Analysis

  • max time kernel
    149s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-06-2024 09:36

General

  • Target

    51179732bc44509651ab7c13b151480926e22a94aaf9da7deb4a515399db3321_NeikiAnalytics.exe

  • Size

    60KB

  • MD5

    730443f70a591776eff905e8d1653990

  • SHA1

    5ba86c737086259edd474afa2452b5d81c3d482f

  • SHA256

    51179732bc44509651ab7c13b151480926e22a94aaf9da7deb4a515399db3321

  • SHA512

    b1db6ad43818e2ece52ded004651064f29e68837d693d797b5fa6e26ba4d36133794e2ec155eef618bc45f3b4ca1708afa399d79e7a425ee7cb5c2dcedefe5e3

  • SSDEEP

    768:vvw9816vhKQLroCQ4/wQxWMZQcpFM1FgDagXP2TyS1tl7lfqvocqcdT3WVd:nEGh0oCQlwWMZQcpmgDagIyS1loL7Wr

Score
8/10

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine (ATT&CK T1547.014). Components are subkeys of HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID}; at each interactive logon Windows compares a component's Version value with the copy under the same path in HKCU and, if the user copy is missing or older, runs the command in the component's StubPath in that user's context. In the process tree below, the original sample and each dropped stage up to the twelfth triggered this signature.

  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
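
A host-side check for this persistence mechanism, added here as an example and not part of the sandbox report: it enumerates the Active Setup Installed Components keys in both registry views and flags StubPath values that look like the dropped files in the process tree. The flag rules, the read_live and audit function names, and the constructed registry entries are this example's own; the report does not show the registry key the sample wrote, so the sample StubPath value is an assumption modelled on the dropped file names.

```python
"""Audit Active Setup 'Installed Components' for persistence stubs.

Added example, not part of the sandbox report. The flag rules are this
example's own heuristics. On Windows (64-bit Python) read_live() enumerates
the real keys; the constructed entries at the bottom let it run anywhere.
"""
import re
from dataclasses import dataclass

# HKLM paths for the native and the 32-bit (WOW6432Node) registry views. A
# 32-bit process writing to HKLM\SOFTWARE\Microsoft\... is redirected to the
# WOW6432Node path, so both views have to be checked.
HKLM_PATHS = {
    "native": r"SOFTWARE\Microsoft\Active Setup\Installed Components",
    "wow64": r"SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components",
}
# HKCU\Software (other than Classes) is not redirected; one path covers both views.
HKCU_PATH = r"SOFTWARE\Microsoft\Active Setup\Installed Components"

# Executable named C:\Windows\{GUID}.exe directly in the Windows root, the
# naming scheme of the dropped stages in the process tree.
GUID_EXE_IN_WINROOT = re.compile(
    r"^\"?[a-z]:\\windows\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe\"?(\s|$)", re.I)
USER_WRITABLE = re.compile(r"\\(users|programdata|temp)\\", re.I)


@dataclass
class Component:
    guid: str
    hive: str         # "HKLM" or "HKCU"
    view: str         # "native" or "wow64" (meaningful for HKLM only)
    stub_path: str = ""
    version: str = ""


def version_tuple(v: str) -> tuple:
    """Active Setup versions are comma-separated integers, e.g. '1,0,0,0'."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[,.]", v.strip() or "0"))


def is_pending(comp: Component, user_copies: dict) -> bool:
    """StubPath runs at next logon when HKCU has no record or an older Version."""
    user = user_copies.get(comp.guid.upper())
    return user is None or version_tuple(comp.version) > version_tuple(user.version)


def audit(components) -> list:
    """Return (guid, view, stub_path, reasons, pending) for suspicious HKLM entries."""
    user_copies = {c.guid.upper(): c for c in components if c.hive == "HKCU"}
    findings = []
    for c in components:
        if c.hive != "HKLM" or not c.stub_path:
            continue
        reasons = []
        if GUID_EXE_IN_WINROOT.match(c.stub_path):
            reasons.append("GUID-named executable directly in the Windows root")
        if USER_WRITABLE.search(c.stub_path):
            reasons.append("StubPath under a user-writable directory")
        if reasons:
            findings.append((c.guid, c.view, c.stub_path, reasons, is_pending(c, user_copies)))
    return findings


def read_live():
    """Windows only: enumerate HKLM (both views) and HKCU into Component records."""
    import winreg
    comps = []
    sources = [("HKLM", winreg.HKEY_LOCAL_MACHINE, view, path) for view, path in HKLM_PATHS.items()]
    sources.append(("HKCU", winreg.HKEY_CURRENT_USER, "native", HKCU_PATH))
    for hive_name, hive, view, path in sources:
        try:
            root = winreg.OpenKey(hive, path)
        except OSError:
            continue
        with root:
            for i in range(winreg.QueryInfoKey(root)[0]):
                guid = winreg.EnumKey(root, i)
                comp = Component(guid, hive_name, view)
                with winreg.OpenKey(root, guid) as k:
                    for value, attr in (("StubPath", "stub_path"), ("Version", "version")):
                        try:
                            setattr(comp, attr, str(winreg.QueryValueEx(k, value)[0]))
                        except OSError:
                            pass
                comps.append(comp)
    return comps


# Constructed entries: a benign-looking component that both hives already
# record, and an HKLM-only entry whose StubPath mirrors the dropped file
# names in the process tree (the report does not show the registry key
# itself, so this value is an assumption).
SAMPLE = [
    Component("{00000000-0000-0000-0000-000000000001}", "HKLM", "native",
              r"C:\Windows\System32\example_setup.exe /user", "1,0,0,0"),
    Component("{00000000-0000-0000-0000-000000000001}", "HKCU", "native", "", "1,0,0,0"),
    Component("{FF8B19C8-B1B4-4eff-AD3C-68C23C3176D5}", "HKLM", "wow64",
              r"C:\Windows\{FF8B19C8-B1B4-4eff-AD3C-68C23C3176D5}.exe", "1,0,0,0"),
]

if __name__ == "__main__":
    import sys
    comps = read_live() if sys.platform == "win32" else SAMPLE
    for guid, view, stub, reasons, pending in audit(comps):
        print(f"{guid} [{view}] {stub}\n  {'; '.join(reasons)}; "
              f"{'runs at next logon' if pending else 'already recorded in HKCU'}")
```

The sample is 32-bit (arch:x86, and its cmd.exe children run from SysWOW64), so any key it writes under HKLM\SOFTWARE\Microsoft\Active Setup lands in the WOW6432Node view; a check that only reads the native view misses it. The pending flag separates a stub that will fire at the next logon from one whose HKCU record already exists.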

Processes

  • C:\Users\Admin\AppData\Local\Temp\51179732bc44509651ab7c13b151480926e22a94aaf9da7deb4a515399db3321_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\51179732bc44509651ab7c13b151480926e22a94aaf9da7deb4a515399db3321_NeikiAnalytics.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3808
    • C:\Windows\{FF8B19C8-B1B4-4eff-AD3C-68C23C3176D5}.exe
      C:\Windows\{FF8B19C8-B1B4-4eff-AD3C-68C23C3176D5}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2804
      • C:\Windows\{DBD20F75-0246-40aa-895F-785357E94661}.exe
        C:\Windows\{DBD20F75-0246-40aa-895F-785357E94661}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4032
        • C:\Windows\{530EEABA-F396-4d94-895C-D2AA3BFEEC33}.exe
          C:\Windows\{530EEABA-F396-4d94-895C-D2AA3BFEEC33}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1092
          • C:\Windows\{CE4C619F-7B69-4ed6-8768-E298CDB67DD1}.exe
            C:\Windows\{CE4C619F-7B69-4ed6-8768-E298CDB67DD1}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3804
            • C:\Windows\{BF2B04AB-469A-4269-A906-5F1A09FEB079}.exe
              C:\Windows\{BF2B04AB-469A-4269-A906-5F1A09FEB079}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3156
              • C:\Windows\{EFAF0F3B-EE85-4b2e-8FB3-1A87F4747D8E}.exe
                C:\Windows\{EFAF0F3B-EE85-4b2e-8FB3-1A87F4747D8E}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2796
                • C:\Windows\{C5AB32A5-C7A3-4db6-A7B5-8CC09261138A}.exe
                  C:\Windows\{C5AB32A5-C7A3-4db6-A7B5-8CC09261138A}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2124
                  • C:\Windows\{79F6F035-3B88-463b-9CF3-3AF701ABFFC8}.exe
                    C:\Windows\{79F6F035-3B88-463b-9CF3-3AF701ABFFC8}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3672
                    • C:\Windows\{17A7AB09-FD95-473f-8A16-A245BF5851BC}.exe
                      C:\Windows\{17A7AB09-FD95-473f-8A16-A245BF5851BC}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1284
                      • C:\Windows\{95BE712E-F6EC-43db-9ED9-32C795DC57A0}.exe
                        C:\Windows\{95BE712E-F6EC-43db-9ED9-32C795DC57A0}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1164
                        • C:\Windows\{E93B9265-FE29-4443-BD91-70F7A124BC83}.exe
                          C:\Windows\{E93B9265-FE29-4443-BD91-70F7A124BC83}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4860
                          • C:\Windows\{E7C9F9E4-CD5A-4dd3-994E-CEE3B049C7B8}.exe
                            C:\Windows\{E7C9F9E4-CD5A-4dd3-994E-CEE3B049C7B8}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:4532
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{E93B9~1.EXE > nul
                            13⤵
                            PID:2512
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c del C:\Windows\{95BE7~1.EXE > nul
                          12⤵
                          PID:4268
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c del C:\Windows\{17A7A~1.EXE > nul
                        11⤵
                        PID:1764
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c del C:\Windows\{79F6F~1.EXE > nul
                      10⤵
                      PID:676
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c del C:\Windows\{C5AB3~1.EXE > nul
                    9⤵
                    PID:4808
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c del C:\Windows\{EFAF0~1.EXE > nul
                  8⤵
                  PID:4112
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c del C:\Windows\{BF2B0~1.EXE > nul
                7⤵
                PID:4748
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Windows\{CE4C6~1.EXE > nul
              6⤵
              PID:4260
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Windows\{530EE~1.EXE > nul
            5⤵
            PID:2284
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\Windows\{DBD20~1.EXE > nul
          4⤵
          PID:1916
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF8B1~1.EXE > nul
        3⤵
        PID:516
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\511797~1.EXE > nul
      2⤵
      PID:3592
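
The chain above expressed as detection logic over process-creation events (Sysmon event 1 or equivalent), added as an example and not part of the report. The event records are constructed from the PIDs, image paths and command lines in the tree, with an explorer.exe launcher and one benign cmd.exe added to show a non-match; the Event class, the rule names and the detect function are this example's own. Two observations drive the rules: each stage runs a GUID-named executable straight from the Windows root, and each stage removes its own image through a child cmd.exe /c del that names the file by its 8.3 short name (the SysWOW64 cmd.exe appears because the sample is 32-bit, so the system32 path in the command line is redirected).

```python
"""Detect the two behaviours visible in the process tree: GUID-named executables
launched from C:\\Windows and self-deletion via 'cmd.exe /c del <8.3 name> > nul'.

Added example, not part of the sandbox report. EVENTS is constructed from the
tree (PIDs, images, command lines); the explorer.exe launcher and the benign
cmd.exe record are invented to show a non-match.
"""
import ntpath
import re
from dataclasses import dataclass

GUID_EXE_IN_WINROOT = re.compile(
    r"^[a-z]:\\windows\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.I)
# cmd.exe /c del <target> > nul, the exact form used in the tree
DEL_TO_NUL = re.compile(r"/c\s+del\s+(?P<target>\S+)\s*>\s*nul\b", re.I)
# 8.3 short name: up to six characters of the long name, ~N, three-character extension
SHORT_NAME = re.compile(r"^(?P<prefix>[^~]{1,6})~\d+(?P<ext>\.[^.]+)?$")


@dataclass(frozen=True)
class Event:
    pid: int
    ppid: int
    image: str
    cmdline: str


def short_name_matches(short: str, long_path: str) -> bool:
    """True if an 8.3 name such as C:\\Windows\\{E93B9~1.EXE plausibly refers to
    long_path: same directory, long name starts with the short prefix, and the
    extension agrees (all case-insensitive)."""
    m = SHORT_NAME.match(ntpath.basename(short))
    if not m:
        return False
    same_dir = ntpath.dirname(short).lower() == ntpath.dirname(long_path).lower()
    base = ntpath.basename(long_path)
    ext = ntpath.splitext(base)[1]
    ext_ok = (m["ext"] or "").lower() == ext[:4].lower()
    return same_dir and base.lower().startswith(m["prefix"].lower()) and ext_ok


def detect(events) -> list:
    """Return (pid, rule, detail) findings over a list of Event records."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if GUID_EXE_IN_WINROOT.match(e.image):
            # depth = number of GUID-named ancestors, i.e. position in the chain
            depth, p = 0, parent
            while p and GUID_EXE_IN_WINROOT.match(p.image):
                depth, p = depth + 1, by_pid.get(p.ppid)
            findings.append((e.pid, "guid_exe_in_windows_root", f"stage depth {depth}"))
        m = DEL_TO_NUL.search(e.cmdline)
        if (m and parent and ntpath.basename(e.image).lower() == "cmd.exe"
                and short_name_matches(m["target"], parent.image)):
            findings.append((e.pid, "parent_self_delete_via_cmd", parent.image))
    return findings


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\51179732bc44509651ab7c13b151480926e22a94aaf9da7deb4a515399db3321_NeikiAnalytics.exe")
STAGE1 = r"C:\Windows\{FF8B19C8-B1B4-4eff-AD3C-68C23C3176D5}.exe"
STAGE2 = r"C:\Windows\{DBD20F75-0246-40aa-895F-785357E94661}.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"   # 32-bit sample, so the WOW64 cmd.exe runs

EVENTS = [
    Event(1000, 4, r"C:\Windows\explorer.exe", "explorer.exe"),          # constructed launcher
    Event(3808, 1000, SAMPLE, f'"{SAMPLE}"'),
    Event(2804, 3808, STAGE1, STAGE1),
    Event(4032, 2804, STAGE2, STAGE2),
    Event(516, 2804, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{FF8B1~1.EXE > nul"),
    Event(3592, 3808, CMD,
          r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\511797~1.EXE > nul"),
    Event(1001, 1000, CMD, r"cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\notes.txt > nul"),  # benign
]

if __name__ == "__main__":
    for pid, rule, detail in detect(EVENTS):
        print(f"PID {pid}: {rule} ({detail})")
```

The self-deletion rule keys on the relationship between the cmd.exe command line and the parent's own image rather than on "del ... > nul" alone, which keeps ordinary cleanup commands out of the results; the benign record above is not reported. Only the first three GUID stages are included in the constructed events, but the rules apply unchanged to the full thirteen-level tree.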

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\{17A7AB09-FD95-473f-8A16-A245BF5851BC}.exe
    Filesize: 60KB
    MD5: 9af2cea11b665fc6ff480c7b49d8d5db
    SHA1: 33ff49f2c5b7b1e09b77893e8d588426f0112019
    SHA256: 1c7b56eb2ca72c45d82389a71e2319915b4a798503678d32b73c01e11c9c2d1e
    SHA512: 438fed7c165f31eb2c1db2bbfaae6e148908c31c3b85010dc0154f91f2b89f05c686c6c86bfc40b7487e28dc7fa62fdd07cdc8be34f5df232135b48295a91553

  • C:\Windows\{530EEABA-F396-4d94-895C-D2AA3BFEEC33}.exe
    Filesize: 60KB
    MD5: c6457d288630d480d8d85d4e457b0a8b
    SHA1: 6d1fd3e520dfa9c19d7952ccd7315880ba81cf4d
    SHA256: 2a0ff76b5d8f27de284008c602c82373440be1fde91d0c77342356e9aa38f9bc
    SHA512: 10ced1506abec8ef10bad8d524bc3b86c256af1c470b69b599acc345701292ee02740b37fd0d2907a2a35438de5e8056e1659dacdf228b160169bb4bf12ab0c7

  • C:\Windows\{79F6F035-3B88-463b-9CF3-3AF701ABFFC8}.exe
    Filesize: 60KB
    MD5: 9b86d2658856b8e23be02dc0ac06a7c6
    SHA1: 3ce5255d02b4c28316964790fce059fd53afe292
    SHA256: 9ebec81d1714c08633cc15cf4a25621fb10d4bff86857a496e3e6805973668fc
    SHA512: 783fa6f4a75b6ca58756e874236ce48a619aeb0ac1f3fb052b670d10ad0ae7b431c853f5949aafdc582a0870311b4cf2f154118af595cb57b33bcc7b67053d86

  • C:\Windows\{95BE712E-F6EC-43db-9ED9-32C795DC57A0}.exe
    Filesize: 60KB
    MD5: f8f092f59df275773b6d0da6025a01bb
    SHA1: 2159f121900734f35930c34093ab0ba023466baa
    SHA256: 89b6e3ae2996a816c01cf96f8bcce30699faad183f59e747267d19536a5b7bc5
    SHA512: 145223d91b025a99925570f63887a7c564e07615250cc4203820144b9f3275d638da14bd47dfaf22f92b583ea580a80738937dcf6fe91051011ee9cf6447fc7e

  • C:\Windows\{BF2B04AB-469A-4269-A906-5F1A09FEB079}.exe
    Filesize: 60KB
    MD5: 4a3522b7d8398ff83bdc6cadab46a700
    SHA1: a49f24baf6f66916d9e6bad29c56ff403f4e79f2
    SHA256: d4581178ab1f8439c4f1c5aa2c780815287737a1508d3106087e7decd1b827ed
    SHA512: 1fec7bcddf5303d34da91f31fb9a73ab3779f826362625400b172a3a51772d9d046a09d1fa0aab2934a706cda88eedeef6159bba243aff2c4cb421aa91e95a4e

  • C:\Windows\{C5AB32A5-C7A3-4db6-A7B5-8CC09261138A}.exe
    Filesize: 60KB
    MD5: bdca36c9929c2e6657f7b0203b233cda
    SHA1: 28b2e9771ba751fc94bbf0a7eeb35ebb67c87da8
    SHA256: 865822c54692331f725153ecf40997a924fd9d75348a2de45e30c02370f69978
    SHA512: f200e702525d363e43ffb6542ea3299edeb8c30d62da7fadbff0ac44a8f3f15eb1bdadb92a950e749e1d2f3190528b1423601b911f708fac53245765c2fc21b4

  • C:\Windows\{CE4C619F-7B69-4ed6-8768-E298CDB67DD1}.exe
    Filesize: 60KB
    MD5: 420d558fbbbcf7ab592dffddced21965
    SHA1: 0227ee1f7c6d97757976408ce2aa974145ba7a1b
    SHA256: 841763ba4b6820f5636fbc013bafe3c3376e12c5577f92652840bd029fcd702d
    SHA512: aef2e13bfe02c96d2e419cf57f08b13050ff023a076f70c91fe379d48672822ddeb6994c78ed282d19679cef9cffdda003500b2afe70c32be18fdf31633468a1

  • C:\Windows\{DBD20F75-0246-40aa-895F-785357E94661}.exe
    Filesize: 60KB
    MD5: aa68186ac62a358691bcb9df757f34a4
    SHA1: 18746f276a38887361c49cdc8660709f03026c30
    SHA256: 0973db7d0b89f16f3c0f158d4dfa12263d9ad7bac1a59c656580e229558f586d
    SHA512: 1ba6da1885795a4bfa1d48a031e6baff1ac937cf72f0faea6c2e63bc81b3f3658b36bad37be895c5255328d94673fa2232fec1f5372362e35c04cf741c162c82

  • C:\Windows\{E7C9F9E4-CD5A-4dd3-994E-CEE3B049C7B8}.exe
    Filesize: 60KB
    MD5: aebe7847748d1f821cbdfa84058c812d
    SHA1: 5eaf837073d093c11f70e3fbc71626f14ca035a3
    SHA256: db41191ff63e9790e468793ef04d30bf4af53acf251eedf022265150269aa1eb
    SHA512: 417dadd0ad6811829f81ca80e1c1d313f3f7f953a83077a66e453835070d97122cfcfa4b8c8173a8787fe9b23e88d9fb549a229f55e578c48359ba93c89c20e6

  • C:\Windows\{E93B9265-FE29-4443-BD91-70F7A124BC83}.exe
    Filesize: 60KB
    MD5: 231d524738722629f6fa233b3990effb
    SHA1: 69fcb46516766b0c72dc420a6f59a95911fb9220
    SHA256: 96247a2b9e438736dfa6830ee801ead8d8c511f48b16af4f1816200448a5a5f3
    SHA512: fd8597798438aaead666ba2c09ee859b447a692bb02772ff9cc69c53e6bb731a91cab6cdb78f9e3b5c9033423c1876c1c3bf1202e51a1f65e406664443ce6bf7

  • C:\Windows\{EFAF0F3B-EE85-4b2e-8FB3-1A87F4747D8E}.exe
    Filesize: 60KB
    MD5: 810f315e307e0935a6de12ab298b9013
    SHA1: 6a473f6f883f8eacd874dd9937ed0f5bf9b5839e
    SHA256: 73e37c5271d44864f73217d92eb4ec1bd5894085e9da5f7556ffa4d335a020e2
    SHA512: cccdcaa5e96557b1ea7946a60c59fb4213765f07921b69c578cc858c65c152d1eacda017a02a1c8aed4badf518d552c7035d366b04c3edf308b89b7bc5852e2e

  • C:\Windows\{FF8B19C8-B1B4-4eff-AD3C-68C23C3176D5}.exe
    Filesize: 60KB
    MD5: c798a30dd235191447288652675b233c
    SHA1: 4b3c49e284f4d68a3faef1eae8d4366661a9744d
    SHA256: cade34794bafd899ca5802d7418384ad20b2e4b44ff8af4244030594fdfc067e
    SHA512: bcc7675709be81df11c64b24cef6ccffd8c3b00e404c5fb0110f45c1e1c16dada4c776d04e2869e1f4b862c890912028652c156b36d77a1baf97e86fb5f3d1f6