Analysis
-
max time kernel
144s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
03/06/2024, 04:44
General
-
Target
9bf22c56d458042da0a5e1a6b06a5ae0_NeikiAnalytics.exe
-
Size
88KB
-
MD5
9bf22c56d458042da0a5e1a6b06a5ae0
-
SHA1
a86fb4cd3628fe5c9f02f8560b4b863565e60707
-
SHA256
0df2ea804ebfd86077654e3a8884055fc707c582118105acfe6b62deac3cf766
-
SHA512
6ce337d4cade46690c0670059916670736f18b47881bc9c13753c6f732c8553a0fe720bfc24bbf5dbf32aad3cfabbc59cdd139a18abfc32c40f3136d56ea5650
-
SSDEEP
768:uvw981E9hKQLroQL4/wQDNrfrunMxVFA3r:aEGJ0oQLlYunMxVS3r
Malware Config
Signatures
-
Modifies Installed Components in the registry 2 TTPs 22 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 11 IoCs
-
Drops file in Windows directory 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9bf22c56d458042da0a5e1a6b06a5ae0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\9bf22c56d458042da0a5e1a6b06a5ae0_NeikiAnalytics.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{0A288178-C99D-4da9-AAEB-148B7B7FD1D3}.exeC:\Windows\{0A288178-C99D-4da9-AAEB-148B7B7FD1D3}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{87A90007-8115-44c0-A790-AA39077FD2B7}.exeC:\Windows\{87A90007-8115-44c0-A790-AA39077FD2B7}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{6708E545-9BBF-47e0-81C4-34F1A0023AB1}.exeC:\Windows\{6708E545-9BBF-47e0-81C4-34F1A0023AB1}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{B7709D15-3606-41f4-8237-BE82DB551C1E}.exeC:\Windows\{B7709D15-3606-41f4-8237-BE82DB551C1E}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{4AC1AD5E-925D-49aa-AC5F-C7E7432746D6}.exeC:\Windows\{4AC1AD5E-925D-49aa-AC5F-C7E7432746D6}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{96755530-0EC7-4605-ADDE-EC12906E89D1}.exeC:\Windows\{96755530-0EC7-4605-ADDE-EC12906E89D1}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{034EE05A-CEAF-476a-8682-E97E96C53F0D}.exeC:\Windows\{034EE05A-CEAF-476a-8682-E97E96C53F0D}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{5ECE12B1-EDB7-4733-8DCC-89BFBB923566}.exeC:\Windows\{5ECE12B1-EDB7-4733-8DCC-89BFBB923566}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{B6F9D40E-D940-479a-8BD3-19C659D8CC0F}.exeC:\Windows\{B6F9D40E-D940-479a-8BD3-19C659D8CC0F}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{7A7A4450-65FB-481d-9708-4DBAACA80642}.exeC:\Windows\{7A7A4450-65FB-481d-9708-4DBAACA80642}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{499D9256-6D3B-40dc-9264-810FED2E639F}.exeC:\Windows\{499D9256-6D3B-40dc-9264-810FED2E639F}.exe12⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{7A7A4~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{B6F9D~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{5ECE1~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{034EE~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{96755~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{4AC1A~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{B7709~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{6708E~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{87A90~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{0A288~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\9BF22C~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
88KB
MD53d6fe5701328f06bc61f58a925dc4061
SHA1d443ba843237b94ba6195339d71aef2b31254dfd
SHA256f966991cb2e3b7b54ee336cd94fa987a0ad145088b86e6d6afa0b4d376cf6068
SHA512ea5dbf85cc8216db1c5dd4ca65ccbb74447cc085c3cc80705b26f656d96ebeccc365924a98913d657b4dd01c163ce69f177e37debc15aaba455292cbaa1350c3
-
Filesize
88KB
MD51ceb080ce047953d1b5fd9b797cc3fc3
SHA1796cf2d6bfd3a423d9fe636c420071d3c8c1c969
SHA25679a4af7fb4321f64ba0d604e3599f3f92b8e94800cf9a00f8f4f08748da4eba0
SHA5120e7f4aa20153bd762586c5a2f7129d2aa0307334d20e7f7c73370003dc0821f72694a861a90875f1af39284b0906c64bff9e2a79f651eb148bd6ec09cf7e83c4
-
Filesize
88KB
MD5115fec158e050da2ca83aa6551fcdc33
SHA15ad3de7a14faa09c6dee41f637b6cdbe727e4dd9
SHA2563e999e0c2ab88c479ee796c48c7463bb2854f069cc7785c3dbcb40d6e5112f3f
SHA5126b936e358ca890c859fbe496ae02e6fd33f8c0dda49f8a8bfdd96850cccb4b9f87ebfb63557644ca3dc6fb9e91e4046a60259cb3adf1404f10fc98a78eae9dd2
-
Filesize
88KB
MD5e6d629e8e9d330a2e82ec1b259eb35d9
SHA15a62a13bb258ed6cfa0ffc9419c5ff80dbc951f7
SHA2568c08975f1808af1259587646c7b11d286151becf83f511befedbe11179032724
SHA5124a7733b093eebf462cc05504478698923f7a96c93625385e3d1ac8db67ba79c8d38a9066e7a0a2a4e602cf662027ad62b1280b1a6676d273fac67a5e3f355833
-
Filesize
88KB
MD51ee0a7fbe7ab4e8b0cd85cd5f0274845
SHA11b95e8f1a4b6416765e45bf3facb8fedb45504ca
SHA2569f59ac1273e35da674f4ff0eb64b4294a418cfc1c92d417de39bdf63aebbe55d
SHA5125fa832de60b12c94840678f749ae2fb517d76b47510cf0d5d995750caaa63cb1b5aca8d632998b09ced80388f8133ce8bc49e5d3f1cfc34484ae3d3446373d2b
-
Filesize
88KB
MD5ef554d05e0e5964cf7de6fe5004ddf0e
SHA13e5a55b172ff11283a974b275d9281d8e53b8d17
SHA2568a44ea50f9c045a85c9e42b301296fe8c4a82590ecbe6d9500df8a284f2806c0
SHA512fa241bde10d6c0933bcd88ecb16c71320d3a8404b8f7d79dca1cb38e3d60315d438f68c6facb20fdbb37685553015e2293ee57698f1666360a124ab1bd7b2416
-
Filesize
88KB
MD5ffffc98771692592be07b6bd5feb5c69
SHA1e61a4fa243a1045b6b5ebb584afc9be8b0050963
SHA25694bd292e6712abb795d98d8cccebc40d9fe0bf74963a6d95f26a30178273b75a
SHA5126780563adeb9113c8f2d6e741410f26c0e85a60a6199ee52bebffa0b90ebd8d73ab1cd70b819f285fc2aeb24697588fde72518cf6e3f210a0d409048a5d07aed
-
Filesize
88KB
MD5d944cdd13f18e96ba4f08808e7dc2118
SHA115d6f76d39ffe8e920fa045b8b8529aaf24be1b3
SHA2567147c9c8c66e4273632c55d6384796f28feccd5a0229ed5a134c85b9246e8677
SHA51285e1f2691d45ea1e2cbb4f887200c74243208c77692f4db3738c01069f9a0eea312e192b617921c184ffbf70e32924e7f8ee6359320e23756f050480876be218
-
Filesize
88KB
MD53f0027d8c51f00e13421e425e0df3df2
SHA10cc66934567ac0c0a29b708640fb46bf7eaaeee4
SHA256d7b6fbfd6258249486f7fa9d14e62e8f1705c9b33dcf2e7ee5f4b405fffd6463
SHA512e26bbafe8641bdc43874749b2c026c3a2e010758a689c13173ccbacf0dae8b56e8d60865bd36d67fab9615d3ecb01aa6cdbd2735c2b6cb5626b0aad006b27269
-
Filesize
88KB
MD53c1712c6998afa066b3bc8954bf72c8f
SHA11bc18ec2848f2aee927d06aff801bce93629eaab
SHA256405c5b828e8375c548c502ee9f25f2d12706e7c30492159baba3870c37cc46d6
SHA51207490ffde0adfc06ba154367b7a84339940d3791f703197824b3665161658f44ca6112ed438d0eb932a695d5dfbfdcbf1a6b11245a15926a72e9044002a33d8f
-
Filesize
88KB
MD5c6e54f229d75883a63b982a70faf1470
SHA121f14586aeedb001d02c76c7589a69bab64d37b9
SHA256e449c1f4fae58683d0f57826b7e43d2dabef68996ef5b868d6e0196c42056644
SHA512ebd484bc5f34be276ec62b5062bc80e2ac44a0dfddedd95b61cf7bb3797d80908ad9e55facfdc5de37e0b3fbc87dfafccbdf5814d34befb37a3f5aad033d9ab0
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB