a59bde49c765b57dcdb7ae428f4eee47f834c2220ad2d2b6e5f3c85dcb90b4fb

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6deb18a8497c3ecaae65b11999507320_NeikiAnalytics.exe
Size

90KB
MD5

6deb18a8497c3ecaae65b11999507320
SHA1

16e474ba4d9a0777b95a750acd9f0080154f34dc
SHA256

a59bde49c765b57dcdb7ae428f4eee47f834c2220ad2d2b6e5f3c85dcb90b4fb
SHA512

b4e1ee66efbb4ac45e304f5110808b11bee74904d6e610d9db68049c9c64b1ff9677f72e6ba73d3610b776c4e436aed971d1deb7e96a23a484ba0f95e5f79e7a
SSDEEP

768:Qvw9816vhKQLrof4/wQRNrfrunMxVFA3b7glws:YEGh0ofl2unMxVS3Hgz

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{22CE6EDB-AE53-4b0b-8DE8-3FBBAA538871}.exe{09BA6A26-BEF4-4841-A2A7-6852FE1C59AB}.exe{F236A3E3-7691-407d-9F55-EDE33C8775C0}.exe{0B46A6AE-9EF3-4e42-9EE9-4B5BF1FE3EAA}.exe6deb18a8497c3ecaae65b11999507320_NeikiAnalytics.exe{0B2E629D-A1CD-4370-B213-68415C83C1EF}.exe{340A7DB8-7830-442c-8E30-61A65BBABBDA}.exe{E6BD239A-0930-4322-AAFD-70B135196567}.exe{65C62947-F141-4bef-86A6-5BCD4E1E4238}.exe{ECB71133-0306-433f-8445-24F4A82D1A2D}.exe{1D07341F-9EF5-4eb7-961B-1D38F1889309}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09BA6A26-BEF4-4841-A2A7-6852FE1C59AB}	{22CE6EDB-AE53-4b0b-8DE8-3FBBAA538871}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B2E629D-A1CD-4370-B213-68415C83C1EF}\stubpath = "C:\\Windows\\{0B2E629D-A1CD-4370-B213-68415C83C1EF}.exe"	{09BA6A26-BEF4-4841-A2A7-6852FE1C59AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B46A6AE-9EF3-4e42-9EE9-4B5BF1FE3EAA}	{F236A3E3-7691-407d-9F55-EDE33C8775C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6BD239A-0930-4322-AAFD-70B135196567}	{0B46A6AE-9EF3-4e42-9EE9-4B5BF1FE3EAA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22CE6EDB-AE53-4b0b-8DE8-3FBBAA538871}	6deb18a8497c3ecaae65b11999507320_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09BA6A26-BEF4-4841-A2A7-6852FE1C59AB}\stubpath = "C:\\Windows\\{09BA6A26-BEF4-4841-A2A7-6852FE1C59AB}.exe"	{22CE6EDB-AE53-4b0b-8DE8-3FBBAA538871}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F236A3E3-7691-407d-9F55-EDE33C8775C0}	{0B2E629D-A1CD-4370-B213-68415C83C1EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D07341F-9EF5-4eb7-961B-1D38F1889309}	{340A7DB8-7830-442c-8E30-61A65BBABBDA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22CE6EDB-AE53-4b0b-8DE8-3FBBAA538871}\stubpath = "C:\\Windows\\{22CE6EDB-AE53-4b0b-8DE8-3FBBAA538871}.exe"	6deb18a8497c3ecaae65b11999507320_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B46A6AE-9EF3-4e42-9EE9-4B5BF1FE3EAA}\stubpath = "C:\\Windows\\{0B46A6AE-9EF3-4e42-9EE9-4B5BF1FE3EAA}.exe"	{F236A3E3-7691-407d-9F55-EDE33C8775C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6BD239A-0930-4322-AAFD-70B135196567}\stubpath = "C:\\Windows\\{E6BD239A-0930-4322-AAFD-70B135196567}.exe"	{0B46A6AE-9EF3-4e42-9EE9-4B5BF1FE3EAA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65C62947-F141-4bef-86A6-5BCD4E1E4238}	{E6BD239A-0930-4322-AAFD-70B135196567}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65C62947-F141-4bef-86A6-5BCD4E1E4238}\stubpath = "C:\\Windows\\{65C62947-F141-4bef-86A6-5BCD4E1E4238}.exe"	{E6BD239A-0930-4322-AAFD-70B135196567}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{340A7DB8-7830-442c-8E30-61A65BBABBDA}	{65C62947-F141-4bef-86A6-5BCD4E1E4238}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BDB1C29-33D9-4bba-B8A6-E17E0D0B2CB5}	{ECB71133-0306-433f-8445-24F4A82D1A2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F236A3E3-7691-407d-9F55-EDE33C8775C0}\stubpath = "C:\\Windows\\{F236A3E3-7691-407d-9F55-EDE33C8775C0}.exe"	{0B2E629D-A1CD-4370-B213-68415C83C1EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{340A7DB8-7830-442c-8E30-61A65BBABBDA}\stubpath = "C:\\Windows\\{340A7DB8-7830-442c-8E30-61A65BBABBDA}.exe"	{65C62947-F141-4bef-86A6-5BCD4E1E4238}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D07341F-9EF5-4eb7-961B-1D38F1889309}\stubpath = "C:\\Windows\\{1D07341F-9EF5-4eb7-961B-1D38F1889309}.exe"	{340A7DB8-7830-442c-8E30-61A65BBABBDA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECB71133-0306-433f-8445-24F4A82D1A2D}	{1D07341F-9EF5-4eb7-961B-1D38F1889309}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECB71133-0306-433f-8445-24F4A82D1A2D}\stubpath = "C:\\Windows\\{ECB71133-0306-433f-8445-24F4A82D1A2D}.exe"	{1D07341F-9EF5-4eb7-961B-1D38F1889309}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BDB1C29-33D9-4bba-B8A6-E17E0D0B2CB5}\stubpath = "C:\\Windows\\{0BDB1C29-33D9-4bba-B8A6-E17E0D0B2CB5}.exe"	{ECB71133-0306-433f-8445-24F4A82D1A2D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B2E629D-A1CD-4370-B213-68415C83C1EF}	{09BA6A26-BEF4-4841-A2A7-6852FE1C59AB}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2388 cmd.exe

pid	process
2388	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{22CE6EDB-AE53-4b0b-8DE8-3FBBAA538871}.exe{09BA6A26-BEF4-4841-A2A7-6852FE1C59AB}.exe{0B2E629D-A1CD-4370-B213-68415C83C1EF}.exe{F236A3E3-7691-407d-9F55-EDE33C8775C0}.exe{0B46A6AE-9EF3-4e42-9EE9-4B5BF1FE3EAA}.exe{E6BD239A-0930-4322-AAFD-70B135196567}.exe{65C62947-F141-4bef-86A6-5BCD4E1E4238}.exe{340A7DB8-7830-442c-8E30-61A65BBABBDA}.exe{1D07341F-9EF5-4eb7-961B-1D38F1889309}.exe{ECB71133-0306-433f-8445-24F4A82D1A2D}.exe{0BDB1C29-33D9-4bba-B8A6-E17E0D0B2CB5}.exe

pid	process
2224	{22CE6EDB-AE53-4b0b-8DE8-3FBBAA538871}.exe
2580	{09BA6A26-BEF4-4841-A2A7-6852FE1C59AB}.exe
2720	{0B2E629D-A1CD-4370-B213-68415C83C1EF}.exe
2412	{F236A3E3-7691-407d-9F55-EDE33C8775C0}.exe
1956	{0B46A6AE-9EF3-4e42-9EE9-4B5BF1FE3EAA}.exe
1952	{E6BD239A-0930-4322-AAFD-70B135196567}.exe
2020	{65C62947-F141-4bef-86A6-5BCD4E1E4238}.exe
1892	{340A7DB8-7830-442c-8E30-61A65BBABBDA}.exe
2940	{1D07341F-9EF5-4eb7-961B-1D38F1889309}.exe
536	{ECB71133-0306-433f-8445-24F4A82D1A2D}.exe
556	{0BDB1C29-33D9-4bba-B8A6-E17E0D0B2CB5}.exe

Drops file in Windows directory 11 IoCs

Processes:

{0B46A6AE-9EF3-4e42-9EE9-4B5BF1FE3EAA}.exe{E6BD239A-0930-4322-AAFD-70B135196567}.exe{340A7DB8-7830-442c-8E30-61A65BBABBDA}.exe{1D07341F-9EF5-4eb7-961B-1D38F1889309}.exe{ECB71133-0306-433f-8445-24F4A82D1A2D}.exe{22CE6EDB-AE53-4b0b-8DE8-3FBBAA538871}.exe{09BA6A26-BEF4-4841-A2A7-6852FE1C59AB}.exe{0B2E629D-A1CD-4370-B213-68415C83C1EF}.exe6deb18a8497c3ecaae65b11999507320_NeikiAnalytics.exe{F236A3E3-7691-407d-9F55-EDE33C8775C0}.exe{65C62947-F141-4bef-86A6-5BCD4E1E4238}.exe

description	ioc	process
File created	C:\Windows\{E6BD239A-0930-4322-AAFD-70B135196567}.exe	{0B46A6AE-9EF3-4e42-9EE9-4B5BF1FE3EAA}.exe
File created	C:\Windows\{65C62947-F141-4bef-86A6-5BCD4E1E4238}.exe	{E6BD239A-0930-4322-AAFD-70B135196567}.exe
File created	C:\Windows\{1D07341F-9EF5-4eb7-961B-1D38F1889309}.exe	{340A7DB8-7830-442c-8E30-61A65BBABBDA}.exe
File created	C:\Windows\{ECB71133-0306-433f-8445-24F4A82D1A2D}.exe	{1D07341F-9EF5-4eb7-961B-1D38F1889309}.exe
File created	C:\Windows\{0BDB1C29-33D9-4bba-B8A6-E17E0D0B2CB5}.exe	{ECB71133-0306-433f-8445-24F4A82D1A2D}.exe
File created	C:\Windows\{09BA6A26-BEF4-4841-A2A7-6852FE1C59AB}.exe	{22CE6EDB-AE53-4b0b-8DE8-3FBBAA538871}.exe
File created	C:\Windows\{0B2E629D-A1CD-4370-B213-68415C83C1EF}.exe	{09BA6A26-BEF4-4841-A2A7-6852FE1C59AB}.exe
File created	C:\Windows\{F236A3E3-7691-407d-9F55-EDE33C8775C0}.exe	{0B2E629D-A1CD-4370-B213-68415C83C1EF}.exe
File created	C:\Windows\{22CE6EDB-AE53-4b0b-8DE8-3FBBAA538871}.exe	6deb18a8497c3ecaae65b11999507320_NeikiAnalytics.exe
File created	C:\Windows\{0B46A6AE-9EF3-4e42-9EE9-4B5BF1FE3EAA}.exe	{F236A3E3-7691-407d-9F55-EDE33C8775C0}.exe
File created	C:\Windows\{340A7DB8-7830-442c-8E30-61A65BBABBDA}.exe	{65C62947-F141-4bef-86A6-5BCD4E1E4238}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

6deb18a8497c3ecaae65b11999507320_NeikiAnalytics.exe{22CE6EDB-AE53-4b0b-8DE8-3FBBAA538871}.exe{09BA6A26-BEF4-4841-A2A7-6852FE1C59AB}.exe{0B2E629D-A1CD-4370-B213-68415C83C1EF}.exe{F236A3E3-7691-407d-9F55-EDE33C8775C0}.exe{0B46A6AE-9EF3-4e42-9EE9-4B5BF1FE3EAA}.exe{E6BD239A-0930-4322-AAFD-70B135196567}.exe{65C62947-F141-4bef-86A6-5BCD4E1E4238}.exe{340A7DB8-7830-442c-8E30-61A65BBABBDA}.exe{1D07341F-9EF5-4eb7-961B-1D38F1889309}.exe{ECB71133-0306-433f-8445-24F4A82D1A2D}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	624	6deb18a8497c3ecaae65b11999507320_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2224	{22CE6EDB-AE53-4b0b-8DE8-3FBBAA538871}.exe
Token: SeIncBasePriorityPrivilege	2580	{09BA6A26-BEF4-4841-A2A7-6852FE1C59AB}.exe
Token: SeIncBasePriorityPrivilege	2720	{0B2E629D-A1CD-4370-B213-68415C83C1EF}.exe
Token: SeIncBasePriorityPrivilege	2412	{F236A3E3-7691-407d-9F55-EDE33C8775C0}.exe
Token: SeIncBasePriorityPrivilege	1956	{0B46A6AE-9EF3-4e42-9EE9-4B5BF1FE3EAA}.exe
Token: SeIncBasePriorityPrivilege	1952	{E6BD239A-0930-4322-AAFD-70B135196567}.exe
Token: SeIncBasePriorityPrivilege	2020	{65C62947-F141-4bef-86A6-5BCD4E1E4238}.exe
Token: SeIncBasePriorityPrivilege	1892	{340A7DB8-7830-442c-8E30-61A65BBABBDA}.exe
Token: SeIncBasePriorityPrivilege	2940	{1D07341F-9EF5-4eb7-961B-1D38F1889309}.exe
Token: SeIncBasePriorityPrivilege	536	{ECB71133-0306-433f-8445-24F4A82D1A2D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 624 wrote to memory of 2224	624	6deb18a8497c3ecaae65b11999507320_NeikiAnalytics.exe	{22CE6EDB-AE53-4b0b-8DE8-3FBBAA538871}.exe
PID 624 wrote to memory of 2224	624	6deb18a8497c3ecaae65b11999507320_NeikiAnalytics.exe	{22CE6EDB-AE53-4b0b-8DE8-3FBBAA538871}.exe
PID 624 wrote to memory of 2224	624	6deb18a8497c3ecaae65b11999507320_NeikiAnalytics.exe	{22CE6EDB-AE53-4b0b-8DE8-3FBBAA538871}.exe
PID 624 wrote to memory of 2224	624	6deb18a8497c3ecaae65b11999507320_NeikiAnalytics.exe	{22CE6EDB-AE53-4b0b-8DE8-3FBBAA538871}.exe
PID 624 wrote to memory of 2388	624	6deb18a8497c3ecaae65b11999507320_NeikiAnalytics.exe	cmd.exe
PID 624 wrote to memory of 2388	624	6deb18a8497c3ecaae65b11999507320_NeikiAnalytics.exe	cmd.exe
PID 624 wrote to memory of 2388	624	6deb18a8497c3ecaae65b11999507320_NeikiAnalytics.exe	cmd.exe
PID 624 wrote to memory of 2388	624	6deb18a8497c3ecaae65b11999507320_NeikiAnalytics.exe	cmd.exe
PID 2224 wrote to memory of 2580	2224	{22CE6EDB-AE53-4b0b-8DE8-3FBBAA538871}.exe	{09BA6A26-BEF4-4841-A2A7-6852FE1C59AB}.exe
PID 2224 wrote to memory of 2580	2224	{22CE6EDB-AE53-4b0b-8DE8-3FBBAA538871}.exe	{09BA6A26-BEF4-4841-A2A7-6852FE1C59AB}.exe
PID 2224 wrote to memory of 2580	2224	{22CE6EDB-AE53-4b0b-8DE8-3FBBAA538871}.exe	{09BA6A26-BEF4-4841-A2A7-6852FE1C59AB}.exe
PID 2224 wrote to memory of 2580	2224	{22CE6EDB-AE53-4b0b-8DE8-3FBBAA538871}.exe	{09BA6A26-BEF4-4841-A2A7-6852FE1C59AB}.exe
PID 2224 wrote to memory of 2672	2224	{22CE6EDB-AE53-4b0b-8DE8-3FBBAA538871}.exe	cmd.exe
PID 2224 wrote to memory of 2672	2224	{22CE6EDB-AE53-4b0b-8DE8-3FBBAA538871}.exe	cmd.exe
PID 2224 wrote to memory of 2672	2224	{22CE6EDB-AE53-4b0b-8DE8-3FBBAA538871}.exe	cmd.exe
PID 2224 wrote to memory of 2672	2224	{22CE6EDB-AE53-4b0b-8DE8-3FBBAA538871}.exe	cmd.exe
PID 2580 wrote to memory of 2720	2580	{09BA6A26-BEF4-4841-A2A7-6852FE1C59AB}.exe	{0B2E629D-A1CD-4370-B213-68415C83C1EF}.exe
PID 2580 wrote to memory of 2720	2580	{09BA6A26-BEF4-4841-A2A7-6852FE1C59AB}.exe	{0B2E629D-A1CD-4370-B213-68415C83C1EF}.exe
PID 2580 wrote to memory of 2720	2580	{09BA6A26-BEF4-4841-A2A7-6852FE1C59AB}.exe	{0B2E629D-A1CD-4370-B213-68415C83C1EF}.exe
PID 2580 wrote to memory of 2720	2580	{09BA6A26-BEF4-4841-A2A7-6852FE1C59AB}.exe	{0B2E629D-A1CD-4370-B213-68415C83C1EF}.exe
PID 2580 wrote to memory of 2568	2580	{09BA6A26-BEF4-4841-A2A7-6852FE1C59AB}.exe	cmd.exe
PID 2580 wrote to memory of 2568	2580	{09BA6A26-BEF4-4841-A2A7-6852FE1C59AB}.exe	cmd.exe
PID 2580 wrote to memory of 2568	2580	{09BA6A26-BEF4-4841-A2A7-6852FE1C59AB}.exe	cmd.exe
PID 2580 wrote to memory of 2568	2580	{09BA6A26-BEF4-4841-A2A7-6852FE1C59AB}.exe	cmd.exe
PID 2720 wrote to memory of 2412	2720	{0B2E629D-A1CD-4370-B213-68415C83C1EF}.exe	{F236A3E3-7691-407d-9F55-EDE33C8775C0}.exe
PID 2720 wrote to memory of 2412	2720	{0B2E629D-A1CD-4370-B213-68415C83C1EF}.exe	{F236A3E3-7691-407d-9F55-EDE33C8775C0}.exe
PID 2720 wrote to memory of 2412	2720	{0B2E629D-A1CD-4370-B213-68415C83C1EF}.exe	{F236A3E3-7691-407d-9F55-EDE33C8775C0}.exe
PID 2720 wrote to memory of 2412	2720	{0B2E629D-A1CD-4370-B213-68415C83C1EF}.exe	{F236A3E3-7691-407d-9F55-EDE33C8775C0}.exe
PID 2720 wrote to memory of 2924	2720	{0B2E629D-A1CD-4370-B213-68415C83C1EF}.exe	cmd.exe
PID 2720 wrote to memory of 2924	2720	{0B2E629D-A1CD-4370-B213-68415C83C1EF}.exe	cmd.exe
PID 2720 wrote to memory of 2924	2720	{0B2E629D-A1CD-4370-B213-68415C83C1EF}.exe	cmd.exe
PID 2720 wrote to memory of 2924	2720	{0B2E629D-A1CD-4370-B213-68415C83C1EF}.exe	cmd.exe
PID 2412 wrote to memory of 1956	2412	{F236A3E3-7691-407d-9F55-EDE33C8775C0}.exe	{0B46A6AE-9EF3-4e42-9EE9-4B5BF1FE3EAA}.exe
PID 2412 wrote to memory of 1956	2412	{F236A3E3-7691-407d-9F55-EDE33C8775C0}.exe	{0B46A6AE-9EF3-4e42-9EE9-4B5BF1FE3EAA}.exe
PID 2412 wrote to memory of 1956	2412	{F236A3E3-7691-407d-9F55-EDE33C8775C0}.exe	{0B46A6AE-9EF3-4e42-9EE9-4B5BF1FE3EAA}.exe
PID 2412 wrote to memory of 1956	2412	{F236A3E3-7691-407d-9F55-EDE33C8775C0}.exe	{0B46A6AE-9EF3-4e42-9EE9-4B5BF1FE3EAA}.exe
PID 2412 wrote to memory of 2748	2412	{F236A3E3-7691-407d-9F55-EDE33C8775C0}.exe	cmd.exe
PID 2412 wrote to memory of 2748	2412	{F236A3E3-7691-407d-9F55-EDE33C8775C0}.exe	cmd.exe
PID 2412 wrote to memory of 2748	2412	{F236A3E3-7691-407d-9F55-EDE33C8775C0}.exe	cmd.exe
PID 2412 wrote to memory of 2748	2412	{F236A3E3-7691-407d-9F55-EDE33C8775C0}.exe	cmd.exe
PID 1956 wrote to memory of 1952	1956	{0B46A6AE-9EF3-4e42-9EE9-4B5BF1FE3EAA}.exe	{E6BD239A-0930-4322-AAFD-70B135196567}.exe
PID 1956 wrote to memory of 1952	1956	{0B46A6AE-9EF3-4e42-9EE9-4B5BF1FE3EAA}.exe	{E6BD239A-0930-4322-AAFD-70B135196567}.exe
PID 1956 wrote to memory of 1952	1956	{0B46A6AE-9EF3-4e42-9EE9-4B5BF1FE3EAA}.exe	{E6BD239A-0930-4322-AAFD-70B135196567}.exe
PID 1956 wrote to memory of 1952	1956	{0B46A6AE-9EF3-4e42-9EE9-4B5BF1FE3EAA}.exe	{E6BD239A-0930-4322-AAFD-70B135196567}.exe
PID 1956 wrote to memory of 2764	1956	{0B46A6AE-9EF3-4e42-9EE9-4B5BF1FE3EAA}.exe	cmd.exe
PID 1956 wrote to memory of 2764	1956	{0B46A6AE-9EF3-4e42-9EE9-4B5BF1FE3EAA}.exe	cmd.exe
PID 1956 wrote to memory of 2764	1956	{0B46A6AE-9EF3-4e42-9EE9-4B5BF1FE3EAA}.exe	cmd.exe
PID 1956 wrote to memory of 2764	1956	{0B46A6AE-9EF3-4e42-9EE9-4B5BF1FE3EAA}.exe	cmd.exe
PID 1952 wrote to memory of 2020	1952	{E6BD239A-0930-4322-AAFD-70B135196567}.exe	{65C62947-F141-4bef-86A6-5BCD4E1E4238}.exe
PID 1952 wrote to memory of 2020	1952	{E6BD239A-0930-4322-AAFD-70B135196567}.exe	{65C62947-F141-4bef-86A6-5BCD4E1E4238}.exe
PID 1952 wrote to memory of 2020	1952	{E6BD239A-0930-4322-AAFD-70B135196567}.exe	{65C62947-F141-4bef-86A6-5BCD4E1E4238}.exe
PID 1952 wrote to memory of 2020	1952	{E6BD239A-0930-4322-AAFD-70B135196567}.exe	{65C62947-F141-4bef-86A6-5BCD4E1E4238}.exe
PID 1952 wrote to memory of 2740	1952	{E6BD239A-0930-4322-AAFD-70B135196567}.exe	cmd.exe
PID 1952 wrote to memory of 2740	1952	{E6BD239A-0930-4322-AAFD-70B135196567}.exe	cmd.exe
PID 1952 wrote to memory of 2740	1952	{E6BD239A-0930-4322-AAFD-70B135196567}.exe	cmd.exe
PID 1952 wrote to memory of 2740	1952	{E6BD239A-0930-4322-AAFD-70B135196567}.exe	cmd.exe
PID 2020 wrote to memory of 1892	2020	{65C62947-F141-4bef-86A6-5BCD4E1E4238}.exe	{340A7DB8-7830-442c-8E30-61A65BBABBDA}.exe
PID 2020 wrote to memory of 1892	2020	{65C62947-F141-4bef-86A6-5BCD4E1E4238}.exe	{340A7DB8-7830-442c-8E30-61A65BBABBDA}.exe
PID 2020 wrote to memory of 1892	2020	{65C62947-F141-4bef-86A6-5BCD4E1E4238}.exe	{340A7DB8-7830-442c-8E30-61A65BBABBDA}.exe
PID 2020 wrote to memory of 1892	2020	{65C62947-F141-4bef-86A6-5BCD4E1E4238}.exe	{340A7DB8-7830-442c-8E30-61A65BBABBDA}.exe
PID 2020 wrote to memory of 1640	2020	{65C62947-F141-4bef-86A6-5BCD4E1E4238}.exe	cmd.exe
PID 2020 wrote to memory of 1640	2020	{65C62947-F141-4bef-86A6-5BCD4E1E4238}.exe	cmd.exe
PID 2020 wrote to memory of 1640	2020	{65C62947-F141-4bef-86A6-5BCD4E1E4238}.exe	cmd.exe
PID 2020 wrote to memory of 1640	2020	{65C62947-F141-4bef-86A6-5BCD4E1E4238}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\6deb18a8497c3ecaae65b11999507320_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6deb18a8497c3ecaae65b11999507320_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:624

