d3e5e4cab95c2fa65cb8d21646c985b5e1611fed3607e35c9d83098b50609099

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 22:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4fdcbdd229aec3da3a9a6dd4c64333d0_NeikiAnalytics.exe
Size

64KB
MD5

4fdcbdd229aec3da3a9a6dd4c64333d0
SHA1

3a543d5e57a1e5e2bac55969b0f6cfd053137fa7
SHA256

d3e5e4cab95c2fa65cb8d21646c985b5e1611fed3607e35c9d83098b50609099
SHA512

ce32bcc72798f510d32d2768dddf2293fb328904a5c187852ddac5e9fac18fb06103935017a33d8bdc3af9dae8a4aa29c97495125c4d406485b0f4a8d6875423
SSDEEP

192:ObOzawOs81elJHsc45CcRZOgtSWcWaOT2QLrCqwKY04/CFxyNhoy5tR:ObLwOs8AHsc4sMfwIKQLrog4/CFsrdR

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{7D463CCF-ADF9-44cc-A5B9-8F1837034A5A}.exe{844595A9-4963-402e-B863-AB839E802638}.exe{3E631A4A-1F3D-4f90-ADA5-7236F8D20A52}.exe{722C734F-B412-40fe-BE27-30D93D40E90E}.exe{C6E3F327-02BF-4dfe-A1F6-83EA43DD0CD3}.exe{611CF4FA-6F17-4ddd-B07B-75C604FF87F1}.exe{5F5F2611-C576-41b7-A490-9BB1B55C8224}.exe{C24F835B-5A73-4e8b-A387-7E0C2F75FB72}.exe{941E95F4-1FA2-48ca-B0E8-C7A8172968AA}.exe4fdcbdd229aec3da3a9a6dd4c64333d0_NeikiAnalytics.exe{B93C10D1-DFD8-49e3-A705-BB56619B8EB1}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FC82451-3141-411e-934B-9D19085A4DE8}	{7D463CCF-ADF9-44cc-A5B9-8F1837034A5A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FC82451-3141-411e-934B-9D19085A4DE8}\stubpath = "C:\\Windows\\{9FC82451-3141-411e-934B-9D19085A4DE8}.exe"	{7D463CCF-ADF9-44cc-A5B9-8F1837034A5A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E631A4A-1F3D-4f90-ADA5-7236F8D20A52}	{844595A9-4963-402e-B863-AB839E802638}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{611CF4FA-6F17-4ddd-B07B-75C604FF87F1}	{3E631A4A-1F3D-4f90-ADA5-7236F8D20A52}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6E3F327-02BF-4dfe-A1F6-83EA43DD0CD3}\stubpath = "C:\\Windows\\{C6E3F327-02BF-4dfe-A1F6-83EA43DD0CD3}.exe"	{722C734F-B412-40fe-BE27-30D93D40E90E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{941E95F4-1FA2-48ca-B0E8-C7A8172968AA}\stubpath = "C:\\Windows\\{941E95F4-1FA2-48ca-B0E8-C7A8172968AA}.exe"	{C6E3F327-02BF-4dfe-A1F6-83EA43DD0CD3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F5F2611-C576-41b7-A490-9BB1B55C8224}	{611CF4FA-6F17-4ddd-B07B-75C604FF87F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F5F2611-C576-41b7-A490-9BB1B55C8224}\stubpath = "C:\\Windows\\{5F5F2611-C576-41b7-A490-9BB1B55C8224}.exe"	{611CF4FA-6F17-4ddd-B07B-75C604FF87F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{722C734F-B412-40fe-BE27-30D93D40E90E}\stubpath = "C:\\Windows\\{722C734F-B412-40fe-BE27-30D93D40E90E}.exe"	{5F5F2611-C576-41b7-A490-9BB1B55C8224}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6E3F327-02BF-4dfe-A1F6-83EA43DD0CD3}	{722C734F-B412-40fe-BE27-30D93D40E90E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B93C10D1-DFD8-49e3-A705-BB56619B8EB1}	{C24F835B-5A73-4e8b-A387-7E0C2F75FB72}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B93C10D1-DFD8-49e3-A705-BB56619B8EB1}\stubpath = "C:\\Windows\\{B93C10D1-DFD8-49e3-A705-BB56619B8EB1}.exe"	{C24F835B-5A73-4e8b-A387-7E0C2F75FB72}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E631A4A-1F3D-4f90-ADA5-7236F8D20A52}\stubpath = "C:\\Windows\\{3E631A4A-1F3D-4f90-ADA5-7236F8D20A52}.exe"	{844595A9-4963-402e-B863-AB839E802638}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{611CF4FA-6F17-4ddd-B07B-75C604FF87F1}\stubpath = "C:\\Windows\\{611CF4FA-6F17-4ddd-B07B-75C604FF87F1}.exe"	{3E631A4A-1F3D-4f90-ADA5-7236F8D20A52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D463CCF-ADF9-44cc-A5B9-8F1837034A5A}	{941E95F4-1FA2-48ca-B0E8-C7A8172968AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D463CCF-ADF9-44cc-A5B9-8F1837034A5A}\stubpath = "C:\\Windows\\{7D463CCF-ADF9-44cc-A5B9-8F1837034A5A}.exe"	{941E95F4-1FA2-48ca-B0E8-C7A8172968AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C24F835B-5A73-4e8b-A387-7E0C2F75FB72}	4fdcbdd229aec3da3a9a6dd4c64333d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{844595A9-4963-402e-B863-AB839E802638}\stubpath = "C:\\Windows\\{844595A9-4963-402e-B863-AB839E802638}.exe"	{B93C10D1-DFD8-49e3-A705-BB56619B8EB1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{941E95F4-1FA2-48ca-B0E8-C7A8172968AA}	{C6E3F327-02BF-4dfe-A1F6-83EA43DD0CD3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C24F835B-5A73-4e8b-A387-7E0C2F75FB72}\stubpath = "C:\\Windows\\{C24F835B-5A73-4e8b-A387-7E0C2F75FB72}.exe"	4fdcbdd229aec3da3a9a6dd4c64333d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{844595A9-4963-402e-B863-AB839E802638}	{B93C10D1-DFD8-49e3-A705-BB56619B8EB1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{722C734F-B412-40fe-BE27-30D93D40E90E}	{5F5F2611-C576-41b7-A490-9BB1B55C8224}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2712 cmd.exe

pid	process
2712	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{C24F835B-5A73-4e8b-A387-7E0C2F75FB72}.exe{B93C10D1-DFD8-49e3-A705-BB56619B8EB1}.exe{844595A9-4963-402e-B863-AB839E802638}.exe{3E631A4A-1F3D-4f90-ADA5-7236F8D20A52}.exe{611CF4FA-6F17-4ddd-B07B-75C604FF87F1}.exe{5F5F2611-C576-41b7-A490-9BB1B55C8224}.exe{722C734F-B412-40fe-BE27-30D93D40E90E}.exe{C6E3F327-02BF-4dfe-A1F6-83EA43DD0CD3}.exe{941E95F4-1FA2-48ca-B0E8-C7A8172968AA}.exe{7D463CCF-ADF9-44cc-A5B9-8F1837034A5A}.exe{9FC82451-3141-411e-934B-9D19085A4DE8}.exe

pid	process
1296	{C24F835B-5A73-4e8b-A387-7E0C2F75FB72}.exe
2720	{B93C10D1-DFD8-49e3-A705-BB56619B8EB1}.exe
2100	{844595A9-4963-402e-B863-AB839E802638}.exe
1352	{3E631A4A-1F3D-4f90-ADA5-7236F8D20A52}.exe
2828	{611CF4FA-6F17-4ddd-B07B-75C604FF87F1}.exe
1336	{5F5F2611-C576-41b7-A490-9BB1B55C8224}.exe
1600	{722C734F-B412-40fe-BE27-30D93D40E90E}.exe
2300	{C6E3F327-02BF-4dfe-A1F6-83EA43DD0CD3}.exe
2868	{941E95F4-1FA2-48ca-B0E8-C7A8172968AA}.exe
2876	{7D463CCF-ADF9-44cc-A5B9-8F1837034A5A}.exe
1912	{9FC82451-3141-411e-934B-9D19085A4DE8}.exe

Drops file in Windows directory 11 IoCs

Processes:

4fdcbdd229aec3da3a9a6dd4c64333d0_NeikiAnalytics.exe{844595A9-4963-402e-B863-AB839E802638}.exe{941E95F4-1FA2-48ca-B0E8-C7A8172968AA}.exe{7D463CCF-ADF9-44cc-A5B9-8F1837034A5A}.exe{C24F835B-5A73-4e8b-A387-7E0C2F75FB72}.exe{B93C10D1-DFD8-49e3-A705-BB56619B8EB1}.exe{3E631A4A-1F3D-4f90-ADA5-7236F8D20A52}.exe{611CF4FA-6F17-4ddd-B07B-75C604FF87F1}.exe{5F5F2611-C576-41b7-A490-9BB1B55C8224}.exe{722C734F-B412-40fe-BE27-30D93D40E90E}.exe{C6E3F327-02BF-4dfe-A1F6-83EA43DD0CD3}.exe

description	ioc	process
File created	C:\Windows\{C24F835B-5A73-4e8b-A387-7E0C2F75FB72}.exe	4fdcbdd229aec3da3a9a6dd4c64333d0_NeikiAnalytics.exe
File created	C:\Windows\{3E631A4A-1F3D-4f90-ADA5-7236F8D20A52}.exe	{844595A9-4963-402e-B863-AB839E802638}.exe
File created	C:\Windows\{7D463CCF-ADF9-44cc-A5B9-8F1837034A5A}.exe	{941E95F4-1FA2-48ca-B0E8-C7A8172968AA}.exe
File created	C:\Windows\{9FC82451-3141-411e-934B-9D19085A4DE8}.exe	{7D463CCF-ADF9-44cc-A5B9-8F1837034A5A}.exe
File created	C:\Windows\{B93C10D1-DFD8-49e3-A705-BB56619B8EB1}.exe	{C24F835B-5A73-4e8b-A387-7E0C2F75FB72}.exe
File created	C:\Windows\{844595A9-4963-402e-B863-AB839E802638}.exe	{B93C10D1-DFD8-49e3-A705-BB56619B8EB1}.exe
File created	C:\Windows\{611CF4FA-6F17-4ddd-B07B-75C604FF87F1}.exe	{3E631A4A-1F3D-4f90-ADA5-7236F8D20A52}.exe
File created	C:\Windows\{5F5F2611-C576-41b7-A490-9BB1B55C8224}.exe	{611CF4FA-6F17-4ddd-B07B-75C604FF87F1}.exe
File created	C:\Windows\{722C734F-B412-40fe-BE27-30D93D40E90E}.exe	{5F5F2611-C576-41b7-A490-9BB1B55C8224}.exe
File created	C:\Windows\{C6E3F327-02BF-4dfe-A1F6-83EA43DD0CD3}.exe	{722C734F-B412-40fe-BE27-30D93D40E90E}.exe
File created	C:\Windows\{941E95F4-1FA2-48ca-B0E8-C7A8172968AA}.exe	{C6E3F327-02BF-4dfe-A1F6-83EA43DD0CD3}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

4fdcbdd229aec3da3a9a6dd4c64333d0_NeikiAnalytics.exe{C24F835B-5A73-4e8b-A387-7E0C2F75FB72}.exe{B93C10D1-DFD8-49e3-A705-BB56619B8EB1}.exe{844595A9-4963-402e-B863-AB839E802638}.exe{3E631A4A-1F3D-4f90-ADA5-7236F8D20A52}.exe{611CF4FA-6F17-4ddd-B07B-75C604FF87F1}.exe{5F5F2611-C576-41b7-A490-9BB1B55C8224}.exe{722C734F-B412-40fe-BE27-30D93D40E90E}.exe{C6E3F327-02BF-4dfe-A1F6-83EA43DD0CD3}.exe{941E95F4-1FA2-48ca-B0E8-C7A8172968AA}.exe{7D463CCF-ADF9-44cc-A5B9-8F1837034A5A}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1760	4fdcbdd229aec3da3a9a6dd4c64333d0_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	1296	{C24F835B-5A73-4e8b-A387-7E0C2F75FB72}.exe
Token: SeIncBasePriorityPrivilege	2720	{B93C10D1-DFD8-49e3-A705-BB56619B8EB1}.exe
Token: SeIncBasePriorityPrivilege	2100	{844595A9-4963-402e-B863-AB839E802638}.exe
Token: SeIncBasePriorityPrivilege	1352	{3E631A4A-1F3D-4f90-ADA5-7236F8D20A52}.exe
Token: SeIncBasePriorityPrivilege	2828	{611CF4FA-6F17-4ddd-B07B-75C604FF87F1}.exe
Token: SeIncBasePriorityPrivilege	1336	{5F5F2611-C576-41b7-A490-9BB1B55C8224}.exe
Token: SeIncBasePriorityPrivilege	1600	{722C734F-B412-40fe-BE27-30D93D40E90E}.exe
Token: SeIncBasePriorityPrivilege	2300	{C6E3F327-02BF-4dfe-A1F6-83EA43DD0CD3}.exe
Token: SeIncBasePriorityPrivilege	2868	{941E95F4-1FA2-48ca-B0E8-C7A8172968AA}.exe
Token: SeIncBasePriorityPrivilege	2876	{7D463CCF-ADF9-44cc-A5B9-8F1837034A5A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1760 wrote to memory of 1296	1760	4fdcbdd229aec3da3a9a6dd4c64333d0_NeikiAnalytics.exe	{C24F835B-5A73-4e8b-A387-7E0C2F75FB72}.exe
PID 1760 wrote to memory of 1296	1760	4fdcbdd229aec3da3a9a6dd4c64333d0_NeikiAnalytics.exe	{C24F835B-5A73-4e8b-A387-7E0C2F75FB72}.exe
PID 1760 wrote to memory of 1296	1760	4fdcbdd229aec3da3a9a6dd4c64333d0_NeikiAnalytics.exe	{C24F835B-5A73-4e8b-A387-7E0C2F75FB72}.exe
PID 1760 wrote to memory of 1296	1760	4fdcbdd229aec3da3a9a6dd4c64333d0_NeikiAnalytics.exe	{C24F835B-5A73-4e8b-A387-7E0C2F75FB72}.exe
PID 1760 wrote to memory of 2712	1760	4fdcbdd229aec3da3a9a6dd4c64333d0_NeikiAnalytics.exe	cmd.exe
PID 1760 wrote to memory of 2712	1760	4fdcbdd229aec3da3a9a6dd4c64333d0_NeikiAnalytics.exe	cmd.exe
PID 1760 wrote to memory of 2712	1760	4fdcbdd229aec3da3a9a6dd4c64333d0_NeikiAnalytics.exe	cmd.exe
PID 1760 wrote to memory of 2712	1760	4fdcbdd229aec3da3a9a6dd4c64333d0_NeikiAnalytics.exe	cmd.exe
PID 1296 wrote to memory of 2720	1296	{C24F835B-5A73-4e8b-A387-7E0C2F75FB72}.exe	{B93C10D1-DFD8-49e3-A705-BB56619B8EB1}.exe
PID 1296 wrote to memory of 2720	1296	{C24F835B-5A73-4e8b-A387-7E0C2F75FB72}.exe	{B93C10D1-DFD8-49e3-A705-BB56619B8EB1}.exe
PID 1296 wrote to memory of 2720	1296	{C24F835B-5A73-4e8b-A387-7E0C2F75FB72}.exe	{B93C10D1-DFD8-49e3-A705-BB56619B8EB1}.exe
PID 1296 wrote to memory of 2720	1296	{C24F835B-5A73-4e8b-A387-7E0C2F75FB72}.exe	{B93C10D1-DFD8-49e3-A705-BB56619B8EB1}.exe
PID 1296 wrote to memory of 2804	1296	{C24F835B-5A73-4e8b-A387-7E0C2F75FB72}.exe	cmd.exe
PID 1296 wrote to memory of 2804	1296	{C24F835B-5A73-4e8b-A387-7E0C2F75FB72}.exe	cmd.exe
PID 1296 wrote to memory of 2804	1296	{C24F835B-5A73-4e8b-A387-7E0C2F75FB72}.exe	cmd.exe
PID 1296 wrote to memory of 2804	1296	{C24F835B-5A73-4e8b-A387-7E0C2F75FB72}.exe	cmd.exe
PID 2720 wrote to memory of 2100	2720	{B93C10D1-DFD8-49e3-A705-BB56619B8EB1}.exe	{844595A9-4963-402e-B863-AB839E802638}.exe
PID 2720 wrote to memory of 2100	2720	{B93C10D1-DFD8-49e3-A705-BB56619B8EB1}.exe	{844595A9-4963-402e-B863-AB839E802638}.exe
PID 2720 wrote to memory of 2100	2720	{B93C10D1-DFD8-49e3-A705-BB56619B8EB1}.exe	{844595A9-4963-402e-B863-AB839E802638}.exe
PID 2720 wrote to memory of 2100	2720	{B93C10D1-DFD8-49e3-A705-BB56619B8EB1}.exe	{844595A9-4963-402e-B863-AB839E802638}.exe
PID 2720 wrote to memory of 572	2720	{B93C10D1-DFD8-49e3-A705-BB56619B8EB1}.exe	cmd.exe
PID 2720 wrote to memory of 572	2720	{B93C10D1-DFD8-49e3-A705-BB56619B8EB1}.exe	cmd.exe
PID 2720 wrote to memory of 572	2720	{B93C10D1-DFD8-49e3-A705-BB56619B8EB1}.exe	cmd.exe
PID 2720 wrote to memory of 572	2720	{B93C10D1-DFD8-49e3-A705-BB56619B8EB1}.exe	cmd.exe
PID 2100 wrote to memory of 1352	2100	{844595A9-4963-402e-B863-AB839E802638}.exe	{3E631A4A-1F3D-4f90-ADA5-7236F8D20A52}.exe
PID 2100 wrote to memory of 1352	2100	{844595A9-4963-402e-B863-AB839E802638}.exe	{3E631A4A-1F3D-4f90-ADA5-7236F8D20A52}.exe
PID 2100 wrote to memory of 1352	2100	{844595A9-4963-402e-B863-AB839E802638}.exe	{3E631A4A-1F3D-4f90-ADA5-7236F8D20A52}.exe
PID 2100 wrote to memory of 1352	2100	{844595A9-4963-402e-B863-AB839E802638}.exe	{3E631A4A-1F3D-4f90-ADA5-7236F8D20A52}.exe
PID 2100 wrote to memory of 1728	2100	{844595A9-4963-402e-B863-AB839E802638}.exe	cmd.exe
PID 2100 wrote to memory of 1728	2100	{844595A9-4963-402e-B863-AB839E802638}.exe	cmd.exe
PID 2100 wrote to memory of 1728	2100	{844595A9-4963-402e-B863-AB839E802638}.exe	cmd.exe
PID 2100 wrote to memory of 1728	2100	{844595A9-4963-402e-B863-AB839E802638}.exe	cmd.exe
PID 1352 wrote to memory of 2828	1352	{3E631A4A-1F3D-4f90-ADA5-7236F8D20A52}.exe	{611CF4FA-6F17-4ddd-B07B-75C604FF87F1}.exe
PID 1352 wrote to memory of 2828	1352	{3E631A4A-1F3D-4f90-ADA5-7236F8D20A52}.exe	{611CF4FA-6F17-4ddd-B07B-75C604FF87F1}.exe
PID 1352 wrote to memory of 2828	1352	{3E631A4A-1F3D-4f90-ADA5-7236F8D20A52}.exe	{611CF4FA-6F17-4ddd-B07B-75C604FF87F1}.exe
PID 1352 wrote to memory of 2828	1352	{3E631A4A-1F3D-4f90-ADA5-7236F8D20A52}.exe	{611CF4FA-6F17-4ddd-B07B-75C604FF87F1}.exe
PID 1352 wrote to memory of 2960	1352	{3E631A4A-1F3D-4f90-ADA5-7236F8D20A52}.exe	cmd.exe
PID 1352 wrote to memory of 2960	1352	{3E631A4A-1F3D-4f90-ADA5-7236F8D20A52}.exe	cmd.exe
PID 1352 wrote to memory of 2960	1352	{3E631A4A-1F3D-4f90-ADA5-7236F8D20A52}.exe	cmd.exe
PID 1352 wrote to memory of 2960	1352	{3E631A4A-1F3D-4f90-ADA5-7236F8D20A52}.exe	cmd.exe
PID 2828 wrote to memory of 1336	2828	{611CF4FA-6F17-4ddd-B07B-75C604FF87F1}.exe	{5F5F2611-C576-41b7-A490-9BB1B55C8224}.exe
PID 2828 wrote to memory of 1336	2828	{611CF4FA-6F17-4ddd-B07B-75C604FF87F1}.exe	{5F5F2611-C576-41b7-A490-9BB1B55C8224}.exe
PID 2828 wrote to memory of 1336	2828	{611CF4FA-6F17-4ddd-B07B-75C604FF87F1}.exe	{5F5F2611-C576-41b7-A490-9BB1B55C8224}.exe
PID 2828 wrote to memory of 1336	2828	{611CF4FA-6F17-4ddd-B07B-75C604FF87F1}.exe	{5F5F2611-C576-41b7-A490-9BB1B55C8224}.exe
PID 2828 wrote to memory of 2632	2828	{611CF4FA-6F17-4ddd-B07B-75C604FF87F1}.exe	cmd.exe
PID 2828 wrote to memory of 2632	2828	{611CF4FA-6F17-4ddd-B07B-75C604FF87F1}.exe	cmd.exe
PID 2828 wrote to memory of 2632	2828	{611CF4FA-6F17-4ddd-B07B-75C604FF87F1}.exe	cmd.exe
PID 2828 wrote to memory of 2632	2828	{611CF4FA-6F17-4ddd-B07B-75C604FF87F1}.exe	cmd.exe
PID 1336 wrote to memory of 1600	1336	{5F5F2611-C576-41b7-A490-9BB1B55C8224}.exe	{722C734F-B412-40fe-BE27-30D93D40E90E}.exe
PID 1336 wrote to memory of 1600	1336	{5F5F2611-C576-41b7-A490-9BB1B55C8224}.exe	{722C734F-B412-40fe-BE27-30D93D40E90E}.exe
PID 1336 wrote to memory of 1600	1336	{5F5F2611-C576-41b7-A490-9BB1B55C8224}.exe	{722C734F-B412-40fe-BE27-30D93D40E90E}.exe
PID 1336 wrote to memory of 1600	1336	{5F5F2611-C576-41b7-A490-9BB1B55C8224}.exe	{722C734F-B412-40fe-BE27-30D93D40E90E}.exe
PID 1336 wrote to memory of 1480	1336	{5F5F2611-C576-41b7-A490-9BB1B55C8224}.exe	cmd.exe
PID 1336 wrote to memory of 1480	1336	{5F5F2611-C576-41b7-A490-9BB1B55C8224}.exe	cmd.exe
PID 1336 wrote to memory of 1480	1336	{5F5F2611-C576-41b7-A490-9BB1B55C8224}.exe	cmd.exe
PID 1336 wrote to memory of 1480	1336	{5F5F2611-C576-41b7-A490-9BB1B55C8224}.exe	cmd.exe
PID 1600 wrote to memory of 2300	1600	{722C734F-B412-40fe-BE27-30D93D40E90E}.exe	{C6E3F327-02BF-4dfe-A1F6-83EA43DD0CD3}.exe
PID 1600 wrote to memory of 2300	1600	{722C734F-B412-40fe-BE27-30D93D40E90E}.exe	{C6E3F327-02BF-4dfe-A1F6-83EA43DD0CD3}.exe
PID 1600 wrote to memory of 2300	1600	{722C734F-B412-40fe-BE27-30D93D40E90E}.exe	{C6E3F327-02BF-4dfe-A1F6-83EA43DD0CD3}.exe
PID 1600 wrote to memory of 2300	1600	{722C734F-B412-40fe-BE27-30D93D40E90E}.exe	{C6E3F327-02BF-4dfe-A1F6-83EA43DD0CD3}.exe
PID 1600 wrote to memory of 1820	1600	{722C734F-B412-40fe-BE27-30D93D40E90E}.exe	cmd.exe
PID 1600 wrote to memory of 1820	1600	{722C734F-B412-40fe-BE27-30D93D40E90E}.exe	cmd.exe
PID 1600 wrote to memory of 1820	1600	{722C734F-B412-40fe-BE27-30D93D40E90E}.exe	cmd.exe
PID 1600 wrote to memory of 1820	1600	{722C734F-B412-40fe-BE27-30D93D40E90E}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\4fdcbdd229aec3da3a9a6dd4c64333d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4fdcbdd229aec3da3a9a6dd4c64333d0_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\{C24F835B-5A73-4e8b-A387-7E0C2F75FB72}.exe
  C:\Windows\{C24F835B-5A73-4e8b-A387-7E0C2F75FB72}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Windows\{B93C10D1-DFD8-49e3-A705-BB56619B8EB1}.exe
    C:\Windows\{B93C10D1-DFD8-49e3-A705-BB56619B8EB1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\{844595A9-4963-402e-B863-AB839E802638}.exe
      C:\Windows\{844595A9-4963-402e-B863-AB839E802638}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2100
    - - C:\Windows\{3E631A4A-1F3D-4f90-ADA5-7236F8D20A52}.exe
        
        C:\Windows\{3E631A4A-1F3D-4f90-ADA5-7236F8D20A52}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1352
      - C:\Windows\{611CF4FA-6F17-4ddd-B07B-75C604FF87F1}.exe
        
        C:\Windows\{611CF4FA-6F17-4ddd-B07B-75C604FF87F1}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\{5F5F2611-C576-41b7-A490-9BB1B55C8224}.exe
        
        C:\Windows\{5F5F2611-C576-41b7-A490-9BB1B55C8224}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\{722C734F-B412-40fe-BE27-30D93D40E90E}.exe
        
        C:\Windows\{722C734F-B412-40fe-BE27-30D93D40E90E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\{C6E3F327-02BF-4dfe-A1F6-83EA43DD0CD3}.exe
        
        C:\Windows\{C6E3F327-02BF-4dfe-A1F6-83EA43DD0CD3}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
        
        C:\Windows\{941E95F4-1FA2-48ca-B0E8-C7A8172968AA}.exe
        
        C:\Windows\{941E95F4-1FA2-48ca-B0E8-C7A8172968AA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
        
        C:\Windows\{7D463CCF-ADF9-44cc-A5B9-8F1837034A5A}.exe
        
        C:\Windows\{7D463CCF-ADF9-44cc-A5B9-8F1837034A5A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
        
        C:\Windows\{9FC82451-3141-411e-934B-9D19085A4DE8}.exe
        
        C:\Windows\{9FC82451-3141-411e-934B-9D19085A4DE8}.exe
        12⤵
        Executes dropped EXE
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D463~1.EXE > nul
        12⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{941E9~1.EXE > nul
        11⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6E3F~1.EXE > nul
        10⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{722C7~1.EXE > nul
        9⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F5F2~1.EXE > nul
        8⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{611CF~1.EXE > nul
        7⤵
        
        PID:2632
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E631~1.EXE > nul
        6⤵
        
        PID:2960
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{84459~1.EXE > nul
        5⤵
        
        PID:1728
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B93C1~1.EXE > nul
      4⤵
      PID:572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C24F8~1.EXE > nul
    3⤵
    PID:2804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\4FDCBD~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3E631A4A-1F3D-4f90-ADA5-7236F8D20A52}.exe

Filesize
64KB

MD5
0f8811ee6698b03ab3a7b75395de328f

SHA1
b462d2fad37276cd6a0503a514a7395a68ec610c

SHA256
2273db2c5986cd5a83c1fdc44bb6f9b54a2dad4e5c53c4eb654dc30845280094

SHA512
9c3617bffdf4689ef160a292fbf6754631743edc828d552d5cf3db3ff18f86cd44f2291a49657840d5dcb970166cdb2a4e1d16f542666f381fb2c85aa9a53916

Download Submit
C:\Windows\{5F5F2611-C576-41b7-A490-9BB1B55C8224}.exe

Filesize
64KB

MD5
5d8432d3fdac2eb4e4f7e698cd983589

SHA1
21d121ea34deb273cf630767b7307d2ab62ee991

SHA256
14a57c1c29d9d4b8c3fc068751e7ab454516942ba188a220a266fb256e47f2d6

SHA512
f98adfa03d78db1c126bfb57e689bcdcee3f3c7db264562598a90857d6cbfaf5276c66b154c65fb29b638540a3e0f9cbd3e3a15c5b95705010a599aa02d42044

Download Submit
C:\Windows\{611CF4FA-6F17-4ddd-B07B-75C604FF87F1}.exe

Filesize
64KB

MD5
a8c85ded92de573b5346721f198c0d76

SHA1
fc13214d81f6febfc8f6a9eefff4294613ea715b

SHA256
9e65d29dd6442f6c7827ede935c4d89eb94b595424b534b5f24c4949409ac098

SHA512
5775d1a68e9e2923f2c356e8fd94be3f128d136fb3b578bb306938529afb3a07fc3a710a05b8a21e76d7df7b608974d31c82ae703ecd3caf8fecdf4e3d456357

Download Submit
C:\Windows\{722C734F-B412-40fe-BE27-30D93D40E90E}.exe

Filesize
64KB

MD5
a6ef363c75825dd751ccf9c90fcf9b2f

SHA1
c701ddfdb2187ee65408483240b18380a189a181

SHA256
4fa60b5ac1eee5b4fc70f03d23d0189d5e54c1899b2650167ed2c56b3478584f

SHA512
258d978a7a400aaf9e8f6e98ee28caa17962b76ea273ce624e99efc8c9588beb323d98941372fc819e59d5c4dae366653373256a51f0edc7c0538e907de7e213

Download Submit
C:\Windows\{7D463CCF-ADF9-44cc-A5B9-8F1837034A5A}.exe

Filesize
64KB

MD5
9cfed7191baeb079f6be605a2a89505a

SHA1
40883b4892af6223de8d8826fe7e21a303ce2f27

SHA256
62043f21c26cab272d7ddbb4d175df3707eda0c5b51ea145d78a0259f8a53a8e

SHA512
6d80a1fdf792d81130eed9350929946eef8e1d94cd79fc1fe25ed05cb72059247dc86c722886839af76b5827dddb84bfb29cec0663a9e76a2922eb5c136be6ba

Download Submit
C:\Windows\{844595A9-4963-402e-B863-AB839E802638}.exe

Filesize
64KB

MD5
094a3e5fa1b3f5019afbf85d8f79cfd0

SHA1
c06285c0d5f3495d0407b8acc39680e89461a54e

SHA256
d78f9f9f0093bbe9787ef7fa95fe637c69a866732d9c7aca9221df0d44ba2b48

SHA512
90e97a051172a92db9a24f5e174de20653d7c9e7dc7467ccdd077864b069326cbfb902e02e4ed0a28015bd4c475c155edf9d902f1289ad830c19b6e8de924603

Download Submit
C:\Windows\{941E95F4-1FA2-48ca-B0E8-C7A8172968AA}.exe

Filesize
64KB

MD5
e4b1d419fb1870f27fbf700ef5404991

SHA1
4cf1ba055079470d1130bda0f8081739c5fd3c05

SHA256
8a81fd36e026d34ac918c885cb18068f46c658eb8a31926104984f02228dfcc4

SHA512
023f725eea64b449cb40203e0298740608e0d54d8ed7f30a6d92b7ee3d892aa9cb0f24333e589e47a0034db95d061be9548d78e189815a10643d11d53afd9396

Download Submit
C:\Windows\{9FC82451-3141-411e-934B-9D19085A4DE8}.exe

Filesize
64KB

MD5
f64e24e58d2cb7688c19acacc8e499da

SHA1
2020077e7b036afcb8368326003c7876e7a508bf

SHA256
3f6e6dc607ca206aa1479022826eb0a3cc51bd216fe302b33ec8de83e6f85ab9

SHA512
abaedaffb6101e642fe4d4f79dcab7f4644033a444c7b9e6eee352b1596c862a803b1104d3c89a728b51a421ac66e10cb978395e352c6c85baa4b9d05fb52f4e

Download Submit
C:\Windows\{B93C10D1-DFD8-49e3-A705-BB56619B8EB1}.exe

Filesize
64KB

MD5
aab5ff08b42358ec6a31c61b0eff310d

SHA1
7bd2fd5ecf7f596476b0ff23302f2fb5365bdb77

SHA256
91d5440d8da23d6281e8084ce0aa6ad3a87a1aa2750b1fb4de17cbe5522c63ea

SHA512
442fe078aeeca54c1d0a861594f09bfdc4441003c1d0f353fbd714c0d1f6e3b289037633b41620417526a8fbbad61b1ea51a407efae4a4213a8098bac0517f58

Download Submit
C:\Windows\{C24F835B-5A73-4e8b-A387-7E0C2F75FB72}.exe

Filesize
64KB

MD5
3555b996e93e6d6d5dfd890d459e6a93

SHA1
ef1a2dc12dd746159c1c4f843d135e3048834bc7

SHA256
a08353f08a0f2fdb7b7b10aec0d4bc0e159c0f685b115c32c96e4e23258d5f06

SHA512
f033523d1673e5e8b37405c31716b98802c2354c0ccc385ca5f6089f99c04b73a5928658bd7ee93f0ade0ddf3131909b666050c6ea6409ce0fd13bfa673480ee

Download Submit
C:\Windows\{C6E3F327-02BF-4dfe-A1F6-83EA43DD0CD3}.exe

Filesize
64KB

MD5
6eb25455499b3ab757bd8b41706412be

SHA1
d8e6175cd2ca65197b0ca6ded4e61994c0ed9506

SHA256
eee257378a4fe2bc4e09cd88c43478771d4d2f303035b72aad043ae59c6f9fb3

SHA512
ea401d520124183c1f80e1b7041cb45b692de93b683296e4ab49a4ffaa0d59a8a005aac27bc9209e6639253a2f40f0138d1f30fdb13dc162ea5d8b5b256860e2

Download Submit
memory/1296-19-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1296-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1296-14-0x00000000002E0000-0x00000000002F0000-memory.dmp

Filesize
64KB

Download
memory/1336-65-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1352-47-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1352-42-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/1352-38-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1600-74-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1600-72-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/1760-10-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1760-8-0x0000000000360000-0x0000000000370000-memory.dmp

Filesize
64KB

Download
memory/1760-7-0x0000000000360000-0x0000000000370000-memory.dmp

Filesize
64KB

Download
memory/1760-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2100-32-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/2100-37-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2100-28-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2300-83-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2300-78-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/2720-27-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2828-57-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2828-52-0x00000000005B0000-0x00000000005C0000-memory.dmp

Filesize
64KB

Download
memory/2828-48-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2868-90-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2876-92-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2876-99-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download