1fad62acbd7d4310c724c7395695025bcb09a1d96ef3b69a63f5b5089c218641

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 00:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

627fcd77b202ba5704cd6c800e4f65a0_NeikiAnalytics.exe
Size

90KB
MD5

627fcd77b202ba5704cd6c800e4f65a0
SHA1

aadff672cfb0237f4e48cd60b607c9de23b5c732
SHA256

1fad62acbd7d4310c724c7395695025bcb09a1d96ef3b69a63f5b5089c218641
SHA512

bf68aa9699581c9fed4d4db001465d53ac95099538c196bbddea6d1222d516bcdc8673ccc07082eccf486599e05a51c89e55f64adbe31cd11ebc4b4b489a17f0
SSDEEP

768:50w981IshKQLrop4/wQozzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzS:CEGI0oplVunMxVS3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{AB1D2D0D-E9C2-4a89-9FD8-E7154ABB00B2}.exe{736F532F-0C72-471d-B9AC-7189F0AE3F07}.exe{15456322-8880-4f1a-8D2A-1DAC8DEBF2CA}.exe{4B71AD4A-DD56-446e-B839-503F63838C8D}.exe{A5822814-4187-42eb-AB47-AC12CD6128B9}.exe627fcd77b202ba5704cd6c800e4f65a0_NeikiAnalytics.exe{92BE78FE-DA76-42fc-8B53-0260A2A2D978}.exe{C5721AF3-5230-4683-A54D-5A01A70F8A84}.exe{DA4C9E57-3804-4691-8535-E3145B0A39CA}.exe{B4BB5753-E29D-4ba3-AEC5-780A3641110C}.exe{C594254E-F600-4217-9FF6-2E1DA2192AA4}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{736F532F-0C72-471d-B9AC-7189F0AE3F07}\stubpath = "C:\\Windows\\{736F532F-0C72-471d-B9AC-7189F0AE3F07}.exe"	{AB1D2D0D-E9C2-4a89-9FD8-E7154ABB00B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15456322-8880-4f1a-8D2A-1DAC8DEBF2CA}	{736F532F-0C72-471d-B9AC-7189F0AE3F07}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B71AD4A-DD56-446e-B839-503F63838C8D}	{15456322-8880-4f1a-8D2A-1DAC8DEBF2CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA4C9E57-3804-4691-8535-E3145B0A39CA}	{4B71AD4A-DD56-446e-B839-503F63838C8D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4BB5753-E29D-4ba3-AEC5-780A3641110C}	{A5822814-4187-42eb-AB47-AC12CD6128B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92BE78FE-DA76-42fc-8B53-0260A2A2D978}\stubpath = "C:\\Windows\\{92BE78FE-DA76-42fc-8B53-0260A2A2D978}.exe"	627fcd77b202ba5704cd6c800e4f65a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C594254E-F600-4217-9FF6-2E1DA2192AA4}	{92BE78FE-DA76-42fc-8B53-0260A2A2D978}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB1D2D0D-E9C2-4a89-9FD8-E7154ABB00B2}\stubpath = "C:\\Windows\\{AB1D2D0D-E9C2-4a89-9FD8-E7154ABB00B2}.exe"	{C5721AF3-5230-4683-A54D-5A01A70F8A84}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C594254E-F600-4217-9FF6-2E1DA2192AA4}\stubpath = "C:\\Windows\\{C594254E-F600-4217-9FF6-2E1DA2192AA4}.exe"	{92BE78FE-DA76-42fc-8B53-0260A2A2D978}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA4C9E57-3804-4691-8535-E3145B0A39CA}\stubpath = "C:\\Windows\\{DA4C9E57-3804-4691-8535-E3145B0A39CA}.exe"	{4B71AD4A-DD56-446e-B839-503F63838C8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4BB5753-E29D-4ba3-AEC5-780A3641110C}\stubpath = "C:\\Windows\\{B4BB5753-E29D-4ba3-AEC5-780A3641110C}.exe"	{A5822814-4187-42eb-AB47-AC12CD6128B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B71AD4A-DD56-446e-B839-503F63838C8D}\stubpath = "C:\\Windows\\{4B71AD4A-DD56-446e-B839-503F63838C8D}.exe"	{15456322-8880-4f1a-8D2A-1DAC8DEBF2CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5822814-4187-42eb-AB47-AC12CD6128B9}\stubpath = "C:\\Windows\\{A5822814-4187-42eb-AB47-AC12CD6128B9}.exe"	{DA4C9E57-3804-4691-8535-E3145B0A39CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92C1486D-F2CE-4483-87CA-96467BD23A61}	{B4BB5753-E29D-4ba3-AEC5-780A3641110C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92BE78FE-DA76-42fc-8B53-0260A2A2D978}	627fcd77b202ba5704cd6c800e4f65a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB1D2D0D-E9C2-4a89-9FD8-E7154ABB00B2}	{C5721AF3-5230-4683-A54D-5A01A70F8A84}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15456322-8880-4f1a-8D2A-1DAC8DEBF2CA}\stubpath = "C:\\Windows\\{15456322-8880-4f1a-8D2A-1DAC8DEBF2CA}.exe"	{736F532F-0C72-471d-B9AC-7189F0AE3F07}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5822814-4187-42eb-AB47-AC12CD6128B9}	{DA4C9E57-3804-4691-8535-E3145B0A39CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92C1486D-F2CE-4483-87CA-96467BD23A61}\stubpath = "C:\\Windows\\{92C1486D-F2CE-4483-87CA-96467BD23A61}.exe"	{B4BB5753-E29D-4ba3-AEC5-780A3641110C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5721AF3-5230-4683-A54D-5A01A70F8A84}	{C594254E-F600-4217-9FF6-2E1DA2192AA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5721AF3-5230-4683-A54D-5A01A70F8A84}\stubpath = "C:\\Windows\\{C5721AF3-5230-4683-A54D-5A01A70F8A84}.exe"	{C594254E-F600-4217-9FF6-2E1DA2192AA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{736F532F-0C72-471d-B9AC-7189F0AE3F07}	{AB1D2D0D-E9C2-4a89-9FD8-E7154ABB00B2}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2128 cmd.exe

pid	process
2128	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{92BE78FE-DA76-42fc-8B53-0260A2A2D978}.exe{C594254E-F600-4217-9FF6-2E1DA2192AA4}.exe{C5721AF3-5230-4683-A54D-5A01A70F8A84}.exe{AB1D2D0D-E9C2-4a89-9FD8-E7154ABB00B2}.exe{736F532F-0C72-471d-B9AC-7189F0AE3F07}.exe{15456322-8880-4f1a-8D2A-1DAC8DEBF2CA}.exe{4B71AD4A-DD56-446e-B839-503F63838C8D}.exe{DA4C9E57-3804-4691-8535-E3145B0A39CA}.exe{A5822814-4187-42eb-AB47-AC12CD6128B9}.exe{B4BB5753-E29D-4ba3-AEC5-780A3641110C}.exe{92C1486D-F2CE-4483-87CA-96467BD23A61}.exe

pid	process
2028	{92BE78FE-DA76-42fc-8B53-0260A2A2D978}.exe
2744	{C594254E-F600-4217-9FF6-2E1DA2192AA4}.exe
2856	{C5721AF3-5230-4683-A54D-5A01A70F8A84}.exe
2096	{AB1D2D0D-E9C2-4a89-9FD8-E7154ABB00B2}.exe
2904	{736F532F-0C72-471d-B9AC-7189F0AE3F07}.exe
1752	{15456322-8880-4f1a-8D2A-1DAC8DEBF2CA}.exe
1748	{4B71AD4A-DD56-446e-B839-503F63838C8D}.exe
1332	{DA4C9E57-3804-4691-8535-E3145B0A39CA}.exe
2676	{A5822814-4187-42eb-AB47-AC12CD6128B9}.exe
1160	{B4BB5753-E29D-4ba3-AEC5-780A3641110C}.exe
2464	{92C1486D-F2CE-4483-87CA-96467BD23A61}.exe

Drops file in Windows directory 11 IoCs

Processes:

{AB1D2D0D-E9C2-4a89-9FD8-E7154ABB00B2}.exe{736F532F-0C72-471d-B9AC-7189F0AE3F07}.exe{15456322-8880-4f1a-8D2A-1DAC8DEBF2CA}.exe{DA4C9E57-3804-4691-8535-E3145B0A39CA}.exe{B4BB5753-E29D-4ba3-AEC5-780A3641110C}.exe{C594254E-F600-4217-9FF6-2E1DA2192AA4}.exe{C5721AF3-5230-4683-A54D-5A01A70F8A84}.exe{4B71AD4A-DD56-446e-B839-503F63838C8D}.exe{A5822814-4187-42eb-AB47-AC12CD6128B9}.exe627fcd77b202ba5704cd6c800e4f65a0_NeikiAnalytics.exe{92BE78FE-DA76-42fc-8B53-0260A2A2D978}.exe