C:\Windows\{22CE6EDB-AE53-4b0b-8DE8-3FBBAA538871}.exe
C:\Windows\{22CE6EDB-AE53-4b0b-8DE8-3FBBAA538871}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224

C:\Windows\{09BA6A26-BEF4-4841-A2A7-6852FE1C59AB}.exe
C:\Windows\{09BA6A26-BEF4-4841-A2A7-6852FE1C59AB}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\{0B2E629D-A1CD-4370-B213-68415C83C1EF}.exe
C:\Windows\{0B2E629D-A1CD-4370-B213-68415C83C1EF}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\{F236A3E3-7691-407d-9F55-EDE33C8775C0}.exe
C:\Windows\{F236A3E3-7691-407d-9F55-EDE33C8775C0}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\{0B46A6AE-9EF3-4e42-9EE9-4B5BF1FE3EAA}.exe
C:\Windows\{0B46A6AE-9EF3-4e42-9EE9-4B5BF1FE3EAA}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\{E6BD239A-0930-4322-AAFD-70B135196567}.exe
C:\Windows\{E6BD239A-0930-4322-AAFD-70B135196567}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\{65C62947-F141-4bef-86A6-5BCD4E1E4238}.exe
C:\Windows\{65C62947-F141-4bef-86A6-5BCD4E1E4238}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\{340A7DB8-7830-442c-8E30-61A65BBABBDA}.exe
C:\Windows\{340A7DB8-7830-442c-8E30-61A65BBABBDA}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Windows\{1D07341F-9EF5-4eb7-961B-1D38F1889309}.exe
C:\Windows\{1D07341F-9EF5-4eb7-961B-1D38F1889309}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Windows\{ECB71133-0306-433f-8445-24F4A82D1A2D}.exe
C:\Windows\{ECB71133-0306-433f-8445-24F4A82D1A2D}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:536

C:\Windows\{0BDB1C29-33D9-4bba-B8A6-E17E0D0B2CB5}.exe
C:\Windows\{0BDB1C29-33D9-4bba-B8A6-E17E0D0B2CB5}.exe
12⤵
- Executes dropped EXE
PID:556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{ECB71~1.EXE > nul
12⤵
PID:1900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{1D073~1.EXE > nul
11⤵
PID:1728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{340A7~1.EXE > nul
10⤵
PID:2408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{65C62~1.EXE > nul
9⤵
PID:1640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E6BD2~1.EXE > nul
8⤵
PID:2740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0B46A~1.EXE > nul
7⤵
PID:2764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F236A~1.EXE > nul
6⤵
PID:2748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0B2E6~1.EXE > nul
5⤵
PID:2924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{09BA6~1.EXE > nul
4⤵
PID:2568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{22CE6~1.EXE > nul
3⤵
PID:2672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6DEB18~1.EXE > nul
2⤵
- Deletes itself
PID:2388

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09BA6A26-BEF4-4841-A2A7-6852FE1C59AB}.exe
Filesize
90KB

MD5
2c9cc57d5b5c096f072a76d35679e5d5

SHA1
6d325305c48b6f9e6a26ef80ff95d464c16dd262

SHA256
3586ba90313e0dec95448fb4e04f43fa20b4bde4b9ee2acb5bb6acb8ecf1b14d

SHA512
da305861bbff55dc439a985f8a6b78e223124561f43a7cce31be3e5f54c74f60e0b883c162e3709a99f0341c6526ebeba00eafd02d9d357b9e48e71996795706

Download Submit
C:\Windows\{0B2E629D-A1CD-4370-B213-68415C83C1EF}.exe
Filesize
90KB

MD5
82ebd7ac3e8839a2e7eca7e4ccef64ef

SHA1
d147bcad7b1313cb4059326020ad440f272c8b91

SHA256
4ec1d764fbf0c43a8395326f2c730c1214b06e939207eaf688a7a1e362531643

SHA512
0169f1cf0b92842f7b9d99cfaa78840914b0dea889dcacd5feba1532dc468bc7e2442501b54683dcf0a6b0256a52943ea9a48df56d80c2ef1f63d7c0bb34ef67

Download Submit
C:\Windows\{0B46A6AE-9EF3-4e42-9EE9-4B5BF1FE3EAA}.exe
Filesize
90KB

MD5
4a593e5d5022dadbead951bb7ad80a52

SHA1
4e3c0899ef333c91325c7e16c22c889feadcc376

SHA256
1395e8a1717dc954a21545f25368ad937ae9434ea56d503c8b0b3dfc3072275e

SHA512
0879d236a6cc12274da2d1fa7719c9bac681bf2889e2dc40c3c1709b62576417ad05d4b4ebc071fa5593f11e68934daa3fdb4b693d1ec266b9f2605c0a5bc7c1

Download Submit
C:\Windows\{0BDB1C29-33D9-4bba-B8A6-E17E0D0B2CB5}.exe
Filesize
90KB

MD5
7fdd83495a750b9b4e3eaf308bbda4d8

SHA1
92630ba319a04ed84c54dd56c8811e28bbe1c76b

SHA256
2c29c1264b27ad2778c339104bfa1b6c23f3eeb92e71b28d97138261667a1565

SHA512
c9d57a5cbe8a78b85bf4d40f0be99d162591f9735d38da48f19205fdbe6f6b4d6e94d370d39ef294899835dcb12761ab0eab4e287d51e060c87c525be3623896

Download Submit
C:\Windows\{1D07341F-9EF5-4eb7-961B-1D38F1889309}.exe
Filesize
90KB

MD5
5254c8c0575f87ef6bc61c0056fad359

SHA1
3bcdb0b24644e867f1d580e6e1fca736d026193f

SHA256
e69005fc5b11c505580ae39365bf4e7f04e436a129a15ed1d22717abe3e5b13b

SHA512
a0b7e7d49d60b0336984e5c4592d59d0c0d85d93e0f8c86529eaee7d53e85e2edab5f381dff5884513a221d8afd044163604d33f2f157e04830a4286cdeb6540

Download Submit
C:\Windows\{22CE6EDB-AE53-4b0b-8DE8-3FBBAA538871}.exe
Filesize
90KB

MD5
22b4197ab6c511e4a053d13979200f92

SHA1
96a4985437854f997c65b498df5a9d78db485237

SHA256
171b17687612579d540cc8d8be84d93b57cc899c90c7cebedae0e0bc669991a3

SHA512
aa343aa820e817635ddc621536b22cc74fb41eace982e1ca3a3ed55d434109712c14de2a480c72b67d263992d50f6792863853dc0ec1d63752c62807f58de277

Download Submit
C:\Windows\{340A7DB8-7830-442c-8E30-61A65BBABBDA}.exe
Filesize
90KB

MD5
0f89630bde84ac13c8e708f978938a88

SHA1
7e48f88b2ef0d259e98770fc8d0919e3f7278934

SHA256
5dfcc9a79bbac039d86a35536ebc22e110abb7981222ebb59373d0cb46cbcaeb

SHA512
e01cacdc5fd815b5f6e70e6d928c6db7a1e3b935e76b83ed252f51455911c32773d4b11e855b6d9a16e15e4820e184d0e5b1140893008bfa0cb2a94232667da7

Download Submit
C:\Windows\{65C62947-F141-4bef-86A6-5BCD4E1E4238}.exe
Filesize
90KB

MD5
8570a1647e91a7b43f17ff5c64ce7f12

SHA1
c9dbf3dfa3d0c17c19eaf5ed0097d9fa36b5e15c

SHA256
c7ef6468a22e89cedbbbaf1597a15d3775f862f6c42105bac9479b52cd2a13e2

SHA512
b90d643ca13f42166eced52a02d6cff0c243a7c8a4010e91820508925c4b5746b3255f3078bfdb501158decddc0c28099923bbce92d0164e9ed23ab682077f9c

Download Submit
C:\Windows\{E6BD239A-0930-4322-AAFD-70B135196567}.exe
Filesize
90KB

MD5
ee5d8d18dbdc1ced2f67487b2c446b39

SHA1
f0974dbc9a91f11030d65274ce0bb69c8c4e1138

SHA256
3a5bcdcb6c87c141ddfe4e0d87bed8f131933ee85f47015a1d744fc15551f196

SHA512
06cb1a40ace296a114da9292260e169bfd2b5ed8806eb7d349af6c60b9fd3e2f05ae63609431a070212168db32ece28d7d6d21038161584a3ecf0f3d5c4d8016

Download Submit
C:\Windows\{ECB71133-0306-433f-8445-24F4A82D1A2D}.exe
Filesize
90KB

MD5
4b406c2f9811ecc8620b71ffa501c68c

SHA1
c81197800c409ec036e997bf4dfceb4033e7246a

SHA256
9407a6e18bf4b5eb6003cb9675536b5570ac515f0b16493b8c2518f1a20e9a4e

SHA512
df6cdf96e64aedc57b5376fe892e1546e3bb6875f0e8227ab8693da7d56ac323d575b747be9ba94959a806921989122301040f6b39415bfa9f5370792d9e3182

Download Submit
C:\Windows\{F236A3E3-7691-407d-9F55-EDE33C8775C0}.exe
Filesize
90KB

MD5
0e31fecd715577dc73a9307c6d9577a6

SHA1
3a0e30d820b3bd94c299387e503741eacd1bf0a2

SHA256
daefa1191a551cfa5d5bafd89baa0ff2ee58e34d9f9362089f38efc3fa818467

SHA512
2bd32e7fe6a7fd7c939acc8ef6d95f6891d46a408725e33d5c379ca4b7a712f9532c089f0b37335df502620045f908727a3d79d37c0a561c437ea23251d872e2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads