b5a10f8d385bb9c879dfed2d952439ca11cc9657afa81b2bf5063449754f0356

General

Target

89cac77108584710e33661b9cd4c9cb0_NeikiAnalytics.exe
Size

12KB
MD5

89cac77108584710e33661b9cd4c9cb0
SHA1

a9e3b4e6ccd7fef25316149cc9f3021b1caf686c
SHA256

b5a10f8d385bb9c879dfed2d952439ca11cc9657afa81b2bf5063449754f0356
SHA512

8202064c019e641d9ce85528bc62c5a8c05bbe7b36e3fbd68cc51ce6428675c7821e2023554d1257bcde1cd757d9eb9be08425036852d777cbbb385866f8eda1
SSDEEP

384:2L7li/2zcq2DcEQvdQcJKLTp/NK9xaPR:wYMCQ9cPR

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2652	tmp209C.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2652	tmp209C.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
1992	89cac77108584710e33661b9cd4c9cb0_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1992	89cac77108584710e33661b9cd4c9cb0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2852	1992	89cac77108584710e33661b9cd4c9cb0_NeikiAnalytics.exe	28
PID 1992 wrote to memory of 2852	1992	89cac77108584710e33661b9cd4c9cb0_NeikiAnalytics.exe	28
PID 1992 wrote to memory of 2852	1992	89cac77108584710e33661b9cd4c9cb0_NeikiAnalytics.exe	28
PID 1992 wrote to memory of 2852	1992	89cac77108584710e33661b9cd4c9cb0_NeikiAnalytics.exe	28
PID 2852 wrote to memory of 2500	2852	vbc.exe	30
PID 2852 wrote to memory of 2500	2852	vbc.exe	30
PID 2852 wrote to memory of 2500	2852	vbc.exe	30
PID 2852 wrote to memory of 2500	2852	vbc.exe	30
PID 1992 wrote to memory of 2652	1992	89cac77108584710e33661b9cd4c9cb0_NeikiAnalytics.exe	31
PID 1992 wrote to memory of 2652	1992	89cac77108584710e33661b9cd4c9cb0_NeikiAnalytics.exe	31
PID 1992 wrote to memory of 2652	1992	89cac77108584710e33661b9cd4c9cb0_NeikiAnalytics.exe	31
PID 1992 wrote to memory of 2652	1992	89cac77108584710e33661b9cd4c9cb0_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\89cac77108584710e33661b9cd4c9cb0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\89cac77108584710e33661b9cd4c9cb0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jhgwic5v\jhgwic5v.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2202.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5F5BE1C02AB94A838DD6878B8B5FF04F.TMP"
    3⤵
    PID:2500
- C:\Users\Admin\AppData\Local\Temp\tmp209C.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp209C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\89cac77108584710e33661b9cd4c9cb0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
4a0ad59927914a24c2683d2e3d3d550c

SHA1
a8c0ef86d7b4abc8738a7aa1d7f3492811cf47c4

SHA256
cf78c81629dbbefbe8cb9940b3e1f5f88b97c7eb303613447be41c16e935e94e

SHA512
db454db9d8d8ba2fc1953f89b8b911c2cc16d54ee7752b34741754c882ade0753b07742f73fb154c9a7384146c4f40d4e0917af4be16fc06ba53805df63fecbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2202.tmp

Filesize
1KB

MD5
f91aa2f5327b90470f2a23884cc55d59

SHA1
69ba43d4bc2bc9668635193928149a83983bb15c

SHA256
36b9a55b60a698fc635717768a99ca6a736dfbfebee3b95685d065955bbc4083

SHA512
d61c00aa4ae93169412da0648cbcbe8040df87d5739d9a13e5f6c9f59797ba3a10f998dd070746254cff9678bcc467e0670717ed14187e8208ea9048aee31812

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhgwic5v\jhgwic5v.0.vb

Filesize
2KB

MD5
951bbf616245ffe083632ae320104e82

SHA1
be2b84820b70a3740342309f6d6413c34256179c

SHA256
6f9aab0d12c289938ef61a7f8df1721981cc6276b7ae5f4185f00eddbafa4c8f

SHA512
6d19f9475cec1687260efb46e335eadc8c5e0bd61f60cb48563895d5ce18b062730b8f10512ce9204f76382c0dbedaf663c9420aefaf1efe8ebc87331c483e41

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhgwic5v\jhgwic5v.cmdline

Filesize
273B

MD5
67b39f96b0237a7aa84fff88e04282d1

SHA1
a0e7732cb1710d78a9ceda91a3391059da8932c0

SHA256
003a576d9c6f2c74e1c7291c4df33d0300c24fb7f6e2e55a48e7ba30f3f1a224

SHA512
ce8433d57a42fc0d053e8b1841eabbee13be533774f713be0c76795386bb12e2f87107285282753c8dc70134fb034990c0bd464413807bcc7dcf86009d6d1ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp209C.tmp.exe

Filesize
12KB

MD5
3eb7af3fc6f6636c374a4e9c31f10e9c

SHA1
ebd7e8c8634ea275ac616fdcb9c4ce10c4289680

SHA256
3c3b12ed236d0341260c661dc8cac89d11da6ae667d9ebbaa34f40e183b24459

SHA512
1fbe69d55b6531a874a537288915b7c22a14c33fd145335d34a08a1699f7ef4787458695264ff8b5c5e2eef6e9b02d1944e9b06af14f726688687eae6c30a0cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5F5BE1C02AB94A838DD6878B8B5FF04F.TMP

Filesize
1KB

MD5
ce4c202f2e1eda09b3586d07a0cd30e8

SHA1
8f2c7e3f15fbb994d04e4f9a44122fc0e92bbcdf

SHA256
a0a158e73f16429bb9007159e401d3dc2b5aed2723e39be9f46d23a62d3954d2

SHA512
545e670b4dce995c501e02bf5e72c7799ee9147b1fdad93d79ff12f1effdc57fdc1680dab678a27b68c8c2a02aaa65cf4a2a505f6ea022233eee62390cdefbd7

Download Submit
memory/1992-0-0x000000007406E000-0x000000007406F000-memory.dmp

Filesize
4KB

Download
memory/1992-1-0x0000000000FF0000-0x0000000000FFA000-memory.dmp

Filesize
40KB

Download
memory/1992-7-0x0000000074060000-0x000000007474E000-memory.dmp

Filesize
6.9MB

Download
memory/1992-23-0x0000000074060000-0x000000007474E000-memory.dmp

Filesize
6.9MB

Download
memory/2652-24-0x0000000000B50000-0x0000000000B5A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing