Overview

overview

8

Static

static

3

4e45fe95f4...cs.exe

windows7-x64

8

4e45fe95f4...cs.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    144s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    20/06/2024, 09:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4e45fe95f4de42f7035c05f1f988f84b84079126ad427a78e8bf6782ddb499d4_NeikiAnalytics.exe

  • Size

    116KB

  • MD5

    fae3794fb88bc70ae89e006fe8b45270

  • SHA1

    bdbfefaa7fafb37e9c3c39fec111c0ff18871a99

  • SHA256

    4e45fe95f4de42f7035c05f1f988f84b84079126ad427a78e8bf6782ddb499d4

  • SHA512

    86fb10a27a3022ab194e05db35cb19d74af26af3a8ca76cba3c518dc0726e8a82d11a09af6e43a2d67a888f4e5e69ca8243beefc7873b5ac439b061af6c2a473

  • SSDEEP

    768:Qvw9816vhKQLrou4/wQRNrfrunMxVFA3b7glwRjMlfwGxEI5nWAwxt6sDntNiLJN:YEGh0oul2unMxVS3HgdoKjhLJhL

Score
8/10
persistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Drops file in Windows directory 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4e45fe95f4de42f7035c05f1f988f84b84079126ad427a78e8bf6782ddb499d4_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\4e45fe95f4de42f7035c05f1f988f84b84079126ad427a78e8bf6782ddb499d4_NeikiAnalytics.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2208
    • C:\Windows\{1D1CC657-CA06-4236-BD4D-C4F8EA9FB11A}.exe
      C:\Windows\{1D1CC657-CA06-4236-BD4D-C4F8EA9FB11A}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2184
      • C:\Windows\{141013D2-FE38-435e-98A8-8D6F9D45539A}.exe
        C:\Windows\{141013D2-FE38-435e-98A8-8D6F9D45539A}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2712
        • C:\Windows\{B64533F8-CC80-4ff1-9486-57C7367CE572}.exe
          C:\Windows\{B64533F8-CC80-4ff1-9486-57C7367CE572}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2704
          • C:\Windows\{E657BB03-48A9-4351-A3DA-4EB5B301E59C}.exe
            C:\Windows\{E657BB03-48A9-4351-A3DA-4EB5B301E59C}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3064
            • C:\Windows\{C4F88F33-5011-41b7-9854-687FE814ED57}.exe
              C:\Windows\{C4F88F33-5011-41b7-9854-687FE814ED57}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2940
              • C:\Windows\{02EF0BE8-A622-4b07-8605-DA841B5C393F}.exe
                C:\Windows\{02EF0BE8-A622-4b07-8605-DA841B5C393F}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:620
                • C:\Windows\{F9F786F7-C330-4d7a-8E88-EAF33F4D3300}.exe
                  C:\Windows\{F9F786F7-C330-4d7a-8E88-EAF33F4D3300}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1244
                  • C:\Windows\{BB8CEB5D-E903-43e5-9CE3-F08DC93C68AA}.exe
                    C:\Windows\{BB8CEB5D-E903-43e5-9CE3-F08DC93C68AA}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2796
                    • C:\Windows\{ED39B6A6-86F2-4d5d-98E0-F9229D855BC4}.exe
                      C:\Windows\{ED39B6A6-86F2-4d5d-98E0-F9229D855BC4}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2060
                      • C:\Windows\{CC73E47D-6A93-45b8-8B91-F7048856E3AF}.exe
                        C:\Windows\{CC73E47D-6A93-45b8-8B91-F7048856E3AF}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2476
                        • C:\Windows\{0E690B34-A9E4-4d2a-B396-8FCBF4B5E176}.exe
                          C:\Windows\{0E690B34-A9E4-4d2a-B396-8FCBF4B5E176}.exe
                          12⤵
                          • Executes dropped EXE
                          PID:1124
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{CC73E~1.EXE > nul
                          12⤵
                            PID:944
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{ED39B~1.EXE > nul
                          11⤵
                            PID:2008
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{BB8CE~1.EXE > nul
                          10⤵
                            PID:2072
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{F9F78~1.EXE > nul
                          9⤵
                            PID:1952
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{02EF0~1.EXE > nul
                          8⤵
                            PID:2756
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{C4F88~1.EXE > nul
                          7⤵
                            PID:1920
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{E657B~1.EXE > nul
                          6⤵
                            PID:2984
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{B6453~1.EXE > nul
                          5⤵
                            PID:568
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{14101~1.EXE > nul
                          4⤵
                            PID:2840
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{1D1CC~1.EXE > nul
                          3⤵
                            PID:2684
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\4E45FE~1.EXE > nul
                          2⤵
                          • Deletes itself
                          PID:1504

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Windows\{02EF0BE8-A622-4b07-8605-DA841B5C393F}.exe
                        Filesize

                        116KB

                        MD5

                        2673287daa14c44a69c55d61c5faa83e

                        SHA1

                        f42a70f8a02123feed03db36542974a1c5f26639

                        SHA256

                        c8ad7aeb39ca5b990cdc1dabb530470fa7ea24c4d809d0787a86ffe2d43561ea

                        SHA512

                        f04f55bf474d37bfbf3c87a88710315f584ba0f17877979d49c74835bb9f107ee5e90627420806f39b378065780b47a5e25643623cc12dce6b7c7a9b209db5d5

                        Download Submit

                      • C:\Windows\{0E690B34-A9E4-4d2a-B396-8FCBF4B5E176}.exe
                        Filesize

                        116KB

                        MD5

                        75061d6c68034b35e1d33eab7f007c83

                        SHA1

                        b99e54ef98230fff19097f6fd8bca71d4f405548

                        SHA256

                        dc47018402626dbc24720fd7bf11823135e228d621d9dcc2198b26a8033646c4

                        SHA512

                        7b4d90056d6a2ae2948e0ef86eeedb3396eaaf744abfb144779522f4fc126135f2ae70db980be129381d704b91addce8fb658cec85cfc5b353320461100e8f10

                        Download Submit

                      • C:\Windows\{141013D2-FE38-435e-98A8-8D6F9D45539A}.exe
                        Filesize

                        116KB

                        MD5

                        766adfd92f0c1b4bc1a8c2db54e57806

                        SHA1

                        e5d93c0222e4e1861512c0a983c975978f81bf34

                        SHA256

                        93da756022e3dd0632dd809caf1a850e77560921abe2e29fff437179d2c9eef9

                        SHA512

                        44b5631f503598bde322c659713cbd5820b59aa26ab9b8964a3d86d4e4d3b435816bcc4dc4b9aa4cc243345d2005c711934862733996603fb6cbbb460e14c9ef

                        Download Submit

                      • C:\Windows\{1D1CC657-CA06-4236-BD4D-C4F8EA9FB11A}.exe
                        Filesize

                        116KB

                        MD5

                        d9206aa6781a4bec951f9132d6eff17b

                        SHA1

                        e0536921e3ab4a9b7f91f2475867ca201a9fc5c9

                        SHA256

                        c5449447a4d71c5c6f9a4ed4a15bb52c200160d11e64831a12fd4b83731e329b

                        SHA512

                        ecbf0def5b6ba066061413d686e648049c2d3f34f2881cfb356736c599ba6879350e98202f1a626d99a9fa7f78ba2a0ce41a9f3787614280ea6e527f46233de2

                        Download Submit

                      • C:\Windows\{B64533F8-CC80-4ff1-9486-57C7367CE572}.exe
                        Filesize

                        116KB

                        MD5

                        e20c8487a0152b3ee40bd585548c6a9f

                        SHA1

                        ceb578b1585fa1e47f689369548892867ce10dd7

                        SHA256

                        3805f47b2352205b2a7a2dcf412d1c18475da83f958ac553ac22adc080058cab

                        SHA512

                        5d6b2acc6177120d8107992abcf020ca4c3cc3d830e788ecc8d7525354802052871d5d62c5ab9ae3b5e38465f045ff84ed58ae7dd4606dba7c64ecd81dce6b0c

