Analysis

  • max time kernel
    144s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/06/2024, 04:53

General

  • Target
    3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe
  • Size
    90KB
  • MD5
    3a5da7c21cb387512051c924cc484430
  • SHA1
    9d952fdc523e88570edf71fb68f43ee6be13a86f
  • SHA256
    af0def80b3c5accef3c73ee79df6f8026f125469a0037290efa229c1c6efc7db
  • SHA512
    5e41ee35b4ff3862bb5eefb99c85defd33f42ea58fcfb0b314c9026d26956df5237e7e2f667119eedc3892e0539e1cabaa287d971f950ecb476182b380104c59
  • SSDEEP
    768:Qvw9816vhKQLrog4/wQRNrfrunMxVFA3b7glws:YEGh0ogl2unMxVS3Hgz

Score
8/10

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 22 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2164
    • C:\Windows\{2BC2876D-5FC9-40fe-989A-2C51BA6F8AAB}.exe
      C:\Windows\{2BC2876D-5FC9-40fe-989A-2C51BA6F8AAB}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2960
      • C:\Windows\{383F0D35-F2BA-4048-AE81-4F43CB80E89E}.exe
        C:\Windows\{383F0D35-F2BA-4048-AE81-4F43CB80E89E}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2660
        • C:\Windows\{C46E71A3-8097-4903-A697-120E23F9A7CA}.exe
          C:\Windows\{C46E71A3-8097-4903-A697-120E23F9A7CA}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2504
          • C:\Windows\{AD0F3490-DF00-4915-AFC4-3BE74D18BEA1}.exe
            C:\Windows\{AD0F3490-DF00-4915-AFC4-3BE74D18BEA1}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2248
            • C:\Windows\{6B587AC3-0A05-46fe-92C7-E44AAC6B1F94}.exe
              C:\Windows\{6B587AC3-0A05-46fe-92C7-E44AAC6B1F94}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2436
              • C:\Windows\{ACE2C2F7-21E6-4b6c-BEBC-E475008A3123}.exe
                C:\Windows\{ACE2C2F7-21E6-4b6c-BEBC-E475008A3123}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1744
                • C:\Windows\{A96F13D4-655E-47fe-A8E7-74913A5BBBA3}.exe
                  C:\Windows\{A96F13D4-655E-47fe-A8E7-74913A5BBBA3}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1636
                  • C:\Windows\{C7F69F1D-C77E-4b28-B290-1814B884E1AA}.exe
                    C:\Windows\{C7F69F1D-C77E-4b28-B290-1814B884E1AA}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:284
                    • C:\Windows\{C41F3C5A-B732-4dd8-AB90-CD100D653489}.exe
                      C:\Windows\{C41F3C5A-B732-4dd8-AB90-CD100D653489}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1160
                      • C:\Windows\{6ED18E9F-61DE-44fe-83F7-CE708B5B4B88}.exe
                        C:\Windows\{6ED18E9F-61DE-44fe-83F7-CE708B5B4B88}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:604
                        • C:\Windows\{D78C804C-8D22-49f9-9EA4-3F9FB384C933}.exe
                          C:\Windows\{D78C804C-8D22-49f9-9EA4-3F9FB384C933}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1792
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{6ED18~1.EXE > nul
                          12⤵
                          PID:528
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{C41F3~1.EXE > nul
                        11⤵
                        PID:572
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{C7F69~1.EXE > nul
                      10⤵
                      PID:864
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{A96F1~1.EXE > nul
                    9⤵
                    PID:1696
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{ACE2C~1.EXE > nul
                  8⤵
                  PID:2256
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{6B587~1.EXE > nul
                7⤵
                PID:768
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{AD0F3~1.EXE > nul
              6⤵
              PID:1980
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{C46E7~1.EXE > nul
            5⤵
            PID:1756
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{383F0~1.EXE > nul
          4⤵
          PID:2420
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2BC28~1.EXE > nul
        3⤵
        PID:2912
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3A5DA7~1.EXE > nul
      2⤵
      PID:2516

Downloads

  • C:\Windows\{2BC2876D-5FC9-40fe-989A-2C51BA6F8AAB}.exe
    Filesize 90KB
  • C:\Windows\{383F0D35-F2BA-4048-AE81-4F43CB80E89E}.exe
    Filesize 90KB
  • C:\Windows\{6B587AC3-0A05-46fe-92C7-E44AAC6B1F94}.exe
    Filesize 90KB
  • C:\Windows\{6ED18E9F-61DE-44fe-83F7-CE708B5B4B88}.exe
    Filesize 90KB
  • C:\Windows\{A96F13D4-655E-47fe-A8E7-74913A5BBBA3}.exe
    Filesize 90KB
  • C:\Windows\{ACE2C2F7-21E6-4b6c-BEBC-E475008A3123}.exe
    Filesize 90KB
  • C:\Windows\{AD0F3490-DF00-4915-AFC4-3BE74D18BEA1}.exe
    Filesize 90KB
  • C:\Windows\{C41F3C5A-B732-4dd8-AB90-CD100D653489}.exe
    Filesize 90KB
  • C:\Windows\{C46E71A3-8097-4903-A697-120E23F9A7CA}.exe
    Filesize 90KB
  • C:\Windows\{C7F69F1D-C77E-4b28-B290-1814B884E1AA}.exe
    Filesize 90KB
  • C:\Windows\{D78C804C-8D22-49f9-9EA4-3F9FB384C933}.exe
    Filesize 90KB