Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/06/2024, 22:29

General

  • Target

    76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe

  • Size

    90KB

  • MD5

    76f33b38bc9569b5155b7245f15e8d30

  • SHA1

    cd86c322b5b4bbb98e75e2f0d9368036f884a343

  • SHA256

    b12ed006872e73b97ba1e8ff1312311a8abb22605380d600f1ade592bef7bfe6

  • SHA512

    2160c0601e0c679565bd78fddfe1b18e4d699b439ad4d134f89c45349f92c278f8906def10cf35a22f81b835c6ffdb08901ce5dc97148acb590ec2361f5a3447

  • SSDEEP

    768:5vw98169hKjro34/wQCNrfrunMxVFA3b:lEG/Ho3lxunMxVS3

Score
8/10

Malware Config

Signatures

  • Modifies Installed Components in the registry (2 TTPs, 24 IoCs)
  • Executes dropped EXE (12 IoCs)
  • Drops file in Windows directory (12 IoCs)
  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4816
    • C:\Windows\{FF840DF1-A1F9-44f4-A13A-6D1502483A35}.exe
      C:\Windows\{FF840DF1-A1F9-44f4-A13A-6D1502483A35}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4796
      • C:\Windows\{4050ABA0-496C-4498-97C4-AD65EA511E84}.exe
        C:\Windows\{4050ABA0-496C-4498-97C4-AD65EA511E84}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2436
        • C:\Windows\{98AAC933-328A-41f2-B5B6-2E26D2C029D1}.exe
          C:\Windows\{98AAC933-328A-41f2-B5B6-2E26D2C029D1}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3772
          • C:\Windows\{6E4E0FCE-BFEC-497d-A72D-4AF87ABEBE45}.exe
            C:\Windows\{6E4E0FCE-BFEC-497d-A72D-4AF87ABEBE45}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1992
            • C:\Windows\{9186D66F-5A2B-449e-AE63-10A708BB72C8}.exe
              C:\Windows\{9186D66F-5A2B-449e-AE63-10A708BB72C8}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1856
              • C:\Windows\{852CD48F-F53D-4dc7-80D7-0CE9E34BF78D}.exe
                C:\Windows\{852CD48F-F53D-4dc7-80D7-0CE9E34BF78D}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1332
                • C:\Windows\{435859EF-1983-4383-8901-19A4A5F0BD05}.exe
                  C:\Windows\{435859EF-1983-4383-8901-19A4A5F0BD05}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4260
                  • C:\Windows\{81EAEA95-81F9-4ebc-8C21-64E5C2EFE83C}.exe
                    C:\Windows\{81EAEA95-81F9-4ebc-8C21-64E5C2EFE83C}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3156
                    • C:\Windows\{2A45AC3F-C55C-4423-83F1-A45031A49FF3}.exe
                      C:\Windows\{2A45AC3F-C55C-4423-83F1-A45031A49FF3}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2116
                      • C:\Windows\{76AD79CF-AB2F-4d0a-BF36-DFC9527F777A}.exe
                        C:\Windows\{76AD79CF-AB2F-4d0a-BF36-DFC9527F777A}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:5052
                        • C:\Windows\{63B007E9-7191-476c-AC7C-C486207357E9}.exe
                          C:\Windows\{63B007E9-7191-476c-AC7C-C486207357E9}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4808
                          • C:\Windows\{E182DC24-4CD0-4bb4-A30A-E2846595AA16}.exe
                            C:\Windows\{E182DC24-4CD0-4bb4-A30A-E2846595AA16}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:2388
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{63B00~1.EXE > nul
                            13⤵
                            PID:4556
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{76AD7~1.EXE > nul
                          12⤵
                          PID:2616
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A45A~1.EXE > nul
                        11⤵
                        PID:1504
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{81EAE~1.EXE > nul
                      10⤵
                      PID:4384
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{43585~1.EXE > nul
                    9⤵
                    PID:4104
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{852CD~1.EXE > nul
                  8⤵
                  PID:3300
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{9186D~1.EXE > nul
                7⤵
                PID:2180
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{6E4E0~1.EXE > nul
              6⤵
              PID:4468
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{98AAC~1.EXE > nul
            5⤵
            PID:4036
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{4050A~1.EXE > nul
          4⤵
          PID:4948
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF840~1.EXE > nul
        3⤵
        PID:4996
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\76F33B~1.EXE > nul
      2⤵
      PID:1592

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\{2A45AC3F-C55C-4423-83F1-A45031A49FF3}.exe (Filesize 90KB)
  • C:\Windows\{4050ABA0-496C-4498-97C4-AD65EA511E84}.exe (Filesize 90KB)
  • C:\Windows\{435859EF-1983-4383-8901-19A4A5F0BD05}.exe (Filesize 90KB)
  • C:\Windows\{63B007E9-7191-476c-AC7C-C486207357E9}.exe (Filesize 90KB)
  • C:\Windows\{6E4E0FCE-BFEC-497d-A72D-4AF87ABEBE45}.exe (Filesize 90KB)
  • C:\Windows\{76AD79CF-AB2F-4d0a-BF36-DFC9527F777A}.exe (Filesize 90KB)
  • C:\Windows\{81EAEA95-81F9-4ebc-8C21-64E5C2EFE83C}.exe (Filesize 90KB)
  • C:\Windows\{852CD48F-F53D-4dc7-80D7-0CE9E34BF78D}.exe (Filesize 90KB)
  • C:\Windows\{9186D66F-5A2B-449e-AE63-10A708BB72C8}.exe (Filesize 90KB)
  • C:\Windows\{98AAC933-328A-41f2-B5B6-2E26D2C029D1}.exe (Filesize 90KB)
  • C:\Windows\{E182DC24-4CD0-4bb4-A30A-E2846595AA16}.exe (Filesize 90KB)
  • C:\Windows\{FF840DF1-A1F9-44f4-A13A-6D1502483A35}.exe (Filesize 90KB)