                        Download Submit

                      • C:\Windows\{BB8CEB5D-E903-43e5-9CE3-F08DC93C68AA}.exe
                        Filesize

                        116KB

                        MD5

                        2b462b50fbaa05abf9d1360a14beccb9

                        SHA1

                        399afed4f6d7d70317d0e1a395abdd45aaa86b98

                        SHA256

                        0d285bb5be17fd484957ff454ceba07e85047b2c9884acb5d3d6aea59c779246

                        SHA512

                        9a07cbb52b6bf6391f1e6eb376a514d70c3c25ee3bd5f14077359299563ceb5e2ebc24ffa9c86cacd952b9bb682250b34fcaf4b419462088c12f273c977004bb

                        Download Submit

                      • C:\Windows\{C4F88F33-5011-41b7-9854-687FE814ED57}.exe
                        Filesize

                        116KB

                        MD5

                        da4a25d6f48381b979a064f8ebeb0874

                        SHA1

                        92b18b2fedf526de78d520e90c116c1afcb402bc

                        SHA256

                        b8d623c4a7310120fc4429fa27996c3c8fcb3b08ad155810eaa4116862fea5fb

                        SHA512

                        aab53d6abe817b465b3691dc0fc8a29cac160c76d764c8637247848ac0f975200e3e8defdc7fc9508e0efb4044af147b7e77480a3644f4cf751f88843b765262

                        Download Submit

                      • C:\Windows\{CC73E47D-6A93-45b8-8B91-F7048856E3AF}.exe
                        Filesize

                        116KB

                        MD5

                        ea642e35ff00514edb57616352359e73

                        SHA1

                        293a0299edbed2c750fb7e44160ea05cd4a8e154

                        SHA256

                        5e080e3422c8eaf4ece4f3b7cfe352a63d36112edbd0a778ee4d107d1d5844ab

                        SHA512

                        c01339a18134a7c3e56056d4b5d803918a89973f5d0b517b887a740b7fce5ba34dc68b6f41189454ee15f8d1749a0561f343a58df92c462f8507c7fb2727cfbe

                        Download Submit

                      • C:\Windows\{E657BB03-48A9-4351-A3DA-4EB5B301E59C}.exe
                        Filesize

                        116KB

                        MD5

                        154f8f819972dd83adb102dc5a010360

                        SHA1

                        cf686278095ae922ea20bbfdc4852098b899e29a

                        SHA256

                        1f2938da7e5e8381d31f53a1a2e1ca6d4bb67531645884a354aaeae9d550f9a2

                        SHA512

                        0fffd3337cdbffb5cec05d7731ae0c34f655cfc644c4efebc13bfeb5d2a4419d035bd3a17aa68a377047b13ee5846168edb9190edb42b3efaf55042595c0bf26

                        Download Submit

                      • C:\Windows\{ED39B6A6-86F2-4d5d-98E0-F9229D855BC4}.exe
                        Filesize

                        116KB

                        MD5

                        63983c3626f4d07d528f91ec6f5a3b0c

                        SHA1

                        9658ddb6b160de38127afdc0b43b964ad0994b1e

                        SHA256

                        27030e50d32bf18946f569a8b44bfa94359d55c869fdeaf68687326c1d8b88e3

                        SHA512

                        e0c140255e697a57a787c85a04eca4ed3efc2ec757c06798a5b5240dc9fb2dae6180c95ce3184b25f96ecb89dccb402b3ea946a8cf5b2e00e7db57976b915b00

                        Download Submit

                      • C:\Windows\{F9F786F7-C330-4d7a-8E88-EAF33F4D3300}.exe
                        Filesize

                        116KB

                        MD5

                        7a264f5423dc55d701c5fc71b14f5a25

                        SHA1

                        c98583d3464dcf422331db23f56634bca4db22eb

                        SHA256

                        a8760aa6c43fdf89a38686a42a26e2f8ee43ff435c95623be300aab1204eb649

                        SHA512

                        791256d1fe496d7296665b7b7456cd7e136653dabc68a5d8e8052643041f5c730c055c0f976579bb745876c0faf0d89c843ebe0aeda3a4e750a2b701278731f3

                        Download Submit