644166b8a2731b21dc26aaf580997fdcbecd7946e6e550f73a114f4f53eac6b8

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

752512bd8420ade861113fafa0946ab0_NeikiAnalytics.exe
Size

90KB
MD5

752512bd8420ade861113fafa0946ab0
SHA1

f728cf03128e088aeff886246f8d2146e873b176
SHA256

644166b8a2731b21dc26aaf580997fdcbecd7946e6e550f73a114f4f53eac6b8
SHA512

10a1d043ef0cad1463153976f7839c85c3b3db6636ce69c818cdf9b269cc838e490ed7d481dcc5a0a30a869ce678ec6f250de2ca5f1b3958afab55d68e0c9569
SSDEEP

768:Qvw9816vhKQLro14/wQRNrfrunMxVFA3b7glws:YEGh0o1l2unMxVS3Hgz

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

752512bd8420ade861113fafa0946ab0_NeikiAnalytics.exe{232E3FF6-C941-4622-94B0-2012DAE5DB97}.exe{A91D41CA-859A-4d32-8917-F0C953E9DA1D}.exe{BDDCFA28-7826-4d4d-A18C-83C370655CAD}.exe{D5CFFC7F-9D49-46ac-8ED1-305382383236}.exe{76F0D2BE-1BAF-45fb-8036-45C985906F86}.exe{84F94243-98EC-41b2-B79D-B68B081CBA23}.exe{6E1045AE-BCD4-4740-9C63-4E67CDB1CB76}.exe{054745B6-5EFE-4897-977D-7AF3BF846DB9}.exe{7331E198-47FA-463e-8015-CC3CEBB91D15}.exe{B8449996-04E1-4b49-8C68-1CAEAA97DD4A}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8449996-04E1-4b49-8C68-1CAEAA97DD4A}	752512bd8420ade861113fafa0946ab0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84F94243-98EC-41b2-B79D-B68B081CBA23}	{232E3FF6-C941-4622-94B0-2012DAE5DB97}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BDDCFA28-7826-4d4d-A18C-83C370655CAD}	{A91D41CA-859A-4d32-8917-F0C953E9DA1D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{398E444B-8929-41d1-9AC7-038BCEE2F907}	{BDDCFA28-7826-4d4d-A18C-83C370655CAD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{398E444B-8929-41d1-9AC7-038BCEE2F907}\stubpath = "C:\\Windows\\{398E444B-8929-41d1-9AC7-038BCEE2F907}.exe"	{BDDCFA28-7826-4d4d-A18C-83C370655CAD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A91D41CA-859A-4d32-8917-F0C953E9DA1D}\stubpath = "C:\\Windows\\{A91D41CA-859A-4d32-8917-F0C953E9DA1D}.exe"	{D5CFFC7F-9D49-46ac-8ED1-305382383236}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{232E3FF6-C941-4622-94B0-2012DAE5DB97}	{76F0D2BE-1BAF-45fb-8036-45C985906F86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{232E3FF6-C941-4622-94B0-2012DAE5DB97}\stubpath = "C:\\Windows\\{232E3FF6-C941-4622-94B0-2012DAE5DB97}.exe"	{76F0D2BE-1BAF-45fb-8036-45C985906F86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E1045AE-BCD4-4740-9C63-4E67CDB1CB76}\stubpath = "C:\\Windows\\{6E1045AE-BCD4-4740-9C63-4E67CDB1CB76}.exe"	{84F94243-98EC-41b2-B79D-B68B081CBA23}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7331E198-47FA-463e-8015-CC3CEBB91D15}	{6E1045AE-BCD4-4740-9C63-4E67CDB1CB76}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A91D41CA-859A-4d32-8917-F0C953E9DA1D}	{D5CFFC7F-9D49-46ac-8ED1-305382383236}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76F0D2BE-1BAF-45fb-8036-45C985906F86}	{054745B6-5EFE-4897-977D-7AF3BF846DB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76F0D2BE-1BAF-45fb-8036-45C985906F86}\stubpath = "C:\\Windows\\{76F0D2BE-1BAF-45fb-8036-45C985906F86}.exe"	{054745B6-5EFE-4897-977D-7AF3BF846DB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7331E198-47FA-463e-8015-CC3CEBB91D15}\stubpath = "C:\\Windows\\{7331E198-47FA-463e-8015-CC3CEBB91D15}.exe"	{6E1045AE-BCD4-4740-9C63-4E67CDB1CB76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5CFFC7F-9D49-46ac-8ED1-305382383236}\stubpath = "C:\\Windows\\{D5CFFC7F-9D49-46ac-8ED1-305382383236}.exe"	{7331E198-47FA-463e-8015-CC3CEBB91D15}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BDDCFA28-7826-4d4d-A18C-83C370655CAD}\stubpath = "C:\\Windows\\{BDDCFA28-7826-4d4d-A18C-83C370655CAD}.exe"	{A91D41CA-859A-4d32-8917-F0C953E9DA1D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5CFFC7F-9D49-46ac-8ED1-305382383236}	{7331E198-47FA-463e-8015-CC3CEBB91D15}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8449996-04E1-4b49-8C68-1CAEAA97DD4A}\stubpath = "C:\\Windows\\{B8449996-04E1-4b49-8C68-1CAEAA97DD4A}.exe"	752512bd8420ade861113fafa0946ab0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{054745B6-5EFE-4897-977D-7AF3BF846DB9}	{B8449996-04E1-4b49-8C68-1CAEAA97DD4A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{054745B6-5EFE-4897-977D-7AF3BF846DB9}\stubpath = "C:\\Windows\\{054745B6-5EFE-4897-977D-7AF3BF846DB9}.exe"	{B8449996-04E1-4b49-8C68-1CAEAA97DD4A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84F94243-98EC-41b2-B79D-B68B081CBA23}\stubpath = "C:\\Windows\\{84F94243-98EC-41b2-B79D-B68B081CBA23}.exe"	{232E3FF6-C941-4622-94B0-2012DAE5DB97}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E1045AE-BCD4-4740-9C63-4E67CDB1CB76}	{84F94243-98EC-41b2-B79D-B68B081CBA23}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

3068 cmd.exe

pid	process
3068	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{B8449996-04E1-4b49-8C68-1CAEAA97DD4A}.exe{054745B6-5EFE-4897-977D-7AF3BF846DB9}.exe{76F0D2BE-1BAF-45fb-8036-45C985906F86}.exe{232E3FF6-C941-4622-94B0-2012DAE5DB97}.exe{84F94243-98EC-41b2-B79D-B68B081CBA23}.exe{6E1045AE-BCD4-4740-9C63-4E67CDB1CB76}.exe{7331E198-47FA-463e-8015-CC3CEBB91D15}.exe{D5CFFC7F-9D49-46ac-8ED1-305382383236}.exe{A91D41CA-859A-4d32-8917-F0C953E9DA1D}.exe{BDDCFA28-7826-4d4d-A18C-83C370655CAD}.exe{398E444B-8929-41d1-9AC7-038BCEE2F907}.exe

pid	process
2836	{B8449996-04E1-4b49-8C68-1CAEAA97DD4A}.exe
2920	{054745B6-5EFE-4897-977D-7AF3BF846DB9}.exe
2748	{76F0D2BE-1BAF-45fb-8036-45C985906F86}.exe
2364	{232E3FF6-C941-4622-94B0-2012DAE5DB97}.exe
2848	{84F94243-98EC-41b2-B79D-B68B081CBA23}.exe
2972	{6E1045AE-BCD4-4740-9C63-4E67CDB1CB76}.exe
300	{7331E198-47FA-463e-8015-CC3CEBB91D15}.exe
2736	{D5CFFC7F-9D49-46ac-8ED1-305382383236}.exe
2108	{A91D41CA-859A-4d32-8917-F0C953E9DA1D}.exe
2320	{BDDCFA28-7826-4d4d-A18C-83C370655CAD}.exe
1180	{398E444B-8929-41d1-9AC7-038BCEE2F907}.exe

Drops file in Windows directory 11 IoCs

Processes:

{84F94243-98EC-41b2-B79D-B68B081CBA23}.exe{6E1045AE-BCD4-4740-9C63-4E67CDB1CB76}.exe{BDDCFA28-7826-4d4d-A18C-83C370655CAD}.exe752512bd8420ade861113fafa0946ab0_NeikiAnalytics.exe{76F0D2BE-1BAF-45fb-8036-45C985906F86}.exe{232E3FF6-C941-4622-94B0-2012DAE5DB97}.exe{7331E198-47FA-463e-8015-CC3CEBB91D15}.exe{D5CFFC7F-9D49-46ac-8ED1-305382383236}.exe{A91D41CA-859A-4d32-8917-F0C953E9DA1D}.exe{B8449996-04E1-4b49-8C68-1CAEAA97DD4A}.exe{054745B6-5EFE-4897-977D-7AF3BF846DB9}.exe

description	ioc	process
File created	C:\Windows\{6E1045AE-BCD4-4740-9C63-4E67CDB1CB76}.exe	{84F94243-98EC-41b2-B79D-B68B081CBA23}.exe
File created	C:\Windows\{7331E198-47FA-463e-8015-CC3CEBB91D15}.exe	{6E1045AE-BCD4-4740-9C63-4E67CDB1CB76}.exe
File created	C:\Windows\{398E444B-8929-41d1-9AC7-038BCEE2F907}.exe	{BDDCFA28-7826-4d4d-A18C-83C370655CAD}.exe
File created	C:\Windows\{B8449996-04E1-4b49-8C68-1CAEAA97DD4A}.exe	752512bd8420ade861113fafa0946ab0_NeikiAnalytics.exe
File created	C:\Windows\{232E3FF6-C941-4622-94B0-2012DAE5DB97}.exe	{76F0D2BE-1BAF-45fb-8036-45C985906F86}.exe
File created	C:\Windows\{84F94243-98EC-41b2-B79D-B68B081CBA23}.exe	{232E3FF6-C941-4622-94B0-2012DAE5DB97}.exe
File created	C:\Windows\{D5CFFC7F-9D49-46ac-8ED1-305382383236}.exe	{7331E198-47FA-463e-8015-CC3CEBB91D15}.exe
File created	C:\Windows\{A91D41CA-859A-4d32-8917-F0C953E9DA1D}.exe	{D5CFFC7F-9D49-46ac-8ED1-305382383236}.exe
File created	C:\Windows\{BDDCFA28-7826-4d4d-A18C-83C370655CAD}.exe	{A91D41CA-859A-4d32-8917-F0C953E9DA1D}.exe
File created	C:\Windows\{054745B6-5EFE-4897-977D-7AF3BF846DB9}.exe	{B8449996-04E1-4b49-8C68-1CAEAA97DD4A}.exe
File created	C:\Windows\{76F0D2BE-1BAF-45fb-8036-45C985906F86}.exe	{054745B6-5EFE-4897-977D-7AF3BF846DB9}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

752512bd8420ade861113fafa0946ab0_NeikiAnalytics.exe{B8449996-04E1-4b49-8C68-1CAEAA97DD4A}.exe{054745B6-5EFE-4897-977D-7AF3BF846DB9}.exe{76F0D2BE-1BAF-45fb-8036-45C985906F86}.exe{232E3FF6-C941-4622-94B0-2012DAE5DB97}.exe{84F94243-98EC-41b2-B79D-B68B081CBA23}.exe{6E1045AE-BCD4-4740-9C63-4E67CDB1CB76}.exe{7331E198-47FA-463e-8015-CC3CEBB91D15}.exe{D5CFFC7F-9D49-46ac-8ED1-305382383236}.exe{A91D41CA-859A-4d32-8917-F0C953E9DA1D}.exe{BDDCFA28-7826-4d4d-A18C-83C370655CAD}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1936	752512bd8420ade861113fafa0946ab0_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2836	{B8449996-04E1-4b49-8C68-1CAEAA97DD4A}.exe
Token: SeIncBasePriorityPrivilege	2920	{054745B6-5EFE-4897-977D-7AF3BF846DB9}.exe
Token: SeIncBasePriorityPrivilege	2748	{76F0D2BE-1BAF-45fb-8036-45C985906F86}.exe
Token: SeIncBasePriorityPrivilege	2364	{232E3FF6-C941-4622-94B0-2012DAE5DB97}.exe
Token: SeIncBasePriorityPrivilege	2848	{84F94243-98EC-41b2-B79D-B68B081CBA23}.exe
Token: SeIncBasePriorityPrivilege	2972	{6E1045AE-BCD4-4740-9C63-4E67CDB1CB76}.exe
Token: SeIncBasePriorityPrivilege	300	{7331E198-47FA-463e-8015-CC3CEBB91D15}.exe
Token: SeIncBasePriorityPrivilege	2736	{D5CFFC7F-9D49-46ac-8ED1-305382383236}.exe
Token: SeIncBasePriorityPrivilege	2108	{A91D41CA-859A-4d32-8917-F0C953E9DA1D}.exe
Token: SeIncBasePriorityPrivilege	2320	{BDDCFA28-7826-4d4d-A18C-83C370655CAD}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1936 wrote to memory of 2836	1936	752512bd8420ade861113fafa0946ab0_NeikiAnalytics.exe	{B8449996-04E1-4b49-8C68-1CAEAA97DD4A}.exe
PID 1936 wrote to memory of 2836	1936	752512bd8420ade861113fafa0946ab0_NeikiAnalytics.exe	{B8449996-04E1-4b49-8C68-1CAEAA97DD4A}.exe
PID 1936 wrote to memory of 2836	1936	752512bd8420ade861113fafa0946ab0_NeikiAnalytics.exe	{B8449996-04E1-4b49-8C68-1CAEAA97DD4A}.exe
PID 1936 wrote to memory of 2836	1936	752512bd8420ade861113fafa0946ab0_NeikiAnalytics.exe	{B8449996-04E1-4b49-8C68-1CAEAA97DD4A}.exe
PID 1936 wrote to memory of 3068	1936	752512bd8420ade861113fafa0946ab0_NeikiAnalytics.exe	cmd.exe
PID 1936 wrote to memory of 3068	1936	752512bd8420ade861113fafa0946ab0_NeikiAnalytics.exe	cmd.exe
PID 1936 wrote to memory of 3068	1936	752512bd8420ade861113fafa0946ab0_NeikiAnalytics.exe	cmd.exe
PID 1936 wrote to memory of 3068	1936	752512bd8420ade861113fafa0946ab0_NeikiAnalytics.exe	cmd.exe
PID 2836 wrote to memory of 2920	2836	{B8449996-04E1-4b49-8C68-1CAEAA97DD4A}.exe	{054745B6-5EFE-4897-977D-7AF3BF846DB9}.exe
PID 2836 wrote to memory of 2920	2836	{B8449996-04E1-4b49-8C68-1CAEAA97DD4A}.exe	{054745B6-5EFE-4897-977D-7AF3BF846DB9}.exe
PID 2836 wrote to memory of 2920	2836	{B8449996-04E1-4b49-8C68-1CAEAA97DD4A}.exe	{054745B6-5EFE-4897-977D-7AF3BF846DB9}.exe
PID 2836 wrote to memory of 2920	2836	{B8449996-04E1-4b49-8C68-1CAEAA97DD4A}.exe	{054745B6-5EFE-4897-977D-7AF3BF846DB9}.exe
PID 2836 wrote to memory of 2272	2836	{B8449996-04E1-4b49-8C68-1CAEAA97DD4A}.exe	cmd.exe
PID 2836 wrote to memory of 2272	2836	{B8449996-04E1-4b49-8C68-1CAEAA97DD4A}.exe	cmd.exe
PID 2836 wrote to memory of 2272	2836	{B8449996-04E1-4b49-8C68-1CAEAA97DD4A}.exe	cmd.exe
PID 2836 wrote to memory of 2272	2836	{B8449996-04E1-4b49-8C68-1CAEAA97DD4A}.exe	cmd.exe
PID 2920 wrote to memory of 2748	2920	{054745B6-5EFE-4897-977D-7AF3BF846DB9}.exe	{76F0D2BE-1BAF-45fb-8036-45C985906F86}.exe
PID 2920 wrote to memory of 2748	2920	{054745B6-5EFE-4897-977D-7AF3BF846DB9}.exe	{76F0D2BE-1BAF-45fb-8036-45C985906F86}.exe
PID 2920 wrote to memory of 2748	2920	{054745B6-5EFE-4897-977D-7AF3BF846DB9}.exe	{76F0D2BE-1BAF-45fb-8036-45C985906F86}.exe
PID 2920 wrote to memory of 2748	2920	{054745B6-5EFE-4897-977D-7AF3BF846DB9}.exe	{76F0D2BE-1BAF-45fb-8036-45C985906F86}.exe
PID 2920 wrote to memory of 2828	2920	{054745B6-5EFE-4897-977D-7AF3BF846DB9}.exe	cmd.exe
PID 2920 wrote to memory of 2828	2920	{054745B6-5EFE-4897-977D-7AF3BF846DB9}.exe	cmd.exe
PID 2920 wrote to memory of 2828	2920	{054745B6-5EFE-4897-977D-7AF3BF846DB9}.exe	cmd.exe
PID 2920 wrote to memory of 2828	2920	{054745B6-5EFE-4897-977D-7AF3BF846DB9}.exe	cmd.exe
PID 2748 wrote to memory of 2364	2748	{76F0D2BE-1BAF-45fb-8036-45C985906F86}.exe	{232E3FF6-C941-4622-94B0-2012DAE5DB97}.exe
PID 2748 wrote to memory of 2364	2748	{76F0D2BE-1BAF-45fb-8036-45C985906F86}.exe	{232E3FF6-C941-4622-94B0-2012DAE5DB97}.exe
PID 2748 wrote to memory of 2364	2748	{76F0D2BE-1BAF-45fb-8036-45C985906F86}.exe	{232E3FF6-C941-4622-94B0-2012DAE5DB97}.exe
PID 2748 wrote to memory of 2364	2748	{76F0D2BE-1BAF-45fb-8036-45C985906F86}.exe	{232E3FF6-C941-4622-94B0-2012DAE5DB97}.exe
PID 2748 wrote to memory of 352	2748	{76F0D2BE-1BAF-45fb-8036-45C985906F86}.exe	cmd.exe
PID 2748 wrote to memory of 352	2748	{76F0D2BE-1BAF-45fb-8036-45C985906F86}.exe	cmd.exe
PID 2748 wrote to memory of 352	2748	{76F0D2BE-1BAF-45fb-8036-45C985906F86}.exe	cmd.exe
PID 2748 wrote to memory of 352	2748	{76F0D2BE-1BAF-45fb-8036-45C985906F86}.exe	cmd.exe
PID 2364 wrote to memory of 2848	2364	{232E3FF6-C941-4622-94B0-2012DAE5DB97}.exe	{84F94243-98EC-41b2-B79D-B68B081CBA23}.exe
PID 2364 wrote to memory of 2848	2364	{232E3FF6-C941-4622-94B0-2012DAE5DB97}.exe	{84F94243-98EC-41b2-B79D-B68B081CBA23}.exe
PID 2364 wrote to memory of 2848	2364	{232E3FF6-C941-4622-94B0-2012DAE5DB97}.exe	{84F94243-98EC-41b2-B79D-B68B081CBA23}.exe
PID 2364 wrote to memory of 2848	2364	{232E3FF6-C941-4622-94B0-2012DAE5DB97}.exe	{84F94243-98EC-41b2-B79D-B68B081CBA23}.exe
PID 2364 wrote to memory of 2868	2364	{232E3FF6-C941-4622-94B0-2012DAE5DB97}.exe	cmd.exe
PID 2364 wrote to memory of 2868	2364	{232E3FF6-C941-4622-94B0-2012DAE5DB97}.exe	cmd.exe
PID 2364 wrote to memory of 2868	2364	{232E3FF6-C941-4622-94B0-2012DAE5DB97}.exe	cmd.exe
PID 2364 wrote to memory of 2868	2364	{232E3FF6-C941-4622-94B0-2012DAE5DB97}.exe	cmd.exe
PID 2848 wrote to memory of 2972	2848	{84F94243-98EC-41b2-B79D-B68B081CBA23}.exe	{6E1045AE-BCD4-4740-9C63-4E67CDB1CB76}.exe
PID 2848 wrote to memory of 2972	2848	{84F94243-98EC-41b2-B79D-B68B081CBA23}.exe	{6E1045AE-BCD4-4740-9C63-4E67CDB1CB76}.exe
PID 2848 wrote to memory of 2972	2848	{84F94243-98EC-41b2-B79D-B68B081CBA23}.exe	{6E1045AE-BCD4-4740-9C63-4E67CDB1CB76}.exe
PID 2848 wrote to memory of 2972	2848	{84F94243-98EC-41b2-B79D-B68B081CBA23}.exe	{6E1045AE-BCD4-4740-9C63-4E67CDB1CB76}.exe
PID 2848 wrote to memory of 1800	2848	{84F94243-98EC-41b2-B79D-B68B081CBA23}.exe	cmd.exe
PID 2848 wrote to memory of 1800	2848	{84F94243-98EC-41b2-B79D-B68B081CBA23}.exe	cmd.exe
PID 2848 wrote to memory of 1800	2848	{84F94243-98EC-41b2-B79D-B68B081CBA23}.exe	cmd.exe
PID 2848 wrote to memory of 1800	2848	{84F94243-98EC-41b2-B79D-B68B081CBA23}.exe	cmd.exe
PID 2972 wrote to memory of 300	2972	{6E1045AE-BCD4-4740-9C63-4E67CDB1CB76}.exe	{7331E198-47FA-463e-8015-CC3CEBB91D15}.exe
PID 2972 wrote to memory of 300	2972	{6E1045AE-BCD4-4740-9C63-4E67CDB1CB76}.exe	{7331E198-47FA-463e-8015-CC3CEBB91D15}.exe
PID 2972 wrote to memory of 300	2972	{6E1045AE-BCD4-4740-9C63-4E67CDB1CB76}.exe	{7331E198-47FA-463e-8015-CC3CEBB91D15}.exe
PID 2972 wrote to memory of 300	2972	{6E1045AE-BCD4-4740-9C63-4E67CDB1CB76}.exe	{7331E198-47FA-463e-8015-CC3CEBB91D15}.exe
PID 2972 wrote to memory of 1708	2972	{6E1045AE-BCD4-4740-9C63-4E67CDB1CB76}.exe	cmd.exe
PID 2972 wrote to memory of 1708	2972	{6E1045AE-BCD4-4740-9C63-4E67CDB1CB76}.exe	cmd.exe
PID 2972 wrote to memory of 1708	2972	{6E1045AE-BCD4-4740-9C63-4E67CDB1CB76}.exe	cmd.exe
PID 2972 wrote to memory of 1708	2972	{6E1045AE-BCD4-4740-9C63-4E67CDB1CB76}.exe	cmd.exe
PID 300 wrote to memory of 2736	300	{7331E198-47FA-463e-8015-CC3CEBB91D15}.exe	{D5CFFC7F-9D49-46ac-8ED1-305382383236}.exe
PID 300 wrote to memory of 2736	300	{7331E198-47FA-463e-8015-CC3CEBB91D15}.exe	{D5CFFC7F-9D49-46ac-8ED1-305382383236}.exe
PID 300 wrote to memory of 2736	300	{7331E198-47FA-463e-8015-CC3CEBB91D15}.exe	{D5CFFC7F-9D49-46ac-8ED1-305382383236}.exe
PID 300 wrote to memory of 2736	300	{7331E198-47FA-463e-8015-CC3CEBB91D15}.exe	{D5CFFC7F-9D49-46ac-8ED1-305382383236}.exe
PID 300 wrote to memory of 1364	300	{7331E198-47FA-463e-8015-CC3CEBB91D15}.exe	cmd.exe
PID 300 wrote to memory of 1364	300	{7331E198-47FA-463e-8015-CC3CEBB91D15}.exe	cmd.exe
PID 300 wrote to memory of 1364	300	{7331E198-47FA-463e-8015-CC3CEBB91D15}.exe	cmd.exe
PID 300 wrote to memory of 1364	300	{7331E198-47FA-463e-8015-CC3CEBB91D15}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\752512bd8420ade861113fafa0946ab0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\752512bd8420ade861113fafa0946ab0_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\{B8449996-04E1-4b49-8C68-1CAEAA97DD4A}.exe
C:\Windows\{B8449996-04E1-4b49-8C68-1CAEAA97DD4A}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2836

C:\Windows\{054745B6-5EFE-4897-977D-7AF3BF846DB9}.exe
C:\Windows\{054745B6-5EFE-4897-977D-7AF3BF846DB9}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2920

C:\Windows\{76F0D2BE-1BAF-45fb-8036-45C985906F86}.exe
C:\Windows\{76F0D2BE-1BAF-45fb-8036-45C985906F86}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\{232E3FF6-C941-4622-94B0-2012DAE5DB97}.exe
C:\Windows\{232E3FF6-C941-4622-94B0-2012DAE5DB97}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364

C:\Windows\{84F94243-98EC-41b2-B79D-B68B081CBA23}.exe
C:\Windows\{84F94243-98EC-41b2-B79D-B68B081CBA23}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\{6E1045AE-BCD4-4740-9C63-4E67CDB1CB76}.exe
C:\Windows\{6E1045AE-BCD4-4740-9C63-4E67CDB1CB76}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972

C:\Windows\{7331E198-47FA-463e-8015-CC3CEBB91D15}.exe
C:\Windows\{7331E198-47FA-463e-8015-CC3CEBB91D15}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:300

C:\Windows\{D5CFFC7F-9D49-46ac-8ED1-305382383236}.exe
C:\Windows\{D5CFFC7F-9D49-46ac-8ED1-305382383236}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Windows\{A91D41CA-859A-4d32-8917-F0C953E9DA1D}.exe
C:\Windows\{A91D41CA-859A-4d32-8917-F0C953E9DA1D}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Windows\{BDDCFA28-7826-4d4d-A18C-83C370655CAD}.exe
C:\Windows\{BDDCFA28-7826-4d4d-A18C-83C370655CAD}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Windows\{398E444B-8929-41d1-9AC7-038BCEE2F907}.exe
C:\Windows\{398E444B-8929-41d1-9AC7-038BCEE2F907}.exe
12⤵
- Executes dropped EXE
PID:1180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{BDDCF~1.EXE > nul
12⤵
PID:592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A91D4~1.EXE > nul
11⤵
PID:2112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D5CFF~1.EXE > nul
10⤵
PID:1280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{7331E~1.EXE > nul
9⤵
PID:1364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{6E104~1.EXE > nul
8⤵
PID:1708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{84F94~1.EXE > nul
7⤵
PID:1800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{232E3~1.EXE > nul
6⤵
PID:2868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{76F0D~1.EXE > nul
5⤵
PID:352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{05474~1.EXE > nul
4⤵
PID:2828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B8449~1.EXE > nul
3⤵
PID:2272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\752512~1.EXE > nul
2⤵
- Deletes itself
PID:3068

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{054745B6-5EFE-4897-977D-7AF3BF846DB9}.exe
Filesize
90KB

MD5
5621f5cb10debf485c084cacea80f7af

SHA1
699bb56ac8939cd113eccd162471b6d69845133b

SHA256
90d80d8ceeea27e3bd378a45f7878c93e7a5e6189a3d858ead9e22a14b1cffd9

SHA512
13fec9448744f2e46919c545681b84258a2a44e7bcdce53b25e3653ccffe5249dd65df0dbb2b1d832d12533cfae6c03153dc355e2668701be54b1139309ebc33

Download Submit
C:\Windows\{232E3FF6-C941-4622-94B0-2012DAE5DB97}.exe
Filesize
90KB

MD5
b7b1342574d71c63341c81b11f91ea1d

SHA1
a82ac57cd1ee4ae3a619daf676dd36926ffff273

SHA256
9e52d35bb998d487435480ce0040af73eed1b29a431e7016e50bf4642c8f03df

SHA512
721193d5a76855c2b1efa36c3139e250b69fc064c5a69b823ce1484a97d7676ca23f1b751a379148aea5832f6cc43f5783fcf16eca174fc7f152b796dc3950b1

Download Submit
C:\Windows\{398E444B-8929-41d1-9AC7-038BCEE2F907}.exe
Filesize
90KB

MD5
74f5a9259640d16e909464863d789039

SHA1
386b85853b275f197d2affce2e5c1c6cd87cceaf

SHA256
261b04d5cd5fc36ad50e02e55b5bb94450130b9234f02d6fbd091232d7b627f7

SHA512
bb253494e35e9759876b0a3ec4903a2aa9d7d85e1f3f8a2059b9bef2ed06a2f7db8e61597c6d8f5f60176f2eda4d4d71fbbd4eabc1663faa45c1d78dcb849fe4

Download Submit
C:\Windows\{6E1045AE-BCD4-4740-9C63-4E67CDB1CB76}.exe
Filesize
90KB

MD5
e6142890f16633f0c01a870599f916ca

SHA1
31541f8df7f33b4b897938d4c59666d231eec19d

SHA256
a2835f3f2c3b8b2b107bb49ba1a53c613301eec83ab7f89be458c2f877997208

SHA512
17a80a516fe66b92e5167697c42ef6286fc4df780760ad6771dd1fecb7c4e7fc0b4755c9fef85a57ea908f2fb0fd3f57f38357d2046e8168d1f72a38379be6b4

Download Submit
C:\Windows\{7331E198-47FA-463e-8015-CC3CEBB91D15}.exe
Filesize
90KB

