Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 13/06/2024, 03:41
Static task: static1
Behavioral task: behavioral1
  Sample: 5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe
  Resource: win10v2004-20240226-en
General
Target: 5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe
Size: 12KB
MD5: 5b8124efa3870bf2ca1af51ca7bec250
SHA1: 2997343e5d15fe6adb8fec6786dcb7cce1c59092
SHA256: 556b8d92546fa667f592c958ec2575e2d4a9702faa7e480effe433fe92d06b53
SHA512: 334b6ca2a7b6b6b66c8da58b8e545d1a902f3ac832735f3066843d9575776074ab65cb309344d9b2df298a0df5fab0da740e6a57902e3657140e820cfbaf9ea9
SSDEEP: 384:BL7li/2zcq2DcEQvdQcJKLTp/NK9xaz1:hYMCQ9cz1
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid 2780  Process tmpBF3.tmp.exe
- Executes dropped EXE (1 IoCs)
  pid 2780  Process tmpBF3.tmp.exe
- Loads dropped DLL (1 IoCs)
  pid 2176  Process 5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe
- Uses the VBS compiler for execution (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege  pid 2176  Process 5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                          pid   Process                                              procid_target
  PID 2176 wrote to memory of 2296     2176  5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe  28
  PID 2176 wrote to memory of 2296     2176  5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe  28
  PID 2176 wrote to memory of 2296     2176  5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe  28
  PID 2176 wrote to memory of 2296     2176  5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe  28
  PID 2296 wrote to memory of 2668     2296  vbc.exe                                              30
  PID 2296 wrote to memory of 2668     2296  vbc.exe                                              30
  PID 2296 wrote to memory of 2668     2296  vbc.exe                                              30
  PID 2296 wrote to memory of 2668     2296  vbc.exe                                              30
  PID 2176 wrote to memory of 2780     2176  5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe  31
  PID 2176 wrote to memory of 2780     2176  5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe  31
  PID 2176 wrote to memory of 2780     2176  5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe  31
  PID 2176 wrote to memory of 2780     2176  5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe  31
Processes

C:\Users\Admin\AppData\Local\Temp\5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2176

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jus1lxfg\jus1lxfg.cmdline"
      - Suspicious use of WriteProcessMemory
      PID: 2296

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD59.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc76F0052D22784AB5B4D9EE5D3577110.TMP"
          PID: 2668

    C:\Users\Admin\AppData\Local\Temp\tmpBF3.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmpBF3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe
      - Deletes itself
      - Executes dropped EXE
      PID: 2780
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
MD5: 1b6736e61cd284bd9ed369317ddf2816
SHA1: c5d90259f796ef5f5273d8bc2e33e56b75718a44
SHA256: c1c4d1cad7150ae8e4cc8673387428e5ea02656e1ac169225d717be1d17e9eca
SHA512: b4a6b37e4e8bd630bc93bd77b5b8c9c43e76d41e4aa61d61062e34fc7bf60ca38e86ec55d7d8777df958da28d52040fa5be656323ebb412837863506d8e72e18

Filesize: 1KB
MD5: 8ffa307646f918f6218506cbbf3ea70e
SHA1: 38f3744f7cd4523598c311e60e6dc48a14da101f
SHA256: 95c28ff73388b1f853a70a59dcfb1ff35357aa3f101f7e0ee184b255bb10a235
SHA512: 7a8cc8b52108a22f230931dd2bd0188b73b14acc620e612f19288673abc847fca8bf35e32d722e5259859a7a584c147f2ab9e888c584e1e3eb43b104baeec9fc

Filesize: 2KB
MD5: f821b7ca619fee37cbc116055abcebcb
SHA1: 8448e4196effb57a6fa810bcb419c6583fd0b104
SHA256: f10a7e38e43e6e8b572428e42208ddb552489ac1bdcac1c74ed22ffa406b142b
SHA512: 1ff90c3d515031b6670e2d00373065fbd086bf040358b6a633846ff2cac28670c5d17a2cc6fab3fe39d1e85ef82b3d6c48903964841fa32f5db3e19aeffa40a2

Filesize: 272B
MD5: 25e72d4a2faf375db8f11e0c67a0ce39
SHA1: 8b2dfcc42cffdbc9ab274b91e325bbf5c7e8ca42
SHA256: 21dff971bcd2e9da3998bb965d6324c3ecbef6bb9e861b93ed941fa812911d66
SHA512: f7effcb5009a600e338062c17e4b79181e311796a90e6d4b9040965514113fdb0d0536a7f8b95dbd0aab35f0f269d0b3dd22aace86bf783902259e5959dce578

Filesize: 12KB
MD5: 0d3ee78f91418a90c48b3441a7275497
SHA1: 0309a4ccab2bfa037e734ba5539c87e3294d28bb
SHA256: 43a30032b95d02405dcdb0a2483b88ae161eca7e3f15098f7b889f9f454da117
SHA512: 116dc2d3919822b41cfbdc0d40a7f108e70aeb9b9828c608e9fb03eadc8c72d5ccc194d1fa8e54c25d85b6c027ee1b34e13a9913091217527481b2b5e8399d89

Filesize: 1KB
MD5: 71f791b532227a4760c9ce341c608a3f
SHA1: b45defc005268a4e48b8218254e83c29568aae83
SHA256: 426dafda13629bb50668cf84fbf767fd91ce6f7abe9b291c09631a7909c04d72
SHA512: fac752982d241d29cad46279a53f6651144147f667499f625bf72d5cb3222092f736fbf28fb60693fb44e95922bd9bd575581788a1465baf04e04494f45a1cb3