Analysis
-
max time kernel
149s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
25/06/2024, 08:51
General
-
Target
49ff9d53a798c36bdc34c13bab7ef793febe7336626653b2e4adf8eacfe550a1_NeikiAnalytics.exe
-
Size
90KB
-
MD5
6f37a87b612fc6a8f99d71525dcc4510
-
SHA1
e1e2bc68d468f04e9d145ccbb410733c3ecc5ca1
-
SHA256
49ff9d53a798c36bdc34c13bab7ef793febe7336626653b2e4adf8eacfe550a1
-
SHA512
21f2e2f6be267055789c0d1b67e5a8214911babdd5e7ecc2c01911b1ec0c873a708f1983659dffe9da9b34775dd0e58c5b2e1bb8f3d6a54ccb12b7a907cf1233
-
SSDEEP
768:Qvw9816vhKQLro34/wQRNrfrunMxVFA3b7glw:YEGh0o3l2unMxVS3Hg
Malware Config
Signatures
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Executes dropped EXE 12 IoCs
-
Drops file in Windows directory 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\49ff9d53a798c36bdc34c13bab7ef793febe7336626653b2e4adf8eacfe550a1_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\49ff9d53a798c36bdc34c13bab7ef793febe7336626653b2e4adf8eacfe550a1_NeikiAnalytics.exe"1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{E79C0345-BB50-49e7-AF34-435A602D4285}.exeC:\Windows\{E79C0345-BB50-49e7-AF34-435A602D4285}.exe2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{B37434B3-E5B1-46f6-ABAC-CF198B8AB607}.exeC:\Windows\{B37434B3-E5B1-46f6-ABAC-CF198B8AB607}.exe3⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{1B0CB99A-4056-4a5d-A9FB-E900F2C0E286}.exeC:\Windows\{1B0CB99A-4056-4a5d-A9FB-E900F2C0E286}.exe4⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{B5B22E4C-0BA7-4d42-A3E2-BE39C7F3CDD0}.exeC:\Windows\{B5B22E4C-0BA7-4d42-A3E2-BE39C7F3CDD0}.exe5⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{45ABC542-56E1-4a29-A05C-1C4CC957BA8C}.exeC:\Windows\{45ABC542-56E1-4a29-A05C-1C4CC957BA8C}.exe6⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{B32A5480-AD40-4bb2-9A78-BC8C0ACB1FCC}.exeC:\Windows\{B32A5480-AD40-4bb2-9A78-BC8C0ACB1FCC}.exe7⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{88F7FEF1-88C0-4ab3-9BB7-9D35BED3E34D}.exeC:\Windows\{88F7FEF1-88C0-4ab3-9BB7-9D35BED3E34D}.exe8⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{0F35641D-E48A-4c63-ABDC-B0CA45266CE4}.exeC:\Windows\{0F35641D-E48A-4c63-ABDC-B0CA45266CE4}.exe9⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{102DD81A-D92E-45e6-AEB8-50D731F30EDE}.exeC:\Windows\{102DD81A-D92E-45e6-AEB8-50D731F30EDE}.exe10⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{34CE1BA8-8A94-4f33-BF20-F083BC032F7A}.exeC:\Windows\{34CE1BA8-8A94-4f33-BF20-F083BC032F7A}.exe11⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{9F1E34EF-E274-46bd-BA01-27D5682C004A}.exeC:\Windows\{9F1E34EF-E274-46bd-BA01-27D5682C004A}.exe12⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{04C10465-E419-4637-8A0F-433D5197868B}.exeC:\Windows\{04C10465-E419-4637-8A0F-433D5197868B}.exe13⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{9F1E3~1.EXE > nul13⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{34CE1~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{102DD~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{0F356~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{88F7F~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{B32A5~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{45ABC~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{B5B22~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{1B0CB~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{B3743~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{E79C0~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\49FF9D~1.EXE > nul2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
90KB
MD5fb4fa9c37f00b8b2edc68453a816630f
SHA1de38730a8d4ddad83694311f2cc5c647e7dcf9e8
SHA25624c6a9b9bbabcd1889bf8687b7301b4582824b157c4d2c46df36339539344e66
SHA512a0e74892efade67caf0b8d96bf93c052b7ad9553c2dee6527ddebd840eded59515b904ef5f6cfdbf905d31784b839dc99bb01ec63cda4cad3b3190567c90dd3e
-
Filesize
90KB
MD56a4766c608bb8f19b727f9a633cc7477
SHA12d840ec4c46469f6c43ebaf93e00b57d40a3cc7b
SHA25610f9a39ab84753cf81ec3f719a5b5d49adb9eed375747f22f678e8443108ad85
SHA51294e19fe58d30f7f792cc20cb46199bf0be468723e7bffd4b3acac835e437b160d2f50b93b6f050fd3aa9a1dbfa979d8082a2f7779a2b8f72a858e9417730d453
-
Filesize
90KB
MD548312ce2c4aa544819e0dfa56bef3c40
SHA146d66d9df683a74da61648bb826f43d8491965b6
SHA256649dbe7d1c553cc489aa5ee92e638c11a11abf45679e1bfdcf9dde7bc728888a
SHA5120839335c90db932485879f9bab06c0d25c04ed466812a581bb7ada4730a45371ec53c67a44ce4ab7945534caf52700d13a9b386de482de6df37851a517893026
-
Filesize
90KB
MD5a08d9e7a0cff0e2b5f38582dca84511b
SHA18d21456b10e093aff1e0f170a8f03acbde6a0662
SHA25664b4a9137d16ecac5d178c456f136e9cd1c230d18a5aac6c4cc02df02bbf6ff6
SHA512f96d585657dabe9503e1fd216d0681ccee3cef581093ba78e361cfa38b4c92033bb51be3a00d3a8345703f1d3670d1465c270da8149479abb5248a40427f695a
-
Filesize
90KB
MD51d24567b56c45328fbf00f05a3d66988
SHA19e52ce0e06e7b788e2602d6b4ca070043cdf2ceb
SHA2560e178d4ea65e0326b991a094b5bd059577aec4d64d195910aff89f3dbdd14e8d
SHA512384ef86a8dc7af769dbd96e6c2ba0d55d221b17cc82af21a9cf6d63aceee7526c039f4ce90637727710c70883b6bd31d9e5f9a817f53283de4779e94c6b3cd7d
-
Filesize
90KB
MD53773afd0ee224e03356c27aad87cd504
SHA1949641ff1b119f6d0a33ed7c8461416514b6bd97
SHA256766159344754a16c6f291f919eb02d06b92a4880cde291d4c0a7b30f0e4be644
SHA512ef4a9a89b64c5a428e60bfdf9606f0e528d8b49347f20c28ac5524a52def2c2bd97020c60429f43f9759d88b1389d23d6962e3241c96db2fbea12fd7973d71cc
-
Filesize
90KB
MD58268941b74c79e1f1b0cdd0da9b3a45c
SHA16186431d7ad26fb96f044dbb3e4580fb5941eb84
SHA256cfaa8f6201ebc5e35460c4966fdf7168e556585e66fd3c4edeb3aa0875b05a9e
SHA512e3e7ad80913e4a5f6534deec6bb0fb73a4747e94b0cc3ea10992696311ef824115bf6333b3bc4c71e264aac4b494e3d19429648d5c9ee6af94b7a2a6f39dc33a
-
Filesize
90KB
MD588f45ad02a156710c6be046f674c3c3f
SHA1b569adb4b007d0054ec08186f96257a6630754db
SHA25634b4790e66d5a79a397ae63bfb27a8af33fccaa881ad10a1b371a24603e34bd3
SHA51208107ecf046bc68ee1d159f908e81491a3aec170658cd10cbbceeb69b6aa6a2cf5a6ac3ca90a57c6b0578e4b414115fab60110159a41546f876ba40a557b181b
-
Filesize
90KB
MD5fc0fceacb7cbb72570d286a1799af320
SHA137af6d2cf065638a70320cc3fa33443ebcdc9dc9
SHA2566519a5bdf0fdb2dc8610fba9e749bab8ef649bba7409b23de8bd0b28881245fe
SHA5129545c39fc613ee0820c01d0274b8f1d48905d4353c1d5971f1e7c75bc844dfba454206f6d00d2454794e582cee7b8179cd023816f54b79971fe1410f647c19ba
-
Filesize
90KB
MD5ae84dbc94f7ef52a126905e2988a4bc9
SHA1210f2aa81f231b7cfbe0d7c962caab45850ab938
SHA25601d265407a667cce3926016261eaf95979a47db9ae146c7ad654dfde79ef790b
SHA512aa3d17b2ff3e42c501f28bde285de883d817d099f3d134a71369cff1225b619f4bb23b7869370e15a269986be02586084031449d29ca74e468f1687cb860ffbc
-
Filesize
90KB
MD53a3737f125da7479be1c7ade23aa3bb8
SHA17446f3305bbd48328bcea239ed939592f93aa3e2
SHA2567240f2dc6e82118803e876fba9fe50bad3250fbb3c8475feb748b7cdd2ffb272
SHA5127db37890f31d7622427192c602b73968ae1f727b0093e54db61e0bd61e4dd61e1724040a1c57d5b2de9c95bdb1993d4fa6c58e125e635915bf6489795b3ba9bb
-
Filesize
90KB
MD5253d486a170e581fdadd236a89824c69
SHA176efffaf3158d1330184ec4a2253451ff2997cfc
SHA256d498c8541256417fe0249b480654417ebfd0a94d24b5f3656545bad151610fe9
SHA512208fac05f745e7a1a39eabb095b6451f94d68cc5c8a914154747d56446b2fdfcd3b70d9074a0f90fc2bf19e8e856ae628c2bb6acfb27b91674b2158a1cdd30fe