e210714cf9ad0c8ce1abf38c9a941d0a87a9c79233966b23caf364c0d424b734

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 23:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59a06761c0708e67d2cc04b03f85f2a0_NeikiAnalytics.exe
Size

64KB
MD5

59a06761c0708e67d2cc04b03f85f2a0
SHA1

0b3629f9ec11a96b2368ea0720a6266b383f2f09
SHA256

e210714cf9ad0c8ce1abf38c9a941d0a87a9c79233966b23caf364c0d424b734
SHA512

738281fbddcee37fae3cc168a02780cbf4bf5f80713a686361b822f0125126b92751648ba6e9e8c9f108916b596c7ad29347e9996a6826d618a342205a83474f
SSDEEP

192:ObOzawOs81elJHsc45HcRZOgtSWcWaOT2QLrCqwgY04/CFxyNhoy5tm:ObLwOs8AHsc4pMfwIKQLrou4/CFsrdm

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{C97C981B-4814-40ed-A2C6-B4DCAC871028}.exe{FA988CE9-6EF7-4cfd-AFC4-81B14366A6B7}.exe{87C840BE-CF3C-402c-8657-7A85273A7433}.exe{D8A6E13A-069C-4b63-BD8A-17D55673CE0B}.exe{3697E7E7-42AA-494d-810E-9AB5C732B89E}.exe59a06761c0708e67d2cc04b03f85f2a0_NeikiAnalytics.exe{F32CF680-2E6A-4147-8925-237F9751790F}.exe{AD5A5A0A-4A74-4d1c-BEB3-46EDF96B2B7A}.exe{BFBEF468-306D-40fc-ADC9-1418055EA002}.exe{30B14D93-67E6-480a-B68E-6DD177729EB3}.exe{E06BE0D6-1CD7-4692-95E7-464F38FC80FC}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA988CE9-6EF7-4cfd-AFC4-81B14366A6B7}\stubpath = "C:\\Windows\\{FA988CE9-6EF7-4cfd-AFC4-81B14366A6B7}.exe"	{C97C981B-4814-40ed-A2C6-B4DCAC871028}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87C840BE-CF3C-402c-8657-7A85273A7433}\stubpath = "C:\\Windows\\{87C840BE-CF3C-402c-8657-7A85273A7433}.exe"	{FA988CE9-6EF7-4cfd-AFC4-81B14366A6B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8A6E13A-069C-4b63-BD8A-17D55673CE0B}\stubpath = "C:\\Windows\\{D8A6E13A-069C-4b63-BD8A-17D55673CE0B}.exe"	{87C840BE-CF3C-402c-8657-7A85273A7433}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3697E7E7-42AA-494d-810E-9AB5C732B89E}	{D8A6E13A-069C-4b63-BD8A-17D55673CE0B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16EC78F2-3866-4a70-A294-8909AA87B218}\stubpath = "C:\\Windows\\{16EC78F2-3866-4a70-A294-8909AA87B218}.exe"	{3697E7E7-42AA-494d-810E-9AB5C732B89E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFBEF468-306D-40fc-ADC9-1418055EA002}	59a06761c0708e67d2cc04b03f85f2a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFBEF468-306D-40fc-ADC9-1418055EA002}\stubpath = "C:\\Windows\\{BFBEF468-306D-40fc-ADC9-1418055EA002}.exe"	59a06761c0708e67d2cc04b03f85f2a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD5A5A0A-4A74-4d1c-BEB3-46EDF96B2B7A}\stubpath = "C:\\Windows\\{AD5A5A0A-4A74-4d1c-BEB3-46EDF96B2B7A}.exe"	{F32CF680-2E6A-4147-8925-237F9751790F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C97C981B-4814-40ed-A2C6-B4DCAC871028}\stubpath = "C:\\Windows\\{C97C981B-4814-40ed-A2C6-B4DCAC871028}.exe"	{AD5A5A0A-4A74-4d1c-BEB3-46EDF96B2B7A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA988CE9-6EF7-4cfd-AFC4-81B14366A6B7}	{C97C981B-4814-40ed-A2C6-B4DCAC871028}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3697E7E7-42AA-494d-810E-9AB5C732B89E}\stubpath = "C:\\Windows\\{3697E7E7-42AA-494d-810E-9AB5C732B89E}.exe"	{D8A6E13A-069C-4b63-BD8A-17D55673CE0B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30B14D93-67E6-480a-B68E-6DD177729EB3}\stubpath = "C:\\Windows\\{30B14D93-67E6-480a-B68E-6DD177729EB3}.exe"	{BFBEF468-306D-40fc-ADC9-1418055EA002}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E06BE0D6-1CD7-4692-95E7-464F38FC80FC}\stubpath = "C:\\Windows\\{E06BE0D6-1CD7-4692-95E7-464F38FC80FC}.exe"	{30B14D93-67E6-480a-B68E-6DD177729EB3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F32CF680-2E6A-4147-8925-237F9751790F}\stubpath = "C:\\Windows\\{F32CF680-2E6A-4147-8925-237F9751790F}.exe"	{E06BE0D6-1CD7-4692-95E7-464F38FC80FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD5A5A0A-4A74-4d1c-BEB3-46EDF96B2B7A}	{F32CF680-2E6A-4147-8925-237F9751790F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C97C981B-4814-40ed-A2C6-B4DCAC871028}	{AD5A5A0A-4A74-4d1c-BEB3-46EDF96B2B7A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87C840BE-CF3C-402c-8657-7A85273A7433}	{FA988CE9-6EF7-4cfd-AFC4-81B14366A6B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8A6E13A-069C-4b63-BD8A-17D55673CE0B}	{87C840BE-CF3C-402c-8657-7A85273A7433}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16EC78F2-3866-4a70-A294-8909AA87B218}	{3697E7E7-42AA-494d-810E-9AB5C732B89E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30B14D93-67E6-480a-B68E-6DD177729EB3}	{BFBEF468-306D-40fc-ADC9-1418055EA002}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E06BE0D6-1CD7-4692-95E7-464F38FC80FC}	{30B14D93-67E6-480a-B68E-6DD177729EB3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F32CF680-2E6A-4147-8925-237F9751790F}	{E06BE0D6-1CD7-4692-95E7-464F38FC80FC}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2564 cmd.exe

