c01b66cfbdc345a0ed3b5e22a2c69020c166abbd4232201bb01d4d50ef3a4e7c

General

Target

016e9f4c44a3a88eaaea58c98dac6a90_NeikiAnalytics.exe
Size

12KB
MD5

016e9f4c44a3a88eaaea58c98dac6a90
SHA1

e412fe408142719bb8e41378a75134c45574792a
SHA256

c01b66cfbdc345a0ed3b5e22a2c69020c166abbd4232201bb01d4d50ef3a4e7c
SHA512

670db0f083e689e06993b92702c77b0633d55e1dce431e0c6329b56c2b855c85f05b250a6080e90342148995b4eefcaed2a4bc932184e110ce9e7253e15a8e23
SSDEEP

384:iL7li/2zg7q2DcEQvdhcJKLTp/NK9xaov:8YM/Q9cov

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2676	tmp1102.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2676	tmp1102.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
1684	016e9f4c44a3a88eaaea58c98dac6a90_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1684	016e9f4c44a3a88eaaea58c98dac6a90_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 2480	1684	016e9f4c44a3a88eaaea58c98dac6a90_NeikiAnalytics.exe	28
PID 1684 wrote to memory of 2480	1684	016e9f4c44a3a88eaaea58c98dac6a90_NeikiAnalytics.exe	28
PID 1684 wrote to memory of 2480	1684	016e9f4c44a3a88eaaea58c98dac6a90_NeikiAnalytics.exe	28
PID 1684 wrote to memory of 2480	1684	016e9f4c44a3a88eaaea58c98dac6a90_NeikiAnalytics.exe	28
PID 2480 wrote to memory of 2528	2480	vbc.exe	30
PID 2480 wrote to memory of 2528	2480	vbc.exe	30
PID 2480 wrote to memory of 2528	2480	vbc.exe	30
PID 2480 wrote to memory of 2528	2480	vbc.exe	30
PID 1684 wrote to memory of 2676	1684	016e9f4c44a3a88eaaea58c98dac6a90_NeikiAnalytics.exe	31
PID 1684 wrote to memory of 2676	1684	016e9f4c44a3a88eaaea58c98dac6a90_NeikiAnalytics.exe	31
PID 1684 wrote to memory of 2676	1684	016e9f4c44a3a88eaaea58c98dac6a90_NeikiAnalytics.exe	31
PID 1684 wrote to memory of 2676	1684	016e9f4c44a3a88eaaea58c98dac6a90_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\016e9f4c44a3a88eaaea58c98dac6a90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\016e9f4c44a3a88eaaea58c98dac6a90_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z0mznmnh\z0mznmnh.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES11DC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD06417DA857445D99DE25716FE28E9.TMP"
    3⤵
    PID:2528
- C:\Users\Admin\AppData\Local\Temp\tmp1102.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp1102.tmp.exe" C:\Users\Admin\AppData\Local\Temp\016e9f4c44a3a88eaaea58c98dac6a90_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
336b0a634de76358b3247ea97a79d08d

SHA1
7e44e9856556235b96e2db8b03e9544ad1cbf5cc

SHA256
2335f0c17303f7ab5f1099532a122af7d3498de78ea827a5a5d226a757f24365

SHA512
83988508860724076b9a9d4bd5d98c258554f8450021be6ff4474e8a3a652c931848bf3e45e60d962bce7facc629b20e285fbfddc87b4730ce24c33eca2adce7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES11DC.tmp

Filesize
1KB

MD5
7c4d44b03f52a27876b7bfaf0160dc36

SHA1
3f1626ba1ada17ec9dc19ca406f1c46fb946296f

SHA256
f5c5a42807954355396bf5d4a0128cd3e6cc5712389735b151f4dd2497018949

SHA512
cedff30c555696c70492cc6defa02e3261c8c2f0a35c4eaee7d9d3c5d6fcb7c87e114624d878d956dee915ef4620610d021b717871ba5c0b1be42f7ad857e401

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1102.tmp.exe

Filesize
12KB

MD5
e225ae56d6783189e92f3eadaff7d585

SHA1
11c5e2a3cef12f2469ac1a6c9a955714ac738d1b

SHA256
697eb4c13a225d46397d01fb362d8dada68fea656065968ee25b747665740aee

SHA512
afbd052bf1093ec6f67d242fe20203a15816aecbc1d4911d691e5aa3dcfac8c9b3cb845fb5c9d15dafbe53433efb1199a1dd75daa1f0a72e93f37d0fc02a025c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD06417DA857445D99DE25716FE28E9.TMP

Filesize
1KB

MD5
a70e998f6e0531823637f72a6baf1c6f

SHA1
8f27c0d36911d11163468c904fa3477852873b72

SHA256
d928a551101095029b258cb566227b1100108a2414eb110a93c5ba03de2bbb79

SHA512
2adfb69041eb01c1a86370351453826f954118bdec6a30fee79a07e0e4fbbdd544b7d4b016a4b85f1cd10a02d3edbf17c986c62338540b53a11055ecafebf665

Download Submit
C:\Users\Admin\AppData\Local\Temp\z0mznmnh\z0mznmnh.0.vb

Filesize
2KB

MD5
a44f8426c48dc2fd34a15993c1521684

SHA1
8871f0c4dd17c61b671eca81d8a7297880dde9b9

SHA256
1e3aee8ae912848224c892d703afa499370d0f8f85b64d01861d8bf03934a5be

SHA512
a81717814e0cb477fbae88479ba91b962a4b06508c30065696d95f5f9bca7595152617ba3dcf791b651d15c7a44743311a8e8678fa27d4fb5c718d2d5e20faac

Download Submit
C:\Users\Admin\AppData\Local\Temp\z0mznmnh\z0mznmnh.cmdline

Filesize
273B

MD5
51ec33b4a5455fec9cf6227097e166ac

SHA1
db46da7efa20dc055360489b0000cd8b2bf786dd

SHA256
40205d30c47d73c3bc3c72a108ff1b401abb687b80a70b686d4210aa7550f1ab

SHA512
0595c614db8db908f66990c09d9c83184c6af28024468dce7fa952acd72e8ddef1e63a588ef554dd21d05548ef821cb9ce249739a6cb00a50e9e95ac09ebf626

Download Submit
memory/1684-0-0x0000000074D9E000-0x0000000074D9F000-memory.dmp

Filesize
4KB

Download
memory/1684-1-0x0000000000AA0000-0x0000000000AAA000-memory.dmp

Filesize
40KB

Download
memory/1684-6-0x0000000074D90000-0x000000007547E000-memory.dmp

Filesize
6.9MB

Download
memory/1684-24-0x0000000074D90000-0x000000007547E000-memory.dmp

Filesize
6.9MB

Download
memory/2676-23-0x0000000001250000-0x000000000125A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing