Analysis
-
max time kernel
149s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
01/07/2024, 08:31
General
-
Target
436d7b39b107b403ae96859eb79a979ca283e1f0b92580613c9e388d31cbfc9c_NeikiAnalytics.exe
-
Size
90KB
-
MD5
7599eb90a5085483f75ac7a0c6599f20
-
SHA1
1193c5bbff60bd2d5a9ffc3371e8217c11faef8e
-
SHA256
436d7b39b107b403ae96859eb79a979ca283e1f0b92580613c9e388d31cbfc9c
-
SHA512
a6cc2080038e7dfa72e948def0b09c7dbbefe0d3a2e22f03403a4a2f116bc67fea4c94a2bcc274c63624dd4f57d83ab8a86eca11e583138f105098ee698a2ab3
-
SSDEEP
768:Qvw9816vhKQLroH4/wQRNrfrunMxVFA3b7glws:YEGh0oHl2unMxVS3Hgz
Malware Config
Signatures
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Executes dropped EXE 12 IoCs
-
Drops file in Windows directory 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\436d7b39b107b403ae96859eb79a979ca283e1f0b92580613c9e388d31cbfc9c_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\436d7b39b107b403ae96859eb79a979ca283e1f0b92580613c9e388d31cbfc9c_NeikiAnalytics.exe"1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{6E7ECBF5-9389-4e3a-A9A5-8A3AAAE21991}.exeC:\Windows\{6E7ECBF5-9389-4e3a-A9A5-8A3AAAE21991}.exe2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{CD476261-1E67-4517-BCC2-836B475AF573}.exeC:\Windows\{CD476261-1E67-4517-BCC2-836B475AF573}.exe3⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{9319F59E-0909-4f39-B418-1CD6760555B2}.exeC:\Windows\{9319F59E-0909-4f39-B418-1CD6760555B2}.exe4⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{0A1157CD-45D4-45e9-A540-383F7AAB6821}.exeC:\Windows\{0A1157CD-45D4-45e9-A540-383F7AAB6821}.exe5⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{6EA05A81-4CD9-4930-AA8D-B1B6074D5537}.exeC:\Windows\{6EA05A81-4CD9-4930-AA8D-B1B6074D5537}.exe6⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{D06F3CF1-F14A-4430-9E51-FBAEE5992A89}.exeC:\Windows\{D06F3CF1-F14A-4430-9E51-FBAEE5992A89}.exe7⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{F9828CC0-9B88-441b-B9A3-377147089A17}.exeC:\Windows\{F9828CC0-9B88-441b-B9A3-377147089A17}.exe8⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{2235B744-A71C-4c0b-9A65-C5B90B2E35C2}.exeC:\Windows\{2235B744-A71C-4c0b-9A65-C5B90B2E35C2}.exe9⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{1B57E8DF-895C-48c2-8D12-FFEE8E79C68A}.exeC:\Windows\{1B57E8DF-895C-48c2-8D12-FFEE8E79C68A}.exe10⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{50019ED7-4CE6-44d8-AA08-810A6E859532}.exeC:\Windows\{50019ED7-4CE6-44d8-AA08-810A6E859532}.exe11⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{52E4CEB9-7A81-4d7f-9ACD-92E2F6FB0682}.exeC:\Windows\{52E4CEB9-7A81-4d7f-9ACD-92E2F6FB0682}.exe12⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{20F0EB55-9508-4c10-997D-BFF021E5DBC2}.exeC:\Windows\{20F0EB55-9508-4c10-997D-BFF021E5DBC2}.exe13⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{52E4C~1.EXE > nul13⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{50019~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{1B57E~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{2235B~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{F9828~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{D06F3~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{6EA05~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{0A115~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{9319F~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{CD476~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{6E7EC~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\436D7B~1.EXE > nul2⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4152,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=4172 /prefetch:81⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
90KB
MD5edd4d6ad665b975dc3e2a1c12da8b834
SHA16ce63864a2675b17abb07e271b40ab569b4d7324
SHA25624e639f7fdc79ae1d1c2374057b82d95b116da8421a8df365948ba5974d218b1
SHA512a86137c5640155f2f1666793ebd8426f19a486e13e4be8b665becfe7909e0f14fc300f5c553548b038e7a80b6273508114c262e381c0a9453dacdcda5a62aa92
-
Filesize
90KB
MD52ece25f8b0e11dce0a966792132eda03
SHA1a487b1996980653c38f735a24c9319f94eb1bb64
SHA256eda03ade14dca3ef1dc3cdbdbb3d52ae725a0f1e7c5f308d1a2fa9811b753f3a
SHA51256f83076b7c3b2fd52cd1d2a6acfc81f0524216ab82f8279401c6b6e3700cb6be94ba1d37826f5f60faf8734a44109828a59ac1b14e8607b01d40ad15a429ee1
-
Filesize
90KB
MD5ea027797d8163cd6e6977d6284d09fa5
SHA1e00ab301ad1ea7d341a7950f2b03986e311a75bb
SHA256f509de7a91da1c8d3c5c14ab2c26ff68174050a64fc7e8cd5fc466e23c7f6dde
SHA5121d2751fa3acfa03a98a0659e7aa956e5f157aad3f24ef6ab8d4cb64259a18f9362214b8ad8e9b6d74a46c28300d8c51b66da6545602fa32094522924f32497b8
-
Filesize
90KB
MD540db8b0050485706ae672ac4892f9a7b
SHA1b2a74b9f3272b91c5f670bd6b98fa78fd65059ee
SHA2563656612aa94c4f5a58503c9fcd31935f55ae516fd79d8c7a46fd06719061417e
SHA512f6a62601e0855143ba419eb5e03747bec66d6dc789029af40660ed61205726304e5ccbdf77ce54db4369288676d671f5b1b3069279f69a9ee86bafcc44413526
-
Filesize
90KB
MD5e060bf22f8a3f5eafd8f5b58ea53bcce
SHA139b0efce5e602bb410c0df2cc707f0b35bfa41cc
SHA2568f54c512fc968c8faf83487c795c9f86549a1da66bc25c6f77d244e748cacc46
SHA512a75f9f68d7a0f240ceb18cc68b891d7b65e2f91344c8d3885301c4c4c057306072c1e26bfa1fa8c249d25086681c82ddc53fc904d9c271f8c2f57a618712062c
-
Filesize
90KB
MD5026331f73fb739602abe45b45f4c6ad9
SHA13886b9ee76e2a48739c15ad67207e3d94a1413fa
SHA256841dc5793618e488fda52bc91414754baa2ea9ccaf544293389ac8bfa2f37409
SHA512155fccd0a17961a4e74072af028850eb4ccaa10461fece136962a57ed7a32d1472411411464b8f388b13f9b8a673df942433f094436b00701e59e809bf860b70
-
Filesize
90KB
MD59f91a3d388c4eb8e368bf8b99a2ef28f
SHA1cd68b3468ca4977b95884348ddb1ff1faff1518a
SHA2564c119f797c1ced7422ce180fde268be756454e47eca2c9df0d1cd98696890516
SHA512b321d16024b13287c05b1d905a06b47de29bfd3eb991ce2f9c7b47a876cd983bc8c40f0735ad671b2e5c292f828334a6300b0abf10385d723738b1408f63353a
-
Filesize
90KB
MD547bffe34c38bfa80c6676cefd7f38001
SHA19314dd2f5d5f0e52c027982ca9d080341393b8e7
SHA256bd77615fcfa86bc0920258464b05868a49533042b312815f3e24d8d01a22d6e2
SHA512aaef215d579ba7a27fe8479368e503dcaee6422d81da3e8dbaaacef12b7cd4fdaed544f4ce5bcc196d11cb39923eb2b31580cfd2cd7498a44c39cd7a4291f6f0
-
Filesize
90KB
MD5ea6b82b054c0f1c28d74237cfb513dfb
SHA1ee277007c5983434cde30f2b99b39496bfe37a60
SHA256bac248e3b7511754f26daa48f343fa91bb27e4de15fe4c5e040ff3df6f033456
SHA512852dcbe4f411d2e02e350819e9f59d47897b18226beca8b35062672135f120f6fd65024a5097516a2dc05389efbfcfba892ae2576bd542c964d7e968d5a29808
-
Filesize
90KB
MD58db2d8c7d703cb5967f8c6001129b269
SHA14591abf63528c9e936f314f00aa17893afe93f7b
SHA25664dc87f41b3e21d3b70c7a952475e27ed48714cc0cfeb639fe421dbd32338ba0
SHA512a580c38264080d5402f28c60950a2184942db69c122ae76fdd97d416c786efc7c69423554acdee2306cb6b8c7af680b448b8714c1ee9124fc3b8e4800fb256f7
-
Filesize
90KB
MD52eb9b3238f167b3c5b4902284fa13941
SHA1315819337d3428fe4bb15ec93d12a8707ff639ba
SHA2564ceeabdd355785d4dbc990ddf92725c9e79bb3eb1fb54eafb0faac39b0cafb6d
SHA51280338fff18aa1c9ad91779414ab36fca1b69fed32b1271155cb905edebe169d2e8fbef583672092f99358e33b778cffbda6c6a8b37b054487864ba1d61bda3f5
-
Filesize
90KB
MD56a9ca74f0a4395ad4e9212a3b4e78e21
SHA14d642029d20009147bec8f4632180ba228ebf943
SHA256c2b59d111b79b7b731a4cb169137042d07dc9d29896e9e4009f33e6465afc885
SHA512d691d3c4fa18b3cb146953253a5bb2f7ca0091f85a9b5ed8abb2e1cf28e68977d6b7c8bd2b07d413e5e401e58f4781e7573dee9a580e8959d6269ae7e368855f