Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
17/05/2024, 20:27
General
-
Target
2be9233367cf3a95c63505a0a5132080_NeikiAnalytics.exe
-
Size
64KB
-
MD5
2be9233367cf3a95c63505a0a5132080
-
SHA1
b9211a5d347fe4719ed90c2291e184bc19156bd2
-
SHA256
8f96e7c46536ed8940c7950aa8525fcd57f40d118a2c417bbae4682a0bebc14b
-
SHA512
c145ddd1ffacfa29be69537659a506ab6971f76121125f5f4c5ec69ff812ae0f6b996110a576ecebe00bb9909520d1b598485dbb48a00834f7fde349ebd7b46a
-
SSDEEP
384:ObIwOs8AHsc4sMDwhKQLro64/CFsrdHWMZp:OEw9816vhKQLro64/wQpWMZp
Malware Config
Signatures
-
Modifies Installed Components in the registry 2 TTPs 24 IoCs
-
Executes dropped EXE 12 IoCs
-
Drops file in Windows directory 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2be9233367cf3a95c63505a0a5132080_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\2be9233367cf3a95c63505a0a5132080_NeikiAnalytics.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{64C6B4FC-17EB-4e2d-B3AE-DF5F0626B704}.exeC:\Windows\{64C6B4FC-17EB-4e2d-B3AE-DF5F0626B704}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{3AF59DC5-BB63-4e0f-B514-AB199DD2D8AB}.exeC:\Windows\{3AF59DC5-BB63-4e0f-B514-AB199DD2D8AB}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{ED40F526-F6A3-472d-B672-D07C525D874D}.exeC:\Windows\{ED40F526-F6A3-472d-B672-D07C525D874D}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{20E83C20-9485-4e57-9547-B8A623E96C4D}.exeC:\Windows\{20E83C20-9485-4e57-9547-B8A623E96C4D}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{F8C35520-FB1C-49ad-99F0-D95DE817462D}.exeC:\Windows\{F8C35520-FB1C-49ad-99F0-D95DE817462D}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{9A75F5F8-ECC5-4b5f-BBFB-D3B1B5F5EE75}.exeC:\Windows\{9A75F5F8-ECC5-4b5f-BBFB-D3B1B5F5EE75}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{29CAFED0-A94B-4796-A70F-11C0647417BD}.exeC:\Windows\{29CAFED0-A94B-4796-A70F-11C0647417BD}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{4E1A5BF0-F9F8-461b-958B-303013E7F8D1}.exeC:\Windows\{4E1A5BF0-F9F8-461b-958B-303013E7F8D1}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{894DF83B-1388-4178-889F-35FC92B8DAAF}.exeC:\Windows\{894DF83B-1388-4178-889F-35FC92B8DAAF}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{B9CD28EC-6CD4-4c0d-A3DC-23B033FD2136}.exeC:\Windows\{B9CD28EC-6CD4-4c0d-A3DC-23B033FD2136}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{900DF0F4-65EB-4100-BC2B-FCFB383DA488}.exeC:\Windows\{900DF0F4-65EB-4100-BC2B-FCFB383DA488}.exe12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{1EE90915-417E-4aba-B57D-0203E8C619DC}.exeC:\Windows\{1EE90915-417E-4aba-B57D-0203E8C619DC}.exe13⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{900DF~1.EXE > nul13⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{B9CD2~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{894DF~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{4E1A5~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{29CAF~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{9A75F~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{F8C35~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{20E83~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{ED40F~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{3AF59~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{64C6B~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2BE923~1.EXE > nul2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
MD562c8aa5424a1e661bab0a5456a9758e3
SHA14b43d4f66d4d4cd452fd2ffaea6baf6d1d627130
SHA256e88caecc7042ba2e9d4d96654ac667b09d36dba9696c1102f6308a7b641ce080
SHA5120633ab332d8743ae5b16a4cc81b2a7c559ca26bd7f7b95a81829016bdff683c9ddc09fbb189186fc9c99dc5bf04b7523577484a301dda9f40485b570cba060c4
-
Filesize
64KB
MD579e6d760a7f196e36770571a8f1a1cb5
SHA156753fbf44474c960f7b75259d4105c981008c04
SHA2569e9918bed1aa4d66d8584d4134ae070ed250ea24b6840465c724cd1f7e0fbb1b
SHA512b9d3d85e3a205447ad15291701410ea2d56886b33e10275c050d7c626aedfab756f0c9f5f120fc82e9f518cce924f6177da0f3ba64d9b10ecfc25652d9a74378
-
Filesize
64KB
MD5cd1e9af7a72501e85b9647b76577ddce
SHA19fe53a0cbfb1d10df10f8fae66f82f37d29d91f7
SHA256fe9f2ee8e3e688e0702246e235c8127eb5830d74f3a93997af4504a89b479959
SHA5127df094ebf305aa7a553d00c731c4847f2c11bbdc696d1cffddcf51b0c0969a9db7386c60a7f8694404ccb7f3f3855b56658693555ce07ec0ab1aa070aa4acbe4
-
Filesize
64KB
MD5cd61fd7c97ec850a3f1ffc28e93a9226
SHA132ea74822f1d7c21e6a017326b4f6b51c28857a4
SHA256c76aaf415b2502dd2bdd93d3df2512705188761a778a9b4437d7193ced041b1c
SHA5124f3aea181c13f5f9151f2dac99624503865efb5b2c266c5e52fa978db6f5b69781e095302fedf69769edb64eb2cb537f42763652e60888efb316bb8b8637b2e0
-
Filesize
64KB
MD5e67b8c89e5b20e510d2755067008460e
SHA1fa128a8a4988baeecc323d7264c8b4963dbf42b3
SHA256bd382211b00e0a382d747dccf41d5367406549258c8c532df7c1e3d43ab448ba
SHA51205e9bd62680ade0dfb61fcd79e4fe7d86b06291d143248f8d1c6ad706c1574a1dab1f737fd6045d7409c598b4c35e5aa9d0a7bbf00acca95138b9b17a65d2dd1
-
Filesize
64KB
MD5205e79a40cb188561b0e3d253eb6079a
SHA12882b1cae9da740390d0c79bf6666809f3740fbb
SHA25610064f0bc84e2c87c672ef1b32b6677e7d1c565efc1eb0942f96b1a31db85c18
SHA5128553f2e021349d4b12aa0da057092856a9a5fa14a08592b3de6a0e884dc68748d1aa51583e0c3bddd258ee46be84504099817086a6f5068566cd99ba805cd8e3
-
Filesize
64KB
MD56fd6bcd855311decefef493447dd476a
SHA1538157302abf2dc623db98181f3bb1ec9c608d43
SHA256f790a51b76344dabebc3b1bc7f4c12d117a100458ad82bf1799264a46d157326
SHA51241fdfb843446a38fb441ae742039478278d2364e11a0c7a83689262690050afb5d857d38cb5cf064d462b766a6c49f69a1b4c44dbb248d28766252acbe1c2bd9
-
Filesize
64KB
MD5e47f398bb80be07e07966bc17d3b1f72
SHA185ad531c9d6042b93349eeef909ea1e9b9950f3d
SHA256794f298b2965e797e9ffaa71a60b862dfd22227b6df1aa9d578f5d7b55ca2580
SHA512e37c38b256ccf6e4ff7fe87195104c4bc6c4c1d5e79a41f15b589b75577e866d3b389093e32aadd558f4fb2ee927d765237dc7b3a8681f1ea3fc2a152f3547c8
-
Filesize
64KB
MD55fda1b7c301bfc729d3e18444b15bb77
SHA1ef0100d8e21dae304153d3af4a85292df6f42fc7
SHA256fb8ea5cd76fa6ab04515aea2f1721c72cf5ca53de6620b156a71a6bd1307f276
SHA5129be883c99e957ce43c788b8a47daacc9c202243aef2473111bc59991b9868807bedd262d32d67cb449bb575cc92d48e570bb9c811f4bfe256713fc3507a94865
-
Filesize
64KB
MD567f2ede70fa31afa19cf3403e9bdbe3e
SHA1c4fee912044f0e4cd21140851420b1cae631cb96
SHA256c652237aaf63354ef60be4f373f7e320f2982567308a2237647aba4013076d0f
SHA512fb7516609e72f6f77f7111492babab40644c995d7a3b3518e3bd3bd77d0da7a32fc33a6be285125e1c483af13a3ca33d0eaa2dfdc7d1b9b5852ff2e201b1b76f
-
Filesize
64KB
MD54c6841c4e962f6b4855f0e9a9ede8430
SHA19036893e336c24d3847b81ed46a64e1edc8492fe
SHA2569d891d44b9fad7a215e6f4a00add28a34d590ecd25c612a24ce6a2db8aa3ead7
SHA512ec1ad49210b9f40c784488fbed946d6dfebea9765a13f359f3819683cbba654bdc48837334370a32c491d498fadca7440f5d9b7b5a23c131c0051cab0f83c279
-
Filesize
64KB
MD55678b4ce33566a6a8309c0b43925d198
SHA117c2b4ae3c27a2d885d6104390bde257d2165c36
SHA25607d41f959b04aa24d3fc05428dd8226446c05d3d034d65c8c71d645499877498
SHA5121574b202636f559fc9a7a29546f881bf8403f2afe9e09024440ce5b583b91fd723d38bb0120dd73cae211a07326fddf42ed8d6c142aa66e5ede7cdec41d9be30
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB