8b75a581b815769866431bb152d11796aa8ba6d8dc22a50ab37c1cd7434c4e2f

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 00:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66ad3cf29b5044dc6ac5f5475feb20f0_NeikiAnalytics.exe
Size

90KB
MD5

66ad3cf29b5044dc6ac5f5475feb20f0
SHA1

a4e81dc5f7bc462e65bd76e5b1543f3f6aad621e
SHA256

8b75a581b815769866431bb152d11796aa8ba6d8dc22a50ab37c1cd7434c4e2f
SHA512

f1976026d5bd20b16a0bd04c40a3abb5bb60de266d4db35247c1cd5ae7d0acd0848a86eeb3df4348ed86a9e4baf3e31869344f60c3dbf31507f98993d11d80ed
SSDEEP

768:5vw981UMhKQLrop4/wQ4pNrfrunMxVFA3bA:lEG00opl3zunMxVS3c

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{BE4458E0-93AF-4280-B161-7BCFF9B732E3}.exe{7582B991-76D1-48c1-8585-693041D3656C}.exe{282ADE65-B7B1-4477-99CE-63856F222D97}.exe{1D00CBD2-B141-417d-843E-114524528390}.exe{5829A80A-D915-4e99-A1E7-29EAF5936FA3}.exe{BF5A4FB0-F50D-4c6d-9BEB-1BBEACAA50A6}.exe66ad3cf29b5044dc6ac5f5475feb20f0_NeikiAnalytics.exe{2D1BDC9C-B4F2-4f83-BF4F-E4D0CE6E3446}.exe{FF35C8A7-C415-4ff5-B429-3A4B98399AFF}.exe{56689EE8-3BF3-4c66-B26A-E4B6AFEC9F29}.exe{738F0520-AC7A-4bf1-B038-19F9F9A6F70F}.exe{7935A812-D910-4ca4-9A07-DBDCC53D1F31}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7582B991-76D1-48c1-8585-693041D3656C}	{BE4458E0-93AF-4280-B161-7BCFF9B732E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF35C8A7-C415-4ff5-B429-3A4B98399AFF}\stubpath = "C:\\Windows\\{FF35C8A7-C415-4ff5-B429-3A4B98399AFF}.exe"	{7582B991-76D1-48c1-8585-693041D3656C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D00CBD2-B141-417d-843E-114524528390}	{282ADE65-B7B1-4477-99CE-63856F222D97}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D00CBD2-B141-417d-843E-114524528390}\stubpath = "C:\\Windows\\{1D00CBD2-B141-417d-843E-114524528390}.exe"	{282ADE65-B7B1-4477-99CE-63856F222D97}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56689EE8-3BF3-4c66-B26A-E4B6AFEC9F29}	{1D00CBD2-B141-417d-843E-114524528390}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D1BDC9C-B4F2-4f83-BF4F-E4D0CE6E3446}	{5829A80A-D915-4e99-A1E7-29EAF5936FA3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D1BDC9C-B4F2-4f83-BF4F-E4D0CE6E3446}\stubpath = "C:\\Windows\\{2D1BDC9C-B4F2-4f83-BF4F-E4D0CE6E3446}.exe"	{5829A80A-D915-4e99-A1E7-29EAF5936FA3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A6939C1-5424-4407-9F50-F279BAA64D0D}\stubpath = "C:\\Windows\\{6A6939C1-5424-4407-9F50-F279BAA64D0D}.exe"	{BF5A4FB0-F50D-4c6d-9BEB-1BBEACAA50A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{282ADE65-B7B1-4477-99CE-63856F222D97}	66ad3cf29b5044dc6ac5f5475feb20f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56689EE8-3BF3-4c66-B26A-E4B6AFEC9F29}\stubpath = "C:\\Windows\\{56689EE8-3BF3-4c66-B26A-E4B6AFEC9F29}.exe"	{1D00CBD2-B141-417d-843E-114524528390}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE4458E0-93AF-4280-B161-7BCFF9B732E3}	{2D1BDC9C-B4F2-4f83-BF4F-E4D0CE6E3446}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE4458E0-93AF-4280-B161-7BCFF9B732E3}\stubpath = "C:\\Windows\\{BE4458E0-93AF-4280-B161-7BCFF9B732E3}.exe"	{2D1BDC9C-B4F2-4f83-BF4F-E4D0CE6E3446}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF35C8A7-C415-4ff5-B429-3A4B98399AFF}	{7582B991-76D1-48c1-8585-693041D3656C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF5A4FB0-F50D-4c6d-9BEB-1BBEACAA50A6}\stubpath = "C:\\Windows\\{BF5A4FB0-F50D-4c6d-9BEB-1BBEACAA50A6}.exe"	{FF35C8A7-C415-4ff5-B429-3A4B98399AFF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{282ADE65-B7B1-4477-99CE-63856F222D97}\stubpath = "C:\\Windows\\{282ADE65-B7B1-4477-99CE-63856F222D97}.exe"	66ad3cf29b5044dc6ac5f5475feb20f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{738F0520-AC7A-4bf1-B038-19F9F9A6F70F}\stubpath = "C:\\Windows\\{738F0520-AC7A-4bf1-B038-19F9F9A6F70F}.exe"	{56689EE8-3BF3-4c66-B26A-E4B6AFEC9F29}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7935A812-D910-4ca4-9A07-DBDCC53D1F31}	{738F0520-AC7A-4bf1-B038-19F9F9A6F70F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7935A812-D910-4ca4-9A07-DBDCC53D1F31}\stubpath = "C:\\Windows\\{7935A812-D910-4ca4-9A07-DBDCC53D1F31}.exe"	{738F0520-AC7A-4bf1-B038-19F9F9A6F70F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5829A80A-D915-4e99-A1E7-29EAF5936FA3}	{7935A812-D910-4ca4-9A07-DBDCC53D1F31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{738F0520-AC7A-4bf1-B038-19F9F9A6F70F}	{56689EE8-3BF3-4c66-B26A-E4B6AFEC9F29}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5829A80A-D915-4e99-A1E7-29EAF5936FA3}\stubpath = "C:\\Windows\\{5829A80A-D915-4e99-A1E7-29EAF5936FA3}.exe"	{7935A812-D910-4ca4-9A07-DBDCC53D1F31}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7582B991-76D1-48c1-8585-693041D3656C}\stubpath = "C:\\Windows\\{7582B991-76D1-48c1-8585-693041D3656C}.exe"	{BE4458E0-93AF-4280-B161-7BCFF9B732E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF5A4FB0-F50D-4c6d-9BEB-1BBEACAA50A6}	{FF35C8A7-C415-4ff5-B429-3A4B98399AFF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A6939C1-5424-4407-9F50-F279BAA64D0D}	{BF5A4FB0-F50D-4c6d-9BEB-1BBEACAA50A6}.exe

Executes dropped EXE 12 IoCs

Processes:

{282ADE65-B7B1-4477-99CE-63856F222D97}.exe{1D00CBD2-B141-417d-843E-114524528390}.exe{56689EE8-3BF3-4c66-B26A-E4B6AFEC9F29}.exe{738F0520-AC7A-4bf1-B038-19F9F9A6F70F}.exe{7935A812-D910-4ca4-9A07-DBDCC53D1F31}.exe{5829A80A-D915-4e99-A1E7-29EAF5936FA3}.exe{2D1BDC9C-B4F2-4f83-BF4F-E4D0CE6E3446}.exe{BE4458E0-93AF-4280-B161-7BCFF9B732E3}.exe{7582B991-76D1-48c1-8585-693041D3656C}.exe{FF35C8A7-C415-4ff5-B429-3A4B98399AFF}.exe{BF5A4FB0-F50D-4c6d-9BEB-1BBEACAA50A6}.exe{6A6939C1-5424-4407-9F50-F279BAA64D0D}.exe

pid	process
3400	{282ADE65-B7B1-4477-99CE-63856F222D97}.exe
3600	{1D00CBD2-B141-417d-843E-114524528390}.exe
412	{56689EE8-3BF3-4c66-B26A-E4B6AFEC9F29}.exe
4044	{738F0520-AC7A-4bf1-B038-19F9F9A6F70F}.exe
3520	{7935A812-D910-4ca4-9A07-DBDCC53D1F31}.exe
3140	{5829A80A-D915-4e99-A1E7-29EAF5936FA3}.exe
3496	{2D1BDC9C-B4F2-4f83-BF4F-E4D0CE6E3446}.exe
2792	{BE4458E0-93AF-4280-B161-7BCFF9B732E3}.exe
4128	{7582B991-76D1-48c1-8585-693041D3656C}.exe
1152	{FF35C8A7-C415-4ff5-B429-3A4B98399AFF}.exe
2560	{BF5A4FB0-F50D-4c6d-9BEB-1BBEACAA50A6}.exe
848	{6A6939C1-5424-4407-9F50-F279BAA64D0D}.exe

Drops file in Windows directory 12 IoCs

Processes:

{7935A812-D910-4ca4-9A07-DBDCC53D1F31}.exe{5829A80A-D915-4e99-A1E7-29EAF5936FA3}.exe{FF35C8A7-C415-4ff5-B429-3A4B98399AFF}.exe66ad3cf29b5044dc6ac5f5475feb20f0_NeikiAnalytics.exe{282ADE65-B7B1-4477-99CE-63856F222D97}.exe{1D00CBD2-B141-417d-843E-114524528390}.exe{56689EE8-3BF3-4c66-B26A-E4B6AFEC9F29}.exe{738F0520-AC7A-4bf1-B038-19F9F9A6F70F}.exe{2D1BDC9C-B4F2-4f83-BF4F-E4D0CE6E3446}.exe{BE4458E0-93AF-4280-B161-7BCFF9B732E3}.exe{7582B991-76D1-48c1-8585-693041D3656C}.exe{BF5A4FB0-F50D-4c6d-9BEB-1BBEACAA50A6}.exe

description	ioc	process
File created	C:\Windows\{5829A80A-D915-4e99-A1E7-29EAF5936FA3}.exe	{7935A812-D910-4ca4-9A07-DBDCC53D1F31}.exe
File created	C:\Windows\{2D1BDC9C-B4F2-4f83-BF4F-E4D0CE6E3446}.exe	{5829A80A-D915-4e99-A1E7-29EAF5936FA3}.exe
File created	C:\Windows\{BF5A4FB0-F50D-4c6d-9BEB-1BBEACAA50A6}.exe	{FF35C8A7-C415-4ff5-B429-3A4B98399AFF}.exe
File created	C:\Windows\{282ADE65-B7B1-4477-99CE-63856F222D97}.exe	66ad3cf29b5044dc6ac5f5475feb20f0_NeikiAnalytics.exe
File created	C:\Windows\{1D00CBD2-B141-417d-843E-114524528390}.exe	{282ADE65-B7B1-4477-99CE-63856F222D97}.exe
File created	C:\Windows\{56689EE8-3BF3-4c66-B26A-E4B6AFEC9F29}.exe	{1D00CBD2-B141-417d-843E-114524528390}.exe
File created	C:\Windows\{738F0520-AC7A-4bf1-B038-19F9F9A6F70F}.exe	{56689EE8-3BF3-4c66-B26A-E4B6AFEC9F29}.exe
File created	C:\Windows\{7935A812-D910-4ca4-9A07-DBDCC53D1F31}.exe	{738F0520-AC7A-4bf1-B038-19F9F9A6F70F}.exe
File created	C:\Windows\{BE4458E0-93AF-4280-B161-7BCFF9B732E3}.exe	{2D1BDC9C-B4F2-4f83-BF4F-E4D0CE6E3446}.exe
File created	C:\Windows\{7582B991-76D1-48c1-8585-693041D3656C}.exe	{BE4458E0-93AF-4280-B161-7BCFF9B732E3}.exe
File created	C:\Windows\{FF35C8A7-C415-4ff5-B429-3A4B98399AFF}.exe	{7582B991-76D1-48c1-8585-693041D3656C}.exe
File created	C:\Windows\{6A6939C1-5424-4407-9F50-F279BAA64D0D}.exe	{BF5A4FB0-F50D-4c6d-9BEB-1BBEACAA50A6}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

66ad3cf29b5044dc6ac5f5475feb20f0_NeikiAnalytics.exe{282ADE65-B7B1-4477-99CE-63856F222D97}.exe{1D00CBD2-B141-417d-843E-114524528390}.exe{56689EE8-3BF3-4c66-B26A-E4B6AFEC9F29}.exe{738F0520-AC7A-4bf1-B038-19F9F9A6F70F}.exe{7935A812-D910-4ca4-9A07-DBDCC53D1F31}.exe{5829A80A-D915-4e99-A1E7-29EAF5936FA3}.exe{2D1BDC9C-B4F2-4f83-BF4F-E4D0CE6E3446}.exe{BE4458E0-93AF-4280-B161-7BCFF9B732E3}.exe{7582B991-76D1-48c1-8585-693041D3656C}.exe{FF35C8A7-C415-4ff5-B429-3A4B98399AFF}.exe{BF5A4FB0-F50D-4c6d-9BEB-1BBEACAA50A6}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1984	66ad3cf29b5044dc6ac5f5475feb20f0_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	3400	{282ADE65-B7B1-4477-99CE-63856F222D97}.exe
Token: SeIncBasePriorityPrivilege	3600	{1D00CBD2-B141-417d-843E-114524528390}.exe
Token: SeIncBasePriorityPrivilege	412	{56689EE8-3BF3-4c66-B26A-E4B6AFEC9F29}.exe
Token: SeIncBasePriorityPrivilege	4044	{738F0520-AC7A-4bf1-B038-19F9F9A6F70F}.exe
Token: SeIncBasePriorityPrivilege	3520	{7935A812-D910-4ca4-9A07-DBDCC53D1F31}.exe
Token: SeIncBasePriorityPrivilege	3140	{5829A80A-D915-4e99-A1E7-29EAF5936FA3}.exe
Token: SeIncBasePriorityPrivilege	3496	{2D1BDC9C-B4F2-4f83-BF4F-E4D0CE6E3446}.exe
Token: SeIncBasePriorityPrivilege	2792	{BE4458E0-93AF-4280-B161-7BCFF9B732E3}.exe
Token: SeIncBasePriorityPrivilege	4128	{7582B991-76D1-48c1-8585-693041D3656C}.exe
Token: SeIncBasePriorityPrivilege	1152	{FF35C8A7-C415-4ff5-B429-3A4B98399AFF}.exe
Token: SeIncBasePriorityPrivilege	2560	{BF5A4FB0-F50D-4c6d-9BEB-1BBEACAA50A6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1984 wrote to memory of 3400	1984	66ad3cf29b5044dc6ac5f5475feb20f0_NeikiAnalytics.exe	{282ADE65-B7B1-4477-99CE-63856F222D97}.exe
PID 1984 wrote to memory of 3400	1984	66ad3cf29b5044dc6ac5f5475feb20f0_NeikiAnalytics.exe	{282ADE65-B7B1-4477-99CE-63856F222D97}.exe
PID 1984 wrote to memory of 3400	1984	66ad3cf29b5044dc6ac5f5475feb20f0_NeikiAnalytics.exe	{282ADE65-B7B1-4477-99CE-63856F222D97}.exe
PID 1984 wrote to memory of 4956	1984	66ad3cf29b5044dc6ac5f5475feb20f0_NeikiAnalytics.exe	cmd.exe
PID 1984 wrote to memory of 4956	1984	66ad3cf29b5044dc6ac5f5475feb20f0_NeikiAnalytics.exe	cmd.exe
PID 1984 wrote to memory of 4956	1984	66ad3cf29b5044dc6ac5f5475feb20f0_NeikiAnalytics.exe	cmd.exe
PID 3400 wrote to memory of 3600	3400	{282ADE65-B7B1-4477-99CE-63856F222D97}.exe	{1D00CBD2-B141-417d-843E-114524528390}.exe
PID 3400 wrote to memory of 3600	3400	{282ADE65-B7B1-4477-99CE-63856F222D97}.exe	{1D00CBD2-B141-417d-843E-114524528390}.exe
PID 3400 wrote to memory of 3600	3400	{282ADE65-B7B1-4477-99CE-63856F222D97}.exe	{1D00CBD2-B141-417d-843E-114524528390}.exe
PID 3400 wrote to memory of 2364	3400	{282ADE65-B7B1-4477-99CE-63856F222D97}.exe	cmd.exe
PID 3400 wrote to memory of 2364	3400	{282ADE65-B7B1-4477-99CE-63856F222D97}.exe	cmd.exe
PID 3400 wrote to memory of 2364	3400	{282ADE65-B7B1-4477-99CE-63856F222D97}.exe	cmd.exe
PID 3600 wrote to memory of 412	3600	{1D00CBD2-B141-417d-843E-114524528390}.exe	{56689EE8-3BF3-4c66-B26A-E4B6AFEC9F29}.exe
PID 3600 wrote to memory of 412	3600	{1D00CBD2-B141-417d-843E-114524528390}.exe	{56689EE8-3BF3-4c66-B26A-E4B6AFEC9F29}.exe
PID 3600 wrote to memory of 412	3600	{1D00CBD2-B141-417d-843E-114524528390}.exe	{56689EE8-3BF3-4c66-B26A-E4B6AFEC9F29}.exe
PID 3600 wrote to memory of 2548	3600	{1D00CBD2-B141-417d-843E-114524528390}.exe	cmd.exe
PID 3600 wrote to memory of 2548	3600	{1D00CBD2-B141-417d-843E-114524528390}.exe	cmd.exe
PID 3600 wrote to memory of 2548	3600	{1D00CBD2-B141-417d-843E-114524528390}.exe	cmd.exe
PID 412 wrote to memory of 4044	412	{56689EE8-3BF3-4c66-B26A-E4B6AFEC9F29}.exe	{738F0520-AC7A-4bf1-B038-19F9F9A6F70F}.exe
PID 412 wrote to memory of 4044	412	{56689EE8-3BF3-4c66-B26A-E4B6AFEC9F29}.exe	{738F0520-AC7A-4bf1-B038-19F9F9A6F70F}.exe
PID 412 wrote to memory of 4044	412	{56689EE8-3BF3-4c66-B26A-E4B6AFEC9F29}.exe	{738F0520-AC7A-4bf1-B038-19F9F9A6F70F}.exe
PID 412 wrote to memory of 4408	412	{56689EE8-3BF3-4c66-B26A-E4B6AFEC9F29}.exe	cmd.exe
PID 412 wrote to memory of 4408	412	{56689EE8-3BF3-4c66-B26A-E4B6AFEC9F29}.exe	cmd.exe
PID 412 wrote to memory of 4408	412	{56689EE8-3BF3-4c66-B26A-E4B6AFEC9F29}.exe	cmd.exe
PID 4044 wrote to memory of 3520	4044	{738F0520-AC7A-4bf1-B038-19F9F9A6F70F}.exe	{7935A812-D910-4ca4-9A07-DBDCC53D1F31}.exe
PID 4044 wrote to memory of 3520	4044	{738F0520-AC7A-4bf1-B038-19F9F9A6F70F}.exe	{7935A812-D910-4ca4-9A07-DBDCC53D1F31}.exe
PID 4044 wrote to memory of 3520	4044	{738F0520-AC7A-4bf1-B038-19F9F9A6F70F}.exe	{7935A812-D910-4ca4-9A07-DBDCC53D1F31}.exe
PID 4044 wrote to memory of 2168	4044	{738F0520-AC7A-4bf1-B038-19F9F9A6F70F}.exe	cmd.exe
PID 4044 wrote to memory of 2168	4044	{738F0520-AC7A-4bf1-B038-19F9F9A6F70F}.exe	cmd.exe
PID 4044 wrote to memory of 2168	4044	{738F0520-AC7A-4bf1-B038-19F9F9A6F70F}.exe	cmd.exe
PID 3520 wrote to memory of 3140	3520	{7935A812-D910-4ca4-9A07-DBDCC53D1F31}.exe	{5829A80A-D915-4e99-A1E7-29EAF5936FA3}.exe
PID 3520 wrote to memory of 3140	3520	{7935A812-D910-4ca4-9A07-DBDCC53D1F31}.exe	{5829A80A-D915-4e99-A1E7-29EAF5936FA3}.exe
PID 3520 wrote to memory of 3140	3520	{7935A812-D910-4ca4-9A07-DBDCC53D1F31}.exe	{5829A80A-D915-4e99-A1E7-29EAF5936FA3}.exe
PID 3520 wrote to memory of 3352	3520	{7935A812-D910-4ca4-9A07-DBDCC53D1F31}.exe	cmd.exe
PID 3520 wrote to memory of 3352	3520	{7935A812-D910-4ca4-9A07-DBDCC53D1F31}.exe	cmd.exe
PID 3520 wrote to memory of 3352	3520	{7935A812-D910-4ca4-9A07-DBDCC53D1F31}.exe	cmd.exe
PID 3140 wrote to memory of 3496	3140	{5829A80A-D915-4e99-A1E7-29EAF5936FA3}.exe	{2D1BDC9C-B4F2-4f83-BF4F-E4D0CE6E3446}.exe
PID 3140 wrote to memory of 3496	3140	{5829A80A-D915-4e99-A1E7-29EAF5936FA3}.exe	{2D1BDC9C-B4F2-4f83-BF4F-E4D0CE6E3446}.exe
PID 3140 wrote to memory of 3496	3140	{5829A80A-D915-4e99-A1E7-29EAF5936FA3}.exe	{2D1BDC9C-B4F2-4f83-BF4F-E4D0CE6E3446}.exe
PID 3140 wrote to memory of 664	3140	{5829A80A-D915-4e99-A1E7-29EAF5936FA3}.exe	cmd.exe
PID 3140 wrote to memory of 664	3140	{5829A80A-D915-4e99-A1E7-29EAF5936FA3}.exe	cmd.exe
PID 3140 wrote to memory of 664	3140	{5829A80A-D915-4e99-A1E7-29EAF5936FA3}.exe	cmd.exe
PID 3496 wrote to memory of 2792	3496	{2D1BDC9C-B4F2-4f83-BF4F-E4D0CE6E3446}.exe	{BE4458E0-93AF-4280-B161-7BCFF9B732E3}.exe
PID 3496 wrote to memory of 2792	3496	{2D1BDC9C-B4F2-4f83-BF4F-E4D0CE6E3446}.exe	{BE4458E0-93AF-4280-B161-7BCFF9B732E3}.exe
PID 3496 wrote to memory of 2792	3496	{2D1BDC9C-B4F2-4f83-BF4F-E4D0CE6E3446}.exe	{BE4458E0-93AF-4280-B161-7BCFF9B732E3}.exe
PID 3496 wrote to memory of 1520	3496	{2D1BDC9C-B4F2-4f83-BF4F-E4D0CE6E3446}.exe	cmd.exe
PID 3496 wrote to memory of 1520	3496	{2D1BDC9C-B4F2-4f83-BF4F-E4D0CE6E3446}.exe	cmd.exe
PID 3496 wrote to memory of 1520	3496	{2D1BDC9C-B4F2-4f83-BF4F-E4D0CE6E3446}.exe	cmd.exe
PID 2792 wrote to memory of 4128	2792	{BE4458E0-93AF-4280-B161-7BCFF9B732E3}.exe	{7582B991-76D1-48c1-8585-693041D3656C}.exe
PID 2792 wrote to memory of 4128	2792	{BE4458E0-93AF-4280-B161-7BCFF9B732E3}.exe	{7582B991-76D1-48c1-8585-693041D3656C}.exe
PID 2792 wrote to memory of 4128	2792	{BE4458E0-93AF-4280-B161-7BCFF9B732E3}.exe	{7582B991-76D1-48c1-8585-693041D3656C}.exe
PID 2792 wrote to memory of 2448	2792	{BE4458E0-93AF-4280-B161-7BCFF9B732E3}.exe	cmd.exe
PID 2792 wrote to memory of 2448	2792	{BE4458E0-93AF-4280-B161-7BCFF9B732E3}.exe	cmd.exe
PID 2792 wrote to memory of 2448	2792	{BE4458E0-93AF-4280-B161-7BCFF9B732E3}.exe	cmd.exe
PID 4128 wrote to memory of 1152	4128	{7582B991-76D1-48c1-8585-693041D3656C}.exe	{FF35C8A7-C415-4ff5-B429-3A4B98399AFF}.exe
PID 4128 wrote to memory of 1152	4128	{7582B991-76D1-48c1-8585-693041D3656C}.exe	{FF35C8A7-C415-4ff5-B429-3A4B98399AFF}.exe
PID 4128 wrote to memory of 1152	4128	{7582B991-76D1-48c1-8585-693041D3656C}.exe	{FF35C8A7-C415-4ff5-B429-3A4B98399AFF}.exe
PID 4128 wrote to memory of 5028	4128	{7582B991-76D1-48c1-8585-693041D3656C}.exe	cmd.exe
PID 4128 wrote to memory of 5028	4128	{7582B991-76D1-48c1-8585-693041D3656C}.exe	cmd.exe
PID 4128 wrote to memory of 5028	4128	{7582B991-76D1-48c1-8585-693041D3656C}.exe	cmd.exe
PID 1152 wrote to memory of 2560	1152	{FF35C8A7-C415-4ff5-B429-3A4B98399AFF}.exe	{BF5A4FB0-F50D-4c6d-9BEB-1BBEACAA50A6}.exe
PID 1152 wrote to memory of 2560	1152	{FF35C8A7-C415-4ff5-B429-3A4B98399AFF}.exe	{BF5A4FB0-F50D-4c6d-9BEB-1BBEACAA50A6}.exe
PID 1152 wrote to memory of 2560	1152	{FF35C8A7-C415-4ff5-B429-3A4B98399AFF}.exe	{BF5A4FB0-F50D-4c6d-9BEB-1BBEACAA50A6}.exe
PID 1152 wrote to memory of 856	1152	{FF35C8A7-C415-4ff5-B429-3A4B98399AFF}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\66ad3cf29b5044dc6ac5f5475feb20f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\66ad3cf29b5044dc6ac5f5475feb20f0_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\{282ADE65-B7B1-4477-99CE-63856F222D97}.exe
C:\Windows\{282ADE65-B7B1-4477-99CE-63856F222D97}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3400

C:\Windows\{1D00CBD2-B141-417d-843E-114524528390}.exe
C:\Windows\{1D00CBD2-B141-417d-843E-114524528390}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3600

C:\Windows\{56689EE8-3BF3-4c66-B26A-E4B6AFEC9F29}.exe
C:\Windows\{56689EE8-3BF3-4c66-B26A-E4B6AFEC9F29}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:412

C:\Windows\{738F0520-AC7A-4bf1-B038-19F9F9A6F70F}.exe
C:\Windows\{738F0520-AC7A-4bf1-B038-19F9F9A6F70F}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4044

C:\Windows\{7935A812-D910-4ca4-9A07-DBDCC53D1F31}.exe
C:\Windows\{7935A812-D910-4ca4-9A07-DBDCC53D1F31}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3520

C:\Windows\{5829A80A-D915-4e99-A1E7-29EAF5936FA3}.exe
C:\Windows\{5829A80A-D915-4e99-A1E7-29EAF5936FA3}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3140

C:\Windows\{2D1BDC9C-B4F2-4f83-BF4F-E4D0CE6E3446}.exe
C:\Windows\{2D1BDC9C-B4F2-4f83-BF4F-E4D0CE6E3446}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3496

C:\Windows\{BE4458E0-93AF-4280-B161-7BCFF9B732E3}.exe
C:\Windows\{BE4458E0-93AF-4280-B161-7BCFF9B732E3}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\{7582B991-76D1-48c1-8585-693041D3656C}.exe
C:\Windows\{7582B991-76D1-48c1-8585-693041D3656C}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4128

C:\Windows\{FF35C8A7-C415-4ff5-B429-3A4B98399AFF}.exe
C:\Windows\{FF35C8A7-C415-4ff5-B429-3A4B98399AFF}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\{BF5A4FB0-F50D-4c6d-9BEB-1BBEACAA50A6}.exe
C:\Windows\{BF5A4FB0-F50D-4c6d-9BEB-1BBEACAA50A6}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2560

C:\Windows\{6A6939C1-5424-4407-9F50-F279BAA64D0D}.exe
C:\Windows\{6A6939C1-5424-4407-9F50-F279BAA64D0D}.exe
13⤵
- Executes dropped EXE
PID:848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{BF5A4~1.EXE > nul
13⤵
PID:784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{FF35C~1.EXE > nul
12⤵
PID:856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{7582B~1.EXE > nul
11⤵
PID:5028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{BE445~1.EXE > nul
10⤵
PID:2448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{2D1BD~1.EXE > nul
9⤵
PID:1520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{5829A~1.EXE > nul
8⤵
PID:664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{7935A~1.EXE > nul
7⤵
PID:3352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{738F0~1.EXE > nul
6⤵
PID:2168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{56689~1.EXE > nul
5⤵
PID:4408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{1D00C~1.EXE > nul
4⤵
PID:2548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{282AD~1.EXE > nul
3⤵
PID:2364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\66AD3C~1.EXE > nul
2⤵
PID:4956

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1D00CBD2-B141-417d-843E-114524528390}.exe
Filesize
90KB

MD5
6ef3bc391106f83d91f194f89d5bbc48

SHA1
ebf4dbc6a00dbdff3c2c1ebde0ea4d918bf1ae91

SHA256
bfcb37c9e650b7116296f9563b0c96273156e0c0e5ed6770e9be1605e6b591e8

SHA512
b79d49d9ba8cebb3d0db4e1a78048891ed9e1d53abaad0d808e71c76c9b19e9d0bad43ba9d5c414e90c55f843902a7e5d300ae6ccd6675b100d2d77c9dcebcbd

Download Submit
C:\Windows\{282ADE65-B7B1-4477-99CE-63856F222D97}.exe
Filesize
90KB

MD5
478d940e07068d0063f5d063263fbb5d

SHA1
9add7caa9b2d75cb0275c2cce743cd243769ebad

SHA256
40af2e6debd1232bf08f82a7eaed4ee31070dba09b28bdbe7e0130637586c518

SHA512
87d62e0230b3103fd85bb94f7b7094f2e47727fe90763b63ea1e79a82f5a3897f00b1422b1b38e8c07b6602c05df557c631df8435112f384a0c800e2583b8895

Download Submit
C:\Windows\{2D1BDC9C-B4F2-4f83-BF4F-E4D0CE6E3446}.exe
Filesize
90KB

MD5
94e5257df93597df5cb65add49eff6b4

SHA1
de28f5d8458259144d706452bfc5f013cec612bf

SHA256
fcd458118e662ca3f17db3eeeb5cb2d63348de981d5fd178912211bc14ebb336

SHA512
6bcc654ff1251da1456ae43ed2e3e24877c8a3589e985557bb194dc01ff9427f56b4e4f02817bc0305c5b98b0c90bdceb2ebe55c28a3477faf70fd672709e702

Download Submit
C:\Windows\{56689EE8-3BF3-4c66-B26A-E4B6AFEC9F29}.exe
Filesize
90KB

MD5
e461ca3857d632f5025b9feddcc5b55a

SHA1
feab1a9afa984d782d5f9fa03cd9027678be0d65

SHA256
3cfd61ae60f94a458c34a92a8ee7ac0efe97b76004e7c03681d10504643bb1e1

SHA512
532e5558fb203dd8f9a27db2a81c0383630499f976d7f533af7dd1ae88d87fb1c8f16ef71210049cbef10b001ac2248df23cf9844ccbd3619321ac59e332d699

Download Submit
C:\Windows\{5829A80A-D915-4e99-A1E7-29EAF5936FA3}.exe
Filesize
90KB

MD5
d326cdb18120df16f11d0e01068f7224

SHA1
4452941cc33d5f2bdb8d4905dbfb1ec2df95c2e6

SHA256
4a5af93d319818e2f6113d8a242788666586156f66c0fa548f93e111a1fad006

SHA512
f75e82aa2aeef2098c689812e545939527f7ce2e1e1a8a5eaf48bd629f6b2cfa93c614c9d8ae84455d0456a99c21060b7a040a38a1a8c90e459fee98401011fb

Download Submit
C:\Windows\{6A6939C1-5424-4407-9F50-F279BAA64D0D}.exe
Filesize
90KB

MD5
ce12b1ed04496c2715eb1285433d7b46

SHA1
df2fc04d17258d56b6210215f5dc3b52335aa40d

SHA256
834806e492c69127a6c591131d63e5e3f248244782ba59d6991bef12e54f310d

SHA512
c4563f1c9701fe63047c208e5cdbd08bcaa02816f2f3e489889ee5768d192a744acefc2a491cc6bbf73f589d25f04e00b8d5237599f95b19f0f79932090d9b8a

Download Submit
C:\Windows\{738F0520-AC7A-4bf1-B038-19F9F9A6F70F}.exe
Filesize
90KB

MD5
3cec65e3973237b25ed346b34b62d81a

SHA1
13691d1acaf80808ca0c642ef3ac4ccb7b314a09

SHA256
7af2c8be242972d62fb06e0255367f1179198b9d699b75ea94f0729e061f7467

SHA512
00c243b7f7c450b839a99f51e7cf54f61b73ee9f9a03aaf1c9cf8fa9aab8145230050b4ee60d7ea9a1a716742941d4bbd345741d771b07650622d15285e63858

Download Submit
C:\Windows\{7582B991-76D1-48c1-8585-693041D3656C}.exe
Filesize
90KB

MD5
29776fccfed9c0f20a26e72bb0ccbc26

SHA1
1870a4bff56d107bcd1e25161d4269c7c9025f3d

SHA256
4a8617df77de0e2755ebfce879cf1f50b7985ffd1514de5e317726847c11092d

SHA512
6ded2d831368122b0b61f9aac5f280d37960d2e15b63297df7347b0fb6a172d84a677281410703474e34486d74bcfc791e6fec99725650ccab6409e88729453a

Download Submit
C:\Windows\{7935A812-D910-4ca4-9A07-DBDCC53D1F31}.exe
Filesize
90KB

MD5
174f421b77f0e543500bf56137d094fb

SHA1
02fc704c890c867b82a51990e1bff8c73034542f

SHA256
d25f1ded08c8def409bd741a6959fc04b136d4008e7584034b444bac72f3d298

SHA512
c34234ee33b5a736e97d267c62a8ab86e52720d3b73d35f02492525988e3d77b920ace2c8675bdbd565d08ce0780d5406217ffbf55525a2c3cad68dc67f499cc

Download Submit
C:\Windows\{BE4458E0-93AF-4280-B161-7BCFF9B732E3}.exe
Filesize
90KB

MD5
d2a4a6da0fa1a48ac32a5a6987222591

SHA1
1e58e0c46d77c295d72685b9b113559edc4c580b

SHA256
b666143c7ec7599e95f5e5b633ea994d2cfc84eb3d1001ccd7b3872c183866a3

SHA512
f94c47059aa206aa0581722d64c1b05205957d9473ef001b52b66d7303e8f0c3482215f74492d03ffa87e5ff520807c1945a74845b0ca3df3799abe3d392c22f

Download Submit
C:\Windows\{BF5A4FB0-F50D-4c6d-9BEB-1BBEACAA50A6}.exe
Filesize
90KB

MD5
ed4bb8b763cdec5563f09993d5ab9c77

SHA1
f1b2d36a5e138e5ba7635c9a67ae81893110bbf5

SHA256
fdff24d1b390a31d8ba01bf4843ea2b3a1d558a5e82fd71da6ba689af0c3d6cc

SHA512
584f3f34d0a0430d3f6f249068433f9b5959fa4bff9577f276a2f6753bbb91657cf8ee4f1f816e73f2f54268021d746bf8651ec745e5f6c6dd79ecff629d6201

Download Submit
C:\Windows\{FF35C8A7-C415-4ff5-B429-3A4B98399AFF}.exe
Filesize
90KB

MD5
5ad81a1036861fda7af9b37b9442dc51

SHA1
0ae73bf9cc5ab97c7a3c11405cae2ba2a69a41df

SHA256
6f6df879e2fa72aa231943ece49ac005c6d2233c32c63e74b38ac13f329a1a25

SHA512
ac040ab285919b0446b71608b219a4f98728928b4646f5ef876f689f1ec8364fef6f6c29a38f1c00990f6a9eb4808308e1a05f7a99f2c019304b2d793d231aa6

Download Submit
memory/412-22-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/848-67-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1152-60-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1984-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1984-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2560-66-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2560-61-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2792-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3140-37-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3400-11-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3400-4-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3496-44-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3496-39-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3520-27-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3520-33-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3600-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3600-16-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4044-26-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4128-49-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4128-55-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download