68a5a6e704bab5dcfe12f949137ef3f51154a9f49cc10593879d7f74631bef9e

General

Target

68a5a6e704bab5dcfe12f949137ef3f51154a9f49cc10593879d7f74631bef9e_NeikiAnalytics.exe
Size

12KB
MD5

11f8330106870e9cd61a5d2bdf627020
SHA1

5cd149a2f52b6fc0cf24cac7649556b2d0a75ca2
SHA256

68a5a6e704bab5dcfe12f949137ef3f51154a9f49cc10593879d7f74631bef9e
SHA512

3b4f31a8a4ac929be2c57f479db29db8949313c89bc3a4d3e2fde61555d6720f2c1d2e8a8bd3d3d47910935384a9c911ef61029e494ca08021427856932ff806
SSDEEP

384:DL7li/2zIq2DcEQvd2cJKLTp/NK9xahH:HMM8Q9chH

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2792	tmp23C7.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2792	tmp23C7.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2208	68a5a6e704bab5dcfe12f949137ef3f51154a9f49cc10593879d7f74631bef9e_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2208	68a5a6e704bab5dcfe12f949137ef3f51154a9f49cc10593879d7f74631bef9e_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2252	2208	68a5a6e704bab5dcfe12f949137ef3f51154a9f49cc10593879d7f74631bef9e_NeikiAnalytics.exe	28
PID 2208 wrote to memory of 2252	2208	68a5a6e704bab5dcfe12f949137ef3f51154a9f49cc10593879d7f74631bef9e_NeikiAnalytics.exe	28
PID 2208 wrote to memory of 2252	2208	68a5a6e704bab5dcfe12f949137ef3f51154a9f49cc10593879d7f74631bef9e_NeikiAnalytics.exe	28
PID 2208 wrote to memory of 2252	2208	68a5a6e704bab5dcfe12f949137ef3f51154a9f49cc10593879d7f74631bef9e_NeikiAnalytics.exe	28
PID 2252 wrote to memory of 2536	2252	vbc.exe	30
PID 2252 wrote to memory of 2536	2252	vbc.exe	30
PID 2252 wrote to memory of 2536	2252	vbc.exe	30
PID 2252 wrote to memory of 2536	2252	vbc.exe	30
PID 2208 wrote to memory of 2792	2208	68a5a6e704bab5dcfe12f949137ef3f51154a9f49cc10593879d7f74631bef9e_NeikiAnalytics.exe	31
PID 2208 wrote to memory of 2792	2208	68a5a6e704bab5dcfe12f949137ef3f51154a9f49cc10593879d7f74631bef9e_NeikiAnalytics.exe	31
PID 2208 wrote to memory of 2792	2208	68a5a6e704bab5dcfe12f949137ef3f51154a9f49cc10593879d7f74631bef9e_NeikiAnalytics.exe	31
PID 2208 wrote to memory of 2792	2208	68a5a6e704bab5dcfe12f949137ef3f51154a9f49cc10593879d7f74631bef9e_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\68a5a6e704bab5dcfe12f949137ef3f51154a9f49cc10593879d7f74631bef9e_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\68a5a6e704bab5dcfe12f949137ef3f51154a9f49cc10593879d7f74631bef9e_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kfhozjrf\kfhozjrf.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES252D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc63755D698B6B4C4AA62DDE935E7A5E76.TMP"
    3⤵
    PID:2536
- C:\Users\Admin\AppData\Local\Temp\tmp23C7.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp23C7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\68a5a6e704bab5dcfe12f949137ef3f51154a9f49cc10593879d7f74631bef9e_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
184c3e202ef9c8b1cdd311b10e16a29b

SHA1
75afea4b4b277625c11b9a649a805ebbc39f6ae6

SHA256
ba1d46b914a93f3ebb417c84e150dbd6d2ba58f2a2d6ced389c5f80382353f90

SHA512
b0665152dcb53146748e84bf17cc68dd35bf18facbf607517cfc87b6533354421b7b160a40fe76a5800b970a3553e04470137197a56fdbc12e5d9eb003a8498e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES252D.tmp

Filesize
1KB

MD5
4f4c6e33b95c6120a40f418ed29d3229

SHA1
417b844b297175061198987efcc84c70497c9946

SHA256
7886997263508dd0fd074db6083df867711e30128015e75ddda05fd1a77edbba

SHA512
c87aa6210d03733fbe8c9e3effe11dcb1f8f9e46ffb3dd28d0f766d79f952985a298e6d45d540433a71891bdc81e115db85d3128f7cd752fe1a3aee78313c8a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\kfhozjrf\kfhozjrf.0.vb

Filesize
2KB

MD5
6781c760f68fdcbcca68abfce27081ec

SHA1
2d04d8e409791147ad6dd26f85bb828ea9c5984b

SHA256
ac5bae668f0ccfe4090b9955fb08e0fe549d7fba924e83b116135aa17f525abb

SHA512
af41caea458cb8ff3362302698b186d732320a04c623ce26ffabeebc5bd4131b1bd37a5105cf2e90c92ef487b8f09d848f67a13d5fcfb7c17ac0e54e173cea5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kfhozjrf\kfhozjrf.cmdline

Filesize
273B

MD5
945a313bd1096335b5f3371282d47c42

SHA1
187407befd45707bb7542825610fbd849a0684f3

SHA256
f0006fa68099a9712be6ad0474cef55a0369750683cad866fe3e4a1d9b112724

SHA512
aa6934a9f6a15f027433e0c4272bde0d25729b20336aaee4f8d0e34d51e61dd7ac7b2ab24c1be6da2269db1a93d7de05973e6fd8d78a7d4de98d0590bbbe0f40

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp23C7.tmp.exe

Filesize
12KB

MD5
fe57148efe916a2dc9bafdeba28f613d

SHA1
fc2c72a0c984624a426e981684ae9fd3213a5284

SHA256
942e138b4143505f514a713db9f94ee4fe6dd295e0d8ccddeed54fe442e8b89a

SHA512
52e3e310cf511f2297270fab6e6c23b9ff6b12f671f97c17e2529a7bb4b333ca98cba1738f870aaaab9a888f1dbcaa6dbbdf58f3e59a8fd15d5d099504681234

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc63755D698B6B4C4AA62DDE935E7A5E76.TMP

Filesize
1KB

MD5
86f17bf53268dff068820347f535db31

SHA1
b935bc95cf305e20ff000caa67bdef54b418a53d

SHA256
faf706f82832024c2b006cc823e775d2f2bfe03e08c008821e04a848aa9d6533

SHA512
6e4c765dfd6b1913586c8de59b90cf5173b70d6c00309ec930e5a7d463df3f7b304d2c8c70f486b07c5c61ea794d4e1bb5bfbbfc63045b72d94972bcfbd05178

Download Submit
memory/2208-0-0x000000007488E000-0x000000007488F000-memory.dmp

Filesize
4KB

Download
memory/2208-1-0x00000000012B0000-0x00000000012BA000-memory.dmp

Filesize
40KB

Download
memory/2208-7-0x0000000074880000-0x0000000074F6E000-memory.dmp

Filesize
6.9MB

Download
memory/2208-24-0x0000000074880000-0x0000000074F6E000-memory.dmp

Filesize
6.9MB

Download
memory/2792-23-0x0000000000290000-0x000000000029A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing