7d3177d8ac87854a965451872ab5b5d06e7b2dcca17b2d26519049e0474a8dc7

Analysis

max time kernel
149s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29/06/2024, 07:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d3177d8ac87854a965451872ab5b5d06e7b2dcca17b2d26519049e0474a8dc7_NeikiAnalytics.exe
Size

88KB
MD5

67138b2b2b5b99318d379d66f98061f0
SHA1

3a978978dd8f9c4fdc069a23bacc2725e6256a1a
SHA256

7d3177d8ac87854a965451872ab5b5d06e7b2dcca17b2d26519049e0474a8dc7
SHA512

593d9bb66d23f7ee00dfaba09ddb3fd09fd65364dbfaec672783d1d74e5dccc3db6617e4e33a06466a51119e7e063e0ff8204add1839cb2ca51fb0e76232f709
SSDEEP

768:uvw981E9hKQLrow4/wQDNrfrunMxVFA3r:aEGJ0owlYunMxVS3r

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8AB64DBE-0FF1-481a-BC59-AA23AF5A30E8}	{FC710F61-AFE5-4430-9A60-D31A000C4C4D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF18CD73-9D97-45c4-BFAE-D7C07F3C6C37}\stubpath = "C:\\Windows\\{DF18CD73-9D97-45c4-BFAE-D7C07F3C6C37}.exe"	{5E537DC3-DCCB-48a6-85B1-D542FB9B6048}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1A865C5-536E-474d-BB93-8184D373BFE9}\stubpath = "C:\\Windows\\{F1A865C5-536E-474d-BB93-8184D373BFE9}.exe"	{7E06AF0B-FC41-4424-B57C-1FAB2A7DFFE2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3AD9BDBA-A116-46d3-92A9-0CEB025B57BE}\stubpath = "C:\\Windows\\{3AD9BDBA-A116-46d3-92A9-0CEB025B57BE}.exe"	{C8396E4F-89FF-44e0-9746-FB56F37E35D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8AB64DBE-0FF1-481a-BC59-AA23AF5A30E8}\stubpath = "C:\\Windows\\{8AB64DBE-0FF1-481a-BC59-AA23AF5A30E8}.exe"	{FC710F61-AFE5-4430-9A60-D31A000C4C4D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF18CD73-9D97-45c4-BFAE-D7C07F3C6C37}	{5E537DC3-DCCB-48a6-85B1-D542FB9B6048}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8396E4F-89FF-44e0-9746-FB56F37E35D4}\stubpath = "C:\\Windows\\{C8396E4F-89FF-44e0-9746-FB56F37E35D4}.exe"	{2FE19919-AD39-4f4f-B7F4-CEA3CD7FDBFB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3AD9BDBA-A116-46d3-92A9-0CEB025B57BE}	{C8396E4F-89FF-44e0-9746-FB56F37E35D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F041CB2-DF84-4916-9B9C-22460538FA7E}\stubpath = "C:\\Windows\\{7F041CB2-DF84-4916-9B9C-22460538FA7E}.exe"	{3AD9BDBA-A116-46d3-92A9-0CEB025B57BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E537DC3-DCCB-48a6-85B1-D542FB9B6048}\stubpath = "C:\\Windows\\{5E537DC3-DCCB-48a6-85B1-D542FB9B6048}.exe"	{8AB64DBE-0FF1-481a-BC59-AA23AF5A30E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E06AF0B-FC41-4424-B57C-1FAB2A7DFFE2}	{9C811A5E-FF79-484e-BCA8-72F3D99FDF12}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1A865C5-536E-474d-BB93-8184D373BFE9}	{7E06AF0B-FC41-4424-B57C-1FAB2A7DFFE2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FE19919-AD39-4f4f-B7F4-CEA3CD7FDBFB}\stubpath = "C:\\Windows\\{2FE19919-AD39-4f4f-B7F4-CEA3CD7FDBFB}.exe"	{F1A865C5-536E-474d-BB93-8184D373BFE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F041CB2-DF84-4916-9B9C-22460538FA7E}	{3AD9BDBA-A116-46d3-92A9-0CEB025B57BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E06AF0B-FC41-4424-B57C-1FAB2A7DFFE2}\stubpath = "C:\\Windows\\{7E06AF0B-FC41-4424-B57C-1FAB2A7DFFE2}.exe"	{9C811A5E-FF79-484e-BCA8-72F3D99FDF12}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC710F61-AFE5-4430-9A60-D31A000C4C4D}	7d3177d8ac87854a965451872ab5b5d06e7b2dcca17b2d26519049e0474a8dc7_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC710F61-AFE5-4430-9A60-D31A000C4C4D}\stubpath = "C:\\Windows\\{FC710F61-AFE5-4430-9A60-D31A000C4C4D}.exe"	7d3177d8ac87854a965451872ab5b5d06e7b2dcca17b2d26519049e0474a8dc7_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E537DC3-DCCB-48a6-85B1-D542FB9B6048}	{8AB64DBE-0FF1-481a-BC59-AA23AF5A30E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A0EC794-8089-4cea-A69E-08EE6E770A32}	{DF18CD73-9D97-45c4-BFAE-D7C07F3C6C37}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A0EC794-8089-4cea-A69E-08EE6E770A32}\stubpath = "C:\\Windows\\{1A0EC794-8089-4cea-A69E-08EE6E770A32}.exe"	{DF18CD73-9D97-45c4-BFAE-D7C07F3C6C37}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C811A5E-FF79-484e-BCA8-72F3D99FDF12}	{1A0EC794-8089-4cea-A69E-08EE6E770A32}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C811A5E-FF79-484e-BCA8-72F3D99FDF12}\stubpath = "C:\\Windows\\{9C811A5E-FF79-484e-BCA8-72F3D99FDF12}.exe"	{1A0EC794-8089-4cea-A69E-08EE6E770A32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FE19919-AD39-4f4f-B7F4-CEA3CD7FDBFB}	{F1A865C5-536E-474d-BB93-8184D373BFE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8396E4F-89FF-44e0-9746-FB56F37E35D4}	{2FE19919-AD39-4f4f-B7F4-CEA3CD7FDBFB}.exe

Executes dropped EXE 12 IoCs

pid	Process
1904	{FC710F61-AFE5-4430-9A60-D31A000C4C4D}.exe
1924	{8AB64DBE-0FF1-481a-BC59-AA23AF5A30E8}.exe
2704	{5E537DC3-DCCB-48a6-85B1-D542FB9B6048}.exe
4584	{DF18CD73-9D97-45c4-BFAE-D7C07F3C6C37}.exe
4324	{1A0EC794-8089-4cea-A69E-08EE6E770A32}.exe
5012	{9C811A5E-FF79-484e-BCA8-72F3D99FDF12}.exe
4568	{7E06AF0B-FC41-4424-B57C-1FAB2A7DFFE2}.exe
1856	{F1A865C5-536E-474d-BB93-8184D373BFE9}.exe
2344	{2FE19919-AD39-4f4f-B7F4-CEA3CD7FDBFB}.exe
4184	{C8396E4F-89FF-44e0-9746-FB56F37E35D4}.exe
4540	{3AD9BDBA-A116-46d3-92A9-0CEB025B57BE}.exe
4220	{7F041CB2-DF84-4916-9B9C-22460538FA7E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{5E537DC3-DCCB-48a6-85B1-D542FB9B6048}.exe	{8AB64DBE-0FF1-481a-BC59-AA23AF5A30E8}.exe
File created	C:\Windows\{2FE19919-AD39-4f4f-B7F4-CEA3CD7FDBFB}.exe	{F1A865C5-536E-474d-BB93-8184D373BFE9}.exe
File created	C:\Windows\{3AD9BDBA-A116-46d3-92A9-0CEB025B57BE}.exe	{C8396E4F-89FF-44e0-9746-FB56F37E35D4}.exe
File created	C:\Windows\{7F041CB2-DF84-4916-9B9C-22460538FA7E}.exe	{3AD9BDBA-A116-46d3-92A9-0CEB025B57BE}.exe
File created	C:\Windows\{F1A865C5-536E-474d-BB93-8184D373BFE9}.exe	{7E06AF0B-FC41-4424-B57C-1FAB2A7DFFE2}.exe
File created	C:\Windows\{C8396E4F-89FF-44e0-9746-FB56F37E35D4}.exe	{2FE19919-AD39-4f4f-B7F4-CEA3CD7FDBFB}.exe
File created	C:\Windows\{FC710F61-AFE5-4430-9A60-D31A000C4C4D}.exe	7d3177d8ac87854a965451872ab5b5d06e7b2dcca17b2d26519049e0474a8dc7_NeikiAnalytics.exe
File created	C:\Windows\{8AB64DBE-0FF1-481a-BC59-AA23AF5A30E8}.exe	{FC710F61-AFE5-4430-9A60-D31A000C4C4D}.exe
File created	C:\Windows\{DF18CD73-9D97-45c4-BFAE-D7C07F3C6C37}.exe	{5E537DC3-DCCB-48a6-85B1-D542FB9B6048}.exe
File created	C:\Windows\{1A0EC794-8089-4cea-A69E-08EE6E770A32}.exe	{DF18CD73-9D97-45c4-BFAE-D7C07F3C6C37}.exe
File created	C:\Windows\{9C811A5E-FF79-484e-BCA8-72F3D99FDF12}.exe	{1A0EC794-8089-4cea-A69E-08EE6E770A32}.exe
File created	C:\Windows\{7E06AF0B-FC41-4424-B57C-1FAB2A7DFFE2}.exe	{9C811A5E-FF79-484e-BCA8-72F3D99FDF12}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2524	7d3177d8ac87854a965451872ab5b5d06e7b2dcca17b2d26519049e0474a8dc7_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	1904	{FC710F61-AFE5-4430-9A60-D31A000C4C4D}.exe
Token: SeIncBasePriorityPrivilege	1924	{8AB64DBE-0FF1-481a-BC59-AA23AF5A30E8}.exe
Token: SeIncBasePriorityPrivilege	2704	{5E537DC3-DCCB-48a6-85B1-D542FB9B6048}.exe
Token: SeIncBasePriorityPrivilege	4584	{DF18CD73-9D97-45c4-BFAE-D7C07F3C6C37}.exe
Token: SeIncBasePriorityPrivilege	4324	{1A0EC794-8089-4cea-A69E-08EE6E770A32}.exe
Token: SeIncBasePriorityPrivilege	5012	{9C811A5E-FF79-484e-BCA8-72F3D99FDF12}.exe
Token: SeIncBasePriorityPrivilege	4568	{7E06AF0B-FC41-4424-B57C-1FAB2A7DFFE2}.exe
Token: SeIncBasePriorityPrivilege	1856	{F1A865C5-536E-474d-BB93-8184D373BFE9}.exe
Token: SeIncBasePriorityPrivilege	2344	{2FE19919-AD39-4f4f-B7F4-CEA3CD7FDBFB}.exe
Token: SeIncBasePriorityPrivilege	4184	{C8396E4F-89FF-44e0-9746-FB56F37E35D4}.exe
Token: SeIncBasePriorityPrivilege	4540	{3AD9BDBA-A116-46d3-92A9-0CEB025B57BE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 1904	2524	7d3177d8ac87854a965451872ab5b5d06e7b2dcca17b2d26519049e0474a8dc7_NeikiAnalytics.exe	97
PID 2524 wrote to memory of 1904	2524	7d3177d8ac87854a965451872ab5b5d06e7b2dcca17b2d26519049e0474a8dc7_NeikiAnalytics.exe	97
PID 2524 wrote to memory of 1904	2524	7d3177d8ac87854a965451872ab5b5d06e7b2dcca17b2d26519049e0474a8dc7_NeikiAnalytics.exe	97
PID 2524 wrote to memory of 884	2524	7d3177d8ac87854a965451872ab5b5d06e7b2dcca17b2d26519049e0474a8dc7_NeikiAnalytics.exe	98
PID 2524 wrote to memory of 884	2524	7d3177d8ac87854a965451872ab5b5d06e7b2dcca17b2d26519049e0474a8dc7_NeikiAnalytics.exe	98
PID 2524 wrote to memory of 884	2524	7d3177d8ac87854a965451872ab5b5d06e7b2dcca17b2d26519049e0474a8dc7_NeikiAnalytics.exe	98
PID 1904 wrote to memory of 1924	1904	{FC710F61-AFE5-4430-9A60-D31A000C4C4D}.exe	99
PID 1904 wrote to memory of 1924	1904	{FC710F61-AFE5-4430-9A60-D31A000C4C4D}.exe	99
PID 1904 wrote to memory of 1924	1904	{FC710F61-AFE5-4430-9A60-D31A000C4C4D}.exe	99
PID 1904 wrote to memory of 4944	1904	{FC710F61-AFE5-4430-9A60-D31A000C4C4D}.exe	100
PID 1904 wrote to memory of 4944	1904	{FC710F61-AFE5-4430-9A60-D31A000C4C4D}.exe	100
PID 1904 wrote to memory of 4944	1904	{FC710F61-AFE5-4430-9A60-D31A000C4C4D}.exe	100
PID 1924 wrote to memory of 2704	1924	{8AB64DBE-0FF1-481a-BC59-AA23AF5A30E8}.exe	104
PID 1924 wrote to memory of 2704	1924	{8AB64DBE-0FF1-481a-BC59-AA23AF5A30E8}.exe	104
PID 1924 wrote to memory of 2704	1924	{8AB64DBE-0FF1-481a-BC59-AA23AF5A30E8}.exe	104
PID 1924 wrote to memory of 4392	1924	{8AB64DBE-0FF1-481a-BC59-AA23AF5A30E8}.exe	105
PID 1924 wrote to memory of 4392	1924	{8AB64DBE-0FF1-481a-BC59-AA23AF5A30E8}.exe	105
PID 1924 wrote to memory of 4392	1924	{8AB64DBE-0FF1-481a-BC59-AA23AF5A30E8}.exe	105
PID 2704 wrote to memory of 4584	2704	{5E537DC3-DCCB-48a6-85B1-D542FB9B6048}.exe	106
PID 2704 wrote to memory of 4584	2704	{5E537DC3-DCCB-48a6-85B1-D542FB9B6048}.exe	106
PID 2704 wrote to memory of 4584	2704	{5E537DC3-DCCB-48a6-85B1-D542FB9B6048}.exe	106
PID 2704 wrote to memory of 3068	2704	{5E537DC3-DCCB-48a6-85B1-D542FB9B6048}.exe	107
PID 2704 wrote to memory of 3068	2704	{5E537DC3-DCCB-48a6-85B1-D542FB9B6048}.exe	107
PID 2704 wrote to memory of 3068	2704	{5E537DC3-DCCB-48a6-85B1-D542FB9B6048}.exe	107
PID 4584 wrote to memory of 4324	4584	{DF18CD73-9D97-45c4-BFAE-D7C07F3C6C37}.exe	108
PID 4584 wrote to memory of 4324	4584	{DF18CD73-9D97-45c4-BFAE-D7C07F3C6C37}.exe	108
PID 4584 wrote to memory of 4324	4584	{DF18CD73-9D97-45c4-BFAE-D7C07F3C6C37}.exe	108
PID 4584 wrote to memory of 3816	4584	{DF18CD73-9D97-45c4-BFAE-D7C07F3C6C37}.exe	109
PID 4584 wrote to memory of 3816	4584	{DF18CD73-9D97-45c4-BFAE-D7C07F3C6C37}.exe	109
PID 4584 wrote to memory of 3816	4584	{DF18CD73-9D97-45c4-BFAE-D7C07F3C6C37}.exe	109
PID 4324 wrote to memory of 5012	4324	{1A0EC794-8089-4cea-A69E-08EE6E770A32}.exe	111
PID 4324 wrote to memory of 5012	4324	{1A0EC794-8089-4cea-A69E-08EE6E770A32}.exe	111
PID 4324 wrote to memory of 5012	4324	{1A0EC794-8089-4cea-A69E-08EE6E770A32}.exe	111
PID 4324 wrote to memory of 4800	4324	{1A0EC794-8089-4cea-A69E-08EE6E770A32}.exe	112
PID 4324 wrote to memory of 4800	4324	{1A0EC794-8089-4cea-A69E-08EE6E770A32}.exe	112
PID 4324 wrote to memory of 4800	4324	{1A0EC794-8089-4cea-A69E-08EE6E770A32}.exe	112
PID 5012 wrote to memory of 4568	5012	{9C811A5E-FF79-484e-BCA8-72F3D99FDF12}.exe	113
PID 5012 wrote to memory of 4568	5012	{9C811A5E-FF79-484e-BCA8-72F3D99FDF12}.exe	113
PID 5012 wrote to memory of 4568	5012	{9C811A5E-FF79-484e-BCA8-72F3D99FDF12}.exe	113
PID 5012 wrote to memory of 1644	5012	{9C811A5E-FF79-484e-BCA8-72F3D99FDF12}.exe	114
PID 5012 wrote to memory of 1644	5012	{9C811A5E-FF79-484e-BCA8-72F3D99FDF12}.exe	114
PID 5012 wrote to memory of 1644	5012	{9C811A5E-FF79-484e-BCA8-72F3D99FDF12}.exe	114
PID 4568 wrote to memory of 1856	4568	{7E06AF0B-FC41-4424-B57C-1FAB2A7DFFE2}.exe	124
PID 4568 wrote to memory of 1856	4568	{7E06AF0B-FC41-4424-B57C-1FAB2A7DFFE2}.exe	124
PID 4568 wrote to memory of 1856	4568	{7E06AF0B-FC41-4424-B57C-1FAB2A7DFFE2}.exe	124
PID 4568 wrote to memory of 4884	4568	{7E06AF0B-FC41-4424-B57C-1FAB2A7DFFE2}.exe	125
PID 4568 wrote to memory of 4884	4568	{7E06AF0B-FC41-4424-B57C-1FAB2A7DFFE2}.exe	125
PID 4568 wrote to memory of 4884	4568	{7E06AF0B-FC41-4424-B57C-1FAB2A7DFFE2}.exe	125
PID 1856 wrote to memory of 2344	1856	{F1A865C5-536E-474d-BB93-8184D373BFE9}.exe	126
PID 1856 wrote to memory of 2344	1856	{F1A865C5-536E-474d-BB93-8184D373BFE9}.exe	126
PID 1856 wrote to memory of 2344	1856	{F1A865C5-536E-474d-BB93-8184D373BFE9}.exe	126
PID 1856 wrote to memory of 4824	1856	{F1A865C5-536E-474d-BB93-8184D373BFE9}.exe	127
PID 1856 wrote to memory of 4824	1856	{F1A865C5-536E-474d-BB93-8184D373BFE9}.exe	127
PID 1856 wrote to memory of 4824	1856	{F1A865C5-536E-474d-BB93-8184D373BFE9}.exe	127
PID 2344 wrote to memory of 4184	2344	{2FE19919-AD39-4f4f-B7F4-CEA3CD7FDBFB}.exe	128
PID 2344 wrote to memory of 4184	2344	{2FE19919-AD39-4f4f-B7F4-CEA3CD7FDBFB}.exe	128
PID 2344 wrote to memory of 4184	2344	{2FE19919-AD39-4f4f-B7F4-CEA3CD7FDBFB}.exe	128
PID 2344 wrote to memory of 4524	2344	{2FE19919-AD39-4f4f-B7F4-CEA3CD7FDBFB}.exe	129
PID 2344 wrote to memory of 4524	2344	{2FE19919-AD39-4f4f-B7F4-CEA3CD7FDBFB}.exe	129
PID 2344 wrote to memory of 4524	2344	{2FE19919-AD39-4f4f-B7F4-CEA3CD7FDBFB}.exe	129
PID 4184 wrote to memory of 4540	4184	{C8396E4F-89FF-44e0-9746-FB56F37E35D4}.exe	133
PID 4184 wrote to memory of 4540	4184	{C8396E4F-89FF-44e0-9746-FB56F37E35D4}.exe	133
PID 4184 wrote to memory of 4540	4184	{C8396E4F-89FF-44e0-9746-FB56F37E35D4}.exe	133
PID 4184 wrote to memory of 5044	4184	{C8396E4F-89FF-44e0-9746-FB56F37E35D4}.exe	134

C:\Users\Admin\AppData\Local\Temp\7d3177d8ac87854a965451872ab5b5d06e7b2dcca17b2d26519049e0474a8dc7_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7d3177d8ac87854a965451872ab5b5d06e7b2dcca17b2d26519049e0474a8dc7_NeikiAnalytics.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\{FC710F61-AFE5-4430-9A60-D31A000C4C4D}.exe
  C:\Windows\{FC710F61-AFE5-4430-9A60-D31A000C4C4D}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Windows\{8AB64DBE-0FF1-481a-BC59-AA23AF5A30E8}.exe
    C:\Windows\{8AB64DBE-0FF1-481a-BC59-AA23AF5A30E8}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1924
  - - C:\Windows\{5E537DC3-DCCB-48a6-85B1-D542FB9B6048}.exe
      C:\Windows\{5E537DC3-DCCB-48a6-85B1-D542FB9B6048}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\{DF18CD73-9D97-45c4-BFAE-D7C07F3C6C37}.exe
        
        C:\Windows\{DF18CD73-9D97-45c4-BFAE-D7C07F3C6C37}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4584
      - C:\Windows\{1A0EC794-8089-4cea-A69E-08EE6E770A32}.exe
        
        C:\Windows\{1A0EC794-8089-4cea-A69E-08EE6E770A32}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\{9C811A5E-FF79-484e-BCA8-72F3D99FDF12}.exe
        
        C:\Windows\{9C811A5E-FF79-484e-BCA8-72F3D99FDF12}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\{7E06AF0B-FC41-4424-B57C-1FAB2A7DFFE2}.exe
        
        C:\Windows\{7E06AF0B-FC41-4424-B57C-1FAB2A7DFFE2}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\{F1A865C5-536E-474d-BB93-8184D373BFE9}.exe
        
        C:\Windows\{F1A865C5-536E-474d-BB93-8184D373BFE9}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\{2FE19919-AD39-4f4f-B7F4-CEA3CD7FDBFB}.exe
        
        C:\Windows\{2FE19919-AD39-4f4f-B7F4-CEA3CD7FDBFB}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\{C8396E4F-89FF-44e0-9746-FB56F37E35D4}.exe
        
        C:\Windows\{C8396E4F-89FF-44e0-9746-FB56F37E35D4}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Windows\{3AD9BDBA-A116-46d3-92A9-0CEB025B57BE}.exe
        
        C:\Windows\{3AD9BDBA-A116-46d3-92A9-0CEB025B57BE}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4540
        
        C:\Windows\{7F041CB2-DF84-4916-9B9C-22460538FA7E}.exe
        
        C:\Windows\{7F041CB2-DF84-4916-9B9C-22460538FA7E}.exe
        13⤵
        Executes dropped EXE
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3AD9B~1.EXE > nul
        13⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8396~1.EXE > nul
        12⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2FE19~1.EXE > nul
        11⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1A86~1.EXE > nul
        10⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E06A~1.EXE > nul
        9⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C811~1.EXE > nul
        8⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A0EC~1.EXE > nul
        7⤵
        
        PID:4800
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF18C~1.EXE > nul
        6⤵
        
        PID:3816
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E537~1.EXE > nul
        5⤵
        
        PID:3068
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8AB64~1.EXE > nul
      4⤵
      PID:4392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FC710~1.EXE > nul
    3⤵
    PID:4944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\7D3177~1.EXE > nul
  2⤵
  PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1A0EC794-8089-4cea-A69E-08EE6E770A32}.exe

Filesize
88KB

MD5
7cf257065db3f3279e3f8cd31e3e4758

SHA1
905cfdda8889af2325f53792ac3fe6dc10003d41

SHA256
f39598dbe1cb02fbbd6dfe468d0e67a77070d82fdd4299f88cd325ecb901d6bc

SHA512
488b45269a10af045e5b23c248069fef5e90fecc7f70d6a03b156bc6f4dcf3973ca439fd72e6bfa77ca86e2df8ac36067a47a432f415832fbf9c3d870ec030ad

Download Submit
C:\Windows\{2FE19919-AD39-4f4f-B7F4-CEA3CD7FDBFB}.exe

Filesize
88KB

MD5
a276ce310ffce7053f065fdfa41ec4e3

SHA1
935bdc7107fc787a0a43e43f8ae4ecaa69492cac

SHA256
807ac59fb530d231a4bd5911eee1269b1cb4ee0d4c2359ce99f2f2241c074e3c

SHA512
ff5046cb19ec0fef01b3393f76e7f2604d49b10e2639b072a888ce97f8240505d930339ab4ee8b5a3ef72e2ae526a11f959e28c09a94c0581f611e95360c1830

Download Submit
C:\Windows\{3AD9BDBA-A116-46d3-92A9-0CEB025B57BE}.exe

Filesize
88KB

MD5
a98c613fefb072af6e7f6482f61cd4d8

SHA1
ac4242a17f926fce1b3eeec30d45b802f864fe3e

SHA256
ae594f213be87d46d9ac13b71aaf191e8ca8748f1880134fd3136bf6eb833aa8

SHA512
cba4292a2eae090696d846ea81943789e9cbdcece9c9888cdcd09deb80677e06d61c0229fa722701d44ca8e33d8b92cc0e5c3027b10ccac07620150c9bac7652

Download Submit
C:\Windows\{5E537DC3-DCCB-48a6-85B1-D542FB9B6048}.exe

Filesize
88KB

MD5
be5e4f0405303c81d385834cc8acdc4a

SHA1
b5c8587d3e8a102c4ead2107df2e716223fc4c25

SHA256
5e6c3413bb94c3a8c5c92b99b07bc5d332b1ed5296eb9c95d1ab86de18e68e4f

SHA512
1d4c5addc8378b600f036ef08fa543c6d7a3e6a0ba284f95ca2c1bf5f090417098043b93be5cbbe7411aeb16b1e3a547765cfcd2713333e232a17b5022d4766d

Download Submit
C:\Windows\{7E06AF0B-FC41-4424-B57C-1FAB2A7DFFE2}.exe

Filesize
88KB

MD5
b08d67d63be360a58ac87202a61e581e

SHA1
2f97c266bc9c55b20b85c5691d050cd74d63ed08

SHA256
baf3de8035e8c9cb4410e21b7dbafe90104e2bd07ce28c5743e748ca052ecfc5

SHA512
b1a3a1c6fa758419066c25102cb9290877563a71275eaebf9a9a51dc777a7c7db55fec9ebfc2cbd7dfd4db4954af9d7d50590bb08a18efb4383b1006ff628685

Download Submit
C:\Windows\{7F041CB2-DF84-4916-9B9C-22460538FA7E}.exe

Filesize
88KB

MD5
2a997134a6ce51577b6337ecf0a2a3a4

SHA1
cff4a95d84dde06fe5d60d4629976e0bb42c37c3

SHA256
b3734f76aeabba6a6eceeb43d95082866807c90859a993457fa471585a538e03

SHA512
d5992487b4cee060940b29dc875f7fc555f637ef088d987c32df3715299b878fffd58c4d5b9ad826240a9f8436529f48cdb1e57b0c649ad60090a7377e1a1f5d

Download Submit
C:\Windows\{8AB64DBE-0FF1-481a-BC59-AA23AF5A30E8}.exe

Filesize
88KB

MD5
b4a7af09a964a81bf194d39fcea48d9c

SHA1
1e2cb20df0dd7c45507a3685298551d352ca11f8

SHA256
c318060b8331f47e0d73f7fa158092e6329e88e7f0e8ca5301f085d9fd6d01a2

SHA512
88e6990745efdea42193a80558d29238eedc1640ecccee86088f6349b14b9e5c9666559cdadd091cc40d7f06331667b1c3250f6680fbcae2d2a6a00d277aaf80

Download Submit
C:\Windows\{9C811A5E-FF79-484e-BCA8-72F3D99FDF12}.exe

Filesize
88KB

MD5
08ec1d862603898d454a73b45f58fd91

SHA1
3f0f96e61422b856d04b9dcf02e18827628506f9

SHA256
5578498309c9fe1379f7ac3de9f171115aa88439e7c548118489341cb5b93d6a

SHA512
e77210d8bdb9306b83c30bfd0cda31dfc320ee353d5e614d9418be5305aac1cfba28882567893bf535fd679a7eb8703f0ecb3f4fc95d9ecd181ad83f015bc437

Download Submit
C:\Windows\{C8396E4F-89FF-44e0-9746-FB56F37E35D4}.exe

Filesize
88KB

MD5
a1c05f564c58b179bd9aa74d744a90f8

SHA1
edc247d616b9618f3cc871dcebb8b7322311c739

SHA256
2edce9c5219d515d28af4579e66c7bd53fb35d4adebc2eb58119fc99973ce1f4

SHA512
29f8bffecc0a6267ce12929359f534c2c3458ee8e78b97228f9f2fb279d889d7f06e819f4f5c5371dc21c552b12517ede6a7a82b5ac92ebb0813f681fd77e2a5

Download Submit
C:\Windows\{DF18CD73-9D97-45c4-BFAE-D7C07F3C6C37}.exe

Filesize
88KB

MD5
526db52841ff0f42761f2486af567e6b

SHA1
6ce85bc7746f3d53847f4fcfc73f1f78e35eabba

SHA256
7ba4f2b586f620ae0ce5b64f77bb9b0d7bd1a4905e0d51f2a35b95279737c043

SHA512
3ae478dc8bb9d5e6662005ee39c1560d1dbaf34ee44f4b5c4fc5a4c0bcbd2f85c2a204575c4f5f5e464bc7abf93790d3c2d6fc877c755da25337d8ef763fb159

Download Submit
C:\Windows\{F1A865C5-536E-474d-BB93-8184D373BFE9}.exe

Filesize
88KB

MD5
4b63930aec636375e04763bfb770b6e6

SHA1
2d69e5b42be0724f4fc8b3df56068a18b7bd7375

SHA256
4c18c4a0196db3726e40024bc6d4193ec79453cf627b38abf3d03df8218760fb

SHA512
6fff803f25258ac00fda7fe7cb3cc29051fb81901594ba51bbbf69a0ff4dce1032ddf37aaf75422f022f406bb460b23ad2e3897c6184809656639f149bb40980

Download Submit
C:\Windows\{FC710F61-AFE5-4430-9A60-D31A000C4C4D}.exe

Filesize
88KB

MD5
dde6e67337f64e1245c478bcdafa2aac

SHA1
76f08971caae7e0a2b120894d86a1118e0a928b7

SHA256
e12cc89557ef2c9ac523a7af0a60dae7832b9e7d69002acf51313a758abc6a91

SHA512
17e4e5ba6be17b85fff8237a9f13bc7d6472ddfbca3465f36443ac488be6317496db5763abee9e4a2c074879870e0326d6bb5115bc4b9997a8af5ca3dcc54ac4

Download Submit
memory/1856-52-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1856-47-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1904-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1904-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1924-16-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1924-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2344-56-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2524-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2524-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2704-21-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4184-58-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4184-62-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4220-70-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4324-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4324-32-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4540-64-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4540-68-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4568-46-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4568-41-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4584-23-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4584-27-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5012-34-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5012-39-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads