8b75a581b815769866431bb152d11796aa8ba6d8dc22a50ab37c1cd7434c4e2f

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 00:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66ad3cf29b5044dc6ac5f5475feb20f0_NeikiAnalytics.exe
Size

90KB
MD5

66ad3cf29b5044dc6ac5f5475feb20f0
SHA1

a4e81dc5f7bc462e65bd76e5b1543f3f6aad621e
SHA256

8b75a581b815769866431bb152d11796aa8ba6d8dc22a50ab37c1cd7434c4e2f
SHA512

f1976026d5bd20b16a0bd04c40a3abb5bb60de266d4db35247c1cd5ae7d0acd0848a86eeb3df4348ed86a9e4baf3e31869344f60c3dbf31507f98993d11d80ed
SSDEEP

768:5vw981UMhKQLrop4/wQ4pNrfrunMxVFA3bA:lEG00opl3zunMxVS3c

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{0767AA14-678A-4c62-87A8-F967C30E43EE}.exe{D6D2AAC8-27DA-4415-8617-B9DA4A4F1509}.exe{91014EC4-7820-471d-AC29-965BDD24B7F9}.exe{1230DBB6-CAEC-4c55-97F7-12FA2415057E}.exe{25F81C27-6CBB-4cdf-A4D3-23C8E6376A59}.exe{A9EBDD5A-389F-4ce0-83D9-8E9E47D3786E}.exe66ad3cf29b5044dc6ac5f5475feb20f0_NeikiAnalytics.exe{BF3BDA43-E9B4-474a-A404-5FC1FE4923B2}.exe{EC1965E6-27D5-4a80-9B8C-68346062769F}.exe{71504ED1-98B3-41dc-9756-9D1EDD45D354}.exe{8A317FA9-71F6-4fd5-8C47-470FA037D3F1}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6D2AAC8-27DA-4415-8617-B9DA4A4F1509}\stubpath = "C:\\Windows\\{D6D2AAC8-27DA-4415-8617-B9DA4A4F1509}.exe"	{0767AA14-678A-4c62-87A8-F967C30E43EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91014EC4-7820-471d-AC29-965BDD24B7F9}\stubpath = "C:\\Windows\\{91014EC4-7820-471d-AC29-965BDD24B7F9}.exe"	{D6D2AAC8-27DA-4415-8617-B9DA4A4F1509}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC1965E6-27D5-4a80-9B8C-68346062769F}	{91014EC4-7820-471d-AC29-965BDD24B7F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC1965E6-27D5-4a80-9B8C-68346062769F}\stubpath = "C:\\Windows\\{EC1965E6-27D5-4a80-9B8C-68346062769F}.exe"	{91014EC4-7820-471d-AC29-965BDD24B7F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25F81C27-6CBB-4cdf-A4D3-23C8E6376A59}\stubpath = "C:\\Windows\\{25F81C27-6CBB-4cdf-A4D3-23C8E6376A59}.exe"	{1230DBB6-CAEC-4c55-97F7-12FA2415057E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9EBDD5A-389F-4ce0-83D9-8E9E47D3786E}	{25F81C27-6CBB-4cdf-A4D3-23C8E6376A59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A317FA9-71F6-4fd5-8C47-470FA037D3F1}\stubpath = "C:\\Windows\\{8A317FA9-71F6-4fd5-8C47-470FA037D3F1}.exe"	{A9EBDD5A-389F-4ce0-83D9-8E9E47D3786E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF3BDA43-E9B4-474a-A404-5FC1FE4923B2}\stubpath = "C:\\Windows\\{BF3BDA43-E9B4-474a-A404-5FC1FE4923B2}.exe"	66ad3cf29b5044dc6ac5f5475feb20f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0767AA14-678A-4c62-87A8-F967C30E43EE}\stubpath = "C:\\Windows\\{0767AA14-678A-4c62-87A8-F967C30E43EE}.exe"	{BF3BDA43-E9B4-474a-A404-5FC1FE4923B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71504ED1-98B3-41dc-9756-9D1EDD45D354}	{EC1965E6-27D5-4a80-9B8C-68346062769F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1230DBB6-CAEC-4c55-97F7-12FA2415057E}	{71504ED1-98B3-41dc-9756-9D1EDD45D354}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1230DBB6-CAEC-4c55-97F7-12FA2415057E}\stubpath = "C:\\Windows\\{1230DBB6-CAEC-4c55-97F7-12FA2415057E}.exe"	{71504ED1-98B3-41dc-9756-9D1EDD45D354}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9EBDD5A-389F-4ce0-83D9-8E9E47D3786E}\stubpath = "C:\\Windows\\{A9EBDD5A-389F-4ce0-83D9-8E9E47D3786E}.exe"	{25F81C27-6CBB-4cdf-A4D3-23C8E6376A59}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF3BDA43-E9B4-474a-A404-5FC1FE4923B2}	66ad3cf29b5044dc6ac5f5475feb20f0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D511BDA-3411-4379-BBAE-DCA074A30CE4}	{8A317FA9-71F6-4fd5-8C47-470FA037D3F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71504ED1-98B3-41dc-9756-9D1EDD45D354}\stubpath = "C:\\Windows\\{71504ED1-98B3-41dc-9756-9D1EDD45D354}.exe"	{EC1965E6-27D5-4a80-9B8C-68346062769F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6D2AAC8-27DA-4415-8617-B9DA4A4F1509}	{0767AA14-678A-4c62-87A8-F967C30E43EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91014EC4-7820-471d-AC29-965BDD24B7F9}	{D6D2AAC8-27DA-4415-8617-B9DA4A4F1509}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25F81C27-6CBB-4cdf-A4D3-23C8E6376A59}	{1230DBB6-CAEC-4c55-97F7-12FA2415057E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A317FA9-71F6-4fd5-8C47-470FA037D3F1}	{A9EBDD5A-389F-4ce0-83D9-8E9E47D3786E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D511BDA-3411-4379-BBAE-DCA074A30CE4}\stubpath = "C:\\Windows\\{1D511BDA-3411-4379-BBAE-DCA074A30CE4}.exe"	{8A317FA9-71F6-4fd5-8C47-470FA037D3F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0767AA14-678A-4c62-87A8-F967C30E43EE}	{BF3BDA43-E9B4-474a-A404-5FC1FE4923B2}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2924 cmd.exe

pid	process
2924	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{BF3BDA43-E9B4-474a-A404-5FC1FE4923B2}.exe{0767AA14-678A-4c62-87A8-F967C30E43EE}.exe{D6D2AAC8-27DA-4415-8617-B9DA4A4F1509}.exe{91014EC4-7820-471d-AC29-965BDD24B7F9}.exe{EC1965E6-27D5-4a80-9B8C-68346062769F}.exe{71504ED1-98B3-41dc-9756-9D1EDD45D354}.exe{1230DBB6-CAEC-4c55-97F7-12FA2415057E}.exe{25F81C27-6CBB-4cdf-A4D3-23C8E6376A59}.exe{A9EBDD5A-389F-4ce0-83D9-8E9E47D3786E}.exe{8A317FA9-71F6-4fd5-8C47-470FA037D3F1}.exe{1D511BDA-3411-4379-BBAE-DCA074A30CE4}.exe

pid	process
1636	{BF3BDA43-E9B4-474a-A404-5FC1FE4923B2}.exe
2712	{0767AA14-678A-4c62-87A8-F967C30E43EE}.exe
2592	{D6D2AAC8-27DA-4415-8617-B9DA4A4F1509}.exe
2180	{91014EC4-7820-471d-AC29-965BDD24B7F9}.exe
1760	{EC1965E6-27D5-4a80-9B8C-68346062769F}.exe
1584	{71504ED1-98B3-41dc-9756-9D1EDD45D354}.exe
2464	{1230DBB6-CAEC-4c55-97F7-12FA2415057E}.exe
2432	{25F81C27-6CBB-4cdf-A4D3-23C8E6376A59}.exe
320	{A9EBDD5A-389F-4ce0-83D9-8E9E47D3786E}.exe
1420	{8A317FA9-71F6-4fd5-8C47-470FA037D3F1}.exe
696	{1D511BDA-3411-4379-BBAE-DCA074A30CE4}.exe

Drops file in Windows directory 11 IoCs

Processes:

{D6D2AAC8-27DA-4415-8617-B9DA4A4F1509}.exe{EC1965E6-27D5-4a80-9B8C-68346062769F}.exe{1230DBB6-CAEC-4c55-97F7-12FA2415057E}.exe{8A317FA9-71F6-4fd5-8C47-470FA037D3F1}.exe66ad3cf29b5044dc6ac5f5475feb20f0_NeikiAnalytics.exe{0767AA14-678A-4c62-87A8-F967C30E43EE}.exe{91014EC4-7820-471d-AC29-965BDD24B7F9}.exe{71504ED1-98B3-41dc-9756-9D1EDD45D354}.exe{25F81C27-6CBB-4cdf-A4D3-23C8E6376A59}.exe{A9EBDD5A-389F-4ce0-83D9-8E9E47D3786E}.exe{BF3BDA43-E9B4-474a-A404-5FC1FE4923B2}.exe

description	ioc	process
File created	C:\Windows\{91014EC4-7820-471d-AC29-965BDD24B7F9}.exe	{D6D2AAC8-27DA-4415-8617-B9DA4A4F1509}.exe
File created	C:\Windows\{71504ED1-98B3-41dc-9756-9D1EDD45D354}.exe	{EC1965E6-27D5-4a80-9B8C-68346062769F}.exe
File created	C:\Windows\{25F81C27-6CBB-4cdf-A4D3-23C8E6376A59}.exe	{1230DBB6-CAEC-4c55-97F7-12FA2415057E}.exe
File created	C:\Windows\{1D511BDA-3411-4379-BBAE-DCA074A30CE4}.exe	{8A317FA9-71F6-4fd5-8C47-470FA037D3F1}.exe
File created	C:\Windows\{BF3BDA43-E9B4-474a-A404-5FC1FE4923B2}.exe	66ad3cf29b5044dc6ac5f5475feb20f0_NeikiAnalytics.exe
File created	C:\Windows\{D6D2AAC8-27DA-4415-8617-B9DA4A4F1509}.exe	{0767AA14-678A-4c62-87A8-F967C30E43EE}.exe
File created	C:\Windows\{EC1965E6-27D5-4a80-9B8C-68346062769F}.exe	{91014EC4-7820-471d-AC29-965BDD24B7F9}.exe
File created	C:\Windows\{1230DBB6-CAEC-4c55-97F7-12FA2415057E}.exe	{71504ED1-98B3-41dc-9756-9D1EDD45D354}.exe
File created	C:\Windows\{A9EBDD5A-389F-4ce0-83D9-8E9E47D3786E}.exe	{25F81C27-6CBB-4cdf-A4D3-23C8E6376A59}.exe
File created	C:\Windows\{8A317FA9-71F6-4fd5-8C47-470FA037D3F1}.exe	{A9EBDD5A-389F-4ce0-83D9-8E9E47D3786E}.exe
File created	C:\Windows\{0767AA14-678A-4c62-87A8-F967C30E43EE}.exe	{BF3BDA43-E9B4-474a-A404-5FC1FE4923B2}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

66ad3cf29b5044dc6ac5f5475feb20f0_NeikiAnalytics.exe{BF3BDA43-E9B4-474a-A404-5FC1FE4923B2}.exe{0767AA14-678A-4c62-87A8-F967C30E43EE}.exe{D6D2AAC8-27DA-4415-8617-B9DA4A4F1509}.exe{91014EC4-7820-471d-AC29-965BDD24B7F9}.exe{EC1965E6-27D5-4a80-9B8C-68346062769F}.exe{71504ED1-98B3-41dc-9756-9D1EDD45D354}.exe{1230DBB6-CAEC-4c55-97F7-12FA2415057E}.exe{25F81C27-6CBB-4cdf-A4D3-23C8E6376A59}.exe{A9EBDD5A-389F-4ce0-83D9-8E9E47D3786E}.exe{8A317FA9-71F6-4fd5-8C47-470FA037D3F1}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	352	66ad3cf29b5044dc6ac5f5475feb20f0_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	1636	{BF3BDA43-E9B4-474a-A404-5FC1FE4923B2}.exe
Token: SeIncBasePriorityPrivilege	2712	{0767AA14-678A-4c62-87A8-F967C30E43EE}.exe
Token: SeIncBasePriorityPrivilege	2592	{D6D2AAC8-27DA-4415-8617-B9DA4A4F1509}.exe
Token: SeIncBasePriorityPrivilege	2180	{91014EC4-7820-471d-AC29-965BDD24B7F9}.exe
Token: SeIncBasePriorityPrivilege	1760	{EC1965E6-27D5-4a80-9B8C-68346062769F}.exe
Token: SeIncBasePriorityPrivilege	1584	{71504ED1-98B3-41dc-9756-9D1EDD45D354}.exe
Token: SeIncBasePriorityPrivilege	2464	{1230DBB6-CAEC-4c55-97F7-12FA2415057E}.exe
Token: SeIncBasePriorityPrivilege	2432	{25F81C27-6CBB-4cdf-A4D3-23C8E6376A59}.exe
Token: SeIncBasePriorityPrivilege	320	{A9EBDD5A-389F-4ce0-83D9-8E9E47D3786E}.exe
Token: SeIncBasePriorityPrivilege	1420	{8A317FA9-71F6-4fd5-8C47-470FA037D3F1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 352 wrote to memory of 1636	352	66ad3cf29b5044dc6ac5f5475feb20f0_NeikiAnalytics.exe	{BF3BDA43-E9B4-474a-A404-5FC1FE4923B2}.exe
PID 352 wrote to memory of 1636	352	66ad3cf29b5044dc6ac5f5475feb20f0_NeikiAnalytics.exe	{BF3BDA43-E9B4-474a-A404-5FC1FE4923B2}.exe
PID 352 wrote to memory of 1636	352	66ad3cf29b5044dc6ac5f5475feb20f0_NeikiAnalytics.exe	{BF3BDA43-E9B4-474a-A404-5FC1FE4923B2}.exe
PID 352 wrote to memory of 1636	352	66ad3cf29b5044dc6ac5f5475feb20f0_NeikiAnalytics.exe	{BF3BDA43-E9B4-474a-A404-5FC1FE4923B2}.exe
PID 352 wrote to memory of 2924	352	66ad3cf29b5044dc6ac5f5475feb20f0_NeikiAnalytics.exe	cmd.exe
PID 352 wrote to memory of 2924	352	66ad3cf29b5044dc6ac5f5475feb20f0_NeikiAnalytics.exe	cmd.exe
PID 352 wrote to memory of 2924	352	66ad3cf29b5044dc6ac5f5475feb20f0_NeikiAnalytics.exe	cmd.exe
PID 352 wrote to memory of 2924	352	66ad3cf29b5044dc6ac5f5475feb20f0_NeikiAnalytics.exe	cmd.exe
PID 1636 wrote to memory of 2712	1636	{BF3BDA43-E9B4-474a-A404-5FC1FE4923B2}.exe	{0767AA14-678A-4c62-87A8-F967C30E43EE}.exe
PID 1636 wrote to memory of 2712	1636	{BF3BDA43-E9B4-474a-A404-5FC1FE4923B2}.exe	{0767AA14-678A-4c62-87A8-F967C30E43EE}.exe
PID 1636 wrote to memory of 2712	1636	{BF3BDA43-E9B4-474a-A404-5FC1FE4923B2}.exe	{0767AA14-678A-4c62-87A8-F967C30E43EE}.exe
PID 1636 wrote to memory of 2712	1636	{BF3BDA43-E9B4-474a-A404-5FC1FE4923B2}.exe	{0767AA14-678A-4c62-87A8-F967C30E43EE}.exe
PID 1636 wrote to memory of 2820	1636	{BF3BDA43-E9B4-474a-A404-5FC1FE4923B2}.exe	cmd.exe
PID 1636 wrote to memory of 2820	1636	{BF3BDA43-E9B4-474a-A404-5FC1FE4923B2}.exe	cmd.exe
PID 1636 wrote to memory of 2820	1636	{BF3BDA43-E9B4-474a-A404-5FC1FE4923B2}.exe	cmd.exe
PID 1636 wrote to memory of 2820	1636	{BF3BDA43-E9B4-474a-A404-5FC1FE4923B2}.exe	cmd.exe
PID 2712 wrote to memory of 2592	2712	{0767AA14-678A-4c62-87A8-F967C30E43EE}.exe	{D6D2AAC8-27DA-4415-8617-B9DA4A4F1509}.exe
PID 2712 wrote to memory of 2592	2712	{0767AA14-678A-4c62-87A8-F967C30E43EE}.exe	{D6D2AAC8-27DA-4415-8617-B9DA4A4F1509}.exe
PID 2712 wrote to memory of 2592	2712	{0767AA14-678A-4c62-87A8-F967C30E43EE}.exe	{D6D2AAC8-27DA-4415-8617-B9DA4A4F1509}.exe
PID 2712 wrote to memory of 2592	2712	{0767AA14-678A-4c62-87A8-F967C30E43EE}.exe	{D6D2AAC8-27DA-4415-8617-B9DA4A4F1509}.exe
PID 2712 wrote to memory of 1624	2712	{0767AA14-678A-4c62-87A8-F967C30E43EE}.exe	cmd.exe
PID 2712 wrote to memory of 1624	2712	{0767AA14-678A-4c62-87A8-F967C30E43EE}.exe	cmd.exe
PID 2712 wrote to memory of 1624	2712	{0767AA14-678A-4c62-87A8-F967C30E43EE}.exe	cmd.exe
PID 2712 wrote to memory of 1624	2712	{0767AA14-678A-4c62-87A8-F967C30E43EE}.exe	cmd.exe
PID 2592 wrote to memory of 2180	2592	{D6D2AAC8-27DA-4415-8617-B9DA4A4F1509}.exe	{91014EC4-7820-471d-AC29-965BDD24B7F9}.exe
PID 2592 wrote to memory of 2180	2592	{D6D2AAC8-27DA-4415-8617-B9DA4A4F1509}.exe	{91014EC4-7820-471d-AC29-965BDD24B7F9}.exe
PID 2592 wrote to memory of 2180	2592	{D6D2AAC8-27DA-4415-8617-B9DA4A4F1509}.exe	{91014EC4-7820-471d-AC29-965BDD24B7F9}.exe
PID 2592 wrote to memory of 2180	2592	{D6D2AAC8-27DA-4415-8617-B9DA4A4F1509}.exe	{91014EC4-7820-471d-AC29-965BDD24B7F9}.exe
PID 2592 wrote to memory of 1484	2592	{D6D2AAC8-27DA-4415-8617-B9DA4A4F1509}.exe	cmd.exe
PID 2592 wrote to memory of 1484	2592	{D6D2AAC8-27DA-4415-8617-B9DA4A4F1509}.exe	cmd.exe
PID 2592 wrote to memory of 1484	2592	{D6D2AAC8-27DA-4415-8617-B9DA4A4F1509}.exe	cmd.exe
PID 2592 wrote to memory of 1484	2592	{D6D2AAC8-27DA-4415-8617-B9DA4A4F1509}.exe	cmd.exe
PID 2180 wrote to memory of 1760	2180	{91014EC4-7820-471d-AC29-965BDD24B7F9}.exe	{EC1965E6-27D5-4a80-9B8C-68346062769F}.exe
PID 2180 wrote to memory of 1760	2180	{91014EC4-7820-471d-AC29-965BDD24B7F9}.exe	{EC1965E6-27D5-4a80-9B8C-68346062769F}.exe
PID 2180 wrote to memory of 1760	2180	{91014EC4-7820-471d-AC29-965BDD24B7F9}.exe	{EC1965E6-27D5-4a80-9B8C-68346062769F}.exe
PID 2180 wrote to memory of 1760	2180	{91014EC4-7820-471d-AC29-965BDD24B7F9}.exe	{EC1965E6-27D5-4a80-9B8C-68346062769F}.exe
PID 2180 wrote to memory of 1904	2180	{91014EC4-7820-471d-AC29-965BDD24B7F9}.exe	cmd.exe
PID 2180 wrote to memory of 1904	2180	{91014EC4-7820-471d-AC29-965BDD24B7F9}.exe	cmd.exe
PID 2180 wrote to memory of 1904	2180	{91014EC4-7820-471d-AC29-965BDD24B7F9}.exe	cmd.exe
PID 2180 wrote to memory of 1904	2180	{91014EC4-7820-471d-AC29-965BDD24B7F9}.exe	cmd.exe
PID 1760 wrote to memory of 1584	1760	{EC1965E6-27D5-4a80-9B8C-68346062769F}.exe	{71504ED1-98B3-41dc-9756-9D1EDD45D354}.exe
PID 1760 wrote to memory of 1584	1760	{EC1965E6-27D5-4a80-9B8C-68346062769F}.exe	{71504ED1-98B3-41dc-9756-9D1EDD45D354}.exe
PID 1760 wrote to memory of 1584	1760	{EC1965E6-27D5-4a80-9B8C-68346062769F}.exe	{71504ED1-98B3-41dc-9756-9D1EDD45D354}.exe
PID 1760 wrote to memory of 1584	1760	{EC1965E6-27D5-4a80-9B8C-68346062769F}.exe	{71504ED1-98B3-41dc-9756-9D1EDD45D354}.exe
PID 1760 wrote to memory of 1372	1760	{EC1965E6-27D5-4a80-9B8C-68346062769F}.exe	cmd.exe
PID 1760 wrote to memory of 1372	1760	{EC1965E6-27D5-4a80-9B8C-68346062769F}.exe	cmd.exe
PID 1760 wrote to memory of 1372	1760	{EC1965E6-27D5-4a80-9B8C-68346062769F}.exe	cmd.exe
PID 1760 wrote to memory of 1372	1760	{EC1965E6-27D5-4a80-9B8C-68346062769F}.exe	cmd.exe
PID 1584 wrote to memory of 2464	1584	{71504ED1-98B3-41dc-9756-9D1EDD45D354}.exe	{1230DBB6-CAEC-4c55-97F7-12FA2415057E}.exe
PID 1584 wrote to memory of 2464	1584	{71504ED1-98B3-41dc-9756-9D1EDD45D354}.exe	{1230DBB6-CAEC-4c55-97F7-12FA2415057E}.exe
PID 1584 wrote to memory of 2464	1584	{71504ED1-98B3-41dc-9756-9D1EDD45D354}.exe	{1230DBB6-CAEC-4c55-97F7-12FA2415057E}.exe
PID 1584 wrote to memory of 2464	1584	{71504ED1-98B3-41dc-9756-9D1EDD45D354}.exe	{1230DBB6-CAEC-4c55-97F7-12FA2415057E}.exe
PID 1584 wrote to memory of 852	1584	{71504ED1-98B3-41dc-9756-9D1EDD45D354}.exe	cmd.exe
PID 1584 wrote to memory of 852	1584	{71504ED1-98B3-41dc-9756-9D1EDD45D354}.exe	cmd.exe
PID 1584 wrote to memory of 852	1584	{71504ED1-98B3-41dc-9756-9D1EDD45D354}.exe	cmd.exe
PID 1584 wrote to memory of 852	1584	{71504ED1-98B3-41dc-9756-9D1EDD45D354}.exe	cmd.exe
PID 2464 wrote to memory of 2432	2464	{1230DBB6-CAEC-4c55-97F7-12FA2415057E}.exe	{25F81C27-6CBB-4cdf-A4D3-23C8E6376A59}.exe
PID 2464 wrote to memory of 2432	2464	{1230DBB6-CAEC-4c55-97F7-12FA2415057E}.exe	{25F81C27-6CBB-4cdf-A4D3-23C8E6376A59}.exe
PID 2464 wrote to memory of 2432	2464	{1230DBB6-CAEC-4c55-97F7-12FA2415057E}.exe	{25F81C27-6CBB-4cdf-A4D3-23C8E6376A59}.exe
PID 2464 wrote to memory of 2432	2464	{1230DBB6-CAEC-4c55-97F7-12FA2415057E}.exe	{25F81C27-6CBB-4cdf-A4D3-23C8E6376A59}.exe
PID 2464 wrote to memory of 2344	2464	{1230DBB6-CAEC-4c55-97F7-12FA2415057E}.exe	cmd.exe
PID 2464 wrote to memory of 2344	2464	{1230DBB6-CAEC-4c55-97F7-12FA2415057E}.exe	cmd.exe
PID 2464 wrote to memory of 2344	2464	{1230DBB6-CAEC-4c55-97F7-12FA2415057E}.exe	cmd.exe
PID 2464 wrote to memory of 2344	2464	{1230DBB6-CAEC-4c55-97F7-12FA2415057E}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\66ad3cf29b5044dc6ac5f5475feb20f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\66ad3cf29b5044dc6ac5f5475feb20f0_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:352

C:\Windows\{BF3BDA43-E9B4-474a-A404-5FC1FE4923B2}.exe
C:\Windows\{BF3BDA43-E9B4-474a-A404-5FC1FE4923B2}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\{0767AA14-678A-4c62-87A8-F967C30E43EE}.exe
C:\Windows\{0767AA14-678A-4c62-87A8-F967C30E43EE}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\{D6D2AAC8-27DA-4415-8617-B9DA4A4F1509}.exe
C:\Windows\{D6D2AAC8-27DA-4415-8617-B9DA4A4F1509}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\{91014EC4-7820-471d-AC29-965BDD24B7F9}.exe
C:\Windows\{91014EC4-7820-471d-AC29-965BDD24B7F9}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\{EC1965E6-27D5-4a80-9B8C-68346062769F}.exe
C:\Windows\{EC1965E6-27D5-4a80-9B8C-68346062769F}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\{71504ED1-98B3-41dc-9756-9D1EDD45D354}.exe
C:\Windows\{71504ED1-98B3-41dc-9756-9D1EDD45D354}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\{1230DBB6-CAEC-4c55-97F7-12FA2415057E}.exe
C:\Windows\{1230DBB6-CAEC-4c55-97F7-12FA2415057E}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2464

C:\Windows\{25F81C27-6CBB-4cdf-A4D3-23C8E6376A59}.exe
C:\Windows\{25F81C27-6CBB-4cdf-A4D3-23C8E6376A59}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2432

C:\Windows\{A9EBDD5A-389F-4ce0-83D9-8E9E47D3786E}.exe
C:\Windows\{A9EBDD5A-389F-4ce0-83D9-8E9E47D3786E}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:320

C:\Windows\{8A317FA9-71F6-4fd5-8C47-470FA037D3F1}.exe
C:\Windows\{8A317FA9-71F6-4fd5-8C47-470FA037D3F1}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Windows\{1D511BDA-3411-4379-BBAE-DCA074A30CE4}.exe
C:\Windows\{1D511BDA-3411-4379-BBAE-DCA074A30CE4}.exe
12⤵
- Executes dropped EXE
PID:696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{8A317~1.EXE > nul
12⤵
PID:2428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A9EBD~1.EXE > nul
11⤵
PID:1284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{25F81~1.EXE > nul
10⤵
PID:792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{1230D~1.EXE > nul
9⤵
PID:2344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{71504~1.EXE > nul
8⤵
PID:852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{EC196~1.EXE > nul
7⤵
PID:1372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{91014~1.EXE > nul
6⤵
PID:1904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D6D2A~1.EXE > nul
5⤵
PID:1484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0767A~1.EXE > nul
4⤵
PID:1624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{BF3BD~1.EXE > nul
3⤵
PID:2820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\66AD3C~1.EXE > nul
2⤵
- Deletes itself
PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0767AA14-678A-4c62-87A8-F967C30E43EE}.exe

Filesize
90KB

MD5
2c47514af8e436d73e254a55b7728e97

SHA1
39699b737dc450501b19f6e9eddbe311b957e5c8

SHA256
a3b94a594d4202bc45841980cbc4c9206c6ace5528de1e042841d4823babcd92

SHA512
4265963a111f81b4cc3069fd1a8e72845d69d131311c6de82a3292424265e747c063530eb563e2cc3329eb6b329fc1c931edd4fd1d247bcc62788364d815bc83

Download Submit
C:\Windows\{1230DBB6-CAEC-4c55-97F7-12FA2415057E}.exe

Filesize
90KB

MD5
59764be0fa64fa0ae088d5755160b97c

SHA1
8af241c298c4a66cd79a5e231adad52d54958ac1

SHA256
fdff7ea1ba9570b031d8a0cca33fe4606cd992b40fb21a0a6cb978659c8c6dee

SHA512
708c84687173d8e6001390840c27fbed77960ad4a1b3983dfb4b7bfed0fd90e7856aafc9617df151a0c523627634a92aa0459f938d2132fe146f799601a78ef3

Download Submit
C:\Windows\{1D511BDA-3411-4379-BBAE-DCA074A30CE4}.exe

Filesize
90KB

MD5
6a5aadc8e60cd743e2a74f38b401b469

SHA1
461e373de3476ace1d96244b05f6eaa8be1c6a3c

SHA256
35ddb1b6d0ee59b055019d514b18892c2a40c1b0c948d6c1ebc9685d6edb1310

SHA512
04cb2de0ed11d0751f817ab834a54c19eb655538d501d694b69f89d920b4f47c0ea1df20f30357a5eb65a391cedc634495cc965482e1fc21cc40ddee6e614d30

Download Submit
C:\Windows\{25F81C27-6CBB-4cdf-A4D3-23C8E6376A59}.exe

Filesize
90KB

MD5
8b2a8b3f4d22650bc3627df52cf4c0dc

SHA1
a616bb37b4add5273f8cb0620299dce9bbda4e94

SHA256
4d24a97f2627e431552c38dcf47ebc5ef5b61c9a17146d6aa3df5ccfb651ee23

SHA512
03e27b8baad253088b3d5111c15b6f4adceb23050f2ae5d7273d3960a4a5540a08a3e14b7ba05a418f972df290cd74c3c0cc3bddcb3c51f34515947b1bc01539

Download Submit
C:\Windows\{71504ED1-98B3-41dc-9756-9D1EDD45D354}.exe

Filesize
90KB

MD5
aecab96b146ec857ce416fe8d9f314da

SHA1
8939fc43d0235e814727048d82680d01122258f7

SHA256
132c905a41fe06711cf53315ecfa763720fbb328d8ad60a223187e47e2b3b11e

SHA512
32897960c8c6b86997932824cdc32a6d01041f6365c6933ee7eb7e88b0b8f3378cd1018584cb8f45ffdae57cddad4e23f6b3b900e78bce508f2276ffe0f6d0d6

Download Submit
C:\Windows\{8A317FA9-71F6-4fd5-8C47-470FA037D3F1}.exe

Filesize
90KB

MD5
fd983c76231bf1c224b92fc3922d0d07

SHA1
6c8ea2fa102df6e30b592531ac388445163b2d8f

SHA256
b0c1ac84a2eda20d3490ff7f12bdb4a18ec235b92c36dc69ec4c33f0ea7a3c85

SHA512
05d3cc6f3acbabc41f18d951bd9ad9df82ee5676d2a81cac79ff66b01b009a0e0dd61f7ebce5b95235aff811731672c748abc6611c9e85e2b199af6eb9076174

Download Submit
C:\Windows\{91014EC4-7820-471d-AC29-965BDD24B7F9}.exe

Filesize
90KB

MD5
900cb3e2bf041c8f0379ae228a566afd

SHA1
ff8e21607caeaa944e5ed4fc3dd21f47ae3e09b5

SHA256
1cbf2b8eab97477bb1b3d9132f5515ceaf2218f3e6ecf80b52196ef0906704af

SHA512
7d85ecb15e810ec1f4bf01f0f8fd1a7331968d6195f27b151610f6de94e150a11a05eb8d9ffbc0115efb9ccfac9b01e601ab9e6138314b0ea6635e0530b4ce56

Download Submit
C:\Windows\{A9EBDD5A-389F-4ce0-83D9-8E9E47D3786E}.exe

Filesize
90KB

MD5
49d5f7ce0ad481c9efc2ad92e2f004fe

SHA1
4a0d257c6353445e4a8f250f67b6333af8fcff19

SHA256
7579e6c0a9cef17c58e17ab9db3da0305f5049f420968df09a4a591d0f0f0ca0

SHA512
930b15ee35bb5c1311e7a93bec18e70f37da7edd13f3c236d54b73dbfda51bcdea3334f2cf8510432b1bfd2720680069e1a3f71c181ff8465f246fcdc94a00de

Download Submit
C:\Windows\{BF3BDA43-E9B4-474a-A404-5FC1FE4923B2}.exe

Filesize
90KB

MD5
1b4f4a7b34042cfda2ff75631184aa01

SHA1
ff5a1a6a1f233b6c38daa3b0f6ccbfad0d900c7b

SHA256
f14defbbd85a95ddda3d05aa4f913d28fe3afa9ac83169d0241d7751fceaccdb

SHA512
4e730387d6010f4decbf8ff6f84495f783da12b7cf7f1b255bb6d10c998a34ec7af45fdb38e27c10fcd1e7fb2f722d01f5cf23300b310895ed3524d499b910d9

Download Submit
C:\Windows\{D6D2AAC8-27DA-4415-8617-B9DA4A4F1509}.exe

Filesize
90KB

MD5
38e6e2244b6a8f1c9ba7d3fcb99dbc17

SHA1
29bc7c7296b396f5fc733f0b63351cc6fb62fbd5

SHA256
daae16c6d14c16717c29b295e90a410ac34dc662444f4bcb724d9cb8b03f0e6c

SHA512
d290d3b4669788b5cbc5d92cd71fa6f171a540fe754e182a7c03ef67f6e946f82043156ac496aea914b0d7ff7cf41d859868b18c7f1b7f6764c4283bb2bc6781

Download Submit
C:\Windows\{EC1965E6-27D5-4a80-9B8C-68346062769F}.exe

Filesize
90KB

MD5
d72725f49f2c6cb93cc053965fb86fac

SHA1
607445ac08756a857e218867d261d217ad4239d7

SHA256
75811069068c485d87280499d0fbaa3208a36548191d6d2017ae044cc5a01446

SHA512
3e8404cb9a37d19390404ad57cbe0751631295fca50ee1f06f854f2e580a8ed7c1c0bf34b03eae249e32070be7daa400c9bb0b97edac3bf56112e9a689b86769

Download Submit
memory/320-94-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/320-86-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/352-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/352-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/352-3-0x0000000000350000-0x0000000000361000-memory.dmp

Filesize
68KB

Download
memory/696-104-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1420-95-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1420-103-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1584-60-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1584-67-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1636-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1636-16-0x00000000003D0000-0x00000000003E1000-memory.dmp

Filesize
68KB

Download
memory/1636-8-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1760-49-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1760-56-0x00000000003E0000-0x00000000003F1000-memory.dmp

Filesize
68KB

Download
memory/1760-59-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1760-57-0x00000000003E0000-0x00000000003F1000-memory.dmp

Filesize
68KB

Download
memory/2180-46-0x00000000005E0000-0x00000000005F1000-memory.dmp

Filesize
68KB

Download
memory/2180-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2180-39-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2432-85-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2464-72-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/2464-76-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2592-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2592-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2712-26-0x00000000003D0000-0x00000000003E1000-memory.dmp

Filesize
68KB

Download
memory/2712-27-0x00000000003D0000-0x00000000003E1000-memory.dmp

Filesize
68KB

Download
memory/2712-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2712-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download