b1846f89afe6887554265db25b5f9a89b83e7b47e4928e15952258fb9c2c00c1

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
11/05/2024, 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b2940c1f734c625eba22b43729bccb0_NeikiAnalytics.exe
Size

278KB
MD5

5b2940c1f734c625eba22b43729bccb0
SHA1

65e7cafbeae5eb5b1986afc5b6caef1445e63b91
SHA256

b1846f89afe6887554265db25b5f9a89b83e7b47e4928e15952258fb9c2c00c1
SHA512

8820e311af9372995b44a61a202d64209ced6f6b310b82ddddc7705470858c5b5d1d2bcd509a6c88e2e57334e312c93acbe1548cede7f8b712def137f658ceb1
SSDEEP

6144:vhbZ5hMTNFf8LAurlEzAX7oAwfSZ4sX/zQI:ZtXMzqrllX7XwoEI

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
1936	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202.exe
2704	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202a.exe
2712	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202b.exe
2488	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202c.exe
2464	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202d.exe
2896	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202e.exe
2548	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202f.exe
2916	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202g.exe
1828	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202h.exe
1016	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202i.exe
2424	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202j.exe
824	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202k.exe
2288	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202l.exe
2336	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202m.exe
764	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202n.exe
1776	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202o.exe
832	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202p.exe
448	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202q.exe
2272	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202r.exe
1672	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202s.exe
752	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202t.exe
2148	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202u.exe
1644	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202v.exe
2244	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202w.exe
1168	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202x.exe
1664	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202y.exe

Loads dropped DLL 52 IoCs

pid	Process
2940	5b2940c1f734c625eba22b43729bccb0_NeikiAnalytics.exe
2940	5b2940c1f734c625eba22b43729bccb0_NeikiAnalytics.exe
1936	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202.exe
1936	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202.exe
2704	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202a.exe
2704	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202a.exe
2712	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202b.exe
2712	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202b.exe
2488	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202c.exe
2488	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202c.exe
2464	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202d.exe
2464	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202d.exe
2896	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202e.exe
2896	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202e.exe
2548	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202f.exe
2548	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202f.exe
2916	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202g.exe
2916	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202g.exe
1828	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202h.exe
1828	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202h.exe
1016	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202i.exe
1016	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202i.exe
2424	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202j.exe
2424	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202j.exe
824	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202k.exe
824	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202k.exe
2288	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202l.exe
2288	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202l.exe
2336	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202m.exe
2336	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202m.exe
764	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202n.exe
764	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202n.exe
1776	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202o.exe
1776	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202o.exe
832	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202p.exe
832	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202p.exe
448	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202q.exe
448	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202q.exe
2272	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202r.exe
2272	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202r.exe
1672	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202s.exe
1672	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202s.exe
752	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202t.exe
752	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202t.exe
2148	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202u.exe
2148	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202u.exe
1644	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202v.exe
1644	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202v.exe
2244	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202w.exe
2244	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202w.exe
1168	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202x.exe
1168	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202x.exe

UPX packed file 45 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2940-0-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2940-8-0x0000000000290000-0x00000000002CA000-memory.dmp	upx
behavioral1/files/0x0007000000012120-9.dat	upx
behavioral1/memory/2704-36-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1936-28-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1936-21-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2940-14-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2704-44-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2712-57-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2488-72-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2464-73-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2464-86-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2896-101-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2548-102-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2548-115-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x0008000000016cf2-123.dat	upx
behavioral1/memory/2916-125-0x0000000000540000-0x000000000057A000-memory.dmp	upx
behavioral1/memory/2916-131-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1828-132-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1828-146-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1016-161-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2424-174-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2288-190-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/824-189-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2288-203-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2336-205-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2336-219-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/764-220-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/764-234-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1776-246-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/832-256-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2272-267-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/448-266-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2272-274-0x0000000000360000-0x000000000039A000-memory.dmp	upx
behavioral1/memory/2272-278-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1672-288-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/752-294-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/752-300-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2148-310-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1644-311-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1644-321-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2244-331-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1168-332-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1168-342-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1664-343-0x0000000000400000-0x000000000043A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Modifies registry class 54 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf16bf8aecc17841	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf16bf8aecc17841	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202g.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf16bf8aecc17841	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf16bf8aecc17841	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202g.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf16bf8aecc17841	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202y.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf16bf8aecc17841	5b2940c1f734c625eba22b43729bccb0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf16bf8aecc17841	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202j.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202w.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf16bf8aecc17841	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf16bf8aecc17841	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202p.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf16bf8aecc17841	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf16bf8aecc17841	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf16bf8aecc17841	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5b2940c1f734c625eba22b43729bccb0_NeikiAnalytics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf16bf8aecc17841	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf16bf8aecc17841	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf16bf8aecc17841	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf16bf8aecc17841	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf16bf8aecc17841	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202u.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf16bf8aecc17841	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf16bf8aecc17841	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202k.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf16bf8aecc17841	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202n.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202o.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf16bf8aecc17841	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf16bf8aecc17841	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf16bf8aecc17841	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf16bf8aecc17841	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf16bf8aecc17841	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf16bf8aecc17841	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202h.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = bf16bf8aecc17841	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202m.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 1936	2940	5b2940c1f734c625eba22b43729bccb0_NeikiAnalytics.exe	28
PID 2940 wrote to memory of 1936	2940	5b2940c1f734c625eba22b43729bccb0_NeikiAnalytics.exe	28
PID 2940 wrote to memory of 1936	2940	5b2940c1f734c625eba22b43729bccb0_NeikiAnalytics.exe	28
PID 2940 wrote to memory of 1936	2940	5b2940c1f734c625eba22b43729bccb0_NeikiAnalytics.exe	28
PID 1936 wrote to memory of 2704	1936	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202.exe	29
PID 1936 wrote to memory of 2704	1936	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202.exe	29
PID 1936 wrote to memory of 2704	1936	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202.exe	29
PID 1936 wrote to memory of 2704	1936	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202.exe	29
PID 2704 wrote to memory of 2712	2704	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202a.exe	30
PID 2704 wrote to memory of 2712	2704	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202a.exe	30
PID 2704 wrote to memory of 2712	2704	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202a.exe	30
PID 2704 wrote to memory of 2712	2704	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202a.exe	30
PID 2712 wrote to memory of 2488	2712	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202b.exe	31
PID 2712 wrote to memory of 2488	2712	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202b.exe	31
PID 2712 wrote to memory of 2488	2712	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202b.exe	31
PID 2712 wrote to memory of 2488	2712	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202b.exe	31
PID 2488 wrote to memory of 2464	2488	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202c.exe	32
PID 2488 wrote to memory of 2464	2488	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202c.exe	32
PID 2488 wrote to memory of 2464	2488	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202c.exe	32
PID 2488 wrote to memory of 2464	2488	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202c.exe	32
PID 2464 wrote to memory of 2896	2464	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202d.exe	33
PID 2464 wrote to memory of 2896	2464	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202d.exe	33
PID 2464 wrote to memory of 2896	2464	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202d.exe	33
PID 2464 wrote to memory of 2896	2464	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202d.exe	33
PID 2896 wrote to memory of 2548	2896	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202e.exe	34
PID 2896 wrote to memory of 2548	2896	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202e.exe	34
PID 2896 wrote to memory of 2548	2896	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202e.exe	34
PID 2896 wrote to memory of 2548	2896	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202e.exe	34
PID 2548 wrote to memory of 2916	2548	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202f.exe	35
PID 2548 wrote to memory of 2916	2548	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202f.exe	35
PID 2548 wrote to memory of 2916	2548	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202f.exe	35
PID 2548 wrote to memory of 2916	2548	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202f.exe	35
PID 2916 wrote to memory of 1828	2916	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202g.exe	36
PID 2916 wrote to memory of 1828	2916	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202g.exe	36
PID 2916 wrote to memory of 1828	2916	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202g.exe	36
PID 2916 wrote to memory of 1828	2916	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202g.exe	36
PID 1828 wrote to memory of 1016	1828	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202h.exe	37
PID 1828 wrote to memory of 1016	1828	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202h.exe	37
PID 1828 wrote to memory of 1016	1828	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202h.exe	37
PID 1828 wrote to memory of 1016	1828	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202h.exe	37
PID 1016 wrote to memory of 2424	1016	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202i.exe	38
PID 1016 wrote to memory of 2424	1016	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202i.exe	38
PID 1016 wrote to memory of 2424	1016	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202i.exe	38
PID 1016 wrote to memory of 2424	1016	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202i.exe	38
PID 2424 wrote to memory of 824	2424	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202j.exe	39
PID 2424 wrote to memory of 824	2424	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202j.exe	39
PID 2424 wrote to memory of 824	2424	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202j.exe	39
PID 2424 wrote to memory of 824	2424	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202j.exe	39
PID 824 wrote to memory of 2288	824	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202k.exe	40
PID 824 wrote to memory of 2288	824	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202k.exe	40
PID 824 wrote to memory of 2288	824	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202k.exe	40
PID 824 wrote to memory of 2288	824	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202k.exe	40
PID 2288 wrote to memory of 2336	2288	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202l.exe	41
PID 2288 wrote to memory of 2336	2288	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202l.exe	41
PID 2288 wrote to memory of 2336	2288	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202l.exe	41
PID 2288 wrote to memory of 2336	2288	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202l.exe	41
PID 2336 wrote to memory of 764	2336	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202m.exe	42
PID 2336 wrote to memory of 764	2336	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202m.exe	42
PID 2336 wrote to memory of 764	2336	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202m.exe	42
PID 2336 wrote to memory of 764	2336	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202m.exe	42
PID 764 wrote to memory of 1776	764	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202n.exe	43
PID 764 wrote to memory of 1776	764	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202n.exe	43
PID 764 wrote to memory of 1776	764	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202n.exe	43
PID 764 wrote to memory of 1776	764	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202n.exe	43

C:\Users\Admin\AppData\Local\Temp\5b2940c1f734c625eba22b43729bccb0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5b2940c1f734c625eba22b43729bccb0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2940
- \??\c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202.exe
  c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1936
- - \??\c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202a.exe
    c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202a.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - \??\c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202b.exe
      c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202b.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2712
    - - \??\c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202c.exe
        
        c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202c.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2488
      - \??\c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202d.exe
        
        c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202d.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        \??\c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202e.exe
        
        c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202e.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        \??\c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202f.exe
        
        c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202f.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        \??\c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202g.exe
        
        c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202g.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        \??\c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202h.exe
        
        c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202h.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        \??\c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202i.exe
        
        c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202i.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        \??\c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202j.exe
        
        c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202j.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        \??\c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202k.exe
        
        c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202k.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:824
        
        \??\c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202l.exe
        
        c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202l.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        \??\c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202m.exe
        
        c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202m.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        \??\c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202n.exe
        
        c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202n.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        \??\c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202o.exe
        
        c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202o.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1776
        
        \??\c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202p.exe
        
        c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202p.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:832
        
        \??\c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202q.exe
        
        c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202q.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:448
        
        \??\c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202r.exe
        
        c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202r.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2272
        
        \??\c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202s.exe
        
        c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202s.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1672
        
        \??\c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202t.exe
        
        c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202t.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:752
        
        \??\c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202u.exe
        
        c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202u.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2148
        
        \??\c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202v.exe
        
        c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202v.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1644
        
        \??\c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202w.exe
        
        c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202w.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2244
        
        \??\c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202x.exe
        
        c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202x.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1168
        
        \??\c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202y.exe
        
        c:\users\admin\appdata\local\temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202y.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202.exe

Filesize
278KB

MD5
8d7e7d65eb25f84d094d03ebb69f4dbf

SHA1
8897ddd9f57e1c9c7143ede630cd82480193cf51

SHA256
a0364305f3860c7d857c823404c692a4b7c89a0f84cee125d5533e05753e3093

SHA512
00d6be42080c361469bbb0039dc12d46812418062c6312db59905a78ad8d35b8b001c101eb673a891f647d0cc2aa41888834d351790f24c6f659c2dda548cd02

Download Submit
\Users\Admin\AppData\Local\Temp\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202h.exe

Filesize
278KB

MD5
cec924520f7ed899eac908e32fb3f765

SHA1
ba068f76339f25ff7d03b8e77157f558918b19ad

SHA256
65c474195f3487884bdab7637a54932a8bec524b6a53fa2ae77119934ac6095a

SHA512
fd6a2a85a43aae0c9207fcd914d794b3243b823dfef7188a095adc7cd7ec7c7936ce82e8da74892aa400d4a59b4e4df2aa6a24047631d56c3d60a09e1358fa70

Download Submit
memory/448-266-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/752-300-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/752-294-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/752-296-0x0000000000440000-0x000000000047A000-memory.dmp

Filesize
232KB

Download
memory/764-234-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/764-229-0x00000000002F0000-0x000000000032A000-memory.dmp

Filesize
232KB

Download
memory/764-220-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/824-189-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/832-256-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1016-161-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1168-332-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1168-342-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1644-311-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1644-321-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1664-343-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1672-288-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1776-246-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1828-141-0x0000000000350000-0x000000000038A000-memory.dmp

Filesize
232KB

Download
memory/1828-146-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1828-132-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1936-21-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1936-28-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2148-310-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2244-331-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2272-278-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2272-267-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2272-274-0x0000000000360000-0x000000000039A000-memory.dmp

Filesize
232KB

Download
memory/2288-203-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2288-190-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2336-219-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2336-205-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2424-174-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2464-73-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2464-86-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2488-72-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2548-115-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2548-102-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2704-44-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2704-36-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2712-57-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2896-101-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2916-125-0x0000000000540000-0x000000000057A000-memory.dmp

Filesize
232KB

Download
memory/2916-131-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2940-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2940-14-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2940-8-0x0000000000290000-0x00000000002CA000-memory.dmp

Filesize
232KB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202r.exe\""	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202e.exe\""	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202d.exe\""	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202j.exe\""	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202i.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202q.exe\""	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202.exe\""	5b2940c1f734c625eba22b43729bccb0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202f.exe\""	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202h.exe\""	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202i.exe\""	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202s.exe\""	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202t.exe\""	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202x.exe\""	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202w.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202b.exe\""	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202m.exe\""	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202c.exe\""	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202k.exe\""	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202l.exe\""	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202a.exe\""	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202g.exe\""	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202u.exe\""	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202p.exe\""	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202v.exe\""	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202w.exe\""	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202n.exe\""	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202y.exe\""	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202o.exe\""	5b2940c1f734c625eba22b43729bccb0_neikianalytics_3202n.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads