0083fe8ef5fa529b7cb67fdd3927d91ec3d8736beb405db8612e9aee10864bf1

General

Target

0a623403cd3a136d7a11530348715f00_NeikiAnalytics.exe
Size

12KB
MD5

0a623403cd3a136d7a11530348715f00
SHA1

7b656d6e6a1732f8656969ae0f84c29d3615cabb
SHA256

0083fe8ef5fa529b7cb67fdd3927d91ec3d8736beb405db8612e9aee10864bf1
SHA512

a78912d7fb9881258dc5bdd57aa29c7ab644953b7df4650a8ba3d0dda407d28fd242d8140b44ff0f88282270efef355c920213e3bd6232b02b5c32b8af899d6c
SSDEEP

384:BL7li/2zjq2DcEQvdhcJKLTp/NK9xaLk:h/M/Q9cLk

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2104	tmp8306.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2104	tmp8306.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
3000	0a623403cd3a136d7a11530348715f00_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3000	0a623403cd3a136d7a11530348715f00_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 1296	3000	0a623403cd3a136d7a11530348715f00_NeikiAnalytics.exe	28
PID 3000 wrote to memory of 1296	3000	0a623403cd3a136d7a11530348715f00_NeikiAnalytics.exe	28
PID 3000 wrote to memory of 1296	3000	0a623403cd3a136d7a11530348715f00_NeikiAnalytics.exe	28
PID 3000 wrote to memory of 1296	3000	0a623403cd3a136d7a11530348715f00_NeikiAnalytics.exe	28
PID 1296 wrote to memory of 2864	1296	vbc.exe	30
PID 1296 wrote to memory of 2864	1296	vbc.exe	30
PID 1296 wrote to memory of 2864	1296	vbc.exe	30
PID 1296 wrote to memory of 2864	1296	vbc.exe	30
PID 3000 wrote to memory of 2104	3000	0a623403cd3a136d7a11530348715f00_NeikiAnalytics.exe	31
PID 3000 wrote to memory of 2104	3000	0a623403cd3a136d7a11530348715f00_NeikiAnalytics.exe	31
PID 3000 wrote to memory of 2104	3000	0a623403cd3a136d7a11530348715f00_NeikiAnalytics.exe	31
PID 3000 wrote to memory of 2104	3000	0a623403cd3a136d7a11530348715f00_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\0a623403cd3a136d7a11530348715f00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0a623403cd3a136d7a11530348715f00_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uiddiiac\uiddiiac.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES864F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF71C141BBD5E421D89521B7722D47F80.TMP"
    3⤵
    PID:2864
- C:\Users\Admin\AppData\Local\Temp\tmp8306.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8306.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0a623403cd3a136d7a11530348715f00_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
2614c138e04369b4fb8e0a524e001b07

SHA1
e4bfa1e2f32a499a12622965396cdd2afcdf6c43

SHA256
811aea1f23e3abb6ba92a5cc567310366265eeb9c87ec053efb098f9e1c28dc3

SHA512
3a9ae86cb83cf33ab443a79d935515910f0fd276f257b4fbc56e11f17be0479b8e49ec8272dd8825131feabb5bf9a8d473f42f4a28d6b7eb83900d19a4bf93f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES864F.tmp

Filesize
1KB

MD5
7d6c8b5f44509e869ab44d04ff9d267a

SHA1
a29504898b0f59d22ce276739029ba9de5677a76

SHA256
248ee08c9e844bbf594d22cf71fa08101b294aca3742f4099f26c643bd146ae4

SHA512
ca2ee264286ed42c3275699c5dd09ba4b60d09c0d090d93e181f932544c941ef1190f09fb124194e934824050faf4f1509d35ce1391091468cadad8aa1174101

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8306.tmp.exe

Filesize
12KB

MD5
7f4e594b66afb315b290606b32e6f011

SHA1
875d96c78f8abd6311d4d5626e53ddf3dc546c1d

SHA256
be951a02ead25808c39a387cb73f84e6fc1bde6c60f01d7bbaf8315e2dcad0ba

SHA512
0ccd9d73485a4173747b0c6b94f6a724c53d27be232a4fc7862ede63126c88e466cf805bb33a79b5a9c0c36c55fb894a78fd371759c76c0deb779b133964cb0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uiddiiac\uiddiiac.0.vb

Filesize
2KB

MD5
517059a9d790b3e6cc3b6cec6414e7a7

SHA1
8ff2f18f3d2deee71528fbb2be50900cb7167515

SHA256
db5a336df757c48ab0c8718a6d712ef0971e7a292f8e3c0b412ac73be2ed59bb

SHA512
035a77d0b090870d53a309f3bc2872be62be6755f39eb24e3e90b5e36686cc3a5ef6c07f6818567cd32331c4c73c44386d89cf2fb94578e2d61c0ea0ab3aa42d

Download Submit
C:\Users\Admin\AppData\Local\Temp\uiddiiac\uiddiiac.cmdline

Filesize
273B

MD5
d464c1526948c759082d12d20abfde72

SHA1
bfab20263ad660fe1570e491da8431b17a203be4

SHA256
a80ccb8bce8858ef9240d93ae8fc784fcb119c6f4f5748ee66099c0f1dbb242e

SHA512
f30f264219c88a256c9b1e7a5c519cbf14a46fc8f76003ad2433ef8864272aabe8cf1ccfdbe8f4e0269fb399b0c6beb94edc7461d6da7453aef3cd5b5d82b387

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF71C141BBD5E421D89521B7722D47F80.TMP

Filesize
1KB

MD5
10c89b3bfbc4e40e0cd014d9049a998c

SHA1
7bc13b77d901ccc39533e3439b413fde4128942a

SHA256
58365336108ac5db0909f69161b2cad04ecf7e6813c399106807dec51f6c21cc

SHA512
694adb07eb34577f10ce4933423b7dbd3da1fa93f3d0762cf98c4ac1535f8819625e36c7c52fbfc88c3705c1b9b1ce975db08ac532bbe30c43a4943763d13699

Download Submit
memory/2104-23-0x0000000001220000-0x000000000122A000-memory.dmp

Filesize
40KB

Download
memory/3000-0-0x0000000074B9E000-0x0000000074B9F000-memory.dmp

Filesize
4KB

Download
memory/3000-1-0x0000000000E40000-0x0000000000E4A000-memory.dmp

Filesize
40KB

Download
memory/3000-6-0x0000000074B90000-0x000000007527E000-memory.dmp

Filesize
6.9MB

Download
memory/3000-24-0x0000000074B90000-0x000000007527E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing