Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/06/2024, 03:41

General

  • Target

    5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe

  • Size

    12KB

  • MD5

    5b8124efa3870bf2ca1af51ca7bec250

  • SHA1

    2997343e5d15fe6adb8fec6786dcb7cce1c59092

  • SHA256

    556b8d92546fa667f592c958ec2575e2d4a9702faa7e480effe433fe92d06b53

  • SHA512

    334b6ca2a7b6b6b66c8da58b8e545d1a902f3ac832735f3066843d9575776074ab65cb309344d9b2df298a0df5fab0da740e6a57902e3657140e820cfbaf9ea9

  • SSDEEP

    384:BL7li/2zcq2DcEQvdQcJKLTp/NK9xaz1:hYMCQ9cz1

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs

    Invokes vbc.exe, the Visual Basic .NET command-line compiler, to compile dropped source at runtime.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2176
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jus1lxfg\jus1lxfg.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2296
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD59.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc76F0052D22784AB5B4D9EE5D3577110.TMP"
        3⤵
        PID:2668
    • C:\Users\Admin\AppData\Local\Temp\tmpBF3.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpBF3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      PID:2780
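
    The tree above is the standard CodeDOM runtime-compile shape: the sample writes a .vb source file and a .cmdline response file under %TEMP%, runs vbc.exe /noconfig @<response file>, vbc in turn runs cvtres.exe to build the Win32 resource section (/MACHINE:IX86, so the output is 32-bit), and the freshly compiled tmpBF3.tmp.exe is then launched with the sample's own path as its only argument, the child to which the "Deletes itself" signature is attributed. The following is an added detection example, not part of the report and not code from the sample, that hunts for that chain over Sysmon Event ID 1-style process-creation records. The records for PIDs 2176, 2296, 2668 and 2780 are constructed from the tree above; the sample's parent (explorer.exe, PID 1234) and the MSBuild control case are assumptions the report does not state.

```python
"""Hunt for the runtime-compile-then-self-delete chain shown in the process tree.

Input records mimic Sysmon Event ID 1 (pid, ppid, image, command line). The
records for PIDs 2176/2296/2668/2780 are constructed from the report's process
tree; the sample's parent (PID 1234) and the MSBuild control case are assumed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Compilers that CodeDOM-style runtime compilation drives through a response file.
RUNTIME_COMPILERS = {"vbc.exe", "csc.exe"}
# Parents for which a compiler child is expected; anything else is suspect.
BUILD_HOSTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RESPONSE_FILE_RE = re.compile(r'@"?(?P<path>[^"\s]+\.cmdline)"?', re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_runtime_compile(ev: ProcEvent, parent: Optional[ProcEvent]) -> bool:
    """vbc/csc launched with a response file under %TEMP% by a non-build-host parent."""
    if parent is None or basename(ev.image) not in RUNTIME_COMPILERS:
        return False
    m = RESPONSE_FILE_RE.search(ev.cmdline)
    if m is None or not TEMP_RE.search(m.group("path")):
        return False
    return basename(parent.image) not in BUILD_HOSTS


def is_temp_helper_referencing_parent(ev: ProcEvent, parent: Optional[ProcEvent]) -> bool:
    """An executable under %TEMP% started with its parent's image path as an argument:
    the shape of a helper that waits for the parent to exit and removes it."""
    if parent is None or not TEMP_RE.search(ev.image):
        return False
    return parent.image.lower() in ev.cmdline.lower()


def find_chains(events: List[ProcEvent]) -> List[Tuple[int, int, int]]:
    """Return (origin_pid, compiler_pid, helper_pid) for each process that both drove
    a runtime compile and launched a Temp helper pointing back at its own image."""
    by_pid = {e.pid: e for e in events}
    compilers, helpers = {}, {}
    for e in events:
        parent = by_pid.get(e.ppid)
        if is_runtime_compile(e, parent):
            compilers.setdefault(parent.pid, e.pid)
        if is_temp_helper_referencing_parent(e, parent):
            helpers.setdefault(parent.pid, e.pid)
    return [(p, compilers[p], helpers[p]) for p in sorted(compilers.keys() & helpers.keys())]


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
FX = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
SAMPLE = TEMP + r"\5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe"

# Constructed from the report's process tree; PID 1234 as the sample's parent is assumed.
EVENTS = [
    ProcEvent(2176, 1234, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(2296, 2176, FX + r"\vbc.exe",
              '"' + FX + r'\vbc.exe" /noconfig @"' + TEMP + r'\jus1lxfg\jus1lxfg.cmdline"'),
    ProcEvent(2668, 2296, FX + r"\cvtres.exe",
              FX + r'\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:' + TEMP + r'\RESD59.tmp" "'
              + TEMP + r'\vbc76F0052D22784AB5B4D9EE5D3577110.TMP"'),
    ProcEvent(2780, 2176, TEMP + r"\tmpBF3.tmp.exe",
              '"' + TEMP + r'\tmpBF3.tmp.exe" ' + SAMPLE),
    # Assumed benign control: MSBuild driving the same compiler the same way.
    ProcEvent(3000, 1234, r"C:\Program Files (x86)\MSBuild\14.0\Bin\MSBuild.exe",
              r'"C:\Program Files (x86)\MSBuild\14.0\Bin\MSBuild.exe" build.proj'),
    ProcEvent(3001, 3000, FX + r"\vbc.exe",
              '"' + FX + r'\vbc.exe" /noconfig @"' + TEMP + r'\abcd\abcd.cmdline"'),
]

if __name__ == "__main__":
    for origin, compiler, helper in find_chains(EVENTS):
        print(f"origin PID {origin}: runtime compile via PID {compiler}, Temp helper PID {helper}")
```

    PowerShell Add-Type and applications that use XmlSerializer spawn csc.exe or vbc.exe with exactly this /noconfig @<file>.cmdline shape, so on a live estate the compiler check alone is noisy; alert on the correlated pair (compile plus a Temp helper that names its parent) and extend BUILD_HOSTS only with parents you have verified.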

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RE.resources

      Filesize

      2KB

      MD5

      1b6736e61cd284bd9ed369317ddf2816

      SHA1

      c5d90259f796ef5f5273d8bc2e33e56b75718a44

      SHA256

      c1c4d1cad7150ae8e4cc8673387428e5ea02656e1ac169225d717be1d17e9eca

      SHA512

      b4a6b37e4e8bd630bc93bd77b5b8c9c43e76d41e4aa61d61062e34fc7bf60ca38e86ec55d7d8777df958da28d52040fa5be656323ebb412837863506d8e72e18

    • C:\Users\Admin\AppData\Local\Temp\RESD59.tmp

      Filesize

      1KB

      MD5

      8ffa307646f918f6218506cbbf3ea70e

      SHA1

      38f3744f7cd4523598c311e60e6dc48a14da101f

      SHA256

      95c28ff73388b1f853a70a59dcfb1ff35357aa3f101f7e0ee184b255bb10a235

      SHA512

      7a8cc8b52108a22f230931dd2bd0188b73b14acc620e612f19288673abc847fca8bf35e32d722e5259859a7a584c147f2ab9e888c584e1e3eb43b104baeec9fc

    • C:\Users\Admin\AppData\Local\Temp\jus1lxfg\jus1lxfg.0.vb

      Filesize

      2KB

      MD5

      f821b7ca619fee37cbc116055abcebcb

      SHA1

      8448e4196effb57a6fa810bcb419c6583fd0b104

      SHA256

      f10a7e38e43e6e8b572428e42208ddb552489ac1bdcac1c74ed22ffa406b142b

      SHA512

      1ff90c3d515031b6670e2d00373065fbd086bf040358b6a633846ff2cac28670c5d17a2cc6fab3fe39d1e85ef82b3d6c48903964841fa32f5db3e19aeffa40a2

    • C:\Users\Admin\AppData\Local\Temp\jus1lxfg\jus1lxfg.cmdline

      Filesize

      272B

      MD5

      25e72d4a2faf375db8f11e0c67a0ce39

      SHA1

      8b2dfcc42cffdbc9ab274b91e325bbf5c7e8ca42

      SHA256

      21dff971bcd2e9da3998bb965d6324c3ecbef6bb9e861b93ed941fa812911d66

      SHA512

      f7effcb5009a600e338062c17e4b79181e311796a90e6d4b9040965514113fdb0d0536a7f8b95dbd0aab35f0f269d0b3dd22aace86bf783902259e5959dce578

    • C:\Users\Admin\AppData\Local\Temp\tmpBF3.tmp.exe

      Filesize

      12KB

      MD5

      0d3ee78f91418a90c48b3441a7275497

      SHA1

      0309a4ccab2bfa037e734ba5539c87e3294d28bb

      SHA256

      43a30032b95d02405dcdb0a2483b88ae161eca7e3f15098f7b889f9f454da117

      SHA512

      116dc2d3919822b41cfbdc0d40a7f108e70aeb9b9828c608e9fb03eadc8c72d5ccc194d1fa8e54c25d85b6c027ee1b34e13a9913091217527481b2b5e8399d89

    • C:\Users\Admin\AppData\Local\Temp\vbc76F0052D22784AB5B4D9EE5D3577110.TMP

      Filesize

      1KB

      MD5

      71f791b532227a4760c9ce341c608a3f

      SHA1

      b45defc005268a4e48b8218254e83c29568aae83

      SHA256

      426dafda13629bb50668cf84fbf767fd91ce6f7abe9b291c09631a7909c04d72

      SHA512

      fac752982d241d29cad46279a53f6651144147f667499f625bf72d5cb3222092f736fbf28fb60693fb44e95922bd9bd575581788a1465baf04e04494f45a1cb3

    • memory/2176-0-0x00000000741CE000-0x00000000741CF000-memory.dmp

      Filesize

      4KB

    • memory/2176-1-0x00000000000B0000-0x00000000000BA000-memory.dmp

      Filesize

      40KB

    • memory/2176-7-0x00000000741C0000-0x00000000748AE000-memory.dmp

      Filesize

      6.9MB

    • memory/2176-24-0x00000000741C0000-0x00000000748AE000-memory.dmp

      Filesize

      6.9MB

    • memory/2780-23-0x0000000000E40000-0x0000000000E4A000-memory.dmp

      Filesize

      40KB