Analysis

  • max time kernel
    144s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/06/2024, 22:29

General

  • Target

    76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe

  • Size

    90KB

  • MD5

    76f33b38bc9569b5155b7245f15e8d30

  • SHA1

    cd86c322b5b4bbb98e75e2f0d9368036f884a343

  • SHA256

    b12ed006872e73b97ba1e8ff1312311a8abb22605380d600f1ade592bef7bfe6

  • SHA512

    2160c0601e0c679565bd78fddfe1b18e4d699b439ad4d134f89c45349f92c278f8906def10cf35a22f81b835c6ffdb08901ce5dc97148acb590ec2361f5a3447

  • SSDEEP

    768:5vw98169hKjro34/wQCNrfrunMxVFA3b:lEG/Ho3lxunMxVS3

Score
8/10

Malware Config

Signatures

  • Modifies Installed Components in the registry (2 TTPs, 22 IoCs)
  • Deletes itself (1 IoC)
  • Executes dropped EXE (11 IoCs)
  • Drops file in Windows directory (11 IoCs)
  • Suspicious use of AdjustPrivilegeToken (11 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2388
    • C:\Windows\{3C47E1BE-F2BB-42ba-A772-90AF0A94D698}.exe
      C:\Windows\{3C47E1BE-F2BB-42ba-A772-90AF0A94D698}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2224
      • C:\Windows\{9CF670F4-5586-41e1-B3A4-09927E8E0451}.exe
        C:\Windows\{9CF670F4-5586-41e1-B3A4-09927E8E0451}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2264
        • C:\Windows\{D4E32D79-8B6E-461e-87F3-E05949CB41B1}.exe
          C:\Windows\{D4E32D79-8B6E-461e-87F3-E05949CB41B1}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2340
          • C:\Windows\{17A4B9B9-EE95-4a64-9C7D-227D5639A113}.exe
            C:\Windows\{17A4B9B9-EE95-4a64-9C7D-227D5639A113}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1808
            • C:\Windows\{C72A8AD7-9E67-4113-AA3C-3AA356C1A3E6}.exe
              C:\Windows\{C72A8AD7-9E67-4113-AA3C-3AA356C1A3E6}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2780
              • C:\Windows\{22D7A410-9F2B-43c1-9055-2DCCDF356E81}.exe
                C:\Windows\{22D7A410-9F2B-43c1-9055-2DCCDF356E81}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1924
                • C:\Windows\{41887EE2-F7D1-455e-B5D5-FA39BA4AE6BF}.exe
                  C:\Windows\{41887EE2-F7D1-455e-B5D5-FA39BA4AE6BF}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1436
                  • C:\Windows\{14D6A6F3-ABC4-4840-802B-2BA9E3503664}.exe
                    C:\Windows\{14D6A6F3-ABC4-4840-802B-2BA9E3503664}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1216
                    • C:\Windows\{5DA0068D-092B-4de2-BD89-1AD0542A84F2}.exe
                      C:\Windows\{5DA0068D-092B-4de2-BD89-1AD0542A84F2}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2092
                      • C:\Windows\{58A064CF-0401-4fb9-816D-16F9BF7DFA66}.exe
                        C:\Windows\{58A064CF-0401-4fb9-816D-16F9BF7DFA66}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:480
                        • C:\Windows\{B81E48E0-7917-400f-8577-AF0FF1E58E24}.exe
                          C:\Windows\{B81E48E0-7917-400f-8577-AF0FF1E58E24}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1996
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{58A06~1.EXE > nul
                          12⤵
                          PID:1000
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{5DA00~1.EXE > nul
                        11⤵
                        PID:1476
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{14D6A~1.EXE > nul
                      10⤵
                      PID:1076
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{41887~1.EXE > nul
                    9⤵
                    PID:2112
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{22D7A~1.EXE > nul
                  8⤵
                  PID:1628
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{C72A8~1.EXE > nul
                7⤵
                PID:2156
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{17A4B~1.EXE > nul
              6⤵
              PID:2320
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{D4E32~1.EXE > nul
            5⤵
            PID:2672
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{9CF67~1.EXE > nul
          4⤵
          PID:2544
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C47E~1.EXE > nul
        3⤵
        PID:2800
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\76F33B~1.EXE > nul
      2⤵
      • Deletes itself
      PID:3012
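The process tree above shows one fixed pattern repeated eleven times: each stage is a 90KB executable written into C:\Windows under a GUID-style name, it launches the next stage, and it spawns cmd.exe /c del <8.3 short name> > nul to remove its own image. The Python below is an added detection example, not part of the sandbox report or of any tool it names. The process rows are transcribed from the tree (parent PIDs are inferred from nesting depth and only the first three stages are included), the PID 9999 row is a constructed benign control, and short_name_83 is a heuristic that assumes the ~1 alias with no short-name collision, which is the form the report's command lines show.

```python
"""Detection logic for the drop-and-delete chain in the process tree above.

Added example, not from the sandbox report. Rows are transcribed from the
tree (parent PIDs inferred from nesting depth, first three stages only);
the PID 9999 row is a constructed benign control.
"""
import re
from typing import NamedTuple


class Proc(NamedTuple):
    pid: int
    ppid: int
    image: str    # image path as the sandbox reports it
    cmdline: str  # command line as the sandbox reports it


# A {GUID}.exe dropped straight into C:\Windows, as every stage here is.
GUID_EXE_IN_WINDOWS = re.compile(
    r"^C:\\Windows\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$", re.IGNORECASE)
# The self-removal idiom used by every stage: cmd.exe /c del <path> > nul
CMD_DEL = re.compile(r"cmd\.exe\s+/c\s+del\s+(?P<target>\S+)\s*>\s*nul\s*$", re.IGNORECASE)

ROOT = r"C:\Users\Admin\AppData\Local\Temp\76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe"
# The command line says system32 but the image is SysWOW64: the 32-bit sample
# runs under WOW64 file-system redirection (consistent with the arch:x86 tag).
CMD = r"C:\Windows\SysWOW64\cmd.exe"

PROCESSES = [
    Proc(2388, 0, ROOT, f'"{ROOT}"'),
    Proc(2224, 2388, r"C:\Windows\{3C47E1BE-F2BB-42ba-A772-90AF0A94D698}.exe",
         r"C:\Windows\{3C47E1BE-F2BB-42ba-A772-90AF0A94D698}.exe"),
    Proc(3012, 2388, CMD,
         r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\76F33B~1.EXE > nul"),
    Proc(2264, 2224, r"C:\Windows\{9CF670F4-5586-41e1-B3A4-09927E8E0451}.exe",
         r"C:\Windows\{9CF670F4-5586-41e1-B3A4-09927E8E0451}.exe"),
    Proc(2800, 2224, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{3C47E~1.EXE > nul"),
    Proc(2340, 2264, r"C:\Windows\{D4E32D79-8B6E-461e-87F3-E05949CB41B1}.exe",
         r"C:\Windows\{D4E32D79-8B6E-461e-87F3-E05949CB41B1}.exe"),
    Proc(2544, 2264, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{9CF67~1.EXE > nul"),
    # Constructed control: deleting an unrelated file must not be flagged.
    Proc(9999, 2340, CMD,
         r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\scratch.tmp > nul"),
]


def short_name_83(path: str) -> str:
    """Heuristic 8.3 alias of a long path: first six characters of the stem
    (spaces and extra dots removed, upper-cased) + "~1" + three-character
    extension. Assumes no short-name collision, i.e. the ~1 form seen here."""
    directory, _, name = path.rpartition("\\")
    stem, dot, ext = name.rpartition(".")
    if not dot:
        stem, ext = name, ""
    stem = re.sub(r"[ .]", "", stem).upper()
    alias = f"{stem[:6]}~1" + (f".{ext[:3].upper()}" if ext else "")
    return f"{directory}\\{alias}"


def targets_parent(target: str, parent_image: str) -> bool:
    """Does the del target name the parent's own image, by long or 8.3 path?"""
    return target.lower() in (parent_image.lower(), short_name_83(parent_image).lower())


def is_self_delete(proc: Proc, parent: Proc) -> bool:
    """cmd.exe spawned by a process to delete that process's image file."""
    if not proc.image.lower().endswith("\\cmd.exe"):
        return False
    m = CMD_DEL.search(proc.cmdline)
    return m is not None and targets_parent(m.group("target"), parent.image)


def drop_chain(procs) -> list:
    """PIDs from the root down through each child that is itself a {GUID}.exe."""
    by_pid = {p.pid: p for p in procs}
    root = next(p for p in procs if p.ppid not in by_pid)
    chain = [root.pid]
    while True:
        nxt = [p for p in procs if p.ppid == chain[-1] and GUID_EXE_IN_WINDOWS.match(p.image)]
        if not nxt:
            return chain
        chain.append(nxt[0].pid)


def analyze(procs) -> dict:
    """Indicators worth alerting on, plus a verdict for the whole tree."""
    by_pid = {p.pid: p for p in procs}
    guid_exes = [p.pid for p in procs if GUID_EXE_IN_WINDOWS.match(p.image)]
    self_deletes = [(p.ppid, p.pid) for p in procs
                    if p.ppid in by_pid and is_self_delete(p, by_pid[p.ppid])]
    chain = drop_chain(procs)
    verdict = "drop-and-delete chain" if len(chain) >= 3 and self_deletes else "no chain"
    return {"guid_exes": guid_exes, "self_deletes": self_deletes,
            "chain": chain, "verdict": verdict}


if __name__ == "__main__":
    for key, value in analyze(PROCESSES).items():
        print(f"{key}: {value}")
```

The two checks are deliberately independent: a {GUID}.exe under C:\Windows is suspicious on its own, and a cmd.exe whose del target resolves (long or 8.3 form) to its parent's image is a self-deletion regardless of where the file lives. Correlating the 8.3 alias matters because the telemetry for cmd.exe carries only the short name, so a naive string match against the parent image path would miss every stage in this tree.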

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{14D6A6F3-ABC4-4840-802B-2BA9E3503664}.exe
    Filesize 90KB
    MD5 27053cdf77bfe4a3a43cd6afb70bfa67
    SHA1 bd4f9450e7229bda5732892211d1501a0b572fe3
    SHA256 23be8da2fcb70f704753595a87659a00ebb5de987d864911f4cf0dca1079b700
    SHA512 4fb9caa3c9684b82123b9f73aee113fa618f0eeff8e7ca55b09756bb2a2357ae10129617a303d1386c0a0cad6e017fc28edcce8fdf48bac4ff30f3b5d17b6655

  • C:\Windows\{17A4B9B9-EE95-4a64-9C7D-227D5639A113}.exe
    Filesize 90KB
    MD5 01186c6a3d74142e9e0a20abdd32428d
    SHA1 803aefa5af48e9afa19b6a8e9b888691c505bdbf
    SHA256 3c866b8b8ec2ed07e57e2c1a1147ce94f65989c454e29e67e7c9ff5de70dcd9f
    SHA512 bd70c8534531b8455cef73b4b816773010947f39cff833e82ea293161d56315e2064ad2deab29cc0c972e3e5212ac4f942a3c5be625367aca015de42d01241de

  • C:\Windows\{22D7A410-9F2B-43c1-9055-2DCCDF356E81}.exe
    Filesize 90KB
    MD5 5470fa53c13328289ddb444c81c2c95f
    SHA1 b7631d2f216b88f6f9895040ae9b033a3ca09b58
    SHA256 140ef0206f9339aa03b4d61575368e6ba72ac091da01cac452fbe446073bb0d9
    SHA512 6345f52bf79729a749f13bdb894ad9db68b9552cffa96c124ac183fab42462f4f7ece6ee9505fd4ded76cadc90d5eae11fc713eec99bdb62e24116c60c95dcf1

  • C:\Windows\{3C47E1BE-F2BB-42ba-A772-90AF0A94D698}.exe
    Filesize 90KB
    MD5 6771e8e01066c1159b75ea89c2ea88e1
    SHA1 88700e14c8f63d8c80ab3fa19e6fb2c876af7b8d
    SHA256 3fd8873cfac8a0bcc176cfa46d7409204198492038e65144cb5d36a6f50f41a6
    SHA512 0f3632ac672005cb47df5a512d17ab4d9256d57c8bee3c2b7cac7851a08b02c231f72d2f25c377dc92f100fd6ba8bc1a46426f3325ea3a07c9103274894ef913

  • C:\Windows\{41887EE2-F7D1-455e-B5D5-FA39BA4AE6BF}.exe
    Filesize 90KB
    MD5 5ea279b73fa9c6b3132e41294b5489c2
    SHA1 6aca2b8ee644b06da05a7360401576a6464fc353
    SHA256 9e5c78634f4b14e986c5b7c55b1eef6621995bf2d4259ccff9dfc85e35fdfe18
    SHA512 39f0b3ac0e02301b8c52673768a8a853918bae01b240ad663645599404891ac3749237ba454af563e1cb942d8df08231b68c795663eb8b7346d04b9c834eca11

  • C:\Windows\{58A064CF-0401-4fb9-816D-16F9BF7DFA66}.exe
    Filesize 90KB
    MD5 105da8033eb2fdd24702ef1becf2d2aa
    SHA1 4ce80a72da0e78cb6270380dbc6a151068a2f6a8
    SHA256 78161082a541bf6aaebc9dc6d53fb566d3d0a9bf37b7f2e8e8be163da30402a6
    SHA512 07ed6e03a4c5571485df0d5a12b62b7cc3bbdc0b3aeaf4ce8ec2a500b17f32cbcd9f1ca69687fefed7a17b155c62ae5532f1cd988288c394cccc3a6a16daad62

  • C:\Windows\{5DA0068D-092B-4de2-BD89-1AD0542A84F2}.exe
    Filesize 90KB
    MD5 962476d67cfa49c9c69eb3e9268022e0
    SHA1 9539125e1dee564b4d81a41d68546ba2d9f7ea9a
    SHA256 77be4731273fc7503fc96760b0f796ec0f525ea319ea0f04bdd6acb563d4cf33
    SHA512 373c1ec083b6c14ab0864bf5419dc53b20b9fc58b983a8426f2ede20081c2607f478d6991c65878051dd058e1aff8040a5ce4f49542766a74e74aac9e8fc0a6e

  • C:\Windows\{9CF670F4-5586-41e1-B3A4-09927E8E0451}.exe
    Filesize 90KB
    MD5 4a885e9855cc7145b8d14ba68d05ae74
    SHA1 b4d563597a6f3f40c1710fd5489cdf23bdca23b6
    SHA256 671321a56daeab0f75ea7063afcc5eecdecb617ba43347df6088fbae9be4fc4f
    SHA512 a0bc0339d495fd3c323ff98b267224b14eab621452c26e86c2f9a2bfbf940a8f69861eb6d8a8482e30de5ca438a8be484ef6cf98aa75120ccbe552c5402b1be2

  • C:\Windows\{B81E48E0-7917-400f-8577-AF0FF1E58E24}.exe
    Filesize 90KB
    MD5 5b127b9403627053949bf1f304f78ac7
    SHA1 b3f804b3dd77bad1d2f72c52ed6c3b7e6c829865
    SHA256 073c7b5cd136c2ed57d0421e2cfaf41cfd8f9e6f7e4aa8bb49b4ecc5205b4b3f
    SHA512 512dc0e889f38d4d5221bf7ae473dc7ee6d727490bc7623e5853b189a374ebd7cc254ff0a291c52278713d81f4171f6ab5ddd4ec5dd2ea38b35e56684bc0bd05

  • C:\Windows\{C72A8AD7-9E67-4113-AA3C-3AA356C1A3E6}.exe
    Filesize 90KB
    MD5 cda3bcc2af1f8b5d8c8331f0a05f5604
    SHA1 04e73d462618eca03724fae3a3643bd6091f3660
    SHA256 9b241c87222c05a1ee7ac2436748aa4e09aa46fca2380bee527a20c9aaa7802a
    SHA512 ecf29e8ca6f94b563f909ea5cd7f8a5f8192db317f3369506b34c242d314cedb34cf893dff49a3080bad18d9a262a7a3933971bfe51a9f0d0adfbfc42b285408

  • C:\Windows\{D4E32D79-8B6E-461e-87F3-E05949CB41B1}.exe
    Filesize 90KB
    MD5 58101828d1995687a19dc53bf29fca68
    SHA1 220eb4e984baa33936db4e3ba215a002bd68d456
    SHA256 6dcbe9374d80baf39688708a46560703118ec0ba62e567373f8f9ec83f172e41
    SHA512 8b4d0433b82e371cdad3ace9f58b30a29f152036a43a5296d223f2a09971d7ffdbce0c6318977a0935e84f141a44e2bc43de6364087fd7afbf6a2352d20a900f

  • memory/480-95-0x0000000000400000-0x0000000000411000-memory.dmp
    Filesize 68KB

  • memory/1216-79-0x0000000000400000-0x0000000000411000-memory.dmp
    Filesize 68KB

  • memory/1216-71-0x0000000000400000-0x0000000000411000-memory.dmp
    Filesize 68KB

  • memory/1436-70-0x0000000000400000-0x0000000000411000-memory.dmp
    Filesize 68KB

  • memory/1808-45-0x0000000000400000-0x0000000000411000-memory.dmp
    Filesize 68KB

  • memory/1924-61-0x0000000000400000-0x0000000000411000-memory.dmp
    Filesize 68KB

  • memory/2092-87-0x0000000000400000-0x0000000000411000-memory.dmp
    Filesize 68KB

  • memory/2224-9-0x0000000000400000-0x0000000000411000-memory.dmp
    Filesize 68KB

  • memory/2224-18-0x0000000000400000-0x0000000000411000-memory.dmp
    Filesize 68KB

  • memory/2224-14-0x0000000000310000-0x0000000000321000-memory.dmp
    Filesize 68KB

  • memory/2264-20-0x0000000000400000-0x0000000000411000-memory.dmp
    Filesize 68KB

  • memory/2264-28-0x0000000000400000-0x0000000000411000-memory.dmp
    Filesize 68KB

  • memory/2340-29-0x0000000000400000-0x0000000000411000-memory.dmp
    Filesize 68KB

  • memory/2340-36-0x0000000000400000-0x0000000000411000-memory.dmp
    Filesize 68KB

  • memory/2388-0-0x0000000000400000-0x0000000000411000-memory.dmp
    Filesize 68KB

  • memory/2388-10-0x0000000000400000-0x0000000000411000-memory.dmp
    Filesize 68KB

  • memory/2388-8-0x0000000001BC0000-0x0000000001BD1000-memory.dmp
    Filesize 68KB

  • memory/2388-3-0x0000000001BC0000-0x0000000001BD1000-memory.dmp
    Filesize 68KB

  • memory/2780-46-0x0000000000400000-0x0000000000411000-memory.dmp
    Filesize 68KB

  • memory/2780-53-0x0000000000400000-0x0000000000411000-memory.dmp
    Filesize 68KB