Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
22-05-2024 23:39
General
-
Target
59bcdd8a6068ec4adc979b30ea4649d0_NeikiAnalytics.exe
-
Size
98KB
-
MD5
59bcdd8a6068ec4adc979b30ea4649d0
-
SHA1
510a290178e842e374b6f083b1995a3dd5be2bf2
-
SHA256
723b0e45525faab017480a266214a59f23b212b810333432c95866a546014359
-
SHA512
07a26e6c6bcc79338169733c0bc2aec5e8b97d08576d02ced76582bc22f779d82894008d5c8819002462b714f6c5af7e7a4b60e2322705ac8510599ae5f072a3
-
SSDEEP
768:5vw981UMhKQLrog4/wQ4pNrfrunMxVFA3b7glw6:lEG00ogl3zunMxVS3Hgl
Malware Config
Signatures
-
Modifies Installed Components in the registry 2 TTPs 24 IoCs
-
Executes dropped EXE 12 IoCs
-
Drops file in Windows directory 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\59bcdd8a6068ec4adc979b30ea4649d0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\59bcdd8a6068ec4adc979b30ea4649d0_NeikiAnalytics.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{351F4FBE-C985-40da-9AA5-C0CBA817BBD8}.exeC:\Windows\{351F4FBE-C985-40da-9AA5-C0CBA817BBD8}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{127B1B8F-4F05-4d77-88CE-BFE2CCEBAB87}.exeC:\Windows\{127B1B8F-4F05-4d77-88CE-BFE2CCEBAB87}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{E70BBC8E-EA2B-434f-8F3D-FF441152C78D}.exeC:\Windows\{E70BBC8E-EA2B-434f-8F3D-FF441152C78D}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{7D54C4CC-C9B7-4cee-9BF7-13F2FD372CC4}.exeC:\Windows\{7D54C4CC-C9B7-4cee-9BF7-13F2FD372CC4}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{E68EB781-2D13-4e7f-BD18-97264F131D7F}.exeC:\Windows\{E68EB781-2D13-4e7f-BD18-97264F131D7F}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{7E78F4B5-13CA-4783-9F06-245F13629513}.exeC:\Windows\{7E78F4B5-13CA-4783-9F06-245F13629513}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{C93A9B68-FB66-4572-A10F-4F501C01DBF7}.exeC:\Windows\{C93A9B68-FB66-4572-A10F-4F501C01DBF7}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{F753F595-8CE1-4b52-A2DA-882C64A75446}.exeC:\Windows\{F753F595-8CE1-4b52-A2DA-882C64A75446}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{03BBB474-E5DB-4ab3-829D-4F72FA6BEB66}.exeC:\Windows\{03BBB474-E5DB-4ab3-829D-4F72FA6BEB66}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{707C7620-C2E5-47bb-BC56-7D097E56CB85}.exeC:\Windows\{707C7620-C2E5-47bb-BC56-7D097E56CB85}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{65E56898-E927-4d3c-B12E-59A7B80AB20A}.exeC:\Windows\{65E56898-E927-4d3c-B12E-59A7B80AB20A}.exe12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{35DB1777-AF1E-4a72-8DE4-567159503262}.exeC:\Windows\{35DB1777-AF1E-4a72-8DE4-567159503262}.exe13⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{65E56~1.EXE > nul13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{707C7~1.EXE > nul12⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{03BBB~1.EXE > nul11⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{F753F~1.EXE > nul10⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{C93A9~1.EXE > nul9⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{7E78F~1.EXE > nul8⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{E68EB~1.EXE > nul7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{7D54C~1.EXE > nul6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{E70BB~1.EXE > nul5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{127B1~1.EXE > nul4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{351F4~1.EXE > nul3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\59BCDD~1.EXE > nul2⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\{03BBB474-E5DB-4ab3-829D-4F72FA6BEB66}.exeFilesize
98KB
MD57522a84c7afc14e019836a51a80f6821
SHA14b12bf03bfb3761c8501930b37389495cff335ab
SHA2561e09ee8e77a68731bacfb4cf533692c516062a69993d253f6bd202a9ad8eab35
SHA5126f129652c8ab1e3a74e0db3385133a8c50250d09c472014dbe9d793baa777eb468db27b8ce525c4845abd121b5bbc1823d7408c28da786a465f54ba81ca0f74b
-
C:\Windows\{127B1B8F-4F05-4d77-88CE-BFE2CCEBAB87}.exeFilesize
98KB
MD5c9ccdcae8abbcc1404a2a376c9f64ad5
SHA1586651e13aae726c4d00b1d2553531cc2d69d1b7
SHA2565634872b741a9d5b5e8bd35a37503f1eb71dd9712e9c353697a9c7c232ac55b4
SHA5121a7f4665b4bfecefdfb561fd68687ffbadcc6e4577020e97d4f1e9e19e4dcecfd90eeedd14dfd72af090ac6266db21a368cca3d009c5714a0b8eafa50efc1f40
-
C:\Windows\{351F4FBE-C985-40da-9AA5-C0CBA817BBD8}.exeFilesize
98KB
MD5d143a452d49c53cc6c621573e695417d
SHA137a9beba038673ff1fd7d97aef794b057eb7f988
SHA25627abf1838f23f9b57a34fe6506087747b0f6856398a4d43acfdb1669bd9ba0a3
SHA51283e86c4be364add6acd923891583af9d361ccd6ea98e05ab1b9978c7bb2ae97d20fa9a74fdcacff865f7ecb52903e5a7848b0aff06621d8914c44717c278820a
-
C:\Windows\{35DB1777-AF1E-4a72-8DE4-567159503262}.exeFilesize
98KB
MD508412c75176ae0aa7456896c38f00e83
SHA14691b714b887a4434da8865e3ce837574d75aab0
SHA256a85850e7924c942018f8ca7f3f2aa522aa2efc815fe0c3ad372d54e10315aff0
SHA5121a81f30fe38d38f47b98b5790598ce953363c68c8e9caa0b2b36f70d38cc0d0f271bfaffc2f63ae416352da82ab0ae54f2fee38e41f3e173210373f492df77e2
-
C:\Windows\{65E56898-E927-4d3c-B12E-59A7B80AB20A}.exeFilesize
98KB
MD59bc5f2b93ea5f07a099b8ae1dbf7ca3e
SHA1eefe30fc14b10b968b31b781ca2aa10a5c34fc6e
SHA25617cbdcea3a042a9cab6ef51c43acaa8d13ba8a9ef42d30d2fda8fea222204ba1
SHA51222ffdf128915e029b3fdd2d5b50df593a808b7590cd3f88543fd1130e4c8e364e9c1fbd2e10d9dea6838edff2df5c274a9ac19b8cf6cc6e027d9bfcfb4d385a1
-
C:\Windows\{707C7620-C2E5-47bb-BC56-7D097E56CB85}.exeFilesize
98KB
MD542a88c181e1c2a6a1e4399ee6ea9f816
SHA1ec70992a19c90247668177e450cb0516e45d60eb
SHA256d2b1fc3eee76c61eb08dccc41dd3917ebad89339d7b394e56d648b3acb35c889
SHA5123ca8b410886b3c2963b0ef43b010e07c086d1ae95489c73ffc9c06f03fb7e179b8e61b6045f86476facd81aad0bd8cc400a2b85fe89125a45a753182e52f6269
-
C:\Windows\{7D54C4CC-C9B7-4cee-9BF7-13F2FD372CC4}.exeFilesize
98KB
MD5ce55d25d88c352fe7a268942837af274
SHA1461f95ba573263340ee90d6e4eab16a8b86dc815
SHA256956b066a27a9db61dec4a3b6e08cb54ea64fe2c8e23979887f3fcf6b7b3cbdbc
SHA512d2724b803ab10c53025017b3b75c291caded635d3dd4e8d4b5d31872416832787798041dcf7647705da6cd2e59edf438c8018720f3cd20870fac13974dd514f2
-
C:\Windows\{7E78F4B5-13CA-4783-9F06-245F13629513}.exeFilesize
98KB
MD5e6958d238d30097505ec6dff3e481131
SHA176c3ce962cbf29064f6f67fadc82f49e037c6785
SHA256be8dd34d1f67b630f4edcd48924230c2a4db9fabcdc7d8ce3458ca2d7c928e9c
SHA512b0fdd7941d3a7122e3bea1d58cae9624325b7d21fe8a1b9ccd919ef9f3edf008935e097f1a12174f88267423bee07ce38171ef8e30035d78839ae68b05527ac1
-
C:\Windows\{C93A9B68-FB66-4572-A10F-4F501C01DBF7}.exeFilesize
98KB
MD5c825bc334ab0f69a51c00cfe4d91ef2e
SHA10fcea576089f4d222547dde04eece654b2909c40
SHA256ab0be601afededbfb28cc1cd978ebc4caad9642193aee0722fa52dab66b5ae05
SHA512237d84a07b02293631e9b2d7f2d939a5045cf45fd78c3931cdf4a92c63a54252351bb4a348afd62a4b0e961437cbe2428ea8849c0a26e7af90373f86e090afe5
-
C:\Windows\{E68EB781-2D13-4e7f-BD18-97264F131D7F}.exeFilesize
98KB
MD5449d196a6b7c1f2979c2d1ede4f7db87
SHA19760523e0aa3b0e7a4dc1644d1a996959b9433eb
SHA256389d81646088a525d133690fbf56dfef394230e01094c1ec3379827a5395257e
SHA51222e451db554f4d2cd5297b866d7d400c2879ca479c1a9c4fa9cba293eb70330c6ebf8046d5edd9a39c1d158bc7126af31aba7633783240bb4d5037fda01d39b3
-
C:\Windows\{E70BBC8E-EA2B-434f-8F3D-FF441152C78D}.exeFilesize
98KB
MD5ee6032097e12f705f148ed1d08c759a7
SHA1dedafabe4c56ad99eb0106134c7c2bbf964360a1
SHA2568bb4d1ea7ae10441cd98681496e726e0c1ca8ac60f9c0e882551bd8d507abc27
SHA512e2044d7de83bba53302753b0bc8ad0dc9d21edb6627ca20f376568db7f081b9de42ef420904964793afcd1225b4a6f0aedb44f8af5d41c7b9775e24e3aeb6120
-
C:\Windows\{F753F595-8CE1-4b52-A2DA-882C64A75446}.exeFilesize
98KB
MD54ccdb6ad9216ccafb08a9ead592ed29c
SHA15b66b7d6ac9f6b8a88e08a851c5658079bcf5d05
SHA25688c45d979bf882a12912012efd92d578f0482da2ae65196d7c111974edef8295
SHA512ac6993b67fba8a402b7c4fe9c1446dabb9b3f3b4832686ddf2150806f5ded5fa7c29eea3e234f561c1ea411a035faaac832039a5138d2eea4ac58bf1338b8427
-
memory/1652-17-0x0000000000400000-0x0000000000411000-memory.dmpFilesize
68KB
-
memory/1652-23-0x0000000000400000-0x0000000000411000-memory.dmpFilesize
68KB
-
memory/1704-36-0x0000000000400000-0x0000000000411000-memory.dmpFilesize
68KB
-
memory/1704-40-0x0000000000400000-0x0000000000411000-memory.dmpFilesize
68KB
-
memory/1768-34-0x0000000000400000-0x0000000000411000-memory.dmpFilesize
68KB
-
memory/1768-30-0x0000000000400000-0x0000000000411000-memory.dmpFilesize
68KB
-
memory/2596-0-0x0000000000400000-0x0000000000411000-memory.dmpFilesize
68KB
-
memory/2596-5-0x0000000000400000-0x0000000000411000-memory.dmpFilesize
68KB
-
memory/2700-64-0x0000000000400000-0x0000000000411000-memory.dmpFilesize
68KB
-
memory/2700-69-0x0000000000400000-0x0000000000411000-memory.dmpFilesize
68KB
-
memory/3108-58-0x0000000000400000-0x0000000000411000-memory.dmpFilesize
68KB
-
memory/3108-62-0x0000000000400000-0x0000000000411000-memory.dmpFilesize
68KB
-
memory/3740-41-0x0000000000400000-0x0000000000411000-memory.dmpFilesize
68KB
-
memory/3740-45-0x0000000000400000-0x0000000000411000-memory.dmpFilesize
68KB
-
memory/3972-10-0x0000000000400000-0x0000000000411000-memory.dmpFilesize
68KB
-
memory/3972-4-0x0000000000400000-0x0000000000411000-memory.dmpFilesize
68KB
-
memory/4612-51-0x0000000000400000-0x0000000000411000-memory.dmpFilesize
68KB
-
memory/4984-56-0x0000000000400000-0x0000000000411000-memory.dmpFilesize
68KB
-
memory/5012-15-0x0000000000400000-0x0000000000411000-memory.dmpFilesize
68KB
-
memory/5012-12-0x0000000000400000-0x0000000000411000-memory.dmpFilesize
68KB
-
memory/5040-24-0x0000000000400000-0x0000000000411000-memory.dmpFilesize
68KB
-
memory/5040-29-0x0000000000400000-0x0000000000411000-memory.dmpFilesize
68KB