61a36de2ffd8b6569adaacd8a2099b7384112ddd207435e53851bfe51c4ee3ce

General

Target

e13f6e357bc501f1292193f8d0e25e90_NeikiAnalytics.exe
Size

12KB
MD5

e13f6e357bc501f1292193f8d0e25e90
SHA1

e1c8a987ee8644deb205704ab737dc9930b509ef
SHA256

61a36de2ffd8b6569adaacd8a2099b7384112ddd207435e53851bfe51c4ee3ce
SHA512

f3dc3156bd577d16d89898f3f5265c517f2e6e2202c60e29a9fec5414424d016a0cea444092afd8d718646d54088ee7d6d2f190a4db67a3e02a83ef8223575a6
SSDEEP

384:dL7li/2zbq2DcEQvdQcJKLTp/NK9xaZX:NfMCQ9cZX

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2868	tmp250F.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2868	tmp250F.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2932	e13f6e357bc501f1292193f8d0e25e90_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2932	e13f6e357bc501f1292193f8d0e25e90_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 3056	2932	e13f6e357bc501f1292193f8d0e25e90_NeikiAnalytics.exe	28
PID 2932 wrote to memory of 3056	2932	e13f6e357bc501f1292193f8d0e25e90_NeikiAnalytics.exe	28
PID 2932 wrote to memory of 3056	2932	e13f6e357bc501f1292193f8d0e25e90_NeikiAnalytics.exe	28
PID 2932 wrote to memory of 3056	2932	e13f6e357bc501f1292193f8d0e25e90_NeikiAnalytics.exe	28
PID 3056 wrote to memory of 2676	3056	vbc.exe	30
PID 3056 wrote to memory of 2676	3056	vbc.exe	30
PID 3056 wrote to memory of 2676	3056	vbc.exe	30
PID 3056 wrote to memory of 2676	3056	vbc.exe	30
PID 2932 wrote to memory of 2868	2932	e13f6e357bc501f1292193f8d0e25e90_NeikiAnalytics.exe	31
PID 2932 wrote to memory of 2868	2932	e13f6e357bc501f1292193f8d0e25e90_NeikiAnalytics.exe	31
PID 2932 wrote to memory of 2868	2932	e13f6e357bc501f1292193f8d0e25e90_NeikiAnalytics.exe	31
PID 2932 wrote to memory of 2868	2932	e13f6e357bc501f1292193f8d0e25e90_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\e13f6e357bc501f1292193f8d0e25e90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e13f6e357bc501f1292193f8d0e25e90_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mnpnbvol\mnpnbvol.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2694.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc94CECB7D4F444A669161CACA6ADCD393.TMP"
    3⤵
    PID:2676
- C:\Users\Admin\AppData\Local\Temp\tmp250F.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp250F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e13f6e357bc501f1292193f8d0e25e90_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
ec5a42f2c4b2b14ed037b68a22e717ff

SHA1
4d843951c157ce945d7da2b1329274d652e7facb

SHA256
44f67769b880eea97b602280ab0b14115c6931ca71961fd2954f1a73af036e05

SHA512
2ff06d8201573b4d7c560b262142e8a588f82d96dc00c27290f4cacd501a4adb524c44db51fcbe12b34939475a6fca88db98bd948f3a8a811a72eca1adfb023c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2694.tmp

Filesize
1KB

MD5
91facfa9cb8c4bfc79f4f770aa949a87

SHA1
815d2c2d9a78795d3480fc41dae4d8ffbdd8957e

SHA256
8a92b4fb3ff11b9c3b2abf6c74f5b1eb07b857f7328515fe837356b41588c305

SHA512
00ef908a04a103d35b7b841e368a1138774098667954483c0123617576cbc164826607e1947f17dc67ada9095da61a5f6b71f4edb691c0e757b184cfb0cadca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mnpnbvol\mnpnbvol.0.vb

Filesize
2KB

MD5
a5804d90f99c38d4755893fbc2a942af

SHA1
32f2d4d498955536dbc1bc871bd0272ec9c49610

SHA256
ccaf4c3a6d08526bc58a0917df0095af4edbb3a625f3f471f3f6f6cba531da0b

SHA512
5e50f4e056c885f6209103def0619c5927de6f34aa490660d02ab64c223c2d69ed4bb6c9697c3673d82bbbbdf66c107d75d438da79dd696ee21259986ee7ad48

Download Submit
C:\Users\Admin\AppData\Local\Temp\mnpnbvol\mnpnbvol.cmdline

Filesize
273B

MD5
5866cf74b39711b58d1f7db6072f01ef

SHA1
7db334b7f4b47f584487fa79b4bbee18f771b5f3

SHA256
218c99c5046bc67d6d4b42924e95648651ebc7440d1e3c3874a0bfca61c40b60

SHA512
605ef71fa16dcb77def548b920b99280a4f48688d052b05dc33ba545bfa356434b0e4cba518edd91e66871cf977e905df87db4e8d73d55235c748682c3675191

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp250F.tmp.exe

Filesize
12KB

MD5
7385ef0f2bb4306895831ca44a6d0b9b

SHA1
0bbdddfb603100f780f7b91cced705a5deaf74a2

SHA256
c07aa558a6818ad94163b42c2eb8daddfb9e214e9e45632c238d84e5319fc6c8

SHA512
22fb85839bb7efdcfe7d8951f2c59d2f3a82eb6a1c48fe1c485eb4759f258a34a859eb60f6bc06931fe640a623faefe28cce60488eb3598595ab08d4fac0083d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc94CECB7D4F444A669161CACA6ADCD393.TMP

Filesize
1KB

MD5
c4383683b76915a9acb94a065ed0a63d

SHA1
d5e99efa7f7f6de24d44ca878db3a93cdf796074

SHA256
eb3cf90dc114cff963336a20595198af635a34a64c586b49c2ca8146cd6db8c7

SHA512
73569fe0adae49b24dda6651478d9a0afd23bf8c0b87e93c62256cd4d9ca78f17aaf356ceb4e3830323b7200bbe72509f75b8920757274d7094373fd892a0a89

Download Submit
memory/2868-23-0x0000000000D70000-0x0000000000D7A000-memory.dmp

Filesize
40KB

Download
memory/2932-0-0x00000000740FE000-0x00000000740FF000-memory.dmp

Filesize
4KB

Download
memory/2932-1-0x0000000001370000-0x000000000137A000-memory.dmp

Filesize
40KB

Download
memory/2932-7-0x00000000740F0000-0x00000000747DE000-memory.dmp

Filesize
6.9MB

Download
memory/2932-24-0x00000000740F0000-0x00000000747DE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing