\Admin\AppData\Local\Temp\tmp10C4.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp10C4.tmp.exe" C:\Users\Admin\AppData\Local\Temp\bf4c8e250602dbd4b327ad48c7680880_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2k5ehqbp\2k5ehqbp.0.vb

Filesize
2KB

MD5
a5442b9c08165666a1cf8ee3790ad0a2

SHA1
c33cfa1b97e6f0f21455882f73ecb38d9318a246

SHA256
dfa24b613b574698345085cbc65a0651268fb625cadeedc26cabff59da5f21b1

SHA512
5a092ac08c212a8dd46a8ec7ff03ee855f80c1522595d0c5aa4a69f0b8b1d20059eaf578dc09ee7157bc5f604aec0b557d4fad8d5e14fbc9f8af10952fe3873f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2k5ehqbp\2k5ehqbp.cmdline

Filesize
273B

MD5
8235956a2c3f02223667776067ee6d38

SHA1
d384bfdd46f76c9777af07e604e6eb592870514f

SHA256
f7274a7a1eb5abf155aac6981f32eee1b05e10861590e60e843898f725d730e8

SHA512
89dd4dbd388b223e781bfc0f70c651affbddc98fbd79f9acaba89554f0a24b38293a20aa8a4e32b0ab3b3b6fe1a52997c8ceade58aa13b7422f15ed05afe5482

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
ac8b851ef8b0ec7664bd387faea83373

SHA1
38fdd49b7cc1afe9429ff078ffbd38feadf16063

SHA256
2e2fc845a35b69e0166a155f885c30a98fe21b05d3d543b2fb1a3ba7830d4a9e

SHA512
4c7eb282db3c387e1001ba542d4c38c92bb9260470db8497126e62e24b39c0c362feba7865ff64494e093391b8e0528d14ac93b021e60910508d591032ec7623

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES119D.tmp

Filesize
1KB

MD5
023cad6cc4bcffdf2a7b3e7ada22cad4

SHA1
29a2d8cf8f2e52dce78fc9ff6bad9c6e90cd6c96

SHA256
e21deef1ddfe2c3dccccb8113f766dd85a7f9c9f1e6529526b80851106034970

SHA512
02f53b987fc9540ff7a87be47ca474c92530ac386528634f98269fa302f0bc506fb97eaadf14a337e691ebc5ae8ab1cff510b1395e74cdde06eb69f1c24a5cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp10C4.tmp.exe

Filesize
12KB

MD5
d8b68fa9c0c4151b7b7188480385ff31

SHA1
ee3d25aad21ccc52653606908ebdded3fdd8cb9a

SHA256
6b0d6d0eabb03f094918756de98b1d24c302777059e270620054f1379f27ae3e

SHA512
4b5127070986111b767722b63119d8ab8ddcbc160917b904e2dea63724e66bc002b578c69c6af303c2fe0a4784332f5ad73393d9372dbf7a15d28503ec0b0790

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCA9B50389C2A411A998F39DB69C2419C.TMP

Filesize
1KB

MD5
3d523a7ca352cd9b3392057cc24bd71a

SHA1
0cc78731740bace987eb46f2a30f38eda00e1544

SHA256
7200a053db21fb86a702fcf5e7bbb9a35c332275c31d660e894c990d7ec0ec68

SHA512
a83c40e37824380bd0fc9e085e92e3233f62891f7359051b76889fa01b48ad622dce0e264f92ebd6fbff75ddc96d95d0657bc4c27618a67210f26b26ebb2332b

Download Submit
memory/2276-0-0x000000007420E000-0x000000007420F000-memory.dmp

Filesize
4KB

Download
memory/2276-1-0x0000000000B90000-0x0000000000B9A000-memory.dmp

Filesize
40KB

Download
memory/2276-7-0x0000000074200000-0x00000000748EE000-memory.dmp

Filesize
6.9MB

Download
memory/2276-24-0x0000000074200000-0x00000000748EE000-memory.dmp

Filesize
6.9MB

Download
memory/2648-23-0x00000000001F0000-0x00000000001FA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing