Overview

overview

8

Static

static

3

6deb18a849...cs.exe

windows7-x64

8

6deb18a849...cs.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 01:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6deb18a8497c3ecaae65b11999507320_NeikiAnalytics.exe

  • Size

    90KB

  • MD5

    6deb18a8497c3ecaae65b11999507320

  • SHA1

    16e474ba4d9a0777b95a750acd9f0080154f34dc

  • SHA256

    a59bde49c765b57dcdb7ae428f4eee47f834c2220ad2d2b6e5f3c85dcb90b4fb

  • SHA512

    b4e1ee66efbb4ac45e304f5110808b11bee74904d6e610d9db68049c9c64b1ff9677f72e6ba73d3610b776c4e436aed971d1deb7e96a23a484ba0f95e5f79e7a

  • SSDEEP

    768:Qvw9816vhKQLrof4/wQRNrfrunMxVFA3b7glws:YEGh0ofl2unMxVS3Hgz

Score
8/10
persistence

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 20 IoCs
    persistence
  • Executes dropped EXE 9 IoCs
  • Drops file in Windows directory 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6deb18a8497c3ecaae65b11999507320_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\6deb18a8497c3ecaae65b11999507320_NeikiAnalytics.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4060
    • C:\Windows\{8C373862-E8D8-41cc-A398-6E3389479498}.exe
      C:\Windows\{8C373862-E8D8-41cc-A398-6E3389479498}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4748
      • C:\Windows\{FBB23944-DB7C-4ecb-9C85-BE5914661F3F}.exe
        C:\Windows\{FBB23944-DB7C-4ecb-9C85-BE5914661F3F}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3924
        • C:\Windows\{8CB5F0C1-5843-493a-BEE5-86B47FB65B6F}.exe
          C:\Windows\{8CB5F0C1-5843-493a-BEE5-86B47FB65B6F}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2104
          • C:\Windows\{C9F49FAF-975A-44f3-9DD5-96B094519009}.exe
            C:\Windows\{C9F49FAF-975A-44f3-9DD5-96B094519009}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3124
            • C:\Windows\{E6739505-CE68-4908-9FCC-3C5BEBDF086B}.exe
              C:\Windows\{E6739505-CE68-4908-9FCC-3C5BEBDF086B}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              PID:2628
              • C:\Windows\{B64F911E-C64F-4589-BAC0-FBA1C98CDC40}.exe
                C:\Windows\{B64F911E-C64F-4589-BAC0-FBA1C98CDC40}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1884
                • C:\Windows\{8A456EC5-7A6E-4f6b-9B9A-1B6BF7F076FD}.exe
                  C:\Windows\{8A456EC5-7A6E-4f6b-9B9A-1B6BF7F076FD}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2728
                  • C:\Windows\{3589E43E-8B20-4946-8FD7-1D646B871C66}.exe
                    C:\Windows\{3589E43E-8B20-4946-8FD7-1D646B871C66}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4576
                    • C:\Windows\{2CE42E87-0543-4d5a-9986-64734CC49CAB}.exe
                      C:\Windows\{2CE42E87-0543-4d5a-9986-64734CC49CAB}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3012
                      • C:\Windows\{D379A1E5-7522-4c4c-A31D-83BCF6BF74AA}.exe
                        C:\Windows\{D379A1E5-7522-4c4c-A31D-83BCF6BF74AA}.exe
                        11⤵
                        • Executes dropped EXE
                        PID:760
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{2CE42~1.EXE > nul
                        11⤵
                          PID:2076
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{3589E~1.EXE > nul
                        10⤵
                          PID:2412
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A456~1.EXE > nul
                        9⤵
                          PID:564
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{B64F9~1.EXE > nul
                        8⤵
                          PID:4628
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6739~1.EXE > nul
                        7⤵
                          PID:440
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9F49~1.EXE > nul
                        6⤵
                          PID:4324
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{8CB5F~1.EXE > nul
                        5⤵
                          PID:3528
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{FBB23~1.EXE > nul
                        4⤵
                          PID:5116
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C373~1.EXE > nul
                        3⤵
                          PID:1544
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6DEB18~1.EXE > nul
                        2⤵
                          PID:2520
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3376 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
                        1⤵
                          PID:780

                        Network

                        MITRE ATT&CK Matrix ATT&CK v13

                        Initial Access

                        Execution

                        Persistence

                        Boot or Logon Autostart Execution

                        1
                        T1547

                        Registry Run Keys / Startup Folder

                        1
                        T1547.001

                        Privilege Escalation

                        Boot or Logon Autostart Execution

                        1
                        T1547

                        Registry Run Keys / Startup Folder

                        1
                        T1547.001

                        Defense Evasion

                        Modify Registry

                        1
                        T1112

                        Credential Access

                        Discovery

                        Lateral Movement

                        Collection

                        Exfiltration

                        Command and Control

                        Impact

                        Resource Development

                        Reconnaissance

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Windows\{2CE42E87-0543-4d5a-9986-64734CC49CAB}.exe
                          Filesize

                          90KB

                          MD5

                          9b65cd9bd3ce537631042eb1f0d3ca0e

                          SHA1

                          083d20f9ccada316a52a0c6ac419ccff45fcf08b

                          SHA256

                          81e1ead13b4b8e05982770d132c8a66a190f244be9c4848e7e11ea7dfa117508

                          SHA512

                          71ebd4d64e2c18ecc8fe48614901e6f98837d054d7f738e06d455251926c87d5c0d20bd54a4524c5801c5d5a30ba75615055187b8d23e4baab37585f37af0b97

                          Download Submit
                        • C:\Windows\{3589E43E-8B20-4946-8FD7-1D646B871C66}.exe
                          Filesize

                          90KB

                          MD5

                          e7e0dc7ab267c28c94d99f041bb7c710

                          SHA1

                          36a1a21e079ec7c9dd934dc31afe2b4781f630d0

                          SHA256

                          44763b03bc34e0b9eeb6cb5776473fb98550d650a0fa6bd6959efe8f92d6ea84

                          SHA512

                          f5b3ff672e630edc92e16b4a9a94c970c4faa95192798643d02dcc34d0c2af3ffe0cbda31d1a70533e9a3cd00298a3ce17fd09204e56f683bd395ba2d0020178

                          Download Submit
                        • C:\Windows\{8A456EC5-7A6E-4f6b-9B9A-1B6BF7F076FD}.exe
                          Filesize

                          90KB

                          MD5

                          2512f367742a22cfd60a90edb547889b

                          SHA1

                          a2d47ecaf3bf3f099e96a9987aa99c21a5bd2b5a

                          SHA256

                          d47a6e8a8774eb0b53fb2579a0f3880f57da66640c3b3ff92229366700b90463

                          SHA512

                          b10effc0ec0c93d5853385cb5bdd1c3028eaad8488560f09df96b8448802178148223239a1fd222dbe3ad136136ec2caa901fae4b7b38aa42cad425bea5e92af

                          Download Submit
                        • C:\Windows\{8C373862-E8D8-41cc-A398-6E3389479498}.exe
                          Filesize

                          90KB

                          MD5

                          1c8a358f2f26491f76ffc19be1769cb5

                          SHA1

                          61388bdb7d5c61e339636f074350b810a3b6a81a

                          SHA256

                          7be324d3607b7f775be44963230ccef95f2c52e3b5655fe8026e0a3073656ffb

                          SHA512

                          116c3eb36702c39c08c9619d63d32d4fe40039fd5a2c7e6f6eb041aa903ce4d03643d83f157b9b64071dce68a92f249a28c70da3e823ca4c0e138db426db1f39

                          Download Submit
                        • C:\Windows\{8CB5F0C1-5843-493a-BEE5-86B47FB65B6F}.exe
                          Filesize

                          90KB

                          MD5

                          5de6a5b8ea838b58e48d552a908bf0ac

                          SHA1

                          257e37f2a779730101c9bc4b80ee8eefd2376874

                          SHA256

                          1de18469c38f5cea263a310ff937ca8317a18955622150b19107fb33ea946724

                          SHA512

                          e363c94099be04390c2d2a118bd34d01fcad3f96c9e969b5f534f29f15e10a92ed232df466122a56f2625bab129c146f2c3491c26b93b7447fe8c07ca1bb1733

                          Download Submit
                        • C:\Windows\{C9F49FAF-975A-44f3-9DD5-96B094519009}.exe
                          Filesize

                          90KB

                          MD5

                          276ef0d5a17073f522d3f021d030c20b

                          SHA1

                          0a143fe5ddac6ba884ba068a9aa323613eac265b

                          SHA256

                          f56c10f7d22db6968d12e5cf8de4b8004890fd877b81380e11ca431653e61533

                          SHA512

                          b4ec49d78ba0a1597e10db66a3d83b6a0c1a24d7acc51f6c1fcfd6b793446dc3cb33372a4852d4a970b06a7d0d6c7ed807031597d94f28763441d6aa47eb3fc3

                          Download Submit
                        • C:\Windows\{D379A1E5-7522-4c4c-A31D-83BCF6BF74AA}.exe
                          Filesize

                          90KB

                          MD5

                          91664b0dfb0768ec3b6491926e48996e

                          SHA1

                          12cd28608f8e391a681f537b901eb9631155abea

                          SHA256

                          d2ce89a3574b86b8ca4034e287a25118523b96c3ab391f3b1cb58be43c592ec1

                          SHA512

                          310dee4a2ee29da225d520b0f7a404cadb49a33c1eb7e77e780395b2fb4390cc1446a9cfcebac70744cdfb3c12b9789c3cfc7f1fdb34d940a023dbbc4d508765

                          Download Submit
                        • C:\Windows\{E6739505-CE68-4908-9FCC-3C5BEBDF086B}.exe
                          Filesize

                          90KB

                          MD5

                          547cf556d6986a67f50981cc6e124610

                          SHA1

                          b18b24aa994dad715318dfe5a83d7fc6cc520156

                          SHA256

                          db8c211d966d8e13f9307df6b5478ffcbcc7f3862e62000b5b35ae20ede42383

                          SHA512

                          c0e7f09cbb043710bfbab1989cde36786ba823ab2644e33b13cfa1a52c31eff1ab5cdcf6ff1e369416cbc5c73e3012ba8698491a153bd59f199a842c033112be

                          Download Submit
                        • C:\Windows\{FBB23944-DB7C-4ecb-9C85-BE5914661F3F}.exe
                          Filesize

                          90KB

                          MD5

                          30eaa7138bc356d675d64b326c6e8812

                          SHA1

                          c3ab731afa57c6e95ea7373d9d8d387ae4c1a43f

                          SHA256

                          59aba494f2d828517dd0901441f9fb39149f3dfd61936a91b0f3b8a26344f010

                          SHA512

                          6c9ce842f805cefac2eb952baaa07a170858b0d9db2bda1d7e67e67217d28cd3ac50e28e4bf0ae31e1406a7eb203f4ea4b037b2f8ec0bba7f2f1d5e1dcbbfbdc

                          Download Submit
                        • memory/2628-19-0x00000000039A0000-0x0000000003A7B000-memory.dmp
                          Filesize

                          876KB

                          Download
                        • memory/2628-20-0x00000000038C0000-0x000000000399B000-memory.dmp
                          Filesize

                          876KB

                          Download