37f9e5ac8a55cbbf4c62a66c7fd44ae222461113e09e283cd4f067ca6dced031

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77d793f606512c3bf0d1a8af74407c70_NeikiAnalytics.exe
Size

90KB
MD5

77d793f606512c3bf0d1a8af74407c70
SHA1

75a9c4aac851575547e236dc8d852181a04890d5
SHA256

37f9e5ac8a55cbbf4c62a66c7fd44ae222461113e09e283cd4f067ca6dced031
SHA512

1a822455abbae3e020c50ccc356bf388a4644995011ad64b9a7b2d011c86407b4f4f81b25390778e305e6c9634b8f8a7779150cc2280757093820dd3389a7d90
SSDEEP

768:50w981IshKQLroT4/wQozzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzS:CEGI0oTlVunMxVS3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{FA3D18C0-8F56-4169-B226-8F2DE3B633F4}.exe{DDB11E09-7EDF-4598-A215-76FCC622298E}.exe{238A57C2-927D-423c-AC11-F6D553E7F301}.exe{3B14787C-36BD-48fb-82B7-49572D27CFB3}.exe{948928CF-171E-4fe3-8DBC-28D2A981899B}.exe{71CF3CC9-6F1B-41be-9A37-D8523D460680}.exe{8CA81675-6848-4c8a-A4B9-BFAB9FAD1AE7}.exe{FA120BE0-DAEA-4dde-BCFE-5506DB146AFA}.exe77d793f606512c3bf0d1a8af74407c70_NeikiAnalytics.exe{F4569973-120D-482c-812C-649A23396CBC}.exe{1AA8A147-AFA7-430f-8B20-1E3D14A0E8FE}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DDB11E09-7EDF-4598-A215-76FCC622298E}	{FA3D18C0-8F56-4169-B226-8F2DE3B633F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE8EE5D3-F815-4f2f-9266-7E6326B3F8FD}	{DDB11E09-7EDF-4598-A215-76FCC622298E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B14787C-36BD-48fb-82B7-49572D27CFB3}\stubpath = "C:\\Windows\\{3B14787C-36BD-48fb-82B7-49572D27CFB3}.exe"	{238A57C2-927D-423c-AC11-F6D553E7F301}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4569973-120D-482c-812C-649A23396CBC}\stubpath = "C:\\Windows\\{F4569973-120D-482c-812C-649A23396CBC}.exe"	{3B14787C-36BD-48fb-82B7-49572D27CFB3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1AA8A147-AFA7-430f-8B20-1E3D14A0E8FE}\stubpath = "C:\\Windows\\{1AA8A147-AFA7-430f-8B20-1E3D14A0E8FE}.exe"	{948928CF-171E-4fe3-8DBC-28D2A981899B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CA81675-6848-4c8a-A4B9-BFAB9FAD1AE7}\stubpath = "C:\\Windows\\{8CA81675-6848-4c8a-A4B9-BFAB9FAD1AE7}.exe"	{71CF3CC9-6F1B-41be-9A37-D8523D460680}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA3D18C0-8F56-4169-B226-8F2DE3B633F4}	{8CA81675-6848-4c8a-A4B9-BFAB9FAD1AE7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA3D18C0-8F56-4169-B226-8F2DE3B633F4}\stubpath = "C:\\Windows\\{FA3D18C0-8F56-4169-B226-8F2DE3B633F4}.exe"	{8CA81675-6848-4c8a-A4B9-BFAB9FAD1AE7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{948928CF-171E-4fe3-8DBC-28D2A981899B}	{FA120BE0-DAEA-4dde-BCFE-5506DB146AFA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1AA8A147-AFA7-430f-8B20-1E3D14A0E8FE}	{948928CF-171E-4fe3-8DBC-28D2A981899B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CA81675-6848-4c8a-A4B9-BFAB9FAD1AE7}	{71CF3CC9-6F1B-41be-9A37-D8523D460680}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{238A57C2-927D-423c-AC11-F6D553E7F301}	77d793f606512c3bf0d1a8af74407c70_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4569973-120D-482c-812C-649A23396CBC}	{3B14787C-36BD-48fb-82B7-49572D27CFB3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA120BE0-DAEA-4dde-BCFE-5506DB146AFA}\stubpath = "C:\\Windows\\{FA120BE0-DAEA-4dde-BCFE-5506DB146AFA}.exe"	{F4569973-120D-482c-812C-649A23396CBC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{948928CF-171E-4fe3-8DBC-28D2A981899B}\stubpath = "C:\\Windows\\{948928CF-171E-4fe3-8DBC-28D2A981899B}.exe"	{FA120BE0-DAEA-4dde-BCFE-5506DB146AFA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71CF3CC9-6F1B-41be-9A37-D8523D460680}\stubpath = "C:\\Windows\\{71CF3CC9-6F1B-41be-9A37-D8523D460680}.exe"	{1AA8A147-AFA7-430f-8B20-1E3D14A0E8FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{238A57C2-927D-423c-AC11-F6D553E7F301}\stubpath = "C:\\Windows\\{238A57C2-927D-423c-AC11-F6D553E7F301}.exe"	77d793f606512c3bf0d1a8af74407c70_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B14787C-36BD-48fb-82B7-49572D27CFB3}	{238A57C2-927D-423c-AC11-F6D553E7F301}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA120BE0-DAEA-4dde-BCFE-5506DB146AFA}	{F4569973-120D-482c-812C-649A23396CBC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71CF3CC9-6F1B-41be-9A37-D8523D460680}	{1AA8A147-AFA7-430f-8B20-1E3D14A0E8FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DDB11E09-7EDF-4598-A215-76FCC622298E}\stubpath = "C:\\Windows\\{DDB11E09-7EDF-4598-A215-76FCC622298E}.exe"	{FA3D18C0-8F56-4169-B226-8F2DE3B633F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE8EE5D3-F815-4f2f-9266-7E6326B3F8FD}\stubpath = "C:\\Windows\\{CE8EE5D3-F815-4f2f-9266-7E6326B3F8FD}.exe"	{DDB11E09-7EDF-4598-A215-76FCC622298E}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2744 cmd.exe

pid	process
2744	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{238A57C2-927D-423c-AC11-F6D553E7F301}.exe{3B14787C-36BD-48fb-82B7-49572D27CFB3}.exe{F4569973-120D-482c-812C-649A23396CBC}.exe{FA120BE0-DAEA-4dde-BCFE-5506DB146AFA}.exe{948928CF-171E-4fe3-8DBC-28D2A981899B}.exe{1AA8A147-AFA7-430f-8B20-1E3D14A0E8FE}.exe{71CF3CC9-6F1B-41be-9A37-D8523D460680}.exe{8CA81675-6848-4c8a-A4B9-BFAB9FAD1AE7}.exe{FA3D18C0-8F56-4169-B226-8F2DE3B633F4}.exe{DDB11E09-7EDF-4598-A215-76FCC622298E}.exe{CE8EE5D3-F815-4f2f-9266-7E6326B3F8FD}.exe

pid	process
2544	{238A57C2-927D-423c-AC11-F6D553E7F301}.exe
2660	{3B14787C-36BD-48fb-82B7-49572D27CFB3}.exe
2796	{F4569973-120D-482c-812C-649A23396CBC}.exe
2312	{FA120BE0-DAEA-4dde-BCFE-5506DB146AFA}.exe
2060	{948928CF-171E-4fe3-8DBC-28D2A981899B}.exe
348	{1AA8A147-AFA7-430f-8B20-1E3D14A0E8FE}.exe
2344	{71CF3CC9-6F1B-41be-9A37-D8523D460680}.exe
1552	{8CA81675-6848-4c8a-A4B9-BFAB9FAD1AE7}.exe
2896	{FA3D18C0-8F56-4169-B226-8F2DE3B633F4}.exe
684	{DDB11E09-7EDF-4598-A215-76FCC622298E}.exe
1760	{CE8EE5D3-F815-4f2f-9266-7E6326B3F8FD}.exe

Drops file in Windows directory 11 IoCs

Processes:

{DDB11E09-7EDF-4598-A215-76FCC622298E}.exe77d793f606512c3bf0d1a8af74407c70_NeikiAnalytics.exe{FA120BE0-DAEA-4dde-BCFE-5506DB146AFA}.exe{948928CF-171E-4fe3-8DBC-28D2A981899B}.exe{1AA8A147-AFA7-430f-8B20-1E3D14A0E8FE}.exe{71CF3CC9-6F1B-41be-9A37-D8523D460680}.exe{238A57C2-927D-423c-AC11-F6D553E7F301}.exe{3B14787C-36BD-48fb-82B7-49572D27CFB3}.exe{F4569973-120D-482c-812C-649A23396CBC}.exe{8CA81675-6848-4c8a-A4B9-BFAB9FAD1AE7}.exe{FA3D18C0-8F56-4169-B226-8F2DE3B633F4}.exe

description	ioc	process
File created	C:\Windows\{CE8EE5D3-F815-4f2f-9266-7E6326B3F8FD}.exe	{DDB11E09-7EDF-4598-A215-76FCC622298E}.exe
File created	C:\Windows\{238A57C2-927D-423c-AC11-F6D553E7F301}.exe	77d793f606512c3bf0d1a8af74407c70_NeikiAnalytics.exe
File created	C:\Windows\{948928CF-171E-4fe3-8DBC-28D2A981899B}.exe	{FA120BE0-DAEA-4dde-BCFE-5506DB146AFA}.exe
File created	C:\Windows\{1AA8A147-AFA7-430f-8B20-1E3D14A0E8FE}.exe	{948928CF-171E-4fe3-8DBC-28D2A981899B}.exe
File created	C:\Windows\{71CF3CC9-6F1B-41be-9A37-D8523D460680}.exe	{1AA8A147-AFA7-430f-8B20-1E3D14A0E8FE}.exe
File created	C:\Windows\{8CA81675-6848-4c8a-A4B9-BFAB9FAD1AE7}.exe	{71CF3CC9-6F1B-41be-9A37-D8523D460680}.exe
File created	C:\Windows\{3B14787C-36BD-48fb-82B7-49572D27CFB3}.exe	{238A57C2-927D-423c-AC11-F6D553E7F301}.exe
File created	C:\Windows\{F4569973-120D-482c-812C-649A23396CBC}.exe	{3B14787C-36BD-48fb-82B7-49572D27CFB3}.exe
File created	C:\Windows\{FA120BE0-DAEA-4dde-BCFE-5506DB146AFA}.exe	{F4569973-120D-482c-812C-649A23396CBC}.exe
File created	C:\Windows\{FA3D18C0-8F56-4169-B226-8F2DE3B633F4}.exe	{8CA81675-6848-4c8a-A4B9-BFAB9FAD1AE7}.exe
File created	C:\Windows\{DDB11E09-7EDF-4598-A215-76FCC622298E}.exe	{FA3D18C0-8F56-4169-B226-8F2DE3B633F4}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

77d793f606512c3bf0d1a8af74407c70_NeikiAnalytics.exe{238A57C2-927D-423c-AC11-F6D553E7F301}.exe{3B14787C-36BD-48fb-82B7-49572D27CFB3}.exe{F4569973-120D-482c-812C-649A23396CBC}.exe{FA120BE0-DAEA-4dde-BCFE-5506DB146AFA}.exe{948928CF-171E-4fe3-8DBC-28D2A981899B}.exe{1AA8A147-AFA7-430f-8B20-1E3D14A0E8FE}.exe{71CF3CC9-6F1B-41be-9A37-D8523D460680}.exe{8CA81675-6848-4c8a-A4B9-BFAB9FAD1AE7}.exe{FA3D18C0-8F56-4169-B226-8F2DE3B633F4}.exe{DDB11E09-7EDF-4598-A215-76FCC622298E}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2292	77d793f606512c3bf0d1a8af74407c70_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2544	{238A57C2-927D-423c-AC11-F6D553E7F301}.exe
Token: SeIncBasePriorityPrivilege	2660	{3B14787C-36BD-48fb-82B7-49572D27CFB3}.exe
Token: SeIncBasePriorityPrivilege	2796	{F4569973-120D-482c-812C-649A23396CBC}.exe
Token: SeIncBasePriorityPrivilege	2312	{FA120BE0-DAEA-4dde-BCFE-5506DB146AFA}.exe
Token: SeIncBasePriorityPrivilege	2060	{948928CF-171E-4fe3-8DBC-28D2A981899B}.exe
Token: SeIncBasePriorityPrivilege	348	{1AA8A147-AFA7-430f-8B20-1E3D14A0E8FE}.exe
Token: SeIncBasePriorityPrivilege	2344	{71CF3CC9-6F1B-41be-9A37-D8523D460680}.exe
Token: SeIncBasePriorityPrivilege	1552	{8CA81675-6848-4c8a-A4B9-BFAB9FAD1AE7}.exe
Token: SeIncBasePriorityPrivilege	2896	{FA3D18C0-8F56-4169-B226-8F2DE3B633F4}.exe
Token: SeIncBasePriorityPrivilege	684	{DDB11E09-7EDF-4598-A215-76FCC622298E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2292 wrote to memory of 2544	2292	77d793f606512c3bf0d1a8af74407c70_NeikiAnalytics.exe	{238A57C2-927D-423c-AC11-F6D553E7F301}.exe
PID 2292 wrote to memory of 2544	2292	77d793f606512c3bf0d1a8af74407c70_NeikiAnalytics.exe	{238A57C2-927D-423c-AC11-F6D553E7F301}.exe
PID 2292 wrote to memory of 2544	2292	77d793f606512c3bf0d1a8af74407c70_NeikiAnalytics.exe	{238A57C2-927D-423c-AC11-F6D553E7F301}.exe
PID 2292 wrote to memory of 2544	2292	77d793f606512c3bf0d1a8af74407c70_NeikiAnalytics.exe	{238A57C2-927D-423c-AC11-F6D553E7F301}.exe
PID 2292 wrote to memory of 2744	2292	77d793f606512c3bf0d1a8af74407c70_NeikiAnalytics.exe	cmd.exe
PID 2292 wrote to memory of 2744	2292	77d793f606512c3bf0d1a8af74407c70_NeikiAnalytics.exe	cmd.exe
PID 2292 wrote to memory of 2744	2292	77d793f606512c3bf0d1a8af74407c70_NeikiAnalytics.exe	cmd.exe
PID 2292 wrote to memory of 2744	2292	77d793f606512c3bf0d1a8af74407c70_NeikiAnalytics.exe	cmd.exe
PID 2544 wrote to memory of 2660	2544	{238A57C2-927D-423c-AC11-F6D553E7F301}.exe	{3B14787C-36BD-48fb-82B7-49572D27CFB3}.exe
PID 2544 wrote to memory of 2660	2544	{238A57C2-927D-423c-AC11-F6D553E7F301}.exe	{3B14787C-36BD-48fb-82B7-49572D27CFB3}.exe
PID 2544 wrote to memory of 2660	2544	{238A57C2-927D-423c-AC11-F6D553E7F301}.exe	{3B14787C-36BD-48fb-82B7-49572D27CFB3}.exe
PID 2544 wrote to memory of 2660	2544	{238A57C2-927D-423c-AC11-F6D553E7F301}.exe	{3B14787C-36BD-48fb-82B7-49572D27CFB3}.exe
PID 2544 wrote to memory of 2880	2544	{238A57C2-927D-423c-AC11-F6D553E7F301}.exe	cmd.exe
PID 2544 wrote to memory of 2880	2544	{238A57C2-927D-423c-AC11-F6D553E7F301}.exe	cmd.exe
PID 2544 wrote to memory of 2880	2544	{238A57C2-927D-423c-AC11-F6D553E7F301}.exe	cmd.exe
PID 2544 wrote to memory of 2880	2544	{238A57C2-927D-423c-AC11-F6D553E7F301}.exe	cmd.exe
PID 2660 wrote to memory of 2796	2660	{3B14787C-36BD-48fb-82B7-49572D27CFB3}.exe	{F4569973-120D-482c-812C-649A23396CBC}.exe
PID 2660 wrote to memory of 2796	2660	{3B14787C-36BD-48fb-82B7-49572D27CFB3}.exe	{F4569973-120D-482c-812C-649A23396CBC}.exe
PID 2660 wrote to memory of 2796	2660	{3B14787C-36BD-48fb-82B7-49572D27CFB3}.exe	{F4569973-120D-482c-812C-649A23396CBC}.exe
PID 2660 wrote to memory of 2796	2660	{3B14787C-36BD-48fb-82B7-49572D27CFB3}.exe	{F4569973-120D-482c-812C-649A23396CBC}.exe
PID 2660 wrote to memory of 1968	2660	{3B14787C-36BD-48fb-82B7-49572D27CFB3}.exe	cmd.exe
PID 2660 wrote to memory of 1968	2660	{3B14787C-36BD-48fb-82B7-49572D27CFB3}.exe	cmd.exe
PID 2660 wrote to memory of 1968	2660	{3B14787C-36BD-48fb-82B7-49572D27CFB3}.exe	cmd.exe
PID 2660 wrote to memory of 1968	2660	{3B14787C-36BD-48fb-82B7-49572D27CFB3}.exe	cmd.exe
PID 2796 wrote to memory of 2312	2796	{F4569973-120D-482c-812C-649A23396CBC}.exe	{FA120BE0-DAEA-4dde-BCFE-5506DB146AFA}.exe
PID 2796 wrote to memory of 2312	2796	{F4569973-120D-482c-812C-649A23396CBC}.exe	{FA120BE0-DAEA-4dde-BCFE-5506DB146AFA}.exe
PID 2796 wrote to memory of 2312	2796	{F4569973-120D-482c-812C-649A23396CBC}.exe	{FA120BE0-DAEA-4dde-BCFE-5506DB146AFA}.exe
PID 2796 wrote to memory of 2312	2796	{F4569973-120D-482c-812C-649A23396CBC}.exe	{FA120BE0-DAEA-4dde-BCFE-5506DB146AFA}.exe
PID 2796 wrote to memory of 2780	2796	{F4569973-120D-482c-812C-649A23396CBC}.exe	cmd.exe
PID 2796 wrote to memory of 2780	2796	{F4569973-120D-482c-812C-649A23396CBC}.exe	cmd.exe
PID 2796 wrote to memory of 2780	2796	{F4569973-120D-482c-812C-649A23396CBC}.exe	cmd.exe
PID 2796 wrote to memory of 2780	2796	{F4569973-120D-482c-812C-649A23396CBC}.exe	cmd.exe
PID 2312 wrote to memory of 2060	2312	{FA120BE0-DAEA-4dde-BCFE-5506DB146AFA}.exe	{948928CF-171E-4fe3-8DBC-28D2A981899B}.exe
PID 2312 wrote to memory of 2060	2312	{FA120BE0-DAEA-4dde-BCFE-5506DB146AFA}.exe	{948928CF-171E-4fe3-8DBC-28D2A981899B}.exe
PID 2312 wrote to memory of 2060	2312	{FA120BE0-DAEA-4dde-BCFE-5506DB146AFA}.exe	{948928CF-171E-4fe3-8DBC-28D2A981899B}.exe
PID 2312 wrote to memory of 2060	2312	{FA120BE0-DAEA-4dde-BCFE-5506DB146AFA}.exe	{948928CF-171E-4fe3-8DBC-28D2A981899B}.exe
PID 2312 wrote to memory of 1344	2312	{FA120BE0-DAEA-4dde-BCFE-5506DB146AFA}.exe	cmd.exe
PID 2312 wrote to memory of 1344	2312	{FA120BE0-DAEA-4dde-BCFE-5506DB146AFA}.exe	cmd.exe
PID 2312 wrote to memory of 1344	2312	{FA120BE0-DAEA-4dde-BCFE-5506DB146AFA}.exe	cmd.exe
PID 2312 wrote to memory of 1344	2312	{FA120BE0-DAEA-4dde-BCFE-5506DB146AFA}.exe	cmd.exe
PID 2060 wrote to memory of 348	2060	{948928CF-171E-4fe3-8DBC-28D2A981899B}.exe	{1AA8A147-AFA7-430f-8B20-1E3D14A0E8FE}.exe
PID 2060 wrote to memory of 348	2060	{948928CF-171E-4fe3-8DBC-28D2A981899B}.exe	{1AA8A147-AFA7-430f-8B20-1E3D14A0E8FE}.exe
PID 2060 wrote to memory of 348	2060	{948928CF-171E-4fe3-8DBC-28D2A981899B}.exe	{1AA8A147-AFA7-430f-8B20-1E3D14A0E8FE}.exe
PID 2060 wrote to memory of 348	2060	{948928CF-171E-4fe3-8DBC-28D2A981899B}.exe	{1AA8A147-AFA7-430f-8B20-1E3D14A0E8FE}.exe
PID 2060 wrote to memory of 2788	2060	{948928CF-171E-4fe3-8DBC-28D2A981899B}.exe	cmd.exe
PID 2060 wrote to memory of 2788	2060	{948928CF-171E-4fe3-8DBC-28D2A981899B}.exe	cmd.exe
PID 2060 wrote to memory of 2788	2060	{948928CF-171E-4fe3-8DBC-28D2A981899B}.exe	cmd.exe
PID 2060 wrote to memory of 2788	2060	{948928CF-171E-4fe3-8DBC-28D2A981899B}.exe	cmd.exe
PID 348 wrote to memory of 2344	348	{1AA8A147-AFA7-430f-8B20-1E3D14A0E8FE}.exe	{71CF3CC9-6F1B-41be-9A37-D8523D460680}.exe
PID 348 wrote to memory of 2344	348	{1AA8A147-AFA7-430f-8B20-1E3D14A0E8FE}.exe	{71CF3CC9-6F1B-41be-9A37-D8523D460680}.exe
PID 348 wrote to memory of 2344	348	{1AA8A147-AFA7-430f-8B20-1E3D14A0E8FE}.exe	{71CF3CC9-6F1B-41be-9A37-D8523D460680}.exe
PID 348 wrote to memory of 2344	348	{1AA8A147-AFA7-430f-8B20-1E3D14A0E8FE}.exe	{71CF3CC9-6F1B-41be-9A37-D8523D460680}.exe
PID 348 wrote to memory of 2856	348	{1AA8A147-AFA7-430f-8B20-1E3D14A0E8FE}.exe	cmd.exe
PID 348 wrote to memory of 2856	348	{1AA8A147-AFA7-430f-8B20-1E3D14A0E8FE}.exe	cmd.exe
PID 348 wrote to memory of 2856	348	{1AA8A147-AFA7-430f-8B20-1E3D14A0E8FE}.exe	cmd.exe
PID 348 wrote to memory of 2856	348	{1AA8A147-AFA7-430f-8B20-1E3D14A0E8FE}.exe	cmd.exe
PID 2344 wrote to memory of 1552	2344	{71CF3CC9-6F1B-41be-9A37-D8523D460680}.exe	{8CA81675-6848-4c8a-A4B9-BFAB9FAD1AE7}.exe
PID 2344 wrote to memory of 1552	2344	{71CF3CC9-6F1B-41be-9A37-D8523D460680}.exe	{8CA81675-6848-4c8a-A4B9-BFAB9FAD1AE7}.exe
PID 2344 wrote to memory of 1552	2344	{71CF3CC9-6F1B-41be-9A37-D8523D460680}.exe	{8CA81675-6848-4c8a-A4B9-BFAB9FAD1AE7}.exe
PID 2344 wrote to memory of 1552	2344	{71CF3CC9-6F1B-41be-9A37-D8523D460680}.exe	{8CA81675-6848-4c8a-A4B9-BFAB9FAD1AE7}.exe
PID 2344 wrote to memory of 1288	2344	{71CF3CC9-6F1B-41be-9A37-D8523D460680}.exe	cmd.exe
PID 2344 wrote to memory of 1288	2344	{71CF3CC9-6F1B-41be-9A37-D8523D460680}.exe	cmd.exe
PID 2344 wrote to memory of 1288	2344	{71CF3CC9-6F1B-41be-9A37-D8523D460680}.exe	cmd.exe
PID 2344 wrote to memory of 1288	2344	{71CF3CC9-6F1B-41be-9A37-D8523D460680}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\77d793f606512c3bf0d1a8af74407c70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\77d793f606512c3bf0d1a8af74407c70_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\{238A57C2-927D-423c-AC11-F6D553E7F301}.exe
C:\Windows\{238A57C2-927D-423c-AC11-F6D553E7F301}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\{3B14787C-36BD-48fb-82B7-49572D27CFB3}.exe
C:\Windows\{3B14787C-36BD-48fb-82B7-49572D27CFB3}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2660

C:\Windows\{F4569973-120D-482c-812C-649A23396CBC}.exe
C:\Windows\{F4569973-120D-482c-812C-649A23396CBC}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2796

C:\Windows\{FA120BE0-DAEA-4dde-BCFE-5506DB146AFA}.exe
C:\Windows\{FA120BE0-DAEA-4dde-BCFE-5506DB146AFA}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2312

C:\Windows\{948928CF-171E-4fe3-8DBC-28D2A981899B}.exe
C:\Windows\{948928CF-171E-4fe3-8DBC-28D2A981899B}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\{1AA8A147-AFA7-430f-8B20-1E3D14A0E8FE}.exe
C:\Windows\{1AA8A147-AFA7-430f-8B20-1E3D14A0E8FE}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:348

C:\Windows\{71CF3CC9-6F1B-41be-9A37-D8523D460680}.exe
C:\Windows\{71CF3CC9-6F1B-41be-9A37-D8523D460680}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2344

C:\Windows\{8CA81675-6848-4c8a-A4B9-BFAB9FAD1AE7}.exe
C:\Windows\{8CA81675-6848-4c8a-A4B9-BFAB9FAD1AE7}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\{FA3D18C0-8F56-4169-B226-8F2DE3B633F4}.exe
C:\Windows\{FA3D18C0-8F56-4169-B226-8F2DE3B633F4}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2896

C:\Windows\{DDB11E09-7EDF-4598-A215-76FCC622298E}.exe
C:\Windows\{DDB11E09-7EDF-4598-A215-76FCC622298E}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:684

C:\Windows\{CE8EE5D3-F815-4f2f-9266-7E6326B3F8FD}.exe
C:\Windows\{CE8EE5D3-F815-4f2f-9266-7E6326B3F8FD}.exe
12⤵
- Executes dropped EXE
PID:1760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DDB11~1.EXE > nul
12⤵
PID:2000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{FA3D1~1.EXE > nul
11⤵
PID:404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{8CA81~1.EXE > nul
10⤵
PID:2056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{71CF3~1.EXE > nul
9⤵
PID:1288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{1AA8A~1.EXE > nul
8⤵
PID:2856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{94892~1.EXE > nul
7⤵
PID:2788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{FA120~1.EXE > nul
6⤵
PID:1344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F4569~1.EXE > nul
5⤵
PID:2780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{3B147~1.EXE > nul
4⤵
PID:1968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{238A5~1.EXE > nul
3⤵
PID:2880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\77D793~1.EXE > nul
2⤵
- Deletes itself
PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1AA8A147-AFA7-430f-8B20-1E3D14A0E8FE}.exe

Filesize
90KB

MD5
fb7e1e9e4777cb5d51911011111536f2

SHA1
07490de98224b815531b06a0d9720bf4b5f8155d

SHA256
67bbf080ed3b4676ee4781146ca479077fbf1506a945f7b066b14175a847b4f9

SHA512
fad555c401f43de9680f2b3ac62e30f2c6961c7f4f864e227039f7a136a784684f29d64451fa190a29bdd8344f2789d80a7a4c43709361f1898b41219b707070

Download Submit
C:\Windows\{238A57C2-927D-423c-AC11-F6D553E7F301}.exe

Filesize
90KB

MD5
c73984a4b49a2f6b9501a71f5f000737

SHA1
5398759047e2b185590f0b56a08aa7ae92ae53b6

SHA256
fa39863c26aaf6a5e10afc791eee28b7db9b16daf3b2a23f8b0839efb7eb017d

SHA512
15251ef50d70c909c239d28022e86bffbb2a7cea450b84c8f2f2a34dc2fc92db910caf65beb5e6f5b48c465d5becfcaf448d82e4b9a3cd9f076643de9cc53056

Download Submit
C:\Windows\{3B14787C-36BD-48fb-82B7-49572D27CFB3}.exe

Filesize
90KB

MD5
38ff18c4d5c99e926f3d2268b9ae687a

SHA1
1c880d33a92c6db2ed06f713f4a41d554be673de

SHA256
c9af596195e48c14ff4475598df66f152be9f9e158f07b1fe717208a684facde

SHA512
6cfc95a74ba7db3f1eefb43b48d2afdaa8c15012f32e6e7ffdae2ab706a7c5471402c2d774cc5cd216f51543b4bb59082f7ef1a57049f42c43634324ce3198f3

Download Submit
C:\Windows\{71CF3CC9-6F1B-41be-9A37-D8523D460680}.exe

Filesize
90KB

MD5
cc2e91f91f8e37d7eac4855449853408

SHA1
48e3977d52355ca59b0643ce58b82fcf0933f097

SHA256
68691cf90e50ab75d815b6d35e681279729ac0a0852a8ea0d453e2a722b12af4

SHA512
7a66bfa9ad4131673c48b711ae98666c947b9bd7933f44212219af8c714f5b63d88eede7bdd51fbef208d7945406e295fbe1b51eb7ce65272683081840495891

Download Submit
C:\Windows\{8CA81675-6848-4c8a-A4B9-BFAB9FAD1AE7}.exe

Filesize
90KB

MD5
d7ba7d5b1f7ec2b108654db5d689dda3

SHA1
02c396aee6b66063e400c1ca755b54530099c986

SHA256
ba7589879c8f36d4c9fce1774eba14dd57dd7ea835fa7848c8332d85b26bc8d1

SHA512
d16ca74d47f6fe462d34582ed49fddf1232a0130fb4517f9cebf9ace28309df8bd704af830063cf67457bc65ccba5d45e368a5f27fb96927d124c5b4db09aa4e

Download Submit
C:\Windows\{948928CF-171E-4fe3-8DBC-28D2A981899B}.exe

Filesize
90KB

MD5
783b81dc965976fe72bb7ac28513a167

SHA1
55985ec942b521317b7f3377d611beaf63e1a114

SHA256
1a0924aa50b95577053eb53149db63aeab27a86e203f766b39d3adfe28c18578

SHA512
baa7097a6c18d4e2e975dd6ea1c0d58115cf1b74a04b78463f5765e6bfc4f054eba098772f5a69b35fdde1f5a8a750f28b90da00ed002bcd8ac874d942ba9475

Download Submit
C:\Windows\{CE8EE5D3-F815-4f2f-9266-7E6326B3F8FD}.exe

Filesize
90KB

MD5
bc7e2465a55102f7efa4953b6f471d36

SHA1
853f75d7ae99693b48bd5acc4d71cd7bcad65d80

SHA256
e29298801be29ab3a40ade429ad4da0a991a6e65fd62d34c2246defb185af632

SHA512
d2cb21419bfb7679397cb6fd70222edcb1f32e7f63da714e6a0ad49928dd64c32a075c83d14636a99a979263d0bd3a8ca445c46a813f8402d882abecd6519cf6

Download Submit
C:\Windows\{DDB11E09-7EDF-4598-A215-76FCC622298E}.exe

Filesize
90KB

MD5
4a57ed3c96f3a9bcf60e77adacf6360a

SHA1
bb2b824503e997722ecc831ef3c58ce9fd6dcff5

SHA256
7e1e11315fc065bf6f3281de2f50d1db5dac75246790cd421cf709953b244f7e

SHA512
c767ff3026e27793516da8bbe01f562b1291f9cff703d8ff052e5acfa1c1d93ec09b0e92e030e9132cc4d67752293d6da91a09151e88c8995bf89e523d1ff667

Download Submit
C:\Windows\{F4569973-120D-482c-812C-649A23396CBC}.exe

Filesize
90KB

MD5
94099a514f249d8b3b2b4dec1963ff77

SHA1
6bb248778f4605ae73631040b74c72a42910238f

SHA256
cb4c5725d0dc2569478cc657f00ac1a6eab921a750105527885118e91a591e21

SHA512
a84b622cd5eb21cf470c2b10d5d188d2a9fa3390104b6b83279e36ae78e91ce2ec6051172f2f90f9455a460054422159b0a57af6c724736a9439d8cc5eca7fe6

Download Submit
C:\Windows\{FA120BE0-DAEA-4dde-BCFE-5506DB146AFA}.exe

Filesize
90KB

MD5
2811cbee3f657d6d86d66f28ff2f1c93

SHA1
7dee9e81e38e43134d11330f463ec0106ef09f7a

SHA256
7635e4bf7b87fd34f4eebb9c810d69f9034462b471f6b3d03635453371372862

SHA512
71ec249f96f8d5359d6e5cb78b2b072ecf6267e6b9fedc768152109cb6c65ecccb2093362418274c25fd9cb0180d643c4c077e6548a3cb51e6092dc3874f76ef

Download Submit
C:\Windows\{FA3D18C0-8F56-4169-B226-8F2DE3B633F4}.exe

Filesize
90KB

MD5
9a2fc8c3b95b41fda92b6a3f3e2f62ea

SHA1
b4f17cb0494cff6aefd546481c5eaa2def271b8c

SHA256
c05959cc7a1b138edfb9843573185b953d4a35f7bebcfeed6d8156aa8940f7d8

SHA512
3189b6c566090c77977b935bb841d8e8a0430fb147661c333fd38e607f7b039f5d840c4b1ca495ca5258e647c6b8a7ce4ea2d83eb9472d80c7cb800ca359cb6b

Download Submit
memory/348-59-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/348-52-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/684-88-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/684-96-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1552-77-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1552-70-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2060-51-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2292-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2292-7-0x00000000003E0000-0x00000000003F1000-memory.dmp

Filesize
68KB

Download
memory/2292-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2312-42-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2312-35-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2344-61-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2344-69-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2544-16-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2544-8-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2660-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2660-26-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2796-33-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2896-79-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2896-87-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download