pid	process
2564	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{BFBEF468-306D-40fc-ADC9-1418055EA002}.exe{30B14D93-67E6-480a-B68E-6DD177729EB3}.exe{E06BE0D6-1CD7-4692-95E7-464F38FC80FC}.exe{F32CF680-2E6A-4147-8925-237F9751790F}.exe{AD5A5A0A-4A74-4d1c-BEB3-46EDF96B2B7A}.exe{C97C981B-4814-40ed-A2C6-B4DCAC871028}.exe{FA988CE9-6EF7-4cfd-AFC4-81B14366A6B7}.exe{87C840BE-CF3C-402c-8657-7A85273A7433}.exe{D8A6E13A-069C-4b63-BD8A-17D55673CE0B}.exe{3697E7E7-42AA-494d-810E-9AB5C732B89E}.exe{16EC78F2-3866-4a70-A294-8909AA87B218}.exe

pid	process
3024	{BFBEF468-306D-40fc-ADC9-1418055EA002}.exe
2716	{30B14D93-67E6-480a-B68E-6DD177729EB3}.exe
2628	{E06BE0D6-1CD7-4692-95E7-464F38FC80FC}.exe
848	{F32CF680-2E6A-4147-8925-237F9751790F}.exe
2172	{AD5A5A0A-4A74-4d1c-BEB3-46EDF96B2B7A}.exe
2168	{C97C981B-4814-40ed-A2C6-B4DCAC871028}.exe
536	{FA988CE9-6EF7-4cfd-AFC4-81B14366A6B7}.exe
2036	{87C840BE-CF3C-402c-8657-7A85273A7433}.exe
1972	{D8A6E13A-069C-4b63-BD8A-17D55673CE0B}.exe
1960	{3697E7E7-42AA-494d-810E-9AB5C732B89E}.exe
2316	{16EC78F2-3866-4a70-A294-8909AA87B218}.exe

Drops file in Windows directory 11 IoCs

Processes:

{C97C981B-4814-40ed-A2C6-B4DCAC871028}.exe{D8A6E13A-069C-4b63-BD8A-17D55673CE0B}.exe{3697E7E7-42AA-494d-810E-9AB5C732B89E}.exe{BFBEF468-306D-40fc-ADC9-1418055EA002}.exe{30B14D93-67E6-480a-B68E-6DD177729EB3}.exe{F32CF680-2E6A-4147-8925-237F9751790F}.exe{AD5A5A0A-4A74-4d1c-BEB3-46EDF96B2B7A}.exe59a06761c0708e67d2cc04b03f85f2a0_NeikiAnalytics.exe{E06BE0D6-1CD7-4692-95E7-464F38FC80FC}.exe{FA988CE9-6EF7-4cfd-AFC4-81B14366A6B7}.exe{87C840BE-CF3C-402c-8657-7A85273A7433}.exe

description	ioc	process
File created	C:\Windows\{FA988CE9-6EF7-4cfd-AFC4-81B14366A6B7}.exe	{C97C981B-4814-40ed-A2C6-B4DCAC871028}.exe
File created	C:\Windows\{3697E7E7-42AA-494d-810E-9AB5C732B89E}.exe	{D8A6E13A-069C-4b63-BD8A-17D55673CE0B}.exe
File created	C:\Windows\{16EC78F2-3866-4a70-A294-8909AA87B218}.exe	{3697E7E7-42AA-494d-810E-9AB5C732B89E}.exe
File created	C:\Windows\{30B14D93-67E6-480a-B68E-6DD177729EB3}.exe	{BFBEF468-306D-40fc-ADC9-1418055EA002}.exe
File created	C:\Windows\{E06BE0D6-1CD7-4692-95E7-464F38FC80FC}.exe	{30B14D93-67E6-480a-B68E-6DD177729EB3}.exe
File created	C:\Windows\{AD5A5A0A-4A74-4d1c-BEB3-46EDF96B2B7A}.exe	{F32CF680-2E6A-4147-8925-237F9751790F}.exe
File created	C:\Windows\{C97C981B-4814-40ed-A2C6-B4DCAC871028}.exe	{AD5A5A0A-4A74-4d1c-BEB3-46EDF96B2B7A}.exe
File created	C:\Windows\{BFBEF468-306D-40fc-ADC9-1418055EA002}.exe	59a06761c0708e67d2cc04b03f85f2a0_NeikiAnalytics.exe
File created	C:\Windows\{F32CF680-2E6A-4147-8925-237F9751790F}.exe	{E06BE0D6-1CD7-4692-95E7-464F38FC80FC}.exe
File created	C:\Windows\{87C840BE-CF3C-402c-8657-7A85273A7433}.exe	{FA988CE9-6EF7-4cfd-AFC4-81B14366A6B7}.exe
File created	C:\Windows\{D8A6E13A-069C-4b63-BD8A-17D55673CE0B}.exe	{87C840BE-CF3C-402c-8657-7A85273A7433}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

59a06761c0708e67d2cc04b03f85f2a0_NeikiAnalytics.exe{BFBEF468-306D-40fc-ADC9-1418055EA002}.exe{30B14D93-67E6-480a-B68E-6DD177729EB3}.exe{E06BE0D6-1CD7-4692-95E7-464F38FC80FC}.exe{F32CF680-2E6A-4147-8925-237F9751790F}.exe{AD5A5A0A-4A74-4d1c-BEB3-46EDF96B2B7A}.exe{C97C981B-4814-40ed-A2C6-B4DCAC871028}.exe{FA988CE9-6EF7-4cfd-AFC4-81B14366A6B7}.exe{87C840BE-CF3C-402c-8657-7A85273A7433}.exe{D8A6E13A-069C-4b63-BD8A-17D55673CE0B}.exe{3697E7E7-42AA-494d-810E-9AB5C732B89E}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2980	59a06761c0708e67d2cc04b03f85f2a0_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	3024	{BFBEF468-306D-40fc-ADC9-1418055EA002}.exe
Token: SeIncBasePriorityPrivilege	2716	{30B14D93-67E6-480a-B68E-6DD177729EB3}.exe
Token: SeIncBasePriorityPrivilege	2628	{E06BE0D6-1CD7-4692-95E7-464F38FC80FC}.exe
Token: SeIncBasePriorityPrivilege	848	{F32CF680-2E6A-4147-8925-237F9751790F}.exe
Token: SeIncBasePriorityPrivilege	2172	{AD5A5A0A-4A74-4d1c-BEB3-46EDF96B2B7A}.exe
Token: SeIncBasePriorityPrivilege	2168	{C97C981B-4814-40ed-A2C6-B4DCAC871028}.exe
Token: SeIncBasePriorityPrivilege	536	{FA988CE9-6EF7-4cfd-AFC4-81B14366A6B7}.exe
Token: SeIncBasePriorityPrivilege	2036	{87C840BE-CF3C-402c-8657-7A85273A7433}.exe
Token: SeIncBasePriorityPrivilege	1972	{D8A6E13A-069C-4b63-BD8A-17D55673CE0B}.exe
Token: SeIncBasePriorityPrivilege	1960	{3697E7E7-42AA-494d-810E-9AB5C732B89E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2980 wrote to memory of 3024	2980	59a06761c0708e67d2cc04b03f85f2a0_NeikiAnalytics.exe	{BFBEF468-306D-40fc-ADC9-1418055EA002}.exe
PID 2980 wrote to memory of 3024	2980	59a06761c0708e67d2cc04b03f85f2a0_NeikiAnalytics.exe	{BFBEF468-306D-40fc-ADC9-1418055EA002}.exe
PID 2980 wrote to memory of 3024	2980	59a06761c0708e67d2cc04b03f85f2a0_NeikiAnalytics.exe	{BFBEF468-306D-40fc-ADC9-1418055EA002}.exe
PID 2980 wrote to memory of 3024	2980	59a06761c0708e67d2cc04b03f85f2a0_NeikiAnalytics.exe	{BFBEF468-306D-40fc-ADC9-1418055EA002}.exe
PID 2980 wrote to memory of 2564	2980	59a06761c0708e67d2cc04b03f85f2a0_NeikiAnalytics.exe	cmd.exe
PID 2980 wrote to memory of 2564	2980	59a06761c0708e67d2cc04b03f85f2a0_NeikiAnalytics.exe	cmd.exe
PID 2980 wrote to memory of 2564	2980	59a06761c0708e67d2cc04b03f85f2a0_NeikiAnalytics.exe	cmd.exe
PID 2980 wrote to memory of 2564	2980	59a06761c0708e67d2cc04b03f85f2a0_NeikiAnalytics.exe	cmd.exe
PID 3024 wrote to memory of 2716	3024	{BFBEF468-306D-40fc-ADC9-1418055EA002}.exe	{30B14D93-67E6-480a-B68E-6DD177729EB3}.exe
PID 3024 wrote to memory of 2716	3024	{BFBEF468-306D-40fc-ADC9-1418055EA002}.exe	{30B14D93-67E6-480a-B68E-6DD177729EB3}.exe
PID 3024 wrote to memory of 2716	3024	{BFBEF468-306D-40fc-ADC9-1418055EA002}.exe	{30B14D93-67E6-480a-B68E-6DD177729EB3}.exe
PID 3024 wrote to memory of 2716	3024	{BFBEF468-306D-40fc-ADC9-1418055EA002}.exe	{30B14D93-67E6-480a-B68E-6DD177729EB3}.exe
PID 3024 wrote to memory of 2740	3024	{BFBEF468-306D-40fc-ADC9-1418055EA002}.exe	cmd.exe
PID 3024 wrote to memory of 2740	3024	{BFBEF468-306D-40fc-ADC9-1418055EA002}.exe	cmd.exe
PID 3024 wrote to memory of 2740	3024	{BFBEF468-306D-40fc-ADC9-1418055EA002}.exe	cmd.exe
PID 3024 wrote to memory of 2740	3024	{BFBEF468-306D-40fc-ADC9-1418055EA002}.exe	cmd.exe
PID 2716 wrote to memory of 2628	2716	{30B14D93-67E6-480a-B68E-6DD177729EB3}.exe	{E06BE0D6-1CD7-4692-95E7-464F38FC80FC}.exe
PID 2716 wrote to memory of 2628	2716	{30B14D93-67E6-480a-B68E-6DD177729EB3}.exe	{E06BE0D6-1CD7-4692-95E7-464F38FC80FC}.exe
PID 2716 wrote to memory of 2628	2716	{30B14D93-67E6-480a-B68E-6DD177729EB3}.exe	{E06BE0D6-1CD7-4692-95E7-464F38FC80FC}.exe
PID 2716 wrote to memory of 2628	2716	{30B14D93-67E6-480a-B68E-6DD177729EB3}.exe	{E06BE0D6-1CD7-4692-95E7-464F38FC80FC}.exe
PID 2716 wrote to memory of 1176	2716	{30B14D93-67E6-480a-B68E-6DD177729EB3}.exe	cmd.exe
PID 2716 wrote to memory of 1176	2716	{30B14D93-67E6-480a-B68E-6DD177729EB3}.exe	cmd.exe
PID 2716 wrote to memory of 1176	2716	{30B14D93-67E6-480a-B68E-6DD177729EB3}.exe	cmd.exe
PID 2716 wrote to memory of 1176	2716	{30B14D93-67E6-480a-B68E-6DD177729EB3}.exe	cmd.exe
PID 2628 wrote to memory of 848	2628	{E06BE0D6-1CD7-4692-95E7-464F38FC80FC}.exe	{F32CF680-2E6A-4147-8925-237F9751790F}.exe
PID 2628 wrote to memory of 848	2628	{E06BE0D6-1CD7-4692-95E7-464F38FC80FC}.exe	{F32CF680-2E6A-4147-8925-237F9751790F}.exe
PID 2628 wrote to memory of 848	2628	{E06BE0D6-1CD7-4692-95E7-464F38FC80FC}.exe	{F32CF680-2E6A-4147-8925-237F9751790F}.exe
PID 2628 wrote to memory of 848	2628	{E06BE0D6-1CD7-4692-95E7-464F38FC80FC}.exe	{F32CF680-2E6A-4147-8925-237F9751790F}.exe
PID 2628 wrote to memory of 2544	2628	{E06BE0D6-1CD7-4692-95E7-464F38FC80FC}.exe	cmd.exe
PID 2628 wrote to memory of 2544	2628	{E06BE0D6-1CD7-4692-95E7-464F38FC80FC}.exe	cmd.exe
PID 2628 wrote to memory of 2544	2628	{E06BE0D6-1CD7-4692-95E7-464F38FC80FC}.exe	cmd.exe
PID 2628 wrote to memory of 2544	2628	{E06BE0D6-1CD7-4692-95E7-464F38FC80FC}.exe	cmd.exe
PID 848 wrote to memory of 2172	848	{F32CF680-2E6A-4147-8925-237F9751790F}.exe	{AD5A5A0A-4A74-4d1c-BEB3-46EDF96B2B7A}.exe
PID 848 wrote to memory of 2172	848	{F32CF680-2E6A-4147-8925-237F9751790F}.exe	{AD5A5A0A-4A74-4d1c-BEB3-46EDF96B2B7A}.exe
PID 848 wrote to memory of 2172	848	{F32CF680-2E6A-4147-8925-237F9751790F}.exe	{AD5A5A0A-4A74-4d1c-BEB3-46EDF96B2B7A}.exe
PID 848 wrote to memory of 2172	848	{F32CF680-2E6A-4147-8925-237F9751790F}.exe	{AD5A5A0A-4A74-4d1c-BEB3-46EDF96B2B7A}.exe
PID 848 wrote to memory of 1524	848	{F32CF680-2E6A-4147-8925-237F9751790F}.exe	cmd.exe
PID 848 wrote to memory of 1524	848	{F32CF680-2E6A-4147-8925-237F9751790F}.exe	cmd.exe
PID 848 wrote to memory of 1524	848	{F32CF680-2E6A-4147-8925-237F9751790F}.exe	cmd.exe
PID 848 wrote to memory of 1524	848	{F32CF680-2E6A-4147-8925-237F9751790F}.exe	cmd.exe
PID 2172 wrote to memory of 2168	2172	{AD5A5A0A-4A74-4d1c-BEB3-46EDF96B2B7A}.exe	{C97C981B-4814-40ed-A2C6-B4DCAC871028}.exe
PID 2172 wrote to memory of 2168	2172	{AD5A5A0A-4A74-4d1c-BEB3-46EDF96B2B7A}.exe	{C97C981B-4814-40ed-A2C6-B4DCAC871028}.exe
PID 2172 wrote to memory of 2168	2172	{AD5A5A0A-4A74-4d1c-BEB3-46EDF96B2B7A}.exe	{C97C981B-4814-40ed-A2C6-B4DCAC871028}.exe
PID 2172 wrote to memory of 2168	2172	{AD5A5A0A-4A74-4d1c-BEB3-46EDF96B2B7A}.exe	{C97C981B-4814-40ed-A2C6-B4DCAC871028}.exe
PID 2172 wrote to memory of 1492	2172	{AD5A5A0A-4A74-4d1c-BEB3-46EDF96B2B7A}.exe	cmd.exe
PID 2172 wrote to memory of 1492	2172	{AD5A5A0A-4A74-4d1c-BEB3-46EDF96B2B7A}.exe	cmd.exe
PID 2172 wrote to memory of 1492	2172	{AD5A5A0A-4A74-4d1c-BEB3-46EDF96B2B7A}.exe	cmd.exe
PID 2172 wrote to memory of 1492	2172	{AD5A5A0A-4A74-4d1c-BEB3-46EDF96B2B7A}.exe	cmd.exe
PID 2168 wrote to memory of 536	2168	{C97C981B-4814-40ed-A2C6-B4DCAC871028}.exe	{FA988CE9-6EF7-4cfd-AFC4-81B14366A6B7}.exe
PID 2168 wrote to memory of 536	2168	{C97C981B-4814-40ed-A2C6-B4DCAC871028}.exe	{FA988CE9-6EF7-4cfd-AFC4-81B14366A6B7}.exe
PID 2168 wrote to memory of 536	2168	{C97C981B-4814-40ed-A2C6-B4DCAC871028}.exe	{FA988CE9-6EF7-4cfd-AFC4-81B14366A6B7}.exe
PID 2168 wrote to memory of 536	2168	{C97C981B-4814-40ed-A2C6-B4DCAC871028}.exe	{FA988CE9-6EF7-4cfd-AFC4-81B14366A6B7}.exe
PID 2168 wrote to memory of 680	2168	{C97C981B-4814-40ed-A2C6-B4DCAC871028}.exe	cmd.exe
PID 2168 wrote to memory of 680	2168	{C97C981B-4814-40ed-A2C6-B4DCAC871028}.exe	cmd.exe
PID 2168 wrote to memory of 680	2168	{C97C981B-4814-40ed-A2C6-B4DCAC871028}.exe	cmd.exe
PID 2168 wrote to memory of 680	2168	{C97C981B-4814-40ed-A2C6-B4DCAC871028}.exe	cmd.exe
PID 536 wrote to memory of 2036	536	{FA988CE9-6EF7-4cfd-AFC4-81B14366A6B7}.exe	{87C840BE-CF3C-402c-8657-7A85273A7433}.exe
PID 536 wrote to memory of 2036	536	{FA988CE9-6EF7-4cfd-AFC4-81B14366A6B7}.exe	{87C840BE-CF3C-402c-8657-7A85273A7433}.exe
PID 536 wrote to memory of 2036	536	{FA988CE9-6EF7-4cfd-AFC4-81B14366A6B7}.exe	{87C840BE-CF3C-402c-8657-7A85273A7433}.exe
PID 536 wrote to memory of 2036	536	{FA988CE9-6EF7-4cfd-AFC4-81B14366A6B7}.exe	{87C840BE-CF3C-402c-8657-7A85273A7433}.exe
PID 536 wrote to memory of 1684	536	{FA988CE9-6EF7-4cfd-AFC4-81B14366A6B7}.exe	cmd.exe
PID 536 wrote to memory of 1684	536	{FA988CE9-6EF7-4cfd-AFC4-81B14366A6B7}.exe	cmd.exe
PID 536 wrote to memory of 1684	536	{FA988CE9-6EF7-4cfd-AFC4-81B14366A6B7}.exe	cmd.exe
PID 536 wrote to memory of 1684	536	{FA988CE9-6EF7-4cfd-AFC4-81B14366A6B7}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\59a06761c0708e67d2cc04b03f85f2a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\59a06761c0708e67d2cc04b03f85f2a0_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2980

C:\Windows\{BFBEF468-306D-40fc-ADC9-1418055EA002}.exe
C:\Windows\{BFBEF468-306D-40fc-ADC9-1418055EA002}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\{30B14D93-67E6-480a-B68E-6DD177729EB3}.exe
C:\Windows\{30B14D93-67E6-480a-B68E-6DD177729EB3}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\{E06BE0D6-1CD7-4692-95E7-464F38FC80FC}.exe
C:\Windows\{E06BE0D6-1CD7-4692-95E7-464F38FC80FC}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\{F32CF680-2E6A-4147-8925-237F9751790F}.exe
C:\Windows\{F32CF680-2E6A-4147-8925-237F9751790F}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\{AD5A5A0A-4A74-4d1c-BEB3-46EDF96B2B7A}.exe
C:\Windows\{AD5A5A0A-4A74-4d1c-BEB3-46EDF96B2B7A}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172

C:\Windows\{C97C981B-4814-40ed-A2C6-B4DCAC871028}.exe
C:\Windows\{C97C981B-4814-40ed-A2C6-B4DCAC871028}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\{FA988CE9-6EF7-4cfd-AFC4-81B14366A6B7}.exe
C:\Windows\{FA988CE9-6EF7-4cfd-AFC4-81B14366A6B7}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:536

C:\Windows\{87C840BE-CF3C-402c-8657-7A85273A7433}.exe
C:\Windows\{87C840BE-CF3C-402c-8657-7A85273A7433}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\{D8A6E13A-069C-4b63-BD8A-17D55673CE0B}.exe
C:\Windows\{D8A6E13A-069C-4b63-BD8A-17D55673CE0B}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Windows\{3697E7E7-42AA-494d-810E-9AB5C732B89E}.exe
C:\Windows\{3697E7E7-42AA-494d-810E-9AB5C732B89E}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Windows\{16EC78F2-3866-4a70-A294-8909AA87B218}.exe
C:\Windows\{16EC78F2-3866-4a70-A294-8909AA87B218}.exe
12⤵
- Executes dropped EXE
PID:2316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{3697E~1.EXE > nul
12⤵
PID:1532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D8A6E~1.EXE > nul
11⤵
PID:2644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{87C84~1.EXE > nul
10⤵
PID:1964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{FA988~1.EXE > nul
9⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C97C9~1.EXE > nul
8⤵
PID:680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{AD5A5~1.EXE > nul
7⤵
PID:1492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F32CF~1.EXE > nul
6⤵
PID:1524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E06BE~1.EXE > nul
5⤵
PID:2544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{30B14~1.EXE > nul
4⤵
PID:1176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{BFBEF~1.EXE > nul
3⤵
PID:2740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\59A067~1.EXE > nul
2⤵
- Deletes itself
PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{16EC78F2-3866-4a70-A294-8909AA87B218}.exe

Filesize
64KB

MD5
2234f5e50ac5d278cb6c0ed73ad8c28c

SHA1
03872ea5e47bdba91a364e04c492b67e36f081b2

SHA256
8736b229a687e8eb2b96c9c230b5170d329d8c5236f6f14844f9091c7d448b7e

SHA512
c897d45f06557a4b6685bfb48f64a894c827dcf54cec43bb316a01577d9eba9268f3d7731ef39e3a4356c1c4b0b4e54443ae62fb6c94d8f1831889403f0e7685

Download Submit
C:\Windows\{30B14D93-67E6-480a-B68E-6DD177729EB3}.exe

Filesize
64KB

MD5
7662dc433a5ee227401e4c4859fd1a05

SHA1
82b4d65aa9e5b832146e06acb0276c7322831c44

SHA256
bc8af6e4b6dc6300c233af125c519443b3dcfdcc7574b56d0fb6e80ff4bc0854

SHA512
4acb54ce4e45be6e35a0c46de3ba7b61764db31c80be0a482671912915a5ab1d39402cbb41c5a054a7d5f9a687792387fa7983e6541207a9c769dccbcb2eaf6f

Download Submit
C:\Windows\{3697E7E7-42AA-494d-810E-9AB5C732B89E}.exe

Filesize
64KB

MD5
173fecbd9c3f63cf29dd3413c9e5f3f5

SHA1
2707a4ea2ca22f0b2cf0360c41d37a2819bc10f7

SHA256
ef154ffa510a5d732291df8dd704d7f3947392c67a2f1319251bc4003234cddf

SHA512
bbc4af5b9f83325501edd5339ea0b146778f743d21fb98768d57bf4fd8fe8e6682858b11b04f3a8afdff362c52ab00be6e2119e8ea433ccf032af9fef96e6b42

Download Submit
C:\Windows\{87C840BE-CF3C-402c-8657-7A85273A7433}.exe

Filesize
64KB

MD5
6bd1aa5367ee7a39acf55f0ec8bff324

SHA1
0f563296eca033116b44f0e89fe7678230983a1f

SHA256
43e2cafe0130f7723eeb1a49c2131c31afe0f8d3cb73d2d0f676965aa8ef07a7

SHA512
c07f9c45273751dbf8400e0b712a77ed3bace26e717e407a3a996983c06141fe0cd76b1d898240eb93b7a9e036a4e6b3cb94a99146c416295566b7623e1a6f5e

Download Submit
C:\Windows\{AD5A5A0A-4A74-4d1c-BEB3-46EDF96B2B7A}.exe

Filesize
64KB

MD5
8440c39671cf79a832d13f5d00112927

SHA1
94b2d1deef3fdc554ed7ddd7baae9409ee4805df

SHA256
55ca5a11835c5b9c8897c29174bb0c3df3150eae43895b4a5f8bdfdfbd8a99ee

SHA512
8705f05b5abe0d0dd5cc5d99e5dce328940b2dda3697b3bac6b152a5a4ab83fdbbb9bdf86885a3be7cc17e285f019ac13e1d3ab55cd70b8b8f53ea2a54cfc27b

Download Submit
C:\Windows\{BFBEF468-306D-40fc-ADC9-1418055EA002}.exe

Filesize
64KB

MD5
d3f9738ae7c9aba60058e71ac3138654

SHA1
62c9160620228e7ae71a38fe01f6e2273abecd91

SHA256
4eff1e6a1a2de3669a3b4f4af8182eb11f8fb3b3153ac6f6fb8e00bdbf998575

SHA512
d1fc7ffc794027e32335ec907d8aa16d0797551c840049172c271e82cafcf1b73beb7f274cdf8f4b47edc2612be7b67d76e5ead235a77aa46975e2e11e6c2f70

Download Submit
C:\Windows\{C97C981B-4814-40ed-A2C6-B4DCAC871028}.exe

Filesize
64KB

MD5
de3d0a8a70c24a86eeec5b7451188878

SHA1
cc587e852b92f8d61b2b3018b2d00e9e46ccd864

SHA256
c1c9d8503b684545aba77ac6e616f661da946c4629bff7954e522ecb9cfbda30

SHA512
c5e51bad4f8cee2f25d987787f12f606e6b324ce05d293746d91b05df863e82b79af8408e52e38c59c47625ee782d1157e459db82b9bef4d1093ce17ff8cabd9

Download Submit
C:\Windows\{D8A6E13A-069C-4b63-BD8A-17D55673CE0B}.exe

Filesize
64KB

MD5
8bb840243ab3c6ae60a5162a8a37fa26

SHA1
55c3360997c60a09d9dc5b6a58574330910d5022

SHA256
6249a62ff06826aecbe0eeadb8c23b62607a7702db5d39c0b1e9faa3b178b2f7

SHA512
5a51f777513405ead6de21aa046212e4546cd203fdd66b4260308e9e8acb7d682916a162925daff2b02e469c43fcc9c50da1f64f241a29c412bec87b67aaa14c

Download Submit
C:\Windows\{E06BE0D6-1CD7-4692-95E7-464F38FC80FC}.exe

Filesize
64KB

MD5
7cefd3dba17a5561aaf75814a20b8607

SHA1
11e290c9450880c3924c5ea9683b0e22f233a514

SHA256
bbc9bb444540bf164179438ad022c3dcf84edfe2dcc405d7b013b249017b90c7

SHA512
52091880e37395f600bf0eb233cd9cb8d3dfb213e2f661610cfd06dda948d2e45ea5b3c415c2c79dd10fed79cc57c47c75ac173d45df8fecf5cf0a2dfab20bb8

Download Submit
C:\Windows\{F32CF680-2E6A-4147-8925-237F9751790F}.exe

Filesize
64KB

MD5
546e6714082356e16389d421f15840c5

SHA1
09778651e74b53279ebd35033e7e9900e72b2370

SHA256
86a611dc479c494b2ff807ce2d807fe645b356f3f0fc13d7aef19e9b4bac2a8c

SHA512
ea23851640490c73e135bff3852108f29cf678a5ee0ba157f223bf4f00b22b5985234a328a0ecdbbb5b75b4c7fbc0564a680ee5b07783c260a2bb2db4df94cad

Download Submit
C:\Windows\{FA988CE9-6EF7-4cfd-AFC4-81B14366A6B7}.exe

Filesize
64KB

MD5
e93389a9a6c6860a64123b51c33d216c

SHA1
a072192237e355a74577a0233943b18a18d4fe3b

SHA256
b9364b19f213b4d275c6af41841ce764040f41d9964a8005b07b4ab6a7cbe306

SHA512
d7c812a1303ba02aa2366c76f427f25f433f01967942c7bdef69f5806a99a55916818ce936af1fd7c144d226026c4fc2e557d8d62c6489e1f4ccd908fa03aa9d

Download Submit
memory/536-74-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/536-65-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/848-38-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/848-46-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1960-92-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1960-100-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1972-91-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2036-75-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2036-83-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2168-66-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2168-64-0x0000000000370000-0x0000000000380000-memory.dmp

Filesize
64KB

Download
memory/2172-54-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2172-56-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2172-47-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2316-101-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2628-37-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2628-29-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2716-28-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2716-19-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2980-7-0x0000000000280000-0x0000000000290000-memory.dmp

Filesize
64KB

Download
memory/2980-8-0x0000000000280000-0x0000000000290000-memory.dmp

Filesize
64KB

Download
memory/2980-10-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2980-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3024-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3024-18-0x0000000000280000-0x0000000000290000-memory.dmp

Filesize
64KB

Download
memory/3024-20-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download