Analysis

max time kernel: 120s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 10-06-2024 21:04

Static task: static1

Behavioral task: behavioral1
Sample: 1b5988196ba6f923121dff0bcb7b0bf0_NeikiAnalytics.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 1b5988196ba6f923121dff0bcb7b0bf0_NeikiAnalytics.exe
Resource: win10v2004-20240426-en
General

Target: 1b5988196ba6f923121dff0bcb7b0bf0_NeikiAnalytics.exe
Size: 12KB
MD5: 1b5988196ba6f923121dff0bcb7b0bf0
SHA1: 339a2ed582b4eb9cc133caf2335e0bbdcb8c7ba1
SHA256: 23c77cdc3cc09a94df9a30f9894a403c2ef2667a4f62d8fbe8f8de93192c75d6
SHA512: cc58f7e8b683a03cf9c873f712dbbe9e74d2ed7390a9a695416abc9ff5ab177e89885ef7f9117afeb1fc0c367ef7f0a0faf78a0979f4ae6ad7a22656432d9404
SSDEEP: 384:HL7li/2zBq2DcEQvdhcJKLTp/NK9xa03:rxM/Q9c03
Malware Config
Signatures

Deletes itself (1 IoC)
  pid 2952  tmpB1F2.tmp.exe

Executes dropped EXE (1 IoC)
  pid 2952  tmpB1F2.tmp.exe

Loads dropped DLL (1 IoC)
  pid 2236  1b5988196ba6f923121dff0bcb7b0bf0_NeikiAnalytics.exe

Uses the VBS compiler for execution (1 TTP)
  The process tree below shows vbc.exe, the Visual Basic .NET command-line compiler shipped with the .NET Framework (not the VBScript engine), being invoked with a response file written to the user's Temp directory: the sample compiles code at runtime instead of carrying the final executable itself.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  pid 2236  1b5988196ba6f923121dff0bcb7b0bf0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process                                               procid_target
  PID 2236 wrote to memory of 2296   2236  1b5988196ba6f923121dff0bcb7b0bf0_NeikiAnalytics.exe   28  (4 identical events)
  PID 2296 wrote to memory of 2464   2296  vbc.exe                                               30  (4 identical events)
  PID 2236 wrote to memory of 2952   2236  1b5988196ba6f923121dff0bcb7b0bf0_NeikiAnalytics.exe   31  (4 identical events)
  Each target is a direct child of the writing process (compare the process tree below), so these writes are consistent with ordinary child-process creation rather than injection into an unrelated process.
Processes

1. Image: C:\Users\Admin\AppData\Local\Temp\1b5988196ba6f923121dff0bcb7b0bf0_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1b5988196ba6f923121dff0bcb7b0bf0_NeikiAnalytics.exe"
   PID: 2236
   - Loads dropped DLL
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0jitczgd\0jitczgd.cmdline"
      PID: 2296
      - Suspicious use of WriteProcessMemory

      3. Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB70F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA39BFB46BAB5436DAA6D6020207F964D.TMP"
         PID: 2464

   2. Image: C:\Users\Admin\AppData\Local\Temp\tmpB1F2.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmpB1F2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1b5988196ba6f923121dff0bcb7b0bf0_NeikiAnalytics.exe
      PID: 2952
      - Deletes itself
      - Executes dropped EXE
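The process tree above carries two detectable patterns: a .NET compiler (vbc.exe) invoked at runtime with a response file under the user's Temp directory by a parent that itself runs from Temp, and a dropped helper (tmpB1F2.tmp.exe) that is handed its parent's own image path on the command line, which is how the "Deletes itself" behaviour is carried out after the parent exits. The following is an added example, not code from the sandbox or from the sample: detection logic run over process-creation records constructed from the tree above. The record field names, the parent PID of the top-level process, the benign control events and the list of user-writable directories are assumptions made for the example, not anything the report states.

```python
"""Added example: flag the runtime-compile and self-delete-helper patterns from
the process tree above. Event records are constructed from the report; field
names loosely follow Sysmon Event ID 1 but are an assumption, not its schema."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # command line as logged


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1b5988196ba6f923121dff0bcb7b0bf0_NeikiAnalytics.exe"
FW = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"

# Constructed from the report's process tree (PIDs and command lines as listed).
# ppid 0 for the sample is an assumption: the report does not name its parent.
EVENTS = [
    ProcEvent(2236, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2296, 2236, FW + r"\vbc.exe",
              f'"{FW}\\vbc.exe" /noconfig @"C:\\Users\\Admin\\AppData\\Local\\Temp\\0jitczgd\\0jitczgd.cmdline"'),
    ProcEvent(2464, 2296, FW + r"\cvtres.exe",
              f'{FW}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '
              f'"/OUT:C:\\Users\\Admin\\AppData\\Local\\Temp\\RESB70F.tmp" '
              f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\vbcA39BFB46BAB5436DAA6D6020207F964D.TMP"'),
    ProcEvent(2952, 2236, r"C:\Users\Admin\AppData\Local\Temp\tmpB1F2.tmp.exe",
              f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpB1F2.tmp.exe" {SAMPLE}'),
    # Constructed benign control: a build tool compiling a project must not fire.
    ProcEvent(4100, 4000, r"C:\Program Files\dotnet\dotnet.exe", '"C:\\Program Files\\dotnet\\dotnet.exe" build'),
    ProcEvent(4101, 4100, FW + r"\csc.exe", f'"{FW}\\csc.exe" /noconfig @"C:\\src\\app\\obj\\Debug\\app.cmdline"'),
]

COMPILERS = {"vbc.exe", "csc.exe"}
# vbc/csc read their arguments from a response file given as @path; capture that path.
RESPONSE_FILE = re.compile(r'@"?([^"\s]+?\.cmdline)"?', re.IGNORECASE)
# Heuristic (assumption): directories any user can write to and execute from.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")


def _user_writable(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)


def _by_pid(events):
    return {e.pid: e for e in events}


def find_runtime_compiles(events):
    """A .NET compiler run with a response file, where the response file or the
    parent executable lives in a user-writable directory (build tools normally
    run from Program Files and keep their obj/ directories elsewhere)."""
    parents = _by_pid(events)
    hits = []
    for e in events:
        if ntpath.basename(e.image).lower() not in COMPILERS:
            continue
        m = RESPONSE_FILE.search(e.cmdline)
        if m is None:
            continue
        parent = parents.get(e.ppid)
        if _user_writable(m.group(1)) or (parent is not None and _user_writable(parent.image)):
            hits.append({"pid": e.pid, "parent": parent.image if parent else None,
                         "response_file": m.group(1)})
    return hits


def find_self_delete_helpers(events):
    """A child started from a user-writable directory whose arguments name its
    parent's own executable: the parent is handing its path to a helper that
    will delete or replace it once the parent has exited."""
    parents = _by_pid(events)
    hits = []
    for e in events:
        parent = parents.get(e.ppid)
        if parent is None or not _user_writable(e.image):
            continue
        args = e.cmdline.lower().replace(e.image.lower(), "", 1)  # drop the child's own path
        if parent.image.lower() in args:
            hits.append({"pid": e.pid, "helper": e.image, "target": parent.image})
    return hits


if __name__ == "__main__":
    for hit in find_runtime_compiles(EVENTS):
        print("runtime compile:", hit)
    for hit in find_self_delete_helpers(EVENTS):
        print("self-delete helper:", hit)
```

Run against the constructed events, the first rule fires only on PID 2296 (vbc.exe with its response file in Temp, parent in Temp) and the second only on PID 2952 (tmpB1F2.tmp.exe carrying the sample's path); the dotnet/csc.exe control pair is left alone. The user-writable list is the knob to tune for a real estate: widening it catches more droppers and more developer noise.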
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
MD5: 3dc9c58f0c2eddf0672a2653fc79f713
SHA1: 756fe2e35d6d13aa662d15ed88b63764be0adb22
SHA256: 96b96d23f1e4a524b1f3469f47f858ccfe06164ef8bb339f515aa45f9ea7cb88
SHA512: 581b2c64f358d92d56c8362b826c2cc4a808b15a81ae69a5a5bfa9c6dbc3edc4ca54ce0798b0fd2d99d18431f7f42c79cd8b2a3f2f2319188af37f001912e29d

Filesize: 273B
MD5: 07b2b7d89a69c223ef01bcb2421ef470
SHA1: dd3bb124c2dd1ae38e78e0342a5caab0660f7ec7
SHA256: 2236f00670881d250028e1c11c258d123dffb94b905cf89cac6d42ffc7695022
SHA512: 072691252bdb15165782fb4e374631d154dbd22cf419c495b9feabcff80772b0427100c4cd547a1727e4679470b62fbe8fecf82232bb1d6ab8c8ba2fd5091984

Filesize: 2KB
MD5: 670c1d5cdbc7c0688f74c4fca344a31f
SHA1: d6c8ceb7ed0f71623c54b0446bac2bb718495c26
SHA256: 827cd36c484108fe2f6856128b01004abdd1095f680389dda3a8c1a1d7d46272
SHA512: a11472f2a47a5eb00c98bc90a9edcc7f2abacbd2e9b8c7c366a86ae3757e6c3e883db465d5a72d89b9fe25dcb3a44ba36bd4f2690e8a46936c9cba949a145176

Filesize: 1KB
MD5: d3a215e6a4aa62bec707ea63d1e57ebf
SHA1: 211dd77cdd1d15d7b9d0c4a8c990f41c52cad52e
SHA256: ba03d2453351eca3c8a717ca9da3afcbac543aa6aef56f19599f4bf6a7842f28
SHA512: fa85005a604e9376c19b56fcec2dd4e2da233865d69fef8537bf3e24d04ecd624fba41cd15aacf5b41528e3d986931b008dda92874f22d984af655dcc13a5f9d

Filesize: 12KB
MD5: a2cc7029702427030df3f38956406bf7
SHA1: 676a92d7dffa98a1a58eb7caa40489f6466e51ba
SHA256: deb2e14e93d9f814396cb17765469d98c79c104cea558d08dc8f86103abf6729
SHA512: 8ae5dab1ed38a3e9b91dabccfc07359e7fadfad5e97f15404d209b2e660b7887b37470ff3f4fd72b0272bb20ea7b764f478342ddb0f451b690d2f6d3d651eb65

Filesize: 1KB
MD5: ca1aeb6ee7952363d3172b236cd3bfea
SHA1: 8d31ceb1b59036d5cfd93fcaf516bd2b7fc99ea3
SHA256: a6a92adc7c080230d687e0c0ffa2f87444dfb191838d794b2328b28f6ff9c70f
SHA512: 7e3d9475f9d82cf43a45423cd9f9dd0eb05d89521a4630780778f6faced25b9f0b378ddadacc0e5d2540daca4d8b03ef05f9b36e5de0f23a7529184c4997ae82