Analysis
max time kernel: 141s
max time network: 145s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 08-06-2024 16:17
Behavioral task: behavioral1
Sample: 13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe
Resource: win7-20240508-en
General
Target: 13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe
Size: 5.9MB
MD5: 13bac35cdeae107cd56f33b442b9dc20
SHA1: 45cbae0c14db9b22108645478a3b9f45bc098c0b
SHA256: f29e66ee2be3e0daabe3053d8d54ab2e82c502c9009d4f8beca0be55681efaab
SHA512: 69577f6d8bfe11ad710fc2568942284bac3798777365b0bf8e58dc9580f36882eae3f477f1e85617c9e4c6dfe197921ad1630335668599c77e4fb1837acdac0b
SSDEEP: 98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUr:Q+856utgpPF8u/7r
Malware Config
Extracted: cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
access_type: 512
beacon_type: 256
create_remote_thread: 768
crypto_scheme: 256
host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_method1: GET
http_method2: POST
maxdns: 255
pipe_name: \\%s\pipe\msagent_%x
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
unknown1: 4096
uri: /N4215/adj/amzn.us.sr.aps
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
Signatures
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
Processes: yara rule cobalt_reflective_dll matched all 21 dropped executables under C:\Windows\system: GQzgjbK.exe, oIzCHmN.exe, rfjxxRc.exe, OiDOppc.exe, wNzvhMC.exe, YSWigTx.exe, JgvpQEi.exe, yOOMcAL.exe, moMTPYd.exe, mKiEWlD.exe, JKuvdJs.exe, JvMfNOH.exe, LBVdRdv.exe, HXOgalD.exe, XsMGdOL.exe, dPAuMmU.exe, cyOLuai.exe, nqRYbVm.exe, nXVGyzj.exe, hqWUxrZ.exe, swYuLwA.exe
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
XMRig Miner payload 64 IoCs
Processes: yara rule xmrig matched the 21 dropped executables under C:\Windows\system (GQzgjbK.exe through swYuLwA.exe, as listed under the reflective loader signature) and the memory dumps of the parent process (PID 2580) and of each child process
Executes dropped EXE 21 IoCs
Processes (pid process): 2212 GQzgjbK.exe, 2800 oIzCHmN.exe, 2640 rfjxxRc.exe, 2700 swYuLwA.exe, 2648 hqWUxrZ.exe, 2628 OiDOppc.exe, 1420 nXVGyzj.exe, 2748 wNzvhMC.exe, 2668 nqRYbVm.exe, 2500 cyOLuai.exe, 2560 YSWigTx.exe, 1144 JgvpQEi.exe, 1936 dPAuMmU.exe, 2096 yOOMcAL.exe, 1928 XsMGdOL.exe, 976 moMTPYd.exe, 1844 LBVdRdv.exe, 2720 HXOgalD.exe, 2256 JvMfNOH.exe, 2868 mKiEWlD.exe, 1568 JKuvdJs.exe
Loads dropped DLL 21 IoCs
Processes (pid process): 2580 13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe (21 events)
Processes (yara rule upx): matched the 21 dropped executables under C:\Windows\system (GQzgjbK.exe through swYuLwA.exe, as listed under the reflective loader signature) and the memory dumps of the parent process (PID 2580) and of each child process
Drops file in Windows directory 21 IoCs
Processes: 13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe created the following files under C:\Windows\System\: LBVdRdv.exe, JvMfNOH.exe, dPAuMmU.exe, JKuvdJs.exe, nXVGyzj.exe, cyOLuai.exe, YSWigTx.exe, JgvpQEi.exe, yOOMcAL.exe, moMTPYd.exe, GQzgjbK.exe, oIzCHmN.exe, HXOgalD.exe, hqWUxrZ.exe, OiDOppc.exe, wNzvhMC.exe, nqRYbVm.exe, XsMGdOL.exe, mKiEWlD.exe, rfjxxRc.exe, swYuLwA.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: Token SeLockMemoryPrivilege, PID 2580 13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe (2 events)
Suspicious use of WriteProcessMemory 63 IoCs
Processes: PID 2580 13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe wrote to the memory of each dropped child process, three events per target (target pid process): 2212 GQzgjbK.exe, 2800 oIzCHmN.exe, 2640 rfjxxRc.exe, 2700 swYuLwA.exe, 2648 hqWUxrZ.exe, 2628 OiDOppc.exe, 1420 nXVGyzj.exe, 2748 wNzvhMC.exe, 2668 nqRYbVm.exe, 2500 cyOLuai.exe, 2560 YSWigTx.exe, 1144 JgvpQEi.exe, 1936 dPAuMmU.exe, 2096 yOOMcAL.exe, 976 moMTPYd.exe, 1928 XsMGdOL.exe, 1844 LBVdRdv.exe, 2720 HXOgalD.exe, 2256 JvMfNOH.exe, 2868 mKiEWlD.exe, 1568 JKuvdJs.exe
Processes
C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe (PID 2580)
  command line: "C:\Users\Admin\AppData\Local\Temp\13bac35cdeae107cd56f33b442b9dc20_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  child processes:
    C:\Windows\System\GQzgjbK.exe (PID 2212) - Executes dropped EXE
    C:\Windows\System\oIzCHmN.exe (PID 2800) - Executes dropped EXE
    C:\Windows\System\rfjxxRc.exe (PID 2640) - Executes dropped EXE
    C:\Windows\System\swYuLwA.exe (PID 2700) - Executes dropped EXE
    C:\Windows\System\hqWUxrZ.exe (PID 2648) - Executes dropped EXE
    C:\Windows\System\OiDOppc.exe (PID 2628) - Executes dropped EXE
    C:\Windows\System\nXVGyzj.exe (PID 1420) - Executes dropped EXE
    C:\Windows\System\wNzvhMC.exe (PID 2748) - Executes dropped EXE
    C:\Windows\System\nqRYbVm.exe (PID 2668) - Executes dropped EXE
    C:\Windows\System\cyOLuai.exe (PID 2500) - Executes dropped EXE
    C:\Windows\System\YSWigTx.exe (PID 2560) - Executes dropped EXE
    C:\Windows\System\JgvpQEi.exe (PID 1144) - Executes dropped EXE
    C:\Windows\System\dPAuMmU.exe (PID 1936) - Executes dropped EXE
    C:\Windows\System\yOOMcAL.exe (PID 2096) - Executes dropped EXE
    C:\Windows\System\moMTPYd.exe (PID 976) - Executes dropped EXE
    C:\Windows\System\XsMGdOL.exe (PID 1928) - Executes dropped EXE
    C:\Windows\System\LBVdRdv.exe (PID 1844) - Executes dropped EXE
    C:\Windows\System\HXOgalD.exe (PID 2720) - Executes dropped EXE
    C:\Windows\System\JvMfNOH.exe (PID 2256) - Executes dropped EXE
    C:\Windows\System\mKiEWlD.exe (PID 2868) - Executes dropped EXE
    C:\Windows\System\JKuvdJs.exe (PID 1568) - Executes dropped EXE