description	ioc	process
File created	C:\Windows\{736F532F-0C72-471d-B9AC-7189F0AE3F07}.exe	{AB1D2D0D-E9C2-4a89-9FD8-E7154ABB00B2}.exe
File created	C:\Windows\{15456322-8880-4f1a-8D2A-1DAC8DEBF2CA}.exe	{736F532F-0C72-471d-B9AC-7189F0AE3F07}.exe
File created	C:\Windows\{4B71AD4A-DD56-446e-B839-503F63838C8D}.exe	{15456322-8880-4f1a-8D2A-1DAC8DEBF2CA}.exe
File created	C:\Windows\{A5822814-4187-42eb-AB47-AC12CD6128B9}.exe	{DA4C9E57-3804-4691-8535-E3145B0A39CA}.exe
File created	C:\Windows\{92C1486D-F2CE-4483-87CA-96467BD23A61}.exe	{B4BB5753-E29D-4ba3-AEC5-780A3641110C}.exe
File created	C:\Windows\{C5721AF3-5230-4683-A54D-5A01A70F8A84}.exe	{C594254E-F600-4217-9FF6-2E1DA2192AA4}.exe
File created	C:\Windows\{AB1D2D0D-E9C2-4a89-9FD8-E7154ABB00B2}.exe	{C5721AF3-5230-4683-A54D-5A01A70F8A84}.exe
File created	C:\Windows\{DA4C9E57-3804-4691-8535-E3145B0A39CA}.exe	{4B71AD4A-DD56-446e-B839-503F63838C8D}.exe
File created	C:\Windows\{B4BB5753-E29D-4ba3-AEC5-780A3641110C}.exe	{A5822814-4187-42eb-AB47-AC12CD6128B9}.exe
File created	C:\Windows\{92BE78FE-DA76-42fc-8B53-0260A2A2D978}.exe	627fcd77b202ba5704cd6c800e4f65a0_NeikiAnalytics.exe
File created	C:\Windows\{C594254E-F600-4217-9FF6-2E1DA2192AA4}.exe	{92BE78FE-DA76-42fc-8B53-0260A2A2D978}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

627fcd77b202ba5704cd6c800e4f65a0_NeikiAnalytics.exe{92BE78FE-DA76-42fc-8B53-0260A2A2D978}.exe{C594254E-F600-4217-9FF6-2E1DA2192AA4}.exe{C5721AF3-5230-4683-A54D-5A01A70F8A84}.exe{AB1D2D0D-E9C2-4a89-9FD8-E7154ABB00B2}.exe{736F532F-0C72-471d-B9AC-7189F0AE3F07}.exe{15456322-8880-4f1a-8D2A-1DAC8DEBF2CA}.exe{4B71AD4A-DD56-446e-B839-503F63838C8D}.exe{DA4C9E57-3804-4691-8535-E3145B0A39CA}.exe{A5822814-4187-42eb-AB47-AC12CD6128B9}.exe{B4BB5753-E29D-4ba3-AEC5-780A3641110C}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1700	627fcd77b202ba5704cd6c800e4f65a0_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2028	{92BE78FE-DA76-42fc-8B53-0260A2A2D978}.exe
Token: SeIncBasePriorityPrivilege	2744	{C594254E-F600-4217-9FF6-2E1DA2192AA4}.exe
Token: SeIncBasePriorityPrivilege	2856	{C5721AF3-5230-4683-A54D-5A01A70F8A84}.exe
Token: SeIncBasePriorityPrivilege	2096	{AB1D2D0D-E9C2-4a89-9FD8-E7154ABB00B2}.exe
Token: SeIncBasePriorityPrivilege	2904	{736F532F-0C72-471d-B9AC-7189F0AE3F07}.exe
Token: SeIncBasePriorityPrivilege	1752	{15456322-8880-4f1a-8D2A-1DAC8DEBF2CA}.exe
Token: SeIncBasePriorityPrivilege	1748	{4B71AD4A-DD56-446e-B839-503F63838C8D}.exe
Token: SeIncBasePriorityPrivilege	1332	{DA4C9E57-3804-4691-8535-E3145B0A39CA}.exe
Token: SeIncBasePriorityPrivilege	2676	{A5822814-4187-42eb-AB47-AC12CD6128B9}.exe
Token: SeIncBasePriorityPrivilege	1160	{B4BB5753-E29D-4ba3-AEC5-780A3641110C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1700 wrote to memory of 2028	1700	627fcd77b202ba5704cd6c800e4f65a0_NeikiAnalytics.exe	{92BE78FE-DA76-42fc-8B53-0260A2A2D978}.exe
PID 1700 wrote to memory of 2028	1700	627fcd77b202ba5704cd6c800e4f65a0_NeikiAnalytics.exe	{92BE78FE-DA76-42fc-8B53-0260A2A2D978}.exe
PID 1700 wrote to memory of 2028	1700	627fcd77b202ba5704cd6c800e4f65a0_NeikiAnalytics.exe	{92BE78FE-DA76-42fc-8B53-0260A2A2D978}.exe
PID 1700 wrote to memory of 2028	1700	627fcd77b202ba5704cd6c800e4f65a0_NeikiAnalytics.exe	{92BE78FE-DA76-42fc-8B53-0260A2A2D978}.exe
PID 1700 wrote to memory of 2128	1700	627fcd77b202ba5704cd6c800e4f65a0_NeikiAnalytics.exe	cmd.exe
PID 1700 wrote to memory of 2128	1700	627fcd77b202ba5704cd6c800e4f65a0_NeikiAnalytics.exe	cmd.exe
PID 1700 wrote to memory of 2128	1700	627fcd77b202ba5704cd6c800e4f65a0_NeikiAnalytics.exe	cmd.exe
PID 1700 wrote to memory of 2128	1700	627fcd77b202ba5704cd6c800e4f65a0_NeikiAnalytics.exe	cmd.exe
PID 2028 wrote to memory of 2744	2028	{92BE78FE-DA76-42fc-8B53-0260A2A2D978}.exe	{C594254E-F600-4217-9FF6-2E1DA2192AA4}.exe
PID 2028 wrote to memory of 2744	2028	{92BE78FE-DA76-42fc-8B53-0260A2A2D978}.exe	{C594254E-F600-4217-9FF6-2E1DA2192AA4}.exe
PID 2028 wrote to memory of 2744	2028	{92BE78FE-DA76-42fc-8B53-0260A2A2D978}.exe	{C594254E-F600-4217-9FF6-2E1DA2192AA4}.exe
PID 2028 wrote to memory of 2744	2028	{92BE78FE-DA76-42fc-8B53-0260A2A2D978}.exe	{C594254E-F600-4217-9FF6-2E1DA2192AA4}.exe
PID 2028 wrote to memory of 2620	2028	{92BE78FE-DA76-42fc-8B53-0260A2A2D978}.exe	cmd.exe
PID 2028 wrote to memory of 2620	2028	{92BE78FE-DA76-42fc-8B53-0260A2A2D978}.exe	cmd.exe
PID 2028 wrote to memory of 2620	2028	{92BE78FE-DA76-42fc-8B53-0260A2A2D978}.exe	cmd.exe
PID 2028 wrote to memory of 2620	2028	{92BE78FE-DA76-42fc-8B53-0260A2A2D978}.exe	cmd.exe
PID 2744 wrote to memory of 2856	2744	{C594254E-F600-4217-9FF6-2E1DA2192AA4}.exe	{C5721AF3-5230-4683-A54D-5A01A70F8A84}.exe
PID 2744 wrote to memory of 2856	2744	{C594254E-F600-4217-9FF6-2E1DA2192AA4}.exe	{C5721AF3-5230-4683-A54D-5A01A70F8A84}.exe
PID 2744 wrote to memory of 2856	2744	{C594254E-F600-4217-9FF6-2E1DA2192AA4}.exe	{C5721AF3-5230-4683-A54D-5A01A70F8A84}.exe
PID 2744 wrote to memory of 2856	2744	{C594254E-F600-4217-9FF6-2E1DA2192AA4}.exe	{C5721AF3-5230-4683-A54D-5A01A70F8A84}.exe
PID 2744 wrote to memory of 2220	2744	{C594254E-F600-4217-9FF6-2E1DA2192AA4}.exe	cmd.exe
PID 2744 wrote to memory of 2220	2744	{C594254E-F600-4217-9FF6-2E1DA2192AA4}.exe	cmd.exe
PID 2744 wrote to memory of 2220	2744	{C594254E-F600-4217-9FF6-2E1DA2192AA4}.exe	cmd.exe
PID 2744 wrote to memory of 2220	2744	{C594254E-F600-4217-9FF6-2E1DA2192AA4}.exe	cmd.exe
PID 2856 wrote to memory of 2096	2856	{C5721AF3-5230-4683-A54D-5A01A70F8A84}.exe	{AB1D2D0D-E9C2-4a89-9FD8-E7154ABB00B2}.exe
PID 2856 wrote to memory of 2096	2856	{C5721AF3-5230-4683-A54D-5A01A70F8A84}.exe	{AB1D2D0D-E9C2-4a89-9FD8-E7154ABB00B2}.exe
PID 2856 wrote to memory of 2096	2856	{C5721AF3-5230-4683-A54D-5A01A70F8A84}.exe	{AB1D2D0D-E9C2-4a89-9FD8-E7154ABB00B2}.exe
PID 2856 wrote to memory of 2096	2856	{C5721AF3-5230-4683-A54D-5A01A70F8A84}.exe	{AB1D2D0D-E9C2-4a89-9FD8-E7154ABB00B2}.exe
PID 2856 wrote to memory of 2764	2856	{C5721AF3-5230-4683-A54D-5A01A70F8A84}.exe	cmd.exe
PID 2856 wrote to memory of 2764	2856	{C5721AF3-5230-4683-A54D-5A01A70F8A84}.exe	cmd.exe
PID 2856 wrote to memory of 2764	2856	{C5721AF3-5230-4683-A54D-5A01A70F8A84}.exe	cmd.exe
PID 2856 wrote to memory of 2764	2856	{C5721AF3-5230-4683-A54D-5A01A70F8A84}.exe	cmd.exe
PID 2096 wrote to memory of 2904	2096	{AB1D2D0D-E9C2-4a89-9FD8-E7154ABB00B2}.exe	{736F532F-0C72-471d-B9AC-7189F0AE3F07}.exe
PID 2096 wrote to memory of 2904	2096	{AB1D2D0D-E9C2-4a89-9FD8-E7154ABB00B2}.exe	{736F532F-0C72-471d-B9AC-7189F0AE3F07}.exe
PID 2096 wrote to memory of 2904	2096	{AB1D2D0D-E9C2-4a89-9FD8-E7154ABB00B2}.exe	{736F532F-0C72-471d-B9AC-7189F0AE3F07}.exe
PID 2096 wrote to memory of 2904	2096	{AB1D2D0D-E9C2-4a89-9FD8-E7154ABB00B2}.exe	{736F532F-0C72-471d-B9AC-7189F0AE3F07}.exe
PID 2096 wrote to memory of 2468	2096	{AB1D2D0D-E9C2-4a89-9FD8-E7154ABB00B2}.exe	cmd.exe
PID 2096 wrote to memory of 2468	2096	{AB1D2D0D-E9C2-4a89-9FD8-E7154ABB00B2}.exe	cmd.exe
PID 2096 wrote to memory of 2468	2096	{AB1D2D0D-E9C2-4a89-9FD8-E7154ABB00B2}.exe	cmd.exe
PID 2096 wrote to memory of 2468	2096	{AB1D2D0D-E9C2-4a89-9FD8-E7154ABB00B2}.exe	cmd.exe
PID 2904 wrote to memory of 1752	2904	{736F532F-0C72-471d-B9AC-7189F0AE3F07}.exe	{15456322-8880-4f1a-8D2A-1DAC8DEBF2CA}.exe
PID 2904 wrote to memory of 1752	2904	{736F532F-0C72-471d-B9AC-7189F0AE3F07}.exe	{15456322-8880-4f1a-8D2A-1DAC8DEBF2CA}.exe
PID 2904 wrote to memory of 1752	2904	{736F532F-0C72-471d-B9AC-7189F0AE3F07}.exe	{15456322-8880-4f1a-8D2A-1DAC8DEBF2CA}.exe
PID 2904 wrote to memory of 1752	2904	{736F532F-0C72-471d-B9AC-7189F0AE3F07}.exe	{15456322-8880-4f1a-8D2A-1DAC8DEBF2CA}.exe
PID 2904 wrote to memory of 2480	2904	{736F532F-0C72-471d-B9AC-7189F0AE3F07}.exe	cmd.exe
PID 2904 wrote to memory of 2480	2904	{736F532F-0C72-471d-B9AC-7189F0AE3F07}.exe	cmd.exe
PID 2904 wrote to memory of 2480	2904	{736F532F-0C72-471d-B9AC-7189F0AE3F07}.exe	cmd.exe
PID 2904 wrote to memory of 2480	2904	{736F532F-0C72-471d-B9AC-7189F0AE3F07}.exe	cmd.exe
PID 1752 wrote to memory of 1748	1752	{15456322-8880-4f1a-8D2A-1DAC8DEBF2CA}.exe	{4B71AD4A-DD56-446e-B839-503F63838C8D}.exe
PID 1752 wrote to memory of 1748	1752	{15456322-8880-4f1a-8D2A-1DAC8DEBF2CA}.exe	{4B71AD4A-DD56-446e-B839-503F63838C8D}.exe
PID 1752 wrote to memory of 1748	1752	{15456322-8880-4f1a-8D2A-1DAC8DEBF2CA}.exe	{4B71AD4A-DD56-446e-B839-503F63838C8D}.exe
PID 1752 wrote to memory of 1748	1752	{15456322-8880-4f1a-8D2A-1DAC8DEBF2CA}.exe	{4B71AD4A-DD56-446e-B839-503F63838C8D}.exe
PID 1752 wrote to memory of 2748	1752	{15456322-8880-4f1a-8D2A-1DAC8DEBF2CA}.exe	cmd.exe
PID 1752 wrote to memory of 2748	1752	{15456322-8880-4f1a-8D2A-1DAC8DEBF2CA}.exe	cmd.exe
PID 1752 wrote to memory of 2748	1752	{15456322-8880-4f1a-8D2A-1DAC8DEBF2CA}.exe	cmd.exe
PID 1752 wrote to memory of 2748	1752	{15456322-8880-4f1a-8D2A-1DAC8DEBF2CA}.exe	cmd.exe
PID 1748 wrote to memory of 1332	1748	{4B71AD4A-DD56-446e-B839-503F63838C8D}.exe	{DA4C9E57-3804-4691-8535-E3145B0A39CA}.exe
PID 1748 wrote to memory of 1332	1748	{4B71AD4A-DD56-446e-B839-503F63838C8D}.exe	{DA4C9E57-3804-4691-8535-E3145B0A39CA}.exe
PID 1748 wrote to memory of 1332	1748	{4B71AD4A-DD56-446e-B839-503F63838C8D}.exe	{DA4C9E57-3804-4691-8535-E3145B0A39CA}.exe
PID 1748 wrote to memory of 1332	1748	{4B71AD4A-DD56-446e-B839-503F63838C8D}.exe	{DA4C9E57-3804-4691-8535-E3145B0A39CA}.exe
PID 1748 wrote to memory of 2300	1748	{4B71AD4A-DD56-446e-B839-503F63838C8D}.exe	cmd.exe
PID 1748 wrote to memory of 2300	1748	{4B71AD4A-DD56-446e-B839-503F63838C8D}.exe	cmd.exe
PID 1748 wrote to memory of 2300	1748	{4B71AD4A-DD56-446e-B839-503F63838C8D}.exe	cmd.exe
PID 1748 wrote to memory of 2300	1748	{4B71AD4A-DD56-446e-B839-503F63838C8D}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\627fcd77b202ba5704cd6c800e4f65a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\627fcd77b202ba5704cd6c800e4f65a0_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\{92BE78FE-DA76-42fc-8B53-0260A2A2D978}.exe
C:\Windows\{92BE78FE-DA76-42fc-8B53-0260A2A2D978}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\{C594254E-F600-4217-9FF6-2E1DA2192AA4}.exe
C:\Windows\{C594254E-F600-4217-9FF6-2E1DA2192AA4}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\{C5721AF3-5230-4683-A54D-5A01A70F8A84}.exe
C:\Windows\{C5721AF3-5230-4683-A54D-5A01A70F8A84}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2856

C:\Windows\{AB1D2D0D-E9C2-4a89-9FD8-E7154ABB00B2}.exe
C:\Windows\{AB1D2D0D-E9C2-4a89-9FD8-E7154ABB00B2}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\{736F532F-0C72-471d-B9AC-7189F0AE3F07}.exe
C:\Windows\{736F532F-0C72-471d-B9AC-7189F0AE3F07}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2904

C:\Windows\{15456322-8880-4f1a-8D2A-1DAC8DEBF2CA}.exe
C:\Windows\{15456322-8880-4f1a-8D2A-1DAC8DEBF2CA}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\{4B71AD4A-DD56-446e-B839-503F63838C8D}.exe
C:\Windows\{4B71AD4A-DD56-446e-B839-503F63838C8D}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\{DA4C9E57-3804-4691-8535-E3145B0A39CA}.exe
C:\Windows\{DA4C9E57-3804-4691-8535-E3145B0A39CA}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Windows\{A5822814-4187-42eb-AB47-AC12CD6128B9}.exe
C:\Windows\{A5822814-4187-42eb-AB47-AC12CD6128B9}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Windows\{B4BB5753-E29D-4ba3-AEC5-780A3641110C}.exe
C:\Windows\{B4BB5753-E29D-4ba3-AEC5-780A3641110C}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\{92C1486D-F2CE-4483-87CA-96467BD23A61}.exe
C:\Windows\{92C1486D-F2CE-4483-87CA-96467BD23A61}.exe
12⤵
- Executes dropped EXE
PID:2464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B4BB5~1.EXE > nul
12⤵
PID:408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A5822~1.EXE > nul
11⤵
PID:1640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DA4C9~1.EXE > nul
10⤵
PID:2024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4B71A~1.EXE > nul
9⤵
PID:2300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{15456~1.EXE > nul
8⤵
PID:2748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{736F5~1.EXE > nul
7⤵
PID:2480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{AB1D2~1.EXE > nul
6⤵
PID:2468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C5721~1.EXE > nul
5⤵
PID:2764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C5942~1.EXE > nul
4⤵
PID:2220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{92BE7~1.EXE > nul
3⤵
PID:2620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\627FCD~1.EXE > nul
2⤵
- Deletes itself
PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{15456322-8880-4f1a-8D2A-1DAC8DEBF2CA}.exe

Filesize
90KB

MD5
96f22d93cea6e03cb6e1958a0ebe3255

SHA1
ac1d758852fb74313508758a5a378c7fc3596116

SHA256
de2ca752ac2995312c90bf4713ec15057319fd1ca8b656148ea002919fd7d8a8

SHA512
73bfd7c3caa0bae91ca57ed137e2d51919e647a724c4342f80322c45296bb1230ddd10df0276f059b2d798d9e2670e057818e9832b1b184af38974558b838495

Download Submit
C:\Windows\{4B71AD4A-DD56-446e-B839-503F63838C8D}.exe

Filesize
90KB

MD5
27c196d2ff14236a2ef1ab8a8bb4254a

SHA1
e11b5d4caf136013cf9893b235ffae39a52cbbc5

SHA256
a2e6c3214168cbc3c34644519f1263886080db4cd9f9103ac638a07076975a56

SHA512
08e025425b9b0e73975dd5bf9836468f34ce77791d675f30989714a74cec7f1d23e121d6ab90bafc50f193229a5b2851c825a8a048065b392bf467a9b7eba1a6

Download Submit
C:\Windows\{736F532F-0C72-471d-B9AC-7189F0AE3F07}.exe

Filesize
90KB

MD5
5ca0e4131e143435edc183c6ea491764

SHA1
830451d73c9a46bbdada92268e8699e517ae041a

SHA256
edb0a1e9e84e84e97077a1560e2d967079ce550969297f8eec357528974a596f

SHA512
91d6deebf8a49ce9910313ec2826db5f6010977293e068c78e198663db768e3f9a316db1b645464805747bf7e0f32fc442bcec7d43cecf4224e4fa9eba4251be

Download Submit
C:\Windows\{92BE78FE-DA76-42fc-8B53-0260A2A2D978}.exe

Filesize
90KB

MD5
c92495e448a9d041fdf60072fbc7153c

SHA1
fd4a9d71e1bacf4a15b89459f427adb7fa0325a3

SHA256
77e9fb6d305dba6fdfdacdc799b002b0c59289c74a52626e26c839b9e0037112

SHA512
950df8ab852d14ae9832f64427807b3e99911064540ec4e28c037ed968da4edc4e337b1003ab30783e58a50338de68ea92939029a6ec5c66f72291ce15cd0d64

Download Submit
C:\Windows\{92C1486D-F2CE-4483-87CA-96467BD23A61}.exe

Filesize
90KB

MD5
ca59dcdb827218f5b892e96b8c2ce954

SHA1
6b4bdaddcda5ce6aba30a9d818e446edcc7a5e17

SHA256
04edabb39f8fc790e3d51c520db903b184337dd0241daffdd602b3f436c83b8e

SHA512
08371716754c2851815beb700810b02adaf4edab0e54263123c0cfb887aa7664f02309371c7cf1d8baef9ba6512ac896ae7dfe65b06b3b18a09bcf379690fbfc

Download Submit
C:\Windows\{A5822814-4187-42eb-AB47-AC12CD6128B9}.exe

Filesize
90KB

MD5
e7af95217c1d7f863976ced71b3885c3

SHA1
2c7a97361a603fecf96d798b07a808c47f600f02

SHA256
babd2919dc716bfd30cc96b5cc743a29cc449f49cb2dac427c330c31678bc3b1

SHA512
305fa80e123260086d5c41e0bee884a1ccdee110f126cc3a6777099e2d00ce9ba63b1e05446e80408419784f49e5324c3bdf72a51a45e8d22cb20ffb28a3dd6c

Download Submit
C:\Windows\{AB1D2D0D-E9C2-4a89-9FD8-E7154ABB00B2}.exe

Filesize
90KB

MD5
3af1a7143576e3c0e38ead7cd1c7c9b4

SHA1
6f0a2f32c43ad637f91ab6fc5bc698a513698e23

SHA256
76b9a8ad20f181b11e512651ac997312b07eb16fc5b0d50fd251c5b35a5e008a

SHA512
be3f9c73e7a001a8921e38fbded7cd3507ef5980b004067618d7c8155441698a71eb1b60310c52a554384a4ca7fedd8c7b8c92a5bbc91d1e470d3f31f674347d

Download Submit
C:\Windows\{B4BB5753-E29D-4ba3-AEC5-780A3641110C}.exe

Filesize
90KB

MD5
8e5b596d59eea636ac65d337e0dda043

SHA1
5da1000780791d6eb39b1f67b3807c389a0ef600

SHA256
00e3fa4729da6263c5755fb379cc5b67cf9c04e1823947a3d8d10e350965e960

SHA512
e8ad0099267dd3c49f2bf667db082a8500aed8a03487dbdfb2ff3a97cf6c43b67b3ba7cb6b6725b55ed7dc0088a55ad189fcec281b5d698fc0fd8cac49ccc7cc

Download Submit
C:\Windows\{C5721AF3-5230-4683-A54D-5A01A70F8A84}.exe

Filesize
90KB

MD5
3bec3b7dc87071747e13e36ee4481ccc

SHA1
bd2540aae35d22d54f2cfbc91011452149b896d3

SHA256
87005aa23c979b7cd9004ceb4dd1d470a01f2286d18c8890a656758bda70d383

SHA512
2d0ab281c5b79a68ff0386419013e5285b0598cd910890468ef286008edabfc8c485699d7d175240cafd852caa834f6e7c1a585efeee61342a03961ca05b834a

Download Submit
C:\Windows\{C594254E-F600-4217-9FF6-2E1DA2192AA4}.exe

Filesize
90KB

MD5
686b506cab99df5f9e2768f0f3ed241f

SHA1
368ddb725970dcc7bc1cbc78d3651e246828cdc6

SHA256
a290d4e8cb37bbb3e4abf3f8d9b37e23e761d746d390bbe356d1810738a53dfb

SHA512
fab6b75f11c3b643f45526c43f8da5a9748c012b5cc77db87a2cb692f2c2e8806091f64040d3bf955e93f536d99cac6566ea2c7496c01b75e892f586c028e1c9

Download Submit
C:\Windows\{DA4C9E57-3804-4691-8535-E3145B0A39CA}.exe

Filesize
90KB

MD5
dc253159320c00486c3028a345edaebb

SHA1
0821a671656301a514cf93e1e468d7d1ace5b278

SHA256
6572c267992750ed97e00fd7c16520f1d9d4023e385d72273e4750d0ad7e8385

SHA512
c1ad46c488da63a269cd4981501e61e3506801cd16e8557c48a397fe3b952d8010e55c0fae994ba99bd3494d5e14350c3f8ec995cc036a5e9cedea6cca401422

Download Submit
memory/1160-100-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1160-95-0x0000000000290000-0x00000000002A1000-memory.dmp

Filesize
68KB

Download
memory/1332-83-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1700-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1700-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1700-7-0x0000000000350000-0x0000000000361000-memory.dmp

Filesize
68KB

Download
memory/1700-8-0x0000000000350000-0x0000000000361000-memory.dmp

Filesize
68KB

Download
memory/1748-75-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1748-70-0x00000000002F0000-0x0000000000301000-memory.dmp

Filesize
68KB

Download
memory/1752-66-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2028-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2028-14-0x00000000003B0000-0x00000000003C1000-memory.dmp

Filesize
68KB

Download
memory/2028-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2096-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2096-43-0x00000000002A0000-0x00000000002B1000-memory.dmp

Filesize
68KB

Download
memory/2676-91-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2744-27-0x00000000002B0000-0x00000000002C1000-memory.dmp

Filesize
68KB

Download
memory/2744-29-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2744-20-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2856-36-0x0000000000310000-0x0000000000321000-memory.dmp

Filesize
68KB

Download
memory/2856-37-0x0000000000310000-0x0000000000321000-memory.dmp

Filesize
68KB

Download
memory/2856-39-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2904-53-0x00000000003E0000-0x00000000003F1000-memory.dmp

Filesize
68KB

Download
memory/2904-58-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2904-49-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download