MD5
80677b68fe86d942468179d6a7789793

SHA1
fc8ac3091de118529a7ab7b6aa7deae359356b00

SHA256
d0428f3d85c4006cbfdf369a8c804818457378183419f4cafb46f2ffc0f0d4aa

SHA512
3829b2cd2da52c34c4f0f3e777f8df72a11dba6374db9f7ef4f306e2e9314de645da8cde04a7bcea23222d38d9c684c52fbc5bd5e1ea7ca615f62427559410db

Download Submit
C:\Windows\{76F0D2BE-1BAF-45fb-8036-45C985906F86}.exe
Filesize
90KB

MD5
88795322891f3df8f0d57ab3688f2c81

SHA1
6c64d1c71dedb4064fe2e815aed295e14e0c941d

SHA256
0c1799a42d8d661f56fc97a19e518c47e417496c9e737b7e9ab45ffc5d347033

SHA512
6d2a21a053d4a30d54e117ae958e242822e39ff4b23a224a46ccbbafe95941084516c8236576e4a9a3da274e10e2f496770bb2274fa0dfb6b2d78587737f24f2

Download Submit
C:\Windows\{84F94243-98EC-41b2-B79D-B68B081CBA23}.exe
Filesize
90KB

MD5
f1400c381f57e05a16d6e9012a98f5e4

SHA1
0a18b647345d2f12b3f13e2d11e3d22d99d211ad

SHA256
0d1d9280284c3b95e3687a6269225e26fac61ab29106895a77ae3f1cb2fa7bea

SHA512
ecb97fb3b1a93c0cd4b2f3f473461c8b484c74baac2ae148b9c0218318b91683e393847fb3d58ec5d80ef0fc277910603627ef8032bad754d89ec971313cbfba

Download Submit
C:\Windows\{A91D41CA-859A-4d32-8917-F0C953E9DA1D}.exe
Filesize
90KB

MD5
59fac8405817cd501eb7702560d07c28

SHA1
d2ea28add97fc231d5c708c9dd96708b73606673

SHA256
5c86c438a7d86870b90bc8343890842873d0a4629d61faf307c2cb8047c80446

SHA512
06d03752b05e83d0e8e4d89adf80238d17496af681af2124ba8c094bc0a9c50c25bf4dbc0d7d7901c9d066b7dd5e7321c61618bdf4bdf5c7b7e57cba98107cba

Download Submit
C:\Windows\{B8449996-04E1-4b49-8C68-1CAEAA97DD4A}.exe
Filesize
90KB

MD5
fb7aac1d0610b6ac9efb28ad54d53723

SHA1
afdd8613f5638534e759ff48ddfcb3c81916333d

SHA256
560cc41012486ffdbbc05f5a74b09cf970abf8896b290f08c18e21c1dfe5a877

SHA512
3d2529170fcefe6a534bc4a072c771c66be3ce9a14021d6929abce39ae90bc93ed980a92f77740b484699a4b955422736b8caf753ea6e6b46641bf2ddd0f3a69

Download Submit
C:\Windows\{BDDCFA28-7826-4d4d-A18C-83C370655CAD}.exe
Filesize
90KB

MD5
ab45eddca9a5cb0e84039e276db6e0d2

SHA1
73655dccb52a346925ebc988b11ea319ce30eb37

SHA256
fe5a93f8732de8a6f83b8be296c79eb6769eacc58e0fbf3386bfce3865e4606e

SHA512
98a52214f430bf0140ad02c8491ce319d402903e5a4680fbcab3cdc1c151a399ff12e6a1a9fe8267297d1c2d3ff8d1ad9a693e951c61b52ff4e419cebc9b5f68

Download Submit
C:\Windows\{D5CFFC7F-9D49-46ac-8ED1-305382383236}.exe
Filesize
90KB

MD5
da3093f1447cc721ed9c7f9dcfb1340b

SHA1
c7d973e99f00cad8c9afba3b6a14f69ecb1b6e4d

SHA256
6f21f76d1ae17b733961c6bd27ba6b36a4b7eb98e09522841ca6b667ea538472

SHA512
7f590dd7849a7c2b0befb5caf4859c8e40399cb574532443f45fb8570b3fdfc7ee415936644ffcae21925b2ea20f0421aea893f1d83514c1ae0987c066ed3387

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads