4d40c41be9c90a6773b907665be489a04be5c6667ee93758816764fa99527844

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

574b38d4eb0f3bd985d09a1ef3b55a10_NeikiAnalytics.exe
Size

90KB
MD5

574b38d4eb0f3bd985d09a1ef3b55a10
SHA1

59d56f471e123d70dc077194ef21255612253f1e
SHA256

4d40c41be9c90a6773b907665be489a04be5c6667ee93758816764fa99527844
SHA512

d60bca7aa563f2e7a4da27bc801992c3ca7fccd66e777ee52d7d9671e939d879ea586c19c97d8678ba09de554163f5ec206d4b72ea6ec778b48a132311906a3d
SSDEEP

768:Qvw9816vhKQLro54/wQRNrfrunMxVFA3b7glw6:YEGh0o5l2unMxVS3Hgl

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

574b38d4eb0f3bd985d09a1ef3b55a10_NeikiAnalytics.exe{9CDA3C26-F336-46f3-AC3F-68287AAED36B}.exe{E64BBC9E-4734-4648-956E-3CD42F413638}.exe{BE56E7A5-D940-4958-87A4-EDFC1CB891CE}.exe{809864D1-115C-4f98-9022-B31E869BF076}.exe{9C0232F4-A21B-45f8-AA7C-A0493AFD3581}.exe{FF5251ED-0837-433c-BDE6-4433E86C8E7C}.exe{7A62D08B-B461-4ecc-A90B-1CB44892320A}.exe{77D31743-768A-47f6-BB6E-16878B6F3A74}.exe{8698705D-81A0-4c27-BE56-7E8D890F8314}.exe{DC308F4A-C5AC-4340-AAC7-7A121B22C65A}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE56E7A5-D940-4958-87A4-EDFC1CB891CE}	574b38d4eb0f3bd985d09a1ef3b55a10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF5251ED-0837-433c-BDE6-4433E86C8E7C}	{9CDA3C26-F336-46f3-AC3F-68287AAED36B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8698705D-81A0-4c27-BE56-7E8D890F8314}\stubpath = "C:\\Windows\\{8698705D-81A0-4c27-BE56-7E8D890F8314}.exe"	{E64BBC9E-4734-4648-956E-3CD42F413638}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{809864D1-115C-4f98-9022-B31E869BF076}\stubpath = "C:\\Windows\\{809864D1-115C-4f98-9022-B31E869BF076}.exe"	{BE56E7A5-D940-4958-87A4-EDFC1CB891CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C0232F4-A21B-45f8-AA7C-A0493AFD3581}\stubpath = "C:\\Windows\\{9C0232F4-A21B-45f8-AA7C-A0493AFD3581}.exe"	{809864D1-115C-4f98-9022-B31E869BF076}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC308F4A-C5AC-4340-AAC7-7A121B22C65A}\stubpath = "C:\\Windows\\{DC308F4A-C5AC-4340-AAC7-7A121B22C65A}.exe"	{9C0232F4-A21B-45f8-AA7C-A0493AFD3581}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A62D08B-B461-4ecc-A90B-1CB44892320A}	{FF5251ED-0837-433c-BDE6-4433E86C8E7C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77D31743-768A-47f6-BB6E-16878B6F3A74}	{7A62D08B-B461-4ecc-A90B-1CB44892320A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E64BBC9E-4734-4648-956E-3CD42F413638}\stubpath = "C:\\Windows\\{E64BBC9E-4734-4648-956E-3CD42F413638}.exe"	{77D31743-768A-47f6-BB6E-16878B6F3A74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71CEA9E3-689F-48d4-A4AF-8433E41026D1}	{8698705D-81A0-4c27-BE56-7E8D890F8314}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE56E7A5-D940-4958-87A4-EDFC1CB891CE}\stubpath = "C:\\Windows\\{BE56E7A5-D940-4958-87A4-EDFC1CB891CE}.exe"	574b38d4eb0f3bd985d09a1ef3b55a10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{809864D1-115C-4f98-9022-B31E869BF076}	{BE56E7A5-D940-4958-87A4-EDFC1CB891CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C0232F4-A21B-45f8-AA7C-A0493AFD3581}	{809864D1-115C-4f98-9022-B31E869BF076}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC308F4A-C5AC-4340-AAC7-7A121B22C65A}	{9C0232F4-A21B-45f8-AA7C-A0493AFD3581}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CDA3C26-F336-46f3-AC3F-68287AAED36B}	{DC308F4A-C5AC-4340-AAC7-7A121B22C65A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A62D08B-B461-4ecc-A90B-1CB44892320A}\stubpath = "C:\\Windows\\{7A62D08B-B461-4ecc-A90B-1CB44892320A}.exe"	{FF5251ED-0837-433c-BDE6-4433E86C8E7C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77D31743-768A-47f6-BB6E-16878B6F3A74}\stubpath = "C:\\Windows\\{77D31743-768A-47f6-BB6E-16878B6F3A74}.exe"	{7A62D08B-B461-4ecc-A90B-1CB44892320A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CDA3C26-F336-46f3-AC3F-68287AAED36B}\stubpath = "C:\\Windows\\{9CDA3C26-F336-46f3-AC3F-68287AAED36B}.exe"	{DC308F4A-C5AC-4340-AAC7-7A121B22C65A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF5251ED-0837-433c-BDE6-4433E86C8E7C}\stubpath = "C:\\Windows\\{FF5251ED-0837-433c-BDE6-4433E86C8E7C}.exe"	{9CDA3C26-F336-46f3-AC3F-68287AAED36B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E64BBC9E-4734-4648-956E-3CD42F413638}	{77D31743-768A-47f6-BB6E-16878B6F3A74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8698705D-81A0-4c27-BE56-7E8D890F8314}	{E64BBC9E-4734-4648-956E-3CD42F413638}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71CEA9E3-689F-48d4-A4AF-8433E41026D1}\stubpath = "C:\\Windows\\{71CEA9E3-689F-48d4-A4AF-8433E41026D1}.exe"	{8698705D-81A0-4c27-BE56-7E8D890F8314}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

3064 cmd.exe

pid	process
3064	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{BE56E7A5-D940-4958-87A4-EDFC1CB891CE}.exe{809864D1-115C-4f98-9022-B31E869BF076}.exe{9C0232F4-A21B-45f8-AA7C-A0493AFD3581}.exe{DC308F4A-C5AC-4340-AAC7-7A121B22C65A}.exe{9CDA3C26-F336-46f3-AC3F-68287AAED36B}.exe{FF5251ED-0837-433c-BDE6-4433E86C8E7C}.exe{7A62D08B-B461-4ecc-A90B-1CB44892320A}.exe{77D31743-768A-47f6-BB6E-16878B6F3A74}.exe{E64BBC9E-4734-4648-956E-3CD42F413638}.exe{8698705D-81A0-4c27-BE56-7E8D890F8314}.exe{71CEA9E3-689F-48d4-A4AF-8433E41026D1}.exe

pid	process
2352	{BE56E7A5-D940-4958-87A4-EDFC1CB891CE}.exe
2768	{809864D1-115C-4f98-9022-B31E869BF076}.exe
2544	{9C0232F4-A21B-45f8-AA7C-A0493AFD3581}.exe
1720	{DC308F4A-C5AC-4340-AAC7-7A121B22C65A}.exe
2860	{9CDA3C26-F336-46f3-AC3F-68287AAED36B}.exe
1968	{FF5251ED-0837-433c-BDE6-4433E86C8E7C}.exe
880	{7A62D08B-B461-4ecc-A90B-1CB44892320A}.exe
2704	{77D31743-768A-47f6-BB6E-16878B6F3A74}.exe
884	{E64BBC9E-4734-4648-956E-3CD42F413638}.exe
2936	{8698705D-81A0-4c27-BE56-7E8D890F8314}.exe
112	{71CEA9E3-689F-48d4-A4AF-8433E41026D1}.exe

Drops file in Windows directory 11 IoCs

Processes:

{BE56E7A5-D940-4958-87A4-EDFC1CB891CE}.exe{809864D1-115C-4f98-9022-B31E869BF076}.exe{9C0232F4-A21B-45f8-AA7C-A0493AFD3581}.exe{9CDA3C26-F336-46f3-AC3F-68287AAED36B}.exe{FF5251ED-0837-433c-BDE6-4433E86C8E7C}.exe{77D31743-768A-47f6-BB6E-16878B6F3A74}.exe{E64BBC9E-4734-4648-956E-3CD42F413638}.exe574b38d4eb0f3bd985d09a1ef3b55a10_NeikiAnalytics.exe{7A62D08B-B461-4ecc-A90B-1CB44892320A}.exe{8698705D-81A0-4c27-BE56-7E8D890F8314}.exe{DC308F4A-C5AC-4340-AAC7-7A121B22C65A}.exe

description	ioc	process
File created	C:\Windows\{809864D1-115C-4f98-9022-B31E869BF076}.exe	{BE56E7A5-D940-4958-87A4-EDFC1CB891CE}.exe
File created	C:\Windows\{9C0232F4-A21B-45f8-AA7C-A0493AFD3581}.exe	{809864D1-115C-4f98-9022-B31E869BF076}.exe
File created	C:\Windows\{DC308F4A-C5AC-4340-AAC7-7A121B22C65A}.exe	{9C0232F4-A21B-45f8-AA7C-A0493AFD3581}.exe
File created	C:\Windows\{FF5251ED-0837-433c-BDE6-4433E86C8E7C}.exe	{9CDA3C26-F336-46f3-AC3F-68287AAED36B}.exe
File created	C:\Windows\{7A62D08B-B461-4ecc-A90B-1CB44892320A}.exe	{FF5251ED-0837-433c-BDE6-4433E86C8E7C}.exe
File created	C:\Windows\{E64BBC9E-4734-4648-956E-3CD42F413638}.exe	{77D31743-768A-47f6-BB6E-16878B6F3A74}.exe
File created	C:\Windows\{8698705D-81A0-4c27-BE56-7E8D890F8314}.exe	{E64BBC9E-4734-4648-956E-3CD42F413638}.exe
File created	C:\Windows\{BE56E7A5-D940-4958-87A4-EDFC1CB891CE}.exe	574b38d4eb0f3bd985d09a1ef3b55a10_NeikiAnalytics.exe
File created	C:\Windows\{77D31743-768A-47f6-BB6E-16878B6F3A74}.exe	{7A62D08B-B461-4ecc-A90B-1CB44892320A}.exe
File created	C:\Windows\{71CEA9E3-689F-48d4-A4AF-8433E41026D1}.exe	{8698705D-81A0-4c27-BE56-7E8D890F8314}.exe
File created	C:\Windows\{9CDA3C26-F336-46f3-AC3F-68287AAED36B}.exe	{DC308F4A-C5AC-4340-AAC7-7A121B22C65A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

574b38d4eb0f3bd985d09a1ef3b55a10_NeikiAnalytics.exe{BE56E7A5-D940-4958-87A4-EDFC1CB891CE}.exe{809864D1-115C-4f98-9022-B31E869BF076}.exe{9C0232F4-A21B-45f8-AA7C-A0493AFD3581}.exe{DC308F4A-C5AC-4340-AAC7-7A121B22C65A}.exe{9CDA3C26-F336-46f3-AC3F-68287AAED36B}.exe{FF5251ED-0837-433c-BDE6-4433E86C8E7C}.exe{7A62D08B-B461-4ecc-A90B-1CB44892320A}.exe{77D31743-768A-47f6-BB6E-16878B6F3A74}.exe{E64BBC9E-4734-4648-956E-3CD42F413638}.exe{8698705D-81A0-4c27-BE56-7E8D890F8314}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2420	574b38d4eb0f3bd985d09a1ef3b55a10_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2352	{BE56E7A5-D940-4958-87A4-EDFC1CB891CE}.exe
Token: SeIncBasePriorityPrivilege	2768	{809864D1-115C-4f98-9022-B31E869BF076}.exe
Token: SeIncBasePriorityPrivilege	2544	{9C0232F4-A21B-45f8-AA7C-A0493AFD3581}.exe
Token: SeIncBasePriorityPrivilege	1720	{DC308F4A-C5AC-4340-AAC7-7A121B22C65A}.exe
Token: SeIncBasePriorityPrivilege	2860	{9CDA3C26-F336-46f3-AC3F-68287AAED36B}.exe
Token: SeIncBasePriorityPrivilege	1968	{FF5251ED-0837-433c-BDE6-4433E86C8E7C}.exe
Token: SeIncBasePriorityPrivilege	880	{7A62D08B-B461-4ecc-A90B-1CB44892320A}.exe
Token: SeIncBasePriorityPrivilege	2704	{77D31743-768A-47f6-BB6E-16878B6F3A74}.exe
Token: SeIncBasePriorityPrivilege	884	{E64BBC9E-4734-4648-956E-3CD42F413638}.exe
Token: SeIncBasePriorityPrivilege	2936	{8698705D-81A0-4c27-BE56-7E8D890F8314}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2420 wrote to memory of 2352	2420	574b38d4eb0f3bd985d09a1ef3b55a10_NeikiAnalytics.exe	{BE56E7A5-D940-4958-87A4-EDFC1CB891CE}.exe
PID 2420 wrote to memory of 2352	2420	574b38d4eb0f3bd985d09a1ef3b55a10_NeikiAnalytics.exe	{BE56E7A5-D940-4958-87A4-EDFC1CB891CE}.exe
PID 2420 wrote to memory of 2352	2420	574b38d4eb0f3bd985d09a1ef3b55a10_NeikiAnalytics.exe	{BE56E7A5-D940-4958-87A4-EDFC1CB891CE}.exe
PID 2420 wrote to memory of 2352	2420	574b38d4eb0f3bd985d09a1ef3b55a10_NeikiAnalytics.exe	{BE56E7A5-D940-4958-87A4-EDFC1CB891CE}.exe
PID 2420 wrote to memory of 3064	2420	574b38d4eb0f3bd985d09a1ef3b55a10_NeikiAnalytics.exe	cmd.exe
PID 2420 wrote to memory of 3064	2420	574b38d4eb0f3bd985d09a1ef3b55a10_NeikiAnalytics.exe	cmd.exe
PID 2420 wrote to memory of 3064	2420	574b38d4eb0f3bd985d09a1ef3b55a10_NeikiAnalytics.exe	cmd.exe
PID 2420 wrote to memory of 3064	2420	574b38d4eb0f3bd985d09a1ef3b55a10_NeikiAnalytics.exe	cmd.exe
PID 2352 wrote to memory of 2768	2352	{BE56E7A5-D940-4958-87A4-EDFC1CB891CE}.exe	{809864D1-115C-4f98-9022-B31E869BF076}.exe
PID 2352 wrote to memory of 2768	2352	{BE56E7A5-D940-4958-87A4-EDFC1CB891CE}.exe	{809864D1-115C-4f98-9022-B31E869BF076}.exe
PID 2352 wrote to memory of 2768	2352	{BE56E7A5-D940-4958-87A4-EDFC1CB891CE}.exe	{809864D1-115C-4f98-9022-B31E869BF076}.exe
PID 2352 wrote to memory of 2768	2352	{BE56E7A5-D940-4958-87A4-EDFC1CB891CE}.exe	{809864D1-115C-4f98-9022-B31E869BF076}.exe
PID 2352 wrote to memory of 2752	2352	{BE56E7A5-D940-4958-87A4-EDFC1CB891CE}.exe	cmd.exe
PID 2352 wrote to memory of 2752	2352	{BE56E7A5-D940-4958-87A4-EDFC1CB891CE}.exe	cmd.exe
PID 2352 wrote to memory of 2752	2352	{BE56E7A5-D940-4958-87A4-EDFC1CB891CE}.exe	cmd.exe
PID 2352 wrote to memory of 2752	2352	{BE56E7A5-D940-4958-87A4-EDFC1CB891CE}.exe	cmd.exe
PID 2768 wrote to memory of 2544	2768	{809864D1-115C-4f98-9022-B31E869BF076}.exe	{9C0232F4-A21B-45f8-AA7C-A0493AFD3581}.exe
PID 2768 wrote to memory of 2544	2768	{809864D1-115C-4f98-9022-B31E869BF076}.exe	{9C0232F4-A21B-45f8-AA7C-A0493AFD3581}.exe
PID 2768 wrote to memory of 2544	2768	{809864D1-115C-4f98-9022-B31E869BF076}.exe	{9C0232F4-A21B-45f8-AA7C-A0493AFD3581}.exe
PID 2768 wrote to memory of 2544	2768	{809864D1-115C-4f98-9022-B31E869BF076}.exe	{9C0232F4-A21B-45f8-AA7C-A0493AFD3581}.exe
PID 2768 wrote to memory of 2536	2768	{809864D1-115C-4f98-9022-B31E869BF076}.exe	cmd.exe
PID 2768 wrote to memory of 2536	2768	{809864D1-115C-4f98-9022-B31E869BF076}.exe	cmd.exe
PID 2768 wrote to memory of 2536	2768	{809864D1-115C-4f98-9022-B31E869BF076}.exe	cmd.exe
PID 2768 wrote to memory of 2536	2768	{809864D1-115C-4f98-9022-B31E869BF076}.exe	cmd.exe
PID 2544 wrote to memory of 1720	2544	{9C0232F4-A21B-45f8-AA7C-A0493AFD3581}.exe	{DC308F4A-C5AC-4340-AAC7-7A121B22C65A}.exe
PID 2544 wrote to memory of 1720	2544	{9C0232F4-A21B-45f8-AA7C-A0493AFD3581}.exe	{DC308F4A-C5AC-4340-AAC7-7A121B22C65A}.exe
PID 2544 wrote to memory of 1720	2544	{9C0232F4-A21B-45f8-AA7C-A0493AFD3581}.exe	{DC308F4A-C5AC-4340-AAC7-7A121B22C65A}.exe
PID 2544 wrote to memory of 1720	2544	{9C0232F4-A21B-45f8-AA7C-A0493AFD3581}.exe	{DC308F4A-C5AC-4340-AAC7-7A121B22C65A}.exe
PID 2544 wrote to memory of 2556	2544	{9C0232F4-A21B-45f8-AA7C-A0493AFD3581}.exe	cmd.exe
PID 2544 wrote to memory of 2556	2544	{9C0232F4-A21B-45f8-AA7C-A0493AFD3581}.exe	cmd.exe
PID 2544 wrote to memory of 2556	2544	{9C0232F4-A21B-45f8-AA7C-A0493AFD3581}.exe	cmd.exe
PID 2544 wrote to memory of 2556	2544	{9C0232F4-A21B-45f8-AA7C-A0493AFD3581}.exe	cmd.exe
PID 1720 wrote to memory of 2860	1720	{DC308F4A-C5AC-4340-AAC7-7A121B22C65A}.exe	{9CDA3C26-F336-46f3-AC3F-68287AAED36B}.exe
PID 1720 wrote to memory of 2860	1720	{DC308F4A-C5AC-4340-AAC7-7A121B22C65A}.exe	{9CDA3C26-F336-46f3-AC3F-68287AAED36B}.exe
PID 1720 wrote to memory of 2860	1720	{DC308F4A-C5AC-4340-AAC7-7A121B22C65A}.exe	{9CDA3C26-F336-46f3-AC3F-68287AAED36B}.exe
PID 1720 wrote to memory of 2860	1720	{DC308F4A-C5AC-4340-AAC7-7A121B22C65A}.exe	{9CDA3C26-F336-46f3-AC3F-68287AAED36B}.exe
PID 1720 wrote to memory of 2856	1720	{DC308F4A-C5AC-4340-AAC7-7A121B22C65A}.exe	cmd.exe
PID 1720 wrote to memory of 2856	1720	{DC308F4A-C5AC-4340-AAC7-7A121B22C65A}.exe	cmd.exe
PID 1720 wrote to memory of 2856	1720	{DC308F4A-C5AC-4340-AAC7-7A121B22C65A}.exe	cmd.exe
PID 1720 wrote to memory of 2856	1720	{DC308F4A-C5AC-4340-AAC7-7A121B22C65A}.exe	cmd.exe
PID 2860 wrote to memory of 1968	2860	{9CDA3C26-F336-46f3-AC3F-68287AAED36B}.exe	{FF5251ED-0837-433c-BDE6-4433E86C8E7C}.exe
PID 2860 wrote to memory of 1968	2860	{9CDA3C26-F336-46f3-AC3F-68287AAED36B}.exe	{FF5251ED-0837-433c-BDE6-4433E86C8E7C}.exe
PID 2860 wrote to memory of 1968	2860	{9CDA3C26-F336-46f3-AC3F-68287AAED36B}.exe	{FF5251ED-0837-433c-BDE6-4433E86C8E7C}.exe
PID 2860 wrote to memory of 1968	2860	{9CDA3C26-F336-46f3-AC3F-68287AAED36B}.exe	{FF5251ED-0837-433c-BDE6-4433E86C8E7C}.exe
PID 2860 wrote to memory of 1920	2860	{9CDA3C26-F336-46f3-AC3F-68287AAED36B}.exe	cmd.exe
PID 2860 wrote to memory of 1920	2860	{9CDA3C26-F336-46f3-AC3F-68287AAED36B}.exe	cmd.exe
PID 2860 wrote to memory of 1920	2860	{9CDA3C26-F336-46f3-AC3F-68287AAED36B}.exe	cmd.exe
PID 2860 wrote to memory of 1920	2860	{9CDA3C26-F336-46f3-AC3F-68287AAED36B}.exe	cmd.exe
PID 1968 wrote to memory of 880	1968	{FF5251ED-0837-433c-BDE6-4433E86C8E7C}.exe	{7A62D08B-B461-4ecc-A90B-1CB44892320A}.exe
PID 1968 wrote to memory of 880	1968	{FF5251ED-0837-433c-BDE6-4433E86C8E7C}.exe	{7A62D08B-B461-4ecc-A90B-1CB44892320A}.exe
PID 1968 wrote to memory of 880	1968	{FF5251ED-0837-433c-BDE6-4433E86C8E7C}.exe	{7A62D08B-B461-4ecc-A90B-1CB44892320A}.exe
PID 1968 wrote to memory of 880	1968	{FF5251ED-0837-433c-BDE6-4433E86C8E7C}.exe	{7A62D08B-B461-4ecc-A90B-1CB44892320A}.exe
PID 1968 wrote to memory of 1724	1968	{FF5251ED-0837-433c-BDE6-4433E86C8E7C}.exe	cmd.exe
PID 1968 wrote to memory of 1724	1968	{FF5251ED-0837-433c-BDE6-4433E86C8E7C}.exe	cmd.exe
PID 1968 wrote to memory of 1724	1968	{FF5251ED-0837-433c-BDE6-4433E86C8E7C}.exe	cmd.exe
PID 1968 wrote to memory of 1724	1968	{FF5251ED-0837-433c-BDE6-4433E86C8E7C}.exe	cmd.exe
PID 880 wrote to memory of 2704	880	{7A62D08B-B461-4ecc-A90B-1CB44892320A}.exe	{77D31743-768A-47f6-BB6E-16878B6F3A74}.exe
PID 880 wrote to memory of 2704	880	{7A62D08B-B461-4ecc-A90B-1CB44892320A}.exe	{77D31743-768A-47f6-BB6E-16878B6F3A74}.exe
PID 880 wrote to memory of 2704	880	{7A62D08B-B461-4ecc-A90B-1CB44892320A}.exe	{77D31743-768A-47f6-BB6E-16878B6F3A74}.exe
PID 880 wrote to memory of 2704	880	{7A62D08B-B461-4ecc-A90B-1CB44892320A}.exe	{77D31743-768A-47f6-BB6E-16878B6F3A74}.exe
PID 880 wrote to memory of 308	880	{7A62D08B-B461-4ecc-A90B-1CB44892320A}.exe	cmd.exe
PID 880 wrote to memory of 308	880	{7A62D08B-B461-4ecc-A90B-1CB44892320A}.exe	cmd.exe
PID 880 wrote to memory of 308	880	{7A62D08B-B461-4ecc-A90B-1CB44892320A}.exe	cmd.exe
PID 880 wrote to memory of 308	880	{7A62D08B-B461-4ecc-A90B-1CB44892320A}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\574b38d4eb0f3bd985d09a1ef3b55a10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\574b38d4eb0f3bd985d09a1ef3b55a10_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2420

C:\Windows\{BE56E7A5-D940-4958-87A4-EDFC1CB891CE}.exe
C:\Windows\{BE56E7A5-D940-4958-87A4-EDFC1CB891CE}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2352

C:\Windows\{809864D1-115C-4f98-9022-B31E869BF076}.exe
C:\Windows\{809864D1-115C-4f98-9022-B31E869BF076}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\{9C0232F4-A21B-45f8-AA7C-A0493AFD3581}.exe
C:\Windows\{9C0232F4-A21B-45f8-AA7C-A0493AFD3581}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\{DC308F4A-C5AC-4340-AAC7-7A121B22C65A}.exe
C:\Windows\{DC308F4A-C5AC-4340-AAC7-7A121B22C65A}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\{9CDA3C26-F336-46f3-AC3F-68287AAED36B}.exe
C:\Windows\{9CDA3C26-F336-46f3-AC3F-68287AAED36B}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\{FF5251ED-0837-433c-BDE6-4433E86C8E7C}.exe
C:\Windows\{FF5251ED-0837-433c-BDE6-4433E86C8E7C}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\{7A62D08B-B461-4ecc-A90B-1CB44892320A}.exe
C:\Windows\{7A62D08B-B461-4ecc-A90B-1CB44892320A}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:880

C:\Windows\{77D31743-768A-47f6-BB6E-16878B6F3A74}.exe
C:\Windows\{77D31743-768A-47f6-BB6E-16878B6F3A74}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2704

C:\Windows\{E64BBC9E-4734-4648-956E-3CD42F413638}.exe
C:\Windows\{E64BBC9E-4734-4648-956E-3CD42F413638}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:884

C:\Windows\{8698705D-81A0-4c27-BE56-7E8D890F8314}.exe
C:\Windows\{8698705D-81A0-4c27-BE56-7E8D890F8314}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\{71CEA9E3-689F-48d4-A4AF-8433E41026D1}.exe
C:\Windows\{71CEA9E3-689F-48d4-A4AF-8433E41026D1}.exe
12⤵
- Executes dropped EXE
PID:112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{86987~1.EXE > nul
12⤵
PID:584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E64BB~1.EXE > nul
11⤵
PID:1576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{77D31~1.EXE > nul
10⤵
PID:624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{7A62D~1.EXE > nul
9⤵
PID:308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{FF525~1.EXE > nul
8⤵
PID:1724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9CDA3~1.EXE > nul
7⤵
PID:1920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DC308~1.EXE > nul
6⤵
PID:2856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9C023~1.EXE > nul
5⤵
PID:2556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{80986~1.EXE > nul
4⤵
PID:2536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{BE56E~1.EXE > nul
3⤵
PID:2752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\574B38~1.EXE > nul
2⤵
- Deletes itself
PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{71CEA9E3-689F-48d4-A4AF-8433E41026D1}.exe

Filesize
90KB

MD5
58e848ca06c2a3106a37944c0bd391d1

SHA1
bea14bda001a6debbd4cdc567f672703b4e1589e

SHA256
7e090ba0a50ec0ad1a1eabeabba61e084d09998d326d0fb86b8d28cbad358aff

SHA512
077a0ccea9fd928c406b0a65196533a5d97db0beb0c8571aae6bf383b7440a22276acb1ca04936bb78de2936b0fbd0a7e11f52dde832683ca5cbf37edf6b084e

Download Submit
C:\Windows\{77D31743-768A-47f6-BB6E-16878B6F3A74}.exe

Filesize
90KB

MD5
f751f2f6b310b806b43e952c0355b060

SHA1
599d3f1b1811c4bc738253cedfa880eee5ed2a8b

SHA256
7227c066ac0bb835c357eb303288cb9f645d6bdb5852151a31c15666cd93364c

SHA512
37b2c93991ce3e9de899396ade450d8849234ef5cb4225bd7194a1fee8e9deb3223be30d108dc31e9ea204d2ab14aec9068f91847b9d593cf93f9be979806c2d

Download Submit
C:\Windows\{7A62D08B-B461-4ecc-A90B-1CB44892320A}.exe

Filesize
90KB

MD5
4f4d980cbf16f481fa7c482c6acb4140

SHA1
77d7495fae2a5dfa061a22c49f37cebfbf447b08

SHA256
9a893ca73f94a84c119011ef059e000369fe7b1b55c8b944760b932d9d2d06dd

SHA512
3ee414284e4f1705f1452536c66b1ad7adaf6e06c1784b3f2d4fd502a5704859b98e55d6397ed5d42f3bd9a6a352097670a8b7846aec87afa75feec823c8f554

Download Submit
C:\Windows\{809864D1-115C-4f98-9022-B31E869BF076}.exe

Filesize
90KB

MD5
27c8999227cb3ac35748cc9794fc062f

SHA1
b14035f83965c927b0d1f30f3c37847ab7bd8281

SHA256
26ec1a9639cf0d35fa0fd6a900baf997794b831ac56dc163959cc237c5ab8ded

SHA512
659736f8361e57794aa5cf26a32a230a6f9a2550d40cd599a50a24fda1223ea02d61374c335b7ebf6ffe8b29223e4dc7314b016ef53c164ab920298c1893f9ed

Download Submit
C:\Windows\{8698705D-81A0-4c27-BE56-7E8D890F8314}.exe

Filesize
90KB

MD5
d836cbbe288aaf06a42a74b5dff391d5

SHA1
16cf63360886e4e3bb97df55a0a75059cdb86217

SHA256
1d460a0f2b262c8692270f0995fee6bf82e7b42c2b013e91379190fe5e72c96a

SHA512
b7ffd85fc972a5c53351c1b4879575ea316c7917e7c5a46a5157236f14005973b500086c1d067d14d2c05ad4da20d767bc6b7c2b8ac4c3bd9e9d11162583eefc

Download Submit
C:\Windows\{9C0232F4-A21B-45f8-AA7C-A0493AFD3581}.exe

Filesize
90KB

MD5
f7f1489d52de9ad07f9fd5248530d026

SHA1
909a56ab6b6bbdb8932fef52bc0d270c1f21f0c3

SHA256
7bbdcebbf472db7bef0bdc3012c43cfd7638a997d01add10651028df5d299799

SHA512
953a0c89c5eb3dd421dc99c62d9f4e88fe6f458efd0c1cc11eca96fc365f6d98cb11eb91dd71d1abb338d72e2e2fda1ab036c5b79141b47dc4d451b5d4aeb836

Download Submit
C:\Windows\{9CDA3C26-F336-46f3-AC3F-68287AAED36B}.exe

Filesize
90KB

MD5
eaaeb8878b7d7decc1b689c08f1efa9c

SHA1
02e822219a75b8649f45a32d14871080dc66d9f4

SHA256
9976816b1c4edbd3c7e4d704e175c44ba3cf9722341374ec122f5fe1760e49ff

SHA512
f7cbdba80b28f40c56b656cf84f4d493ed75bec93609f66bf065e2f41aa777f21236074216a1355222b954e352386856239df8c0c1b9ef3b065dd28518e1600e

Download Submit
C:\Windows\{BE56E7A5-D940-4958-87A4-EDFC1CB891CE}.exe

Filesize
90KB

MD5
017086b91a98f69c20bdd7dbd837cb28

SHA1
978a1bdde571a6661c75234cbfc3b85eff3d5705

SHA256
c18481422915a48aba2141db8ebcdd0f21d98512c03302b30839cd57b1c49b30

SHA512
a1c9aef76066075c5f6f2b34e20a2912c3e608185aad7704a2e66bdd0c0a485557f9160e794f4f3211c065b99e353eec977ce15afeafc3bb7f98b895ffa9b294

Download Submit
C:\Windows\{DC308F4A-C5AC-4340-AAC7-7A121B22C65A}.exe

Filesize
90KB

MD5
32dc0f6c38359c515be392c21f515270

SHA1
78aacca8a62a21e6b38ad52f739849316949625f

SHA256
524eba208670294a46d1dda66b2d9f35f9ed33489b08afe7fd1a3f0680d362e1

SHA512
d75dc580e89a90b5a2ac9333546fc63ed5c518a5a2750c17c4a04e016196c1760c3e9d964244654d0c1abedb3be294695b70047f9db56b088683b850d306a717

Download Submit
C:\Windows\{E64BBC9E-4734-4648-956E-3CD42F413638}.exe

Filesize
90KB

MD5
a49d9c5d111b737db3a0de598252acbf

SHA1
fe2418b83112a21ea527f33862b90fc0cb7173ab

SHA256
111aca7f6dafce1f325dccbb1dc2c3670baf185abaea6c1f33346e39d18a9104

SHA512
a7aae36494c8651152ccd98040f1e4ec987696acd5dd8ab0c61fd5d4f5a675eded0695530f81b1379c81467acf752d917f0a56fe969bfa1a46e80442834ea4ea

Download Submit
C:\Windows\{FF5251ED-0837-433c-BDE6-4433E86C8E7C}.exe

Filesize
90KB

MD5
9cc7ef269fb99841f7fb82aabae3b2be

SHA1
712c4ebd7f5ef175c3a21f51498293e763ca0b33

SHA256
dc40e8b7a47b702c396e58082cd84417f6aacbf2a5fdfc53f15d24f703048fcf

SHA512
6b785b5463b5a1afc8014c142815cc0cc30f2114d19ff7b0df5e92723d124de97b91d2b55658fe46d1a037b5342216dd09619e900f711a1cfd8bf5eec522f4c0

Download Submit