243bd42b2a883ba51b44cd90d5648ed4b149f58ff1ba4d8eb5df2bbc5721e379

General

Target

1bab34f9317220f9877519d8f32b3600_NeikiAnalytics.exe
Size

12KB
MD5

1bab34f9317220f9877519d8f32b3600
SHA1

2c1e7b8835d1654811ccbcbe3c82df237364ffad
SHA256

243bd42b2a883ba51b44cd90d5648ed4b149f58ff1ba4d8eb5df2bbc5721e379
SHA512

c4c2c48aa360db23d1d4e2efbebd84f778d2da3f34c909626ad0afa1209a14286d3c653dd0a3d217d81a9b8ab4dcac83c7b58f9a322c78c08824ad7c9cd21666
SSDEEP

384:PL7li/2zBq2DcEQvdhcJKLTp/NK9xaG7:jpM/Q9cG7

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2692	tmp140E.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2692	tmp140E.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2236	1bab34f9317220f9877519d8f32b3600_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2236	1bab34f9317220f9877519d8f32b3600_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 3004	2236	1bab34f9317220f9877519d8f32b3600_NeikiAnalytics.exe	28
PID 2236 wrote to memory of 3004	2236	1bab34f9317220f9877519d8f32b3600_NeikiAnalytics.exe	28
PID 2236 wrote to memory of 3004	2236	1bab34f9317220f9877519d8f32b3600_NeikiAnalytics.exe	28
PID 2236 wrote to memory of 3004	2236	1bab34f9317220f9877519d8f32b3600_NeikiAnalytics.exe	28
PID 3004 wrote to memory of 2732	3004	vbc.exe	30
PID 3004 wrote to memory of 2732	3004	vbc.exe	30
PID 3004 wrote to memory of 2732	3004	vbc.exe	30
PID 3004 wrote to memory of 2732	3004	vbc.exe	30
PID 2236 wrote to memory of 2692	2236	1bab34f9317220f9877519d8f32b3600_NeikiAnalytics.exe	31
PID 2236 wrote to memory of 2692	2236	1bab34f9317220f9877519d8f32b3600_NeikiAnalytics.exe	31
PID 2236 wrote to memory of 2692	2236	1bab34f9317220f9877519d8f32b3600_NeikiAnalytics.exe	31
PID 2236 wrote to memory of 2692	2236	1bab34f9317220f9877519d8f32b3600_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\1bab34f9317220f9877519d8f32b3600_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1bab34f9317220f9877519d8f32b3600_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3exvkpcd\3exvkpcd.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1555.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC724F3AD3B404C7B9C786DD3F206263.TMP"
    3⤵
    PID:2732
- C:\Users\Admin\AppData\Local\Temp\tmp140E.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp140E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1bab34f9317220f9877519d8f32b3600_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3exvkpcd\3exvkpcd.0.vb

Filesize
2KB

MD5
015de1b039da2f6db35ac94d83290bcf

SHA1
478d1eae654ab1c2a84b61fbf5b93419fba6ce21

SHA256
263423d2eb78bb9b41b127006479d3022a6f6f55eafce009e55453ed0339bbe1

SHA512
7f821806b344704dbbc5df5c8a514bf49081a4a8078de67e159e690cb8a050576ddfb389e7f21840aa759bbf6b4a8b82a4f3050ce3040e7355874809cc8a0ccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\3exvkpcd\3exvkpcd.cmdline

Filesize
273B

MD5
0d8606cd0e41f24d6791f7c081a9ad93

SHA1
e64035d9dacce7cff661b60a91d30e6d90bd9998

SHA256
6c4fc2fd800fc59cc66c137ffcf0515ec5c0aab4eb08141eb2ade4d38229b884

SHA512
3d7bcd936e962d1da634bad40b12722dff47026c652eee17a9c46507060b4de077e2643f34bb4e873a454a001f38d15a9709b7562c2f4d2546b195d264af41f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
82eefbf2f80eb2224c65493e7847dab9

SHA1
ee1f67ccd6e69d424bee459d8aecd7a27c40e954

SHA256
d812b8d44e1ccbb7ca9afe7250547e6c57b26e7da47cf76138bef3446bdda116

SHA512
f5ed9c5b917bfb31396082cfca0ae9f1805e6c27e1afb389f0d1be67cd79e694efcea743aee9a5da81043430f86244777a1700024b87cec9f2d590d64a8063ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1555.tmp

Filesize
1KB

MD5
d1b0bb5ea0406cf422e5adea4b14e4ca

SHA1
cda32325270c70f442d4b670b086edcc7060d017

SHA256
0a4920f66bdd5359089e9ce65207091d402b8bb0d5f4a03154cc6c1e7dda6d32

SHA512
2690ea1b7a6fa4318a6a8a37a735ab6e13217c33b57d296d4d8805dc30cfcaed0d6a0d17fe764d7af366125422a011c357fffffe9e763a08e7fa1eff97dd803b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp140E.tmp.exe

Filesize
12KB

MD5
16da70abb4e6f663c11f206e14b3cbe2

SHA1
cca776e49f0272c572264a06242a16e9c6a1b44f

SHA256
e6ca30821a67bebd184a6b22e10b48966dd374ec6a3407bc1fcb14202e019278

SHA512
7ac5ccca26e35395ec59f2beac07ff230b11d9f2b878da47559dae0939aadf4d330919712828c3a39265cbf07fb98b64ee0e87325b52f7102a2140c724968e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC724F3AD3B404C7B9C786DD3F206263.TMP

Filesize
1KB

MD5
8e18bda319dfd10b091a7b67c40d8d0f

SHA1
63d2412da78a59805b4b07b4d79995566875f9b5

SHA256
1f09a1ee6d35ad7c40bad2485153461e944001cecef343720446af293403e049

SHA512
0b4d5a80e8d410e73504d9cf8f34eb2e6c2745c88d93b2b802068fef6fcdc22a9487b04580887433fe502b4c91b54024050908030fc65b0e61275e3063b1efd5

Download Submit
memory/2236-0-0x0000000074C3E000-0x0000000074C3F000-memory.dmp

Filesize
4KB

Download
memory/2236-1-0x0000000000820000-0x000000000082A000-memory.dmp

Filesize
40KB

Download
memory/2236-7-0x0000000074C30000-0x000000007531E000-memory.dmp

Filesize
6.9MB

Download
memory/2236-24-0x0000000074C30000-0x000000007531E000-memory.dmp

Filesize
6.9MB

Download
memory/2692-23-0x0000000000E10000-0x0000000000E1A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing