Analysis

  • max time kernel
    149s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/06/2024, 04:53

General

  • Target

    3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe

  • Size

    90KB

  • MD5

    3a5da7c21cb387512051c924cc484430

  • SHA1

    9d952fdc523e88570edf71fb68f43ee6be13a86f

  • SHA256

    af0def80b3c5accef3c73ee79df6f8026f125469a0037290efa229c1c6efc7db

  • SHA512

    5e41ee35b4ff3862bb5eefb99c85defd33f42ea58fcfb0b314c9026d26956df5237e7e2f667119eedc3892e0539e1cabaa287d971f950ecb476182b380104c59

  • SSDEEP

    768:Qvw9816vhKQLrog4/wQRNrfrunMxVFA3b7glws:YEGh0ogl2unMxVS3Hgz

Score
8/10

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4368
    • C:\Windows\{E4415DFC-9F2A-48c2-AB78-B7762A852A68}.exe
      C:\Windows\{E4415DFC-9F2A-48c2-AB78-B7762A852A68}.exe
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2156
      • C:\Windows\{D72A4AF7-5CDF-4a67-B5CF-D00EF016FA24}.exe
        C:\Windows\{D72A4AF7-5CDF-4a67-B5CF-D00EF016FA24}.exe
        3⤵
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1248
        • C:\Windows\{3B3192BA-2481-421e-AB81-8793772F906B}.exe
          C:\Windows\{3B3192BA-2481-421e-AB81-8793772F906B}.exe
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3532
          • C:\Windows\{93B5BDD2-48E6-4a36-86ED-AF81CBC08C50}.exe
            C:\Windows\{93B5BDD2-48E6-4a36-86ED-AF81CBC08C50}.exe
            5⤵
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3632
            • C:\Windows\{CFBE7211-B2A8-4b76-828C-C2AA1EAA4871}.exe
              C:\Windows\{CFBE7211-B2A8-4b76-828C-C2AA1EAA4871}.exe
              6⤵
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1148
              • C:\Windows\{07C39884-5818-4b4a-A61A-A192FFEBF6CC}.exe
                C:\Windows\{07C39884-5818-4b4a-A61A-A192FFEBF6CC}.exe
                7⤵
                • Modifies Installed Components in the registry
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4220
                • C:\Windows\{0AD515DC-BD46-45e1-BA9D-21522780795D}.exe
                  C:\Windows\{0AD515DC-BD46-45e1-BA9D-21522780795D}.exe
                  8⤵
                  • Modifies Installed Components in the registry
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1836
                  • C:\Windows\{DD0DE9C7-A8C0-498d-AD96-78D2B9096C11}.exe
                    C:\Windows\{DD0DE9C7-A8C0-498d-AD96-78D2B9096C11}.exe
                    9⤵
                    • Modifies Installed Components in the registry
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:872
                    • C:\Windows\{06BA9F34-AFA2-4e64-AB9A-84067A183D33}.exe
                      C:\Windows\{06BA9F34-AFA2-4e64-AB9A-84067A183D33}.exe
                      10⤵
                      • Modifies Installed Components in the registry
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:5108
                      • C:\Windows\{2CDF4E3D-314C-4a3e-BDB6-D0A17E96231B}.exe
                        C:\Windows\{2CDF4E3D-314C-4a3e-BDB6-D0A17E96231B}.exe
                        11⤵
                        • Modifies Installed Components in the registry
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:5100
                        • C:\Windows\{D2F3D43F-78BF-458d-8039-B7E389BF7895}.exe
                          C:\Windows\{D2F3D43F-78BF-458d-8039-B7E389BF7895}.exe
                          12⤵
                          • Modifies Installed Components in the registry
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2004
                          • C:\Windows\{D26F1A63-FB01-430f-A386-54D846B3E3A6}.exe
                            C:\Windows\{D26F1A63-FB01-430f-A386-54D846B3E3A6}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:4744
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{D2F3D~1.EXE > nul
                            13⤵
                            PID:3628
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{2CDF4~1.EXE > nul
                          12⤵
                          PID:4784
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{06BA9~1.EXE > nul
                        11⤵
                        PID:1796
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{DD0DE~1.EXE > nul
                      10⤵
                      PID:4284
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{0AD51~1.EXE > nul
                    9⤵
                    PID:3752
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{07C39~1.EXE > nul
                  8⤵
                  PID:3604
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{CFBE7~1.EXE > nul
                7⤵
                PID:3248
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{93B5B~1.EXE > nul
              6⤵
              PID:4040
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{3B319~1.EXE > nul
            5⤵
            PID:4832
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{D72A4~1.EXE > nul
          4⤵
          PID:3436
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4415~1.EXE > nul
        3⤵
        PID:3568
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3A5DA7~1.EXE > nul
      2⤵
      PID:5036
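The tree above repeats one behaviour at every stage: the running copy drops a fresh 90KB executable as C:\Windows\{GUID}.exe, executes it, and then spawns cmd.exe /c del <own image> > nul to remove itself. The del targets are 8.3 short names ({E4415~1.EXE, 3A5DA7~1.EXE), and the cmd.exe image is the SysWOW64 copy even though the command line says system32, because the sample is 32-bit (arch:x86) and WoW64 redirects system32 for it. All twelve dropped copies are 90KB yet carry different hashes, so hash matching alone will not catch the chain. The following Python is an added example, not part of the sandbox report: it encodes the chain as detection logic over constructed process-creation events (pid, ppid, image, cmdline in the shape of Sysmon Event ID 1 records). The event values, the ev helper, the 8.3 approximation in short_name_83 and the benign installer events are assumptions made for the demo.

```python
"""Detection logic for the self-copy / self-delete chain in the process tree
above, run over constructed process-creation events. Added example, not part
of the sandbox report; every event value below is constructed (assumption)."""
import re
from typing import Dict, List, Tuple

Event = Dict[str, object]  # pid, ppid, image, cmdline: Sysmon Event ID 1 shape

# Stage binary dropped straight into %SystemRoot% under a {GUID}.exe name.
GUID_EXE_RE = re.compile(
    r"^[A-Z]:\\Windows\\\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}\.exe$",
    re.IGNORECASE,
)
# `cmd.exe /c del <path> > nul`; the path may be quoted or an 8.3 short name.
CMD_DEL_RE = re.compile(r'/c\s+del\s+(?P<path>"[^"]+"|\S+)', re.IGNORECASE)


def short_name_83(filename: str) -> str:
    """Approximate the 8.3 short name Windows derives from a long name: first six
    base-name characters, '~1', extension cut to three, upper-cased. Collision
    suffixes (~2, hashed forms) are ignored (assumption)."""
    base, _, ext = filename.rpartition(".")
    if not base:  # no extension at all
        base, ext = ext, ""
    base = base.replace(" ", "")
    if len(base) <= 8 and len(ext) <= 3:
        return (base + ("." + ext if ext else "")).upper()
    return (base[:6] + "~1" + ("." + ext[:3] if ext else "")).upper()


def _split(path: str) -> Tuple[str, str]:
    """(directory lower-cased, file name) for a backslash-separated path."""
    directory, _, name = path.strip('"').rpartition("\\")
    return directory.lower(), name


def deleted_path_matches(deleted: str, image: str) -> bool:
    """True if `deleted` (long or 8.3 form) names the same file as `image`. Only
    the file name is 8.3-normalised; a short directory component (PROGRA~1)
    would need the same treatment and is left out here."""
    d_dir, d_name = _split(deleted)
    i_dir, i_name = _split(image)
    if d_dir != i_dir:
        return False
    return d_name.lower() == i_name.lower() or d_name.upper() == short_name_83(i_name)


def find_self_deletes(events: List[Event]) -> List[Tuple[int, str]]:
    """(cmd_pid, parent_image) for every cmd.exe whose `del` target is its own
    parent's executable. cmd.exe is matched on basename only, so the SysWOW64
    copy a 32-bit parent gets through WoW64 redirection is covered."""
    by_pid = {e["pid"]: e for e in events}
    hits: List[Tuple[int, str]] = []
    for e in events:
        if not str(e["image"]).lower().endswith("\\cmd.exe"):
            continue
        m = CMD_DEL_RE.search(str(e["cmdline"]))
        parent = by_pid.get(e["ppid"])
        if m is None or parent is None:
            continue
        if deleted_path_matches(m.group("path"), str(parent["image"])):
            hits.append((int(e["pid"]), str(parent["image"])))
    return hits


def guid_drop_chain(events: List[Event], root_pid: int) -> List[str]:
    """Image paths of the {GUID}.exe stages reachable from root_pid through
    parent->child links, in execution order (root excluded)."""
    children: Dict[object, List[Event]] = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)
    chain: List[str] = []
    cur: object = root_pid
    while True:
        stages = [c for c in children.get(cur, []) if GUID_EXE_RE.match(str(c["image"]))]
        if not stages:
            return chain
        chain.append(str(stages[0]["image"]))
        cur = stages[0]["pid"]


def ev(pid: int, ppid: int, image: str, cmdline: str = "") -> Event:
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline or image}


ROOT = r"C:\Users\Admin\AppData\Local\Temp\3a5da7c21cb387512051c924cc484430_NeikiAnalytics.exe"
STAGE2 = r"C:\Windows\{E4415DFC-9F2A-48c2-AB78-B7762A852A68}.exe"
STAGE3 = r"C:\Windows\{D72A4AF7-5CDF-4a67-B5CF-D00EF016FA24}.exe"
STAGE4 = r"C:\Windows\{3B3192BA-2481-421e-AB81-8793772F906B}.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed events: the first three stages of the report's chain with their
# self-delete commands, plus a benign installer cleanup that must not alert.
EVENTS: List[Event] = [
    ev(4368, 1000, ROOT),
    ev(2156, 4368, STAGE2),
    ev(5036, 4368, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3A5DA7~1.EXE > nul"),
    ev(1248, 2156, STAGE3),
    ev(3568, 2156, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{E4415~1.EXE > nul"),
    ev(3532, 1248, STAGE4),
    ev(3436, 1248, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{D72A4~1.EXE > nul"),
    ev(7000, 6000, r"C:\Program Files\Foo\setup.exe"),
    ev(7001, 7000, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c del "C:\Program Files\Foo\setup.log" > nul'),
]

if __name__ == "__main__":
    print("stages:", guid_drop_chain(EVENTS, 4368))
    print("self-deletes:", find_self_deletes(EVENTS))
```

Run against the constructed events it reports three GUID stages under PID 4368 and three self-deletions (PIDs 5036, 3568, 3436) while the installer's log cleanup stays quiet. On real telemetry, feed it Sysmon or 4688 records with ParentProcessId resolved; the directory comparison is deliberately strict, so a short-name directory in the del command would need normalising before it matches.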

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{06BA9F34-AFA2-4e64-AB9A-84067A183D33}.exe
    Filesize
    90KB
    MD5
    dadeeb584fa91b3c0a164d453793cb35
    SHA1
    ec9962b7e5349f852554c43d94f6894987e84710
    SHA256
    2da891493bea8558324354af66c5a82b2185701a0636c596d37476d4b2fbca92
    SHA512
    cb4523dd6da1cca7e90a5ca142b0e5bb7f6c99dabb9383cd35a4a32c5cddde2e4ffbe9877869da827a97e2abf2784a189606ab798fe5c812fb0b9580d36a368f

  • C:\Windows\{07C39884-5818-4b4a-A61A-A192FFEBF6CC}.exe
    Filesize
    90KB
    MD5
    89ba777a410f16f8d9a4827b25eee736
    SHA1
    2fdcf40802e60b7165a1bc271bd298edece9d5e4
    SHA256
    2a6a9a939146fc3d017c0c0b771717a14e52a5b29428d58059ea6da03028ce52
    SHA512
    6a0d288032d0159e5a28a79e40d0122b21b167e5c0bff4c2bffa2a31a0815056e6340bb96df1fe4dda07d2c832072b172865ac7eb4cdb351374960081aad94bd

  • C:\Windows\{0AD515DC-BD46-45e1-BA9D-21522780795D}.exe
    Filesize
    90KB
    MD5
    57bc1788a836e6bcd7de5c4044e862cc
    SHA1
    558b2ab7edf818a00f6f73c993be7db423fa4eb5
    SHA256
    af306e09e770d84aff963714d383a8883d8d235c744235ca6d21074ee6e6f66d
    SHA512
    6e156fd7570408aea2d6c1d0b1dcff066b888bf92fc985b0edf7f76fdbc62172f0ad52be8120ab785b5225a25067ef71a2f2c54768e646ef6c0ef6404f731495

  • C:\Windows\{2CDF4E3D-314C-4a3e-BDB6-D0A17E96231B}.exe
    Filesize
    90KB
    MD5
    0cdb23966e16a6f5f83e859eefeb8b82
    SHA1
    649f839f262ca01d3274fc9e5ed40340b8a8722a
    SHA256
    2b65dbca88aa74209794fb32e1edcdfae55bae514eaf6ea953e2c47453838431
    SHA512
    8936ee7a8cc3239863d0ce8be94b8d27d83f56dbbd22afc046207535ebfded930587500c2264b63948085258641782d14b6308d77e9daa4a5882d727640a88d3

  • C:\Windows\{3B3192BA-2481-421e-AB81-8793772F906B}.exe
    Filesize
    90KB
    MD5
    0fde042da58bcec02a9200367fd7269d
    SHA1
    0957a5c7ea09ecb1ce5de51a2272b765d4b4e3ed
    SHA256
    496b751ff23f0feff2444ce3bba6a04cd5b75b7a9d0d704a774939f898c57af6
    SHA512
    fbe57b1e00206dcd9824c17f73502d5fb8c5dfe2b0bfbb26503741a4ff27f85c04f07b097559a0c7b1439de26215d5aa4e780fee69e097de608d2cd98911906b

  • C:\Windows\{93B5BDD2-48E6-4a36-86ED-AF81CBC08C50}.exe
    Filesize
    90KB
    MD5
    368dc405b43d5e76f22f510f9d3e44de
    SHA1
    f3de03e30f568dfcb08190cbcb7346fff5835774
    SHA256
    c11623fd4a5b5a76b1f3b37ba7f002ba084117587d9cb37bbd60fd137aee740b
    SHA512
    7a95ad238b240029927b6175dbd117752d43797304be94063f0b9b740f132d1210f18812bcf030f6999ac3f6995d7152a062fdaeb54b10856b8598514a2c0ba5

  • C:\Windows\{CFBE7211-B2A8-4b76-828C-C2AA1EAA4871}.exe
    Filesize
    90KB
    MD5
    3c71b6352e90010bc13c9a68fc8f4262
    SHA1
    30909f19506b6348b876c9a56f1ca5e7eeb2d77e
    SHA256
    f1b5b13364bbb0a78efe05c92a57e5ea3be259e1209d54313a4260e0829e977c
    SHA512
    ac04afd77183db5e9939362ae6fe715f7b4e33b5cb3761dfe50412d309b8a1a9ebce27e9981a459870e4f035f20b30895b94c2e32393c01a9eb3927931ff5218

  • C:\Windows\{D26F1A63-FB01-430f-A386-54D846B3E3A6}.exe
    Filesize
    90KB
    MD5
    c88edf78a96516568fea6d3badf3ffd4
    SHA1
    608b394df7920549f44fc713cb4b09b51c330acc
    SHA256
    60ca5676e98e66a241ae2ec8894a622e8c9d58bc3fb6ba396b671a0645a43fc8
    SHA512
    8f63e6a59196d7e064d841427e438511007d62a77941622e5100bcf5f3b0cad7aacd200017a1ea9f86a01a935861497d33c865b53f59ce40d696ccbd697762c1

  • C:\Windows\{D2F3D43F-78BF-458d-8039-B7E389BF7895}.exe
    Filesize
    90KB
    MD5
    2bb85a8ef223d7ec3fbccd79194d3fe0
    SHA1
    14c9d1c46b9655baa0f28fba7701d36838823ad8
    SHA256
    749c786c3d7753c6373cdb4f131fc15d1137b65874c64588d424fe5392c42d7e
    SHA512
    c743430a29182211abe82609d32ae436562be5a49d6d7e34f2dcfde31b4f75aa9a39290a0a9bca1bd1646bc181ffed83655ebda9b8b2a6403255e67c16ed227d

  • C:\Windows\{D72A4AF7-5CDF-4a67-B5CF-D00EF016FA24}.exe
    Filesize
    90KB
    MD5
    76d79a83acd404bd8a21f6f2a6764416
    SHA1
    6f38cca0437b6bbd5dd08949c473f295804c782e
    SHA256
    f2a0958d103d1a07f3540da7449712256d7522f40fb907f27d527f4e7ea05367
    SHA512
    b50c5949b65b07b0a931a5d5adfb8c66b431b581fb5ccdfb02439a97666a86086633af4296f493972b64806ee1459d26962bb0affb39219dc141cc6a56cd6f32

  • C:\Windows\{DD0DE9C7-A8C0-498d-AD96-78D2B9096C11}.exe
    Filesize
    90KB
    MD5
    bf3f9ff7508be91a99a0d5c9067e59b5
    SHA1
    e2157956a051ae1d6b2ac1e9a3c0d13e113afcc0
    SHA256
    f902540b7129ec25b5a5950a5b22abd2f258bffa77dbb8dd05ffb4c306f83d6f
    SHA512
    03270725a3eb4e22db9123a521b44100afa398ecbb9df17e0d40849c0e43b4dd43ac2ce04ccff8dd0daf3bbb1611d8371a5790d24641b38fecff1a01ebd223dd

  • C:\Windows\{E4415DFC-9F2A-48c2-AB78-B7762A852A68}.exe
    Filesize
    90KB
    MD5
    7171553a867362462befbbad9d27da76
    SHA1
    6f0a496d500a17022c66ec17bdbcfe4b593a8890
    SHA256
    457c514bc7c60e37c66a00bfe892a1a99a4c1d9f65f7e787ac2343472cf730ca
    SHA512
    4bd7163a8880eed603e09ac54c0e4696d8c4ed2fef762689cb9be5fc4e7771369c4ee2a3cd4e745e8724fe302aeea3eb037e7afa0d84a600523724279ad31ded