64c922a3c65dd308d01f3645ae1130232977edf15cdb78161b6c970e75057e58

General

Target

6bf774975ae31a31d05c2ef0fa287e60_NeikiAnalytics.exe
Size

12KB
MD5

6bf774975ae31a31d05c2ef0fa287e60
SHA1

21339fdb144f33499be80b667ce8a0e601a64f2e
SHA256

64c922a3c65dd308d01f3645ae1130232977edf15cdb78161b6c970e75057e58
SHA512

e9ca6e7c5754b88c0bd89399496399f28f0eb0b6b59dab9d3aff34cb7b4139f16f5fb7207df44c8a0357050625674b03d085e55da2e6be21840d62ee04c7ed07
SSDEEP

384:8L7li/2zbq2DcEQvdQcJKLTp/NK9xasH:a3MCQ9csH

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2696	tmp2463.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2696	tmp2463.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
1596	6bf774975ae31a31d05c2ef0fa287e60_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1596	6bf774975ae31a31d05c2ef0fa287e60_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 1800	1596	6bf774975ae31a31d05c2ef0fa287e60_NeikiAnalytics.exe	28
PID 1596 wrote to memory of 1800	1596	6bf774975ae31a31d05c2ef0fa287e60_NeikiAnalytics.exe	28
PID 1596 wrote to memory of 1800	1596	6bf774975ae31a31d05c2ef0fa287e60_NeikiAnalytics.exe	28
PID 1596 wrote to memory of 1800	1596	6bf774975ae31a31d05c2ef0fa287e60_NeikiAnalytics.exe	28
PID 1800 wrote to memory of 2256	1800	vbc.exe	30
PID 1800 wrote to memory of 2256	1800	vbc.exe	30
PID 1800 wrote to memory of 2256	1800	vbc.exe	30
PID 1800 wrote to memory of 2256	1800	vbc.exe	30
PID 1596 wrote to memory of 2696	1596	6bf774975ae31a31d05c2ef0fa287e60_NeikiAnalytics.exe	31
PID 1596 wrote to memory of 2696	1596	6bf774975ae31a31d05c2ef0fa287e60_NeikiAnalytics.exe	31
PID 1596 wrote to memory of 2696	1596	6bf774975ae31a31d05c2ef0fa287e60_NeikiAnalytics.exe	31
PID 1596 wrote to memory of 2696	1596	6bf774975ae31a31d05c2ef0fa287e60_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\6bf774975ae31a31d05c2ef0fa287e60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6bf774975ae31a31d05c2ef0fa287e60_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\plrqworg\plrqworg.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES25E8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8527C2CCCC5145AFAEF1973766D33031.TMP"
    3⤵
    PID:2256
- C:\Users\Admin\AppData\Local\Temp\tmp2463.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp2463.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6bf774975ae31a31d05c2ef0fa287e60_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
71b7df11cb5d2142da017bd1c19f1910

SHA1
9f19afb7ddace40f88abdd6caba3c962cd55ace0

SHA256
533a7a2285c070e7f0d6b6231fa828140ef0659205ec287dd8300eb3cfcc06f7

SHA512
cde7bdc76393b8a0a0579268a661ea465f1f9e748a5535dbaa11d52fccc798c30e346021f26878b6102d56d0f4f4034c3ae2ff490b3df9bf70b7dd9c2e4658a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES25E8.tmp

Filesize
1KB

MD5
373f4f9ee855152af9eec29ac1e03cba

SHA1
7512b136c82d14cd4f0fd02fbf55f3f5ac78cf52

SHA256
d94329c8c81a6b386bd7d0c622e3858b0e752b568f9b54a79b0465109e66985b

SHA512
04a9bdd3217c1cd8021289d9d134fadc672e876e6a62a91429e786b5fe15c0fc3c9fde04680a659af3f7236122700a26810c2f2fd3e6cdc2453b3d5793aee125

Download Submit
C:\Users\Admin\AppData\Local\Temp\plrqworg\plrqworg.0.vb

Filesize
2KB

MD5
dc33e80a3a777c6747787ae44bf67456

SHA1
921489cfe33408b6ea09284765f9c161eb321541

SHA256
93a9d5527b695a7a3b13c5fac9a17beddce08907f41b3c5cb9d0517351c5658b

SHA512
1bdd72c5f229df503239b67ca61a393eabaf674eeb5601fb5a7dc0e38c28cac47ae1f66b809f8fbec955b17ef684bec974919e2605b1258ed92e67ed79d8c101

Download Submit
C:\Users\Admin\AppData\Local\Temp\plrqworg\plrqworg.cmdline

Filesize
273B

MD5
2932e06feca66c32fb6693faa191fdf5

SHA1
7b42968a967b7ed23f30dd47a8e7e568031f6734

SHA256
fdbc7cc8d42e407d53ce0e4e6a6c100b2c2f04fb378d2f3ccd1433edb819f4fa

SHA512
ede19248b1409a2e85990f99ac1312d311a6d1d511f336318957888ea121fab01916b23137e59828c3e451796fb2ce008d91ba4523381283521a78f8561d17da

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2463.tmp.exe

Filesize
12KB

MD5
1cfcab432e97f2d409c30e179840a45a

SHA1
99c7fdab6401e3fa074826d74e89df2374f03a51

SHA256
330abc1f40962415f1e9cb9799c2b5f7f5eb644852e327186a81bddfaf881a48

SHA512
1fdb8bb1d56c268dfdc85a26c20207b440d19330b0a549664fd88dba601572b256c3e20f2e7e72a9480b2faa2a95d74aba4ab21ae8ebbdcffa6dd4060209ee17

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8527C2CCCC5145AFAEF1973766D33031.TMP

Filesize
1KB

MD5
a41ad334813b3574f109a2029dcfda2b

SHA1
734d4bf844345d2d227787fc896c8064eadac67e

SHA256
79181ec24aacb92a541b2bb42e07906afa41c2e602134e05664c13be978d46bd

SHA512
ceb0bb886a2271341f946eb1d4419122e0738286044e1fde91dd47be0be3a8398c5453ef9714407a0bb042cac6fadfe877a5d31e93339157027ee5478fb924c0

Download Submit
memory/1596-0-0x000000007473E000-0x000000007473F000-memory.dmp

Filesize
4KB

Download
memory/1596-1-0x0000000000210000-0x000000000021A000-memory.dmp

Filesize
40KB

Download
memory/1596-7-0x0000000074730000-0x0000000074E1E000-memory.dmp

Filesize
6.9MB

Download
memory/1596-23-0x0000000074730000-0x0000000074E1E000-memory.dmp

Filesize
6.9MB

Download
memory/2696-24-0x0000000001180000-0x000000000118A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing