Analysis
- max time kernel: 122s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 13-06-2024 06:21
Static task: static1
Behavioral task: behavioral1
- Sample: 652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe
- Size: 12KB
- MD5: 652132d22858cf85b4cbf387f759abf0
- SHA1: f6f050cb751575ffbd04c43fb104f3776d05a49d
- SHA256: 2368452b449f64cc18419028e1c42ae095e4af3f3ff729d0600b4adf0b52c4e5
- SHA512: efbe671dedc2d1e2000e03918f239a46cdb900700a83877b91692413d77e10d4cd62388437360dc09bb17ba3d44c295e177848d229afa50d52d1e4dd4bb344e8
- SSDEEP: 384:BL7li/2zAq2DcEQvd2cJKLTp/NK9xa1V:hMM8Q9c1V
Malware Config
Signatures
- Deletes itself (1 IoC)
  PID 2560, tmp1601.tmp.exe
- Executes dropped EXE (1 IoC)
  PID 2560, tmp1601.tmp.exe
- Loads dropped DLL (1 IoC)
  PID 2420, 652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe
- Uses the VB.NET compiler (vbc.exe) for execution (1 TTP)
  The sample invokes the .NET Framework Visual Basic compiler at runtime to build and run code on the host; note that vbc.exe is the VB.NET compiler, not a VBScript interpreter.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 2420, 652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2420 (652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe) wrote to memory of PID 2988 (procid_target 28), logged 4 times
  PID 2988 (vbc.exe) wrote to memory of PID 1648 (procid_target 30), logged 4 times
  PID 2420 (652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe) wrote to memory of PID 2560 (procid_target 31), logged 4 times
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe (PID 2420)
  Command line: "C:\Users\Admin\AppData\Local\Temp\652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 2988)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uxu53i2e\uxu53i2e.cmdline"
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 1648)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1777.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc33B99B868A73441A8797CCFF7BC48.TMP"
  - [2] C:\Users\Admin\AppData\Local\Temp\tmp1601.tmp.exe (PID 2560)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp1601.tmp.exe" C:\Users\Admin\AppData\Local\Temp\652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe
    - Deletes itself
    - Executes dropped EXE
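The process tree above is the classic compile-at-runtime chain: a small dropper in %TEMP% hands the .NET Framework compiler a `.cmdline` response file, the compiler calls `cvtres.exe` to link resources, and the dropper then launches the freshly built `tmp1601.tmp.exe`, passing its own path on the command line so the helper can remove it. The following detection logic is an added example, not part of the sandbox report or of any vendor product. It runs over constructed process-creation records whose field names follow Sysmon Event ID 1 (`Image`, `CommandLine`, `ParentImage`, `ProcessId`, `ParentProcessId`); the events mirror the PIDs and command lines from the report, while the dropper's parent (`explorer.exe`, PID 1), the allow-list of expected compiler parents and the benign Visual Studio control event are assumptions made for the example.

```python
"""Detect the runtime-compile / drop-and-delete chain from the report.

Added example: the EVENTS below are hand-constructed to mirror the sandbox
process tree, not captured telemetry. Field names follow Sysmon Event ID 1.
"""
import ntpath
import re
import shlex

DOTNET_COMPILERS = {"vbc.exe", "csc.exe"}
# Assumed allow-list: parents for which on-the-fly .NET compilation is normal.
EXPECTED_COMPILER_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}
# User-writable temp directory, as used by every dropped artefact in the report.
USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# Compiler driven by a response file: vbc.exe /noconfig @"...\x.cmdline"
RESPONSE_FILE = re.compile(r'@"?[^"\s]+\.cmdline"?', re.I)

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe"
FW = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"

EVENTS = [  # constructed from the report's process tree
    {"ProcessId": 2420, "ParentProcessId": 1, "Image": DROPPER,
     "CommandLine": f'"{DROPPER}"', "ParentImage": r"C:\Windows\explorer.exe"},  # parent assumed
    {"ProcessId": 2988, "ParentProcessId": 2420, "Image": FW + r"\vbc.exe",
     "CommandLine": f'"{FW}\\vbc.exe" /noconfig @"C:\\Users\\Admin\\AppData\\Local\\Temp\\uxu53i2e\\uxu53i2e.cmdline"',
     "ParentImage": DROPPER},
    {"ProcessId": 1648, "ParentProcessId": 2988, "Image": FW + r"\cvtres.exe",
     "CommandLine": f'{FW}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\\Users\\Admin\\AppData\\Local\\Temp\\RES1777.tmp" "C:\\Users\\Admin\\AppData\\Local\\Temp\\vbc33B99B868A73441A8797CCFF7BC48.TMP"',
     "ParentImage": FW + r"\vbc.exe"},
    {"ProcessId": 2560, "ParentProcessId": 2420, "Image": r"C:\Users\Admin\AppData\Local\Temp\tmp1601.tmp.exe",
     "CommandLine": f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp1601.tmp.exe" {DROPPER}',
     "ParentImage": DROPPER},
    # Benign control (assumed): Visual Studio driving the same compiler the same way.
    {"ProcessId": 4100, "ParentProcessId": 3000, "Image": FW + r"\vbc.exe",
     "CommandLine": f'"{FW}\\vbc.exe" /noconfig @"C:\\Users\\Admin\\AppData\\Local\\Temp\\abc\\abc.cmdline"',
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\devenv.exe"},
]


def basename(path):
    return ntpath.basename(path).lower()


def rule_unexpected_runtime_compile(ev):
    """vbc/csc fed a .cmdline response file by a parent that is not a known build
    tool, or by any parent that itself runs out of the user's temp directory."""
    if basename(ev["Image"]) not in DOTNET_COMPILERS or not RESPONSE_FILE.search(ev["CommandLine"]):
        return False
    parent = ev["ParentImage"]
    return basename(parent) not in EXPECTED_COMPILER_PARENTS or bool(USER_TEMP.match(parent))


def rule_temp_helper_given_parent_path(ev):
    """An executable in the user's temp dir whose arguments include its own parent's
    image path: the shape of a helper launched to delete the dropper."""
    if not USER_TEMP.match(ev["Image"]):
        return False
    args = shlex.split(ev["CommandLine"], posix=False)  # non-posix keeps backslashes intact
    parent = ev["ParentImage"].lower()
    return any(a.strip('"').lower() == parent for a in args[1:])


def detect(events):
    """Return (kind, pid, ppid, linked) tuples; 'linked' records whether cvtres.exe
    ran under the compiler, i.e. a binary was actually produced."""
    children = {}
    for e in events:
        children.setdefault(e["ParentProcessId"], []).append(e)
    alerts = []
    for e in events:
        if rule_unexpected_runtime_compile(e):
            linked = any(basename(c["Image"]) == "cvtres.exe" for c in children.get(e["ProcessId"], []))
            alerts.append(("runtime-compile", e["ProcessId"], e["ParentProcessId"], linked))
        if rule_temp_helper_given_parent_path(e):
            alerts.append(("self-delete-helper", e["ProcessId"], e["ParentProcessId"], None))
    return alerts


def chained_compile_then_drop(events):
    """PIDs that both drove an unexpected compile and launched a temp helper carrying
    their own path: the complete sequence seen in the report."""
    kinds = {}
    for kind, _pid, ppid, _ in detect(events):
        kinds.setdefault(ppid, set()).add(kind)
    return sorted(p for p, k in kinds.items() if {"runtime-compile", "self-delete-helper"} <= k)


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
    print("full chain under parent PID(s):", chained_compile_then_drop(EVENTS))
```

The correlation step matters more than either rule alone: `vbc.exe` with a response file is routine on developer machines, and a temp-directory executable is routine for installers, but one parent exhibiting both, with `cvtres.exe` confirming that something was linked, is the sequence recorded above. Tune `EXPECTED_COMPILER_PARENTS` to the build tooling actually present in the environment before deploying anything like this.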
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: 1d3f11c643def34e7d4c8e4663f10077
  SHA1: e565753e2edf2ddfbb5371f27c5a71be80b2f992
  SHA256: 42f660f95cfdc0ce6a35bea6407b05c61d1566b7a91018333bd80e662317a0c4
  SHA512: bfc2d75da3bd7c4c23c89fa7787cc3242b6e1747c06e76bca0e7c93c1acf676e9b734ea8ac3f7e73daf5addbff2b533415b013bf6b58256151a171c54a1fccd4
- Filesize: 1KB
  MD5: 3147c01fc75f52ad3d7867007dea1e01
  SHA1: 5b47d616a96a5eb11ce79de7042925e6acaf81ac
  SHA256: deb83b9fee4e3886c72c68381ed157c79091fd2c7b21f1b7c1bc45243ec94846
  SHA512: 8f81da34d711204814719676d3bf2006e95ef94f43d5b48d41813a8a82e512b8fc294587b547071d7c5a853c0eae124c191cd69f0ec1bc28eaa57393a55b19a6
- Filesize: 12KB
  MD5: f7b63a05c48889856360d55b2e482e3b
  SHA1: f27927c93fd90d3f535ce1790c592b010f5a5aed
  SHA256: 3d7979b86b451752a6d5f8449073ce98cb8725ab797f00405ad0aba9c426df0e
  SHA512: 0136694cc34c1705fcc11737c52f53c79d2dcc0550bed0d9af16dc07189a077fe017c9aa575d237b8e48ff2f7c2a9a21de7827812ff81503c80c9515cda744e4
- Filesize: 2KB
  MD5: e8eb8fce0625d85d1174e05aa91fbafa
  SHA1: 66bc46142bba3342397aec47404823643e290e31
  SHA256: 998f5baa833b49f0c0dc4f3cb7b5cfac4266f8068e2aab9328d56c74a9243cec
  SHA512: c491e51ef04f6fde989254901fec12b9029529f0731cd74791488c1628f1c05a035cfa6324200e35625b1db3b9270b91ad4d9417ffcef32992f2046eb10d9816
- Filesize: 273B
  MD5: c2d79c3b0a02b4a87bca272272ffe93d
  SHA1: b03f15cf8bb6b1557dadfc695319ed79792b5883
  SHA256: 19fbedcdabd68193b5dc6e752b47502e3c77518c5f023c53b4529dbef2b7b79d
  SHA512: 5cb2b5c95de3f1bd85476127d6af5a3bb31467af7e337b2c872b7cc85c755f1e6e14a6a46638936d68e43e16886748caa4aee481b2017fe3c3790c0af72f7ba4
- Filesize: 1KB
  MD5: f37a21c77550a6929e4c752d83f4de46
  SHA1: ce47432f650042e6b16052ca70d23d5fb195e9c3
  SHA256: 04d2ba9c2f23596fb8ecfa5520db737a694cacbf3903b30cbdbac8819afbcd64
  SHA512: 4ca47cdcb073f3043a6043be2835faf8b097ca7329ea6b986d304221edade3345944cdd30f4eba9e13b720927fc264aad9cd0a88ab3007b4af600f4da7ecda1d