723b0e45525faab017480a266214a59f23b212b810333432c95866a546014359

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 23:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59bcdd8a6068ec4adc979b30ea4649d0_NeikiAnalytics.exe
Size

98KB
MD5

59bcdd8a6068ec4adc979b30ea4649d0
SHA1

510a290178e842e374b6f083b1995a3dd5be2bf2
SHA256

723b0e45525faab017480a266214a59f23b212b810333432c95866a546014359
SHA512

07a26e6c6bcc79338169733c0bc2aec5e8b97d08576d02ced76582bc22f779d82894008d5c8819002462b714f6c5af7e7a4b60e2322705ac8510599ae5f072a3
SSDEEP

768:5vw981UMhKQLrog4/wQ4pNrfrunMxVFA3b7glw6:lEG00ogl3zunMxVS3Hgl

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{F190A454-B733-4080-A771-ABA7906FC956}.exe{5826B995-2349-46a8-908E-A159A2266A46}.exe{A7F8C9AB-2505-4fc3-B3BE-474095AE0645}.exe{400FED36-47D4-426b-8F8D-F8A1AFA6C9AD}.exe{9F6CF2F9-9653-4d01-92FD-F57A605BCF99}.exe59bcdd8a6068ec4adc979b30ea4649d0_NeikiAnalytics.exe{D4BE8FCE-0752-4926-9B1D-9B9CC9C24529}.exe{E6016B71-31FA-42a3-B717-E24D5FEF9FA4}.exe{69F76FD7-711E-4a74-81C0-5E34ED6F5487}.exe{5D7E3E83-C3C9-4519-B516-2779C544C72D}.exe{05645A0A-EF93-4264-B3ED-7F24A04CCBCF}.exe{C2D0E007-F555-4bcd-9EAC-AEE2FCED7889}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5826B995-2349-46a8-908E-A159A2266A46}	{F190A454-B733-4080-A771-ABA7906FC956}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7F8C9AB-2505-4fc3-B3BE-474095AE0645}\stubpath = "C:\\Windows\\{A7F8C9AB-2505-4fc3-B3BE-474095AE0645}.exe"	{5826B995-2349-46a8-908E-A159A2266A46}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05645A0A-EF93-4264-B3ED-7F24A04CCBCF}	{A7F8C9AB-2505-4fc3-B3BE-474095AE0645}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2D0E007-F555-4bcd-9EAC-AEE2FCED7889}	{400FED36-47D4-426b-8F8D-F8A1AFA6C9AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69F76FD7-711E-4a74-81C0-5E34ED6F5487}	{9F6CF2F9-9653-4d01-92FD-F57A605BCF99}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F190A454-B733-4080-A771-ABA7906FC956}	59bcdd8a6068ec4adc979b30ea4649d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F190A454-B733-4080-A771-ABA7906FC956}\stubpath = "C:\\Windows\\{F190A454-B733-4080-A771-ABA7906FC956}.exe"	59bcdd8a6068ec4adc979b30ea4649d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6016B71-31FA-42a3-B717-E24D5FEF9FA4}\stubpath = "C:\\Windows\\{E6016B71-31FA-42a3-B717-E24D5FEF9FA4}.exe"	{D4BE8FCE-0752-4926-9B1D-9B9CC9C24529}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F6CF2F9-9653-4d01-92FD-F57A605BCF99}	{E6016B71-31FA-42a3-B717-E24D5FEF9FA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D7E3E83-C3C9-4519-B516-2779C544C72D}	{69F76FD7-711E-4a74-81C0-5E34ED6F5487}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{501E3C4D-8CB6-4b58-B1B0-9A39328F524A}	{5D7E3E83-C3C9-4519-B516-2779C544C72D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7F8C9AB-2505-4fc3-B3BE-474095AE0645}	{5826B995-2349-46a8-908E-A159A2266A46}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{400FED36-47D4-426b-8F8D-F8A1AFA6C9AD}	{05645A0A-EF93-4264-B3ED-7F24A04CCBCF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4BE8FCE-0752-4926-9B1D-9B9CC9C24529}	{C2D0E007-F555-4bcd-9EAC-AEE2FCED7889}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{501E3C4D-8CB6-4b58-B1B0-9A39328F524A}\stubpath = "C:\\Windows\\{501E3C4D-8CB6-4b58-B1B0-9A39328F524A}.exe"	{5D7E3E83-C3C9-4519-B516-2779C544C72D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5826B995-2349-46a8-908E-A159A2266A46}\stubpath = "C:\\Windows\\{5826B995-2349-46a8-908E-A159A2266A46}.exe"	{F190A454-B733-4080-A771-ABA7906FC956}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05645A0A-EF93-4264-B3ED-7F24A04CCBCF}\stubpath = "C:\\Windows\\{05645A0A-EF93-4264-B3ED-7F24A04CCBCF}.exe"	{A7F8C9AB-2505-4fc3-B3BE-474095AE0645}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{400FED36-47D4-426b-8F8D-F8A1AFA6C9AD}\stubpath = "C:\\Windows\\{400FED36-47D4-426b-8F8D-F8A1AFA6C9AD}.exe"	{05645A0A-EF93-4264-B3ED-7F24A04CCBCF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2D0E007-F555-4bcd-9EAC-AEE2FCED7889}\stubpath = "C:\\Windows\\{C2D0E007-F555-4bcd-9EAC-AEE2FCED7889}.exe"	{400FED36-47D4-426b-8F8D-F8A1AFA6C9AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4BE8FCE-0752-4926-9B1D-9B9CC9C24529}\stubpath = "C:\\Windows\\{D4BE8FCE-0752-4926-9B1D-9B9CC9C24529}.exe"	{C2D0E007-F555-4bcd-9EAC-AEE2FCED7889}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6016B71-31FA-42a3-B717-E24D5FEF9FA4}	{D4BE8FCE-0752-4926-9B1D-9B9CC9C24529}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F6CF2F9-9653-4d01-92FD-F57A605BCF99}\stubpath = "C:\\Windows\\{9F6CF2F9-9653-4d01-92FD-F57A605BCF99}.exe"	{E6016B71-31FA-42a3-B717-E24D5FEF9FA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69F76FD7-711E-4a74-81C0-5E34ED6F5487}\stubpath = "C:\\Windows\\{69F76FD7-711E-4a74-81C0-5E34ED6F5487}.exe"	{9F6CF2F9-9653-4d01-92FD-F57A605BCF99}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D7E3E83-C3C9-4519-B516-2779C544C72D}\stubpath = "C:\\Windows\\{5D7E3E83-C3C9-4519-B516-2779C544C72D}.exe"	{69F76FD7-711E-4a74-81C0-5E34ED6F5487}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1960 cmd.exe

pid	process
1960	cmd.exe

Executes dropped EXE 12 IoCs

Processes:

{F190A454-B733-4080-A771-ABA7906FC956}.exe{5826B995-2349-46a8-908E-A159A2266A46}.exe{A7F8C9AB-2505-4fc3-B3BE-474095AE0645}.exe{05645A0A-EF93-4264-B3ED-7F24A04CCBCF}.exe{400FED36-47D4-426b-8F8D-F8A1AFA6C9AD}.exe{C2D0E007-F555-4bcd-9EAC-AEE2FCED7889}.exe{D4BE8FCE-0752-4926-9B1D-9B9CC9C24529}.exe{E6016B71-31FA-42a3-B717-E24D5FEF9FA4}.exe{9F6CF2F9-9653-4d01-92FD-F57A605BCF99}.exe{69F76FD7-711E-4a74-81C0-5E34ED6F5487}.exe{5D7E3E83-C3C9-4519-B516-2779C544C72D}.exe{501E3C4D-8CB6-4b58-B1B0-9A39328F524A}.exe

pid	process
2116	{F190A454-B733-4080-A771-ABA7906FC956}.exe
2484	{5826B995-2349-46a8-908E-A159A2266A46}.exe
2520	{A7F8C9AB-2505-4fc3-B3BE-474095AE0645}.exe
2400	{05645A0A-EF93-4264-B3ED-7F24A04CCBCF}.exe
1280	{400FED36-47D4-426b-8F8D-F8A1AFA6C9AD}.exe
752	{C2D0E007-F555-4bcd-9EAC-AEE2FCED7889}.exe
948	{D4BE8FCE-0752-4926-9B1D-9B9CC9C24529}.exe
1544	{E6016B71-31FA-42a3-B717-E24D5FEF9FA4}.exe
2652	{9F6CF2F9-9653-4d01-92FD-F57A605BCF99}.exe
2648	{69F76FD7-711E-4a74-81C0-5E34ED6F5487}.exe
1988	{5D7E3E83-C3C9-4519-B516-2779C544C72D}.exe
1836	{501E3C4D-8CB6-4b58-B1B0-9A39328F524A}.exe

Drops file in Windows directory 12 IoCs

Processes:

{400FED36-47D4-426b-8F8D-F8A1AFA6C9AD}.exe{D4BE8FCE-0752-4926-9B1D-9B9CC9C24529}.exe{E6016B71-31FA-42a3-B717-E24D5FEF9FA4}.exe{69F76FD7-711E-4a74-81C0-5E34ED6F5487}.exe{5D7E3E83-C3C9-4519-B516-2779C544C72D}.exe{5826B995-2349-46a8-908E-A159A2266A46}.exe{A7F8C9AB-2505-4fc3-B3BE-474095AE0645}.exe{05645A0A-EF93-4264-B3ED-7F24A04CCBCF}.exe{9F6CF2F9-9653-4d01-92FD-F57A605BCF99}.exe59bcdd8a6068ec4adc979b30ea4649d0_NeikiAnalytics.exe{F190A454-B733-4080-A771-ABA7906FC956}.exe{C2D0E007-F555-4bcd-9EAC-AEE2FCED7889}.exe

description	ioc	process
File created	C:\Windows\{C2D0E007-F555-4bcd-9EAC-AEE2FCED7889}.exe	{400FED36-47D4-426b-8F8D-F8A1AFA6C9AD}.exe
File created	C:\Windows\{E6016B71-31FA-42a3-B717-E24D5FEF9FA4}.exe	{D4BE8FCE-0752-4926-9B1D-9B9CC9C24529}.exe
File created	C:\Windows\{9F6CF2F9-9653-4d01-92FD-F57A605BCF99}.exe	{E6016B71-31FA-42a3-B717-E24D5FEF9FA4}.exe
File created	C:\Windows\{5D7E3E83-C3C9-4519-B516-2779C544C72D}.exe	{69F76FD7-711E-4a74-81C0-5E34ED6F5487}.exe
File created	C:\Windows\{501E3C4D-8CB6-4b58-B1B0-9A39328F524A}.exe	{5D7E3E83-C3C9-4519-B516-2779C544C72D}.exe
File created	C:\Windows\{A7F8C9AB-2505-4fc3-B3BE-474095AE0645}.exe	{5826B995-2349-46a8-908E-A159A2266A46}.exe
File created	C:\Windows\{05645A0A-EF93-4264-B3ED-7F24A04CCBCF}.exe	{A7F8C9AB-2505-4fc3-B3BE-474095AE0645}.exe
File created	C:\Windows\{400FED36-47D4-426b-8F8D-F8A1AFA6C9AD}.exe	{05645A0A-EF93-4264-B3ED-7F24A04CCBCF}.exe
File created	C:\Windows\{69F76FD7-711E-4a74-81C0-5E34ED6F5487}.exe	{9F6CF2F9-9653-4d01-92FD-F57A605BCF99}.exe
File created	C:\Windows\{F190A454-B733-4080-A771-ABA7906FC956}.exe	59bcdd8a6068ec4adc979b30ea4649d0_NeikiAnalytics.exe
File created	C:\Windows\{5826B995-2349-46a8-908E-A159A2266A46}.exe	{F190A454-B733-4080-A771-ABA7906FC956}.exe
File created	C:\Windows\{D4BE8FCE-0752-4926-9B1D-9B9CC9C24529}.exe	{C2D0E007-F555-4bcd-9EAC-AEE2FCED7889}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

59bcdd8a6068ec4adc979b30ea4649d0_NeikiAnalytics.exe{F190A454-B733-4080-A771-ABA7906FC956}.exe{5826B995-2349-46a8-908E-A159A2266A46}.exe{A7F8C9AB-2505-4fc3-B3BE-474095AE0645}.exe{05645A0A-EF93-4264-B3ED-7F24A04CCBCF}.exe{400FED36-47D4-426b-8F8D-F8A1AFA6C9AD}.exe{C2D0E007-F555-4bcd-9EAC-AEE2FCED7889}.exe{D4BE8FCE-0752-4926-9B1D-9B9CC9C24529}.exe{E6016B71-31FA-42a3-B717-E24D5FEF9FA4}.exe{9F6CF2F9-9653-4d01-92FD-F57A605BCF99}.exe{69F76FD7-711E-4a74-81C0-5E34ED6F5487}.exe{5D7E3E83-C3C9-4519-B516-2779C544C72D}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1736	59bcdd8a6068ec4adc979b30ea4649d0_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2116	{F190A454-B733-4080-A771-ABA7906FC956}.exe
Token: SeIncBasePriorityPrivilege	2484	{5826B995-2349-46a8-908E-A159A2266A46}.exe
Token: SeIncBasePriorityPrivilege	2520	{A7F8C9AB-2505-4fc3-B3BE-474095AE0645}.exe
Token: SeIncBasePriorityPrivilege	2400	{05645A0A-EF93-4264-B3ED-7F24A04CCBCF}.exe
Token: SeIncBasePriorityPrivilege	1280	{400FED36-47D4-426b-8F8D-F8A1AFA6C9AD}.exe
Token: SeIncBasePriorityPrivilege	752	{C2D0E007-F555-4bcd-9EAC-AEE2FCED7889}.exe
Token: SeIncBasePriorityPrivilege	948	{D4BE8FCE-0752-4926-9B1D-9B9CC9C24529}.exe
Token: SeIncBasePriorityPrivilege	1544	{E6016B71-31FA-42a3-B717-E24D5FEF9FA4}.exe
Token: SeIncBasePriorityPrivilege	2652	{9F6CF2F9-9653-4d01-92FD-F57A605BCF99}.exe
Token: SeIncBasePriorityPrivilege	2648	{69F76FD7-711E-4a74-81C0-5E34ED6F5487}.exe
Token: SeIncBasePriorityPrivilege	1988	{5D7E3E83-C3C9-4519-B516-2779C544C72D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1736 wrote to memory of 2116	1736	59bcdd8a6068ec4adc979b30ea4649d0_NeikiAnalytics.exe	{F190A454-B733-4080-A771-ABA7906FC956}.exe
PID 1736 wrote to memory of 2116	1736	59bcdd8a6068ec4adc979b30ea4649d0_NeikiAnalytics.exe	{F190A454-B733-4080-A771-ABA7906FC956}.exe
PID 1736 wrote to memory of 2116	1736	59bcdd8a6068ec4adc979b30ea4649d0_NeikiAnalytics.exe	{F190A454-B733-4080-A771-ABA7906FC956}.exe
PID 1736 wrote to memory of 2116	1736	59bcdd8a6068ec4adc979b30ea4649d0_NeikiAnalytics.exe	{F190A454-B733-4080-A771-ABA7906FC956}.exe
PID 1736 wrote to memory of 1960	1736	59bcdd8a6068ec4adc979b30ea4649d0_NeikiAnalytics.exe	cmd.exe
PID 1736 wrote to memory of 1960	1736	59bcdd8a6068ec4adc979b30ea4649d0_NeikiAnalytics.exe	cmd.exe
PID 1736 wrote to memory of 1960	1736	59bcdd8a6068ec4adc979b30ea4649d0_NeikiAnalytics.exe	cmd.exe
PID 1736 wrote to memory of 1960	1736	59bcdd8a6068ec4adc979b30ea4649d0_NeikiAnalytics.exe	cmd.exe
PID 2116 wrote to memory of 2484	2116	{F190A454-B733-4080-A771-ABA7906FC956}.exe	{5826B995-2349-46a8-908E-A159A2266A46}.exe
PID 2116 wrote to memory of 2484	2116	{F190A454-B733-4080-A771-ABA7906FC956}.exe	{5826B995-2349-46a8-908E-A159A2266A46}.exe
PID 2116 wrote to memory of 2484	2116	{F190A454-B733-4080-A771-ABA7906FC956}.exe	{5826B995-2349-46a8-908E-A159A2266A46}.exe
PID 2116 wrote to memory of 2484	2116	{F190A454-B733-4080-A771-ABA7906FC956}.exe	{5826B995-2349-46a8-908E-A159A2266A46}.exe
PID 2116 wrote to memory of 2556	2116	{F190A454-B733-4080-A771-ABA7906FC956}.exe	cmd.exe
PID 2116 wrote to memory of 2556	2116	{F190A454-B733-4080-A771-ABA7906FC956}.exe	cmd.exe
PID 2116 wrote to memory of 2556	2116	{F190A454-B733-4080-A771-ABA7906FC956}.exe	cmd.exe
PID 2116 wrote to memory of 2556	2116	{F190A454-B733-4080-A771-ABA7906FC956}.exe	cmd.exe
PID 2484 wrote to memory of 2520	2484	{5826B995-2349-46a8-908E-A159A2266A46}.exe	{A7F8C9AB-2505-4fc3-B3BE-474095AE0645}.exe
PID 2484 wrote to memory of 2520	2484	{5826B995-2349-46a8-908E-A159A2266A46}.exe	{A7F8C9AB-2505-4fc3-B3BE-474095AE0645}.exe
PID 2484 wrote to memory of 2520	2484	{5826B995-2349-46a8-908E-A159A2266A46}.exe	{A7F8C9AB-2505-4fc3-B3BE-474095AE0645}.exe
PID 2484 wrote to memory of 2520	2484	{5826B995-2349-46a8-908E-A159A2266A46}.exe	{A7F8C9AB-2505-4fc3-B3BE-474095AE0645}.exe
PID 2484 wrote to memory of 2344	2484	{5826B995-2349-46a8-908E-A159A2266A46}.exe	cmd.exe
PID 2484 wrote to memory of 2344	2484	{5826B995-2349-46a8-908E-A159A2266A46}.exe	cmd.exe
PID 2484 wrote to memory of 2344	2484	{5826B995-2349-46a8-908E-A159A2266A46}.exe	cmd.exe
PID 2484 wrote to memory of 2344	2484	{5826B995-2349-46a8-908E-A159A2266A46}.exe	cmd.exe
PID 2520 wrote to memory of 2400	2520	{A7F8C9AB-2505-4fc3-B3BE-474095AE0645}.exe	{05645A0A-EF93-4264-B3ED-7F24A04CCBCF}.exe
PID 2520 wrote to memory of 2400	2520	{A7F8C9AB-2505-4fc3-B3BE-474095AE0645}.exe	{05645A0A-EF93-4264-B3ED-7F24A04CCBCF}.exe
PID 2520 wrote to memory of 2400	2520	{A7F8C9AB-2505-4fc3-B3BE-474095AE0645}.exe	{05645A0A-EF93-4264-B3ED-7F24A04CCBCF}.exe
PID 2520 wrote to memory of 2400	2520	{A7F8C9AB-2505-4fc3-B3BE-474095AE0645}.exe	{05645A0A-EF93-4264-B3ED-7F24A04CCBCF}.exe
PID 2520 wrote to memory of 2600	2520	{A7F8C9AB-2505-4fc3-B3BE-474095AE0645}.exe	cmd.exe
PID 2520 wrote to memory of 2600	2520	{A7F8C9AB-2505-4fc3-B3BE-474095AE0645}.exe	cmd.exe
PID 2520 wrote to memory of 2600	2520	{A7F8C9AB-2505-4fc3-B3BE-474095AE0645}.exe	cmd.exe
PID 2520 wrote to memory of 2600	2520	{A7F8C9AB-2505-4fc3-B3BE-474095AE0645}.exe	cmd.exe
PID 2400 wrote to memory of 1280	2400	{05645A0A-EF93-4264-B3ED-7F24A04CCBCF}.exe	{400FED36-47D4-426b-8F8D-F8A1AFA6C9AD}.exe
PID 2400 wrote to memory of 1280	2400	{05645A0A-EF93-4264-B3ED-7F24A04CCBCF}.exe	{400FED36-47D4-426b-8F8D-F8A1AFA6C9AD}.exe
PID 2400 wrote to memory of 1280	2400	{05645A0A-EF93-4264-B3ED-7F24A04CCBCF}.exe	{400FED36-47D4-426b-8F8D-F8A1AFA6C9AD}.exe
PID 2400 wrote to memory of 1280	2400	{05645A0A-EF93-4264-B3ED-7F24A04CCBCF}.exe	{400FED36-47D4-426b-8F8D-F8A1AFA6C9AD}.exe
PID 2400 wrote to memory of 568	2400	{05645A0A-EF93-4264-B3ED-7F24A04CCBCF}.exe	cmd.exe
PID 2400 wrote to memory of 568	2400	{05645A0A-EF93-4264-B3ED-7F24A04CCBCF}.exe	cmd.exe
PID 2400 wrote to memory of 568	2400	{05645A0A-EF93-4264-B3ED-7F24A04CCBCF}.exe	cmd.exe
PID 2400 wrote to memory of 568	2400	{05645A0A-EF93-4264-B3ED-7F24A04CCBCF}.exe	cmd.exe
PID 1280 wrote to memory of 752	1280	{400FED36-47D4-426b-8F8D-F8A1AFA6C9AD}.exe	{C2D0E007-F555-4bcd-9EAC-AEE2FCED7889}.exe
PID 1280 wrote to memory of 752	1280	{400FED36-47D4-426b-8F8D-F8A1AFA6C9AD}.exe	{C2D0E007-F555-4bcd-9EAC-AEE2FCED7889}.exe
PID 1280 wrote to memory of 752	1280	{400FED36-47D4-426b-8F8D-F8A1AFA6C9AD}.exe	{C2D0E007-F555-4bcd-9EAC-AEE2FCED7889}.exe
PID 1280 wrote to memory of 752	1280	{400FED36-47D4-426b-8F8D-F8A1AFA6C9AD}.exe	{C2D0E007-F555-4bcd-9EAC-AEE2FCED7889}.exe
PID 1280 wrote to memory of 1776	1280	{400FED36-47D4-426b-8F8D-F8A1AFA6C9AD}.exe	cmd.exe
PID 1280 wrote to memory of 1776	1280	{400FED36-47D4-426b-8F8D-F8A1AFA6C9AD}.exe	cmd.exe
PID 1280 wrote to memory of 1776	1280	{400FED36-47D4-426b-8F8D-F8A1AFA6C9AD}.exe	cmd.exe
PID 1280 wrote to memory of 1776	1280	{400FED36-47D4-426b-8F8D-F8A1AFA6C9AD}.exe	cmd.exe
PID 752 wrote to memory of 948	752	{C2D0E007-F555-4bcd-9EAC-AEE2FCED7889}.exe	{D4BE8FCE-0752-4926-9B1D-9B9CC9C24529}.exe
PID 752 wrote to memory of 948	752	{C2D0E007-F555-4bcd-9EAC-AEE2FCED7889}.exe	{D4BE8FCE-0752-4926-9B1D-9B9CC9C24529}.exe
PID 752 wrote to memory of 948	752	{C2D0E007-F555-4bcd-9EAC-AEE2FCED7889}.exe	{D4BE8FCE-0752-4926-9B1D-9B9CC9C24529}.exe
PID 752 wrote to memory of 948	752	{C2D0E007-F555-4bcd-9EAC-AEE2FCED7889}.exe	{D4BE8FCE-0752-4926-9B1D-9B9CC9C24529}.exe
PID 752 wrote to memory of 1704	752	{C2D0E007-F555-4bcd-9EAC-AEE2FCED7889}.exe	cmd.exe
PID 752 wrote to memory of 1704	752	{C2D0E007-F555-4bcd-9EAC-AEE2FCED7889}.exe	cmd.exe
PID 752 wrote to memory of 1704	752	{C2D0E007-F555-4bcd-9EAC-AEE2FCED7889}.exe	cmd.exe
PID 752 wrote to memory of 1704	752	{C2D0E007-F555-4bcd-9EAC-AEE2FCED7889}.exe	cmd.exe
PID 948 wrote to memory of 1544	948	{D4BE8FCE-0752-4926-9B1D-9B9CC9C24529}.exe	{E6016B71-31FA-42a3-B717-E24D5FEF9FA4}.exe
PID 948 wrote to memory of 1544	948	{D4BE8FCE-0752-4926-9B1D-9B9CC9C24529}.exe	{E6016B71-31FA-42a3-B717-E24D5FEF9FA4}.exe
PID 948 wrote to memory of 1544	948	{D4BE8FCE-0752-4926-9B1D-9B9CC9C24529}.exe	{E6016B71-31FA-42a3-B717-E24D5FEF9FA4}.exe
PID 948 wrote to memory of 1544	948	{D4BE8FCE-0752-4926-9B1D-9B9CC9C24529}.exe	{E6016B71-31FA-42a3-B717-E24D5FEF9FA4}.exe
PID 948 wrote to memory of 1468	948	{D4BE8FCE-0752-4926-9B1D-9B9CC9C24529}.exe	cmd.exe
PID 948 wrote to memory of 1468	948	{D4BE8FCE-0752-4926-9B1D-9B9CC9C24529}.exe	cmd.exe
PID 948 wrote to memory of 1468	948	{D4BE8FCE-0752-4926-9B1D-9B9CC9C24529}.exe	cmd.exe
PID 948 wrote to memory of 1468	948	{D4BE8FCE-0752-4926-9B1D-9B9CC9C24529}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\59bcdd8a6068ec4adc979b30ea4649d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\59bcdd8a6068ec4adc979b30ea4649d0_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\{F190A454-B733-4080-A771-ABA7906FC956}.exe
C:\Windows\{F190A454-B733-4080-A771-ABA7906FC956}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2116

C:\Windows\{5826B995-2349-46a8-908E-A159A2266A46}.exe
C:\Windows\{5826B995-2349-46a8-908E-A159A2266A46}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484

C:\Windows\{A7F8C9AB-2505-4fc3-B3BE-474095AE0645}.exe
C:\Windows\{A7F8C9AB-2505-4fc3-B3BE-474095AE0645}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2520

C:\Windows\{05645A0A-EF93-4264-B3ED-7F24A04CCBCF}.exe
C:\Windows\{05645A0A-EF93-4264-B3ED-7F24A04CCBCF}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2400

C:\Windows\{400FED36-47D4-426b-8F8D-F8A1AFA6C9AD}.exe
C:\Windows\{400FED36-47D4-426b-8F8D-F8A1AFA6C9AD}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\{C2D0E007-F555-4bcd-9EAC-AEE2FCED7889}.exe
C:\Windows\{C2D0E007-F555-4bcd-9EAC-AEE2FCED7889}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\{D4BE8FCE-0752-4926-9B1D-9B9CC9C24529}.exe
C:\Windows\{D4BE8FCE-0752-4926-9B1D-9B9CC9C24529}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\{E6016B71-31FA-42a3-B717-E24D5FEF9FA4}.exe
C:\Windows\{E6016B71-31FA-42a3-B717-E24D5FEF9FA4}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Windows\{9F6CF2F9-9653-4d01-92FD-F57A605BCF99}.exe
C:\Windows\{9F6CF2F9-9653-4d01-92FD-F57A605BCF99}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\Windows\{69F76FD7-711E-4a74-81C0-5E34ED6F5487}.exe
C:\Windows\{69F76FD7-711E-4a74-81C0-5E34ED6F5487}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\Windows\{5D7E3E83-C3C9-4519-B516-2779C544C72D}.exe
C:\Windows\{5D7E3E83-C3C9-4519-B516-2779C544C72D}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\{501E3C4D-8CB6-4b58-B1B0-9A39328F524A}.exe
C:\Windows\{501E3C4D-8CB6-4b58-B1B0-9A39328F524A}.exe
13⤵
- Executes dropped EXE
PID:1836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{5D7E3~1.EXE > nul
13⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{69F76~1.EXE > nul
12⤵
PID:1880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9F6CF~1.EXE > nul
11⤵
PID:2408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E6016~1.EXE > nul
10⤵
PID:2960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D4BE8~1.EXE > nul
9⤵
PID:1468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C2D0E~1.EXE > nul
8⤵
PID:1704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{400FE~1.EXE > nul
7⤵
PID:1776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{05645~1.EXE > nul
6⤵
PID:568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A7F8C~1.EXE > nul
5⤵
PID:2600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{5826B~1.EXE > nul
4⤵
PID:2344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F190A~1.EXE > nul
3⤵
PID:2556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\59BCDD~1.EXE > nul
2⤵
- Deletes itself
PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05645A0A-EF93-4264-B3ED-7F24A04CCBCF}.exe

Filesize
98KB

MD5
fab298d7adbb227e71196c5e1da7d897

SHA1
94da5bdd445ccf03d0fb5e8ce98ee930c08c6507

SHA256
dd6a6e5edf56731498765ed37991dc2cada780c7c651e835b99b502e4072fec0

SHA512
20b21e19b6c5029cba80209f3672d6d70d6dad1d52a10b0a7a96ca7073151d16edb27a9e7ee59293b6b271bc69c052bcc2ef23f6ab063ed195d86bac62d4f3cd

Download Submit
C:\Windows\{400FED36-47D4-426b-8F8D-F8A1AFA6C9AD}.exe

Filesize
98KB

MD5
2aa93874d29d3ce35b66ca82f7117520

SHA1
8e0f94b66c0e0b2fb8fc4c6faad0bd5f04dc5a36

SHA256
4c7e56bc2613dfdaa159e45a31107cd8515b10aad30f7cd23fae58d394f2fd72

SHA512
ee4e811db90974f4054672cf8468e428b9a74430f813fdfdce1380e3fb4a13b8a946630d5c3bc32f3c14bf73be158848e9e73f4e1249bc3c836ed046e26a8c3f

Download Submit
C:\Windows\{501E3C4D-8CB6-4b58-B1B0-9A39328F524A}.exe

Filesize
98KB

MD5
3eb5e7afebb17acf1cd8d19beb58ab19

SHA1
33408beeaab892f4ee7cb69f08e266d555a71acb

SHA256
29486bddd100df7ee243cf43b4a4627ba05b23412b211d4848f5193c3ffbcac0

SHA512
a5a98769fe382fa30739f0a3b8068c25abb07c6ceff563fdc6c1c8335d0a2e739f56355accc24642533c31afc11c1bad7e5fec0a5a06a02e0c75aa66e700e9d3

Download Submit
C:\Windows\{5826B995-2349-46a8-908E-A159A2266A46}.exe

Filesize
98KB

MD5
5545157ce1446c5aaee447d56831da5e

SHA1
6c70af179e01ce8423b40e28dfb158a85139c332

SHA256
801fdbf8ef0d4958219bc1e720f3ddd78985967d11fb3b2fc434ca1a42776eb4

SHA512
4508d94eeb45a57c7e2ec3714e563d648c78ff9b6fb2ce11349f3194c7066f3f6875045257c018d1c41583a0e68fd54caaac831ca1ce673105415210365a9919

Download Submit
C:\Windows\{5D7E3E83-C3C9-4519-B516-2779C544C72D}.exe

Filesize
98KB

MD5
e103f508d0d9ee6ee02d17e1921da0d1

SHA1
ef4d70a78885131c6c3a16d1dc8fda86102f944d

SHA256
bf71a574497fe5d986dbf687063b998e924491295091c63cbe474bc04e036a91

SHA512
fb46aacdc9a2428a251051c6c69a48ea77f235c682de3a4867bfee1a6b8b41e7832a34899c8f242442ef1facd4ca7c09ba4aed11f87b433758cb67a560f19b70

Download Submit
C:\Windows\{69F76FD7-711E-4a74-81C0-5E34ED6F5487}.exe

Filesize
98KB

MD5
5db827af6b27ff385d0a74f880baae74

SHA1
22bc8b354fa82d798b0b52777003aa831defe355

SHA256
573c4cb0859fefd8a404262268b563d5820eca5f88876601a138a8e10107e655

SHA512
fd25a6ba39a1bdb8ff7018b451669686f2b634a0679f9f0b4d0afd20c69b93c87952719af08051616aedb4f0a8d5df2e8ba80805bc39c0cacff91ccd1c83f3db

Download Submit
C:\Windows\{9F6CF2F9-9653-4d01-92FD-F57A605BCF99}.exe

Filesize
98KB

MD5
751a0e83899411ea44226f835d961653

SHA1
3932c413a01d715435bdd2fa600ea5d14a8bc273

SHA256
874d7b4e358a3b5cd5ab7ee24d99b9724e5296275fcf1b410874cb6c57c36738

SHA512
1aa59f89d229a416936e21d3a46094af4442b224fb86612c12dd212ddb631b3e75091ffd6b4c311c1fb961cc72c4c6fa0573f7b4cbb39e49f2e2df2bbe6607fb

Download Submit
C:\Windows\{A7F8C9AB-2505-4fc3-B3BE-474095AE0645}.exe

Filesize
98KB

MD5
d3fbab479422b77c6d3c87126d4667f6

SHA1
d42893ec2f909ca49679910263154a5ad618331b

SHA256
f0dd5c90bb3e162d2272f13eb1e338a392a66235d7aed316275638f735be7c09

SHA512
4be8bbf0241c36c87684650ae415e631aecff742ebaa642795129821412f0bee095a700498b74a73d4e52224d08bac5f27338ae188ebb71a2ddbdbbdcc81d0ae

Download Submit
C:\Windows\{C2D0E007-F555-4bcd-9EAC-AEE2FCED7889}.exe

Filesize
98KB

MD5
c356ca363f21dec9031bbfa600e61136

SHA1
e786a132a5320b266f533bacff68fd850b9225a0

SHA256
ac777e57b29f92051c59281d7b9f933ae2264eea5fe60ce9bc1feb06a1e3db0e

SHA512
a6724cc4ac6f30edc03dbc546c3316bb58ec480238ecabce19613f1930545c42af52d00928b59d73b073b2ee0e4fc75e5b452edf6dd321c463416ca9f37841bf

Download Submit
C:\Windows\{D4BE8FCE-0752-4926-9B1D-9B9CC9C24529}.exe

Filesize
98KB

MD5
f520ef7b664e255da6a6209374f73cdd

SHA1
06be3daa4c1cec8cf0ebff43cfffb0a905eee2f9

SHA256
a1b57c63c85d273f8d982b11b8e4a3668deaed5fffe47f57c492249b6cb65093

SHA512
f467417edb5daa29df54c61301115dbe10773b7a4dbbf6180e6d71c96c92ead0a8e7cbf657a1389c4f7496534a3ca60ef06f488f7794f12eb980554c18713f3e

Download Submit
C:\Windows\{E6016B71-31FA-42a3-B717-E24D5FEF9FA4}.exe

Filesize
98KB

MD5
43bce32b96b7bb0ec795309fde32a1a4

SHA1
85f6ff5d6fc520be4fd88d3ff732e35ea881da62

SHA256
f9c4eb1bd9d532349baef270bcb35e8e83cfeec55bc07d53e7613fbb62d7b090

SHA512
67c482fc4be9d6f9d832a4046125083a4af3d91d4f972442437263ac0dc707b463e6676bd8e269149af7442f0af9b3a2f646b1150eabc0173b7233e48c844fe4

Download Submit
C:\Windows\{F190A454-B733-4080-A771-ABA7906FC956}.exe

Filesize
98KB

MD5
b5ead97a1d9e70ae193eeb16b81a0e8b

SHA1
e820207352abf8c5895dcc5a1731efdfee768cc4

SHA256
a0df75b20d7d4f6cd6155570f7c8dfd4a9ef7b863771ddc8b29a7e8bf1d55865

SHA512
450c3b6a3b14a3be230292c9804d46893d5d1771655412c4c9fdf44a6def515d34b5e1b038a82e213233d6800d7df66800047a5ddb4f22e9556b243069acbf82

Download Submit
memory/752-64-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/948-73-0x0000000000370000-0x0000000000381000-memory.dmp

Filesize
68KB

Download
memory/948-65-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/948-72-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1280-55-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1280-51-0x0000000000310000-0x0000000000321000-memory.dmp

Filesize
68KB

Download
memory/1544-75-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1544-82-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1736-8-0x00000000005D0000-0x00000000005E1000-memory.dmp

Filesize
68KB

Download
memory/1736-3-0x00000000005D0000-0x00000000005E1000-memory.dmp

Filesize
68KB

Download
memory/1736-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1736-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1988-113-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1988-108-0x0000000000250000-0x0000000000261000-memory.dmp

Filesize
68KB

Download
memory/2116-13-0x0000000000300000-0x0000000000311000-memory.dmp

Filesize
68KB

Download
memory/2116-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2400-37-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2400-47-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2400-42-0x0000000000370000-0x0000000000381000-memory.dmp

Filesize
68KB

Download
memory/2484-29-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2484-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2484-22-0x0000000000260000-0x0000000000271000-memory.dmp

Filesize
68KB

Download
memory/2520-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2520-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2648-94-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2648-98-0x0000000000390000-0x00000000003A1000-memory.dmp

Filesize
68KB

Download
memory/2648-102-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2652-88-0x0000000000280000-0x0000000000291000-memory.dmp

Filesize
68KB

Download
memory/2652-84-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2652-92-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download