Overview

overview

8

Static

static

1

3307bdebd5...cs.exe

windows7-x64

8

3307bdebd5...cs.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    68s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-07-2024 03:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3307bdebd55d47753e1ee05fdf7d8df4452eb7eea54136f144ff25c1ea6a295b_NeikiAnalytics.exe

  • Size

    79KB

  • MD5

    30f794a31659eaa8fab0b44b4b62e920

  • SHA1

    33f4072791196d52f5138b484721cdb9e24c8404

  • SHA256

    3307bdebd55d47753e1ee05fdf7d8df4452eb7eea54136f144ff25c1ea6a295b

  • SHA512

    e215685424d555f02dd94c1de03f0e0e63e8ad14007e4e291e60d3b5eb7dda336aec0e590462b96c86e8737b0655a248d7f9fbfd757c187350e7bd5be493acb6

  • SSDEEP

    768:4vw9816vhKQLroX4/wQpWMZ3XOQ69zbjlAAX5e9zz:wEGh0oXloWMZ3izbR9Xwzz

Score
8/10
persistence

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 12 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3307bdebd55d47753e1ee05fdf7d8df4452eb7eea54136f144ff25c1ea6a295b_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\3307bdebd55d47753e1ee05fdf7d8df4452eb7eea54136f144ff25c1ea6a295b_NeikiAnalytics.exe"
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1808
    • C:\Windows\{DFFA42A0-0759-43d7-BFB6-E1EE294D514E}.exe
      C:\Windows\{DFFA42A0-0759-43d7-BFB6-E1EE294D514E}.exe
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1596
      • C:\Windows\{F1D91755-1CD8-4731-A202-FB7059980A64}.exe
        C:\Windows\{F1D91755-1CD8-4731-A202-FB7059980A64}.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4572
        • C:\Windows\{917BEDF7-A9F6-4002-813B-A34985696207}.exe
          C:\Windows\{917BEDF7-A9F6-4002-813B-A34985696207}.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3000
          • C:\Windows\{7EF6EA86-54FC-460b-80AF-8408941F6E80}.exe
            C:\Windows\{7EF6EA86-54FC-460b-80AF-8408941F6E80}.exe
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2724
            • C:\Windows\{73F0AB07-9C5B-41a0-A034-73ED948B0642}.exe
              C:\Windows\{73F0AB07-9C5B-41a0-A034-73ED948B0642}.exe
              6⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1844
              • C:\Windows\{31B89CD1-5987-44a8-9676-A7E2B003A772}.exe
                C:\Windows\{31B89CD1-5987-44a8-9676-A7E2B003A772}.exe
                7⤵
                • Boot or Logon Autostart Execution: Active Setup
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2920
                • C:\Windows\{1BBFF7E4-BB12-4b03-85D9-3FDFED49F98F}.exe
                  C:\Windows\{1BBFF7E4-BB12-4b03-85D9-3FDFED49F98F}.exe
                  8⤵
                  • Boot or Logon Autostart Execution: Active Setup
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4920
                  • C:\Windows\{C86C31D2-003D-4282-87A1-C4DFE9AE279C}.exe
                    C:\Windows\{C86C31D2-003D-4282-87A1-C4DFE9AE279C}.exe
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2948
                    • C:\Windows\{71D87664-75BB-4110-B7A2-A7B079161377}.exe
                      C:\Windows\{71D87664-75BB-4110-B7A2-A7B079161377}.exe
                      10⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Executes dropped EXE
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:388
                      • C:\Windows\{A3CAB53F-5E38-47bf-9914-E1510BB9B05E}.exe
                        C:\Windows\{A3CAB53F-5E38-47bf-9914-E1510BB9B05E}.exe
                        11⤵
                        • Boot or Logon Autostart Execution: Active Setup
                        • Executes dropped EXE
                        • Drops file in Windows directory
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3368
                        • C:\Windows\{3EE329E8-84DA-4ca6-A9C7-124BB93EB83C}.exe
                          C:\Windows\{3EE329E8-84DA-4ca6-A9C7-124BB93EB83C}.exe
                          12⤵
                          • Boot or Logon Autostart Execution: Active Setup
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3776
                          • C:\Windows\{69E833F7-13B7-442b-ADBE-1547A7DBD8F9}.exe
                            C:\Windows\{69E833F7-13B7-442b-ADBE-1547A7DBD8F9}.exe
                            13⤵
                            • Executes dropped EXE
                            PID:4476
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{3EE32~1.EXE > nul
                            13⤵
                              PID:4352
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{A3CAB~1.EXE > nul
                            12⤵
                              PID:3176
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{71D87~1.EXE > nul
                            11⤵
                              PID:2068
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{C86C3~1.EXE > nul
                            10⤵
                              PID:4344
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{1BBFF~1.EXE > nul
                            9⤵
                              PID:864
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{31B89~1.EXE > nul
                            8⤵
                              PID:1764
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{73F0A~1.EXE > nul
                            7⤵
                              PID:1168
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{7EF6E~1.EXE > nul
                            6⤵
                              PID:3656
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{917BE~1.EXE > nul
                            5⤵
                              PID:3064
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{F1D91~1.EXE > nul
                            4⤵
                              PID:1996
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Windows\{DFFA4~1.EXE > nul
                            3⤵
                              PID:3088
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3307BD~1.EXE > nul
                            2⤵
                              PID:3708

                          Network

                          MITRE ATT&CK Matrix ATT&CK v13

                          Initial Access

                          Execution

                          Persistence

                          Boot or Logon Autostart Execution

                          1
                          T1547

                          Active Setup

                          1
                          T1547.014

                          Privilege Escalation

                          Boot or Logon Autostart Execution

                          1
                          T1547

                          Active Setup

                          1
                          T1547.014

                          Defense Evasion

                          Modify Registry

                          1
                          T1112

                          Credential Access

                          Discovery

                          Lateral Movement

                          Collection

                          Exfiltration

                          Command and Control

                          Impact

                          Resource Development

                          Reconnaissance

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Windows\{1BBFF7E4-BB12-4b03-85D9-3FDFED49F98F}.exe
                            Filesize

                            79KB

                            MD5

                            8174911a2d88c0221db5b034c5c7c8c4

                            SHA1

                            84eb7dc484810edc4fc18f80ced7615422f84415

                            SHA256

                            00ad69e39a2924310e3178af5f0280b82420b943ca0d3ba3c4ad0a75253199ff

                            SHA512

                            3450367bc08d9b85aa1b2ae06df402f5540feccf088f67866676c6c6916ac98d246edb534d178c39c67f19d64d238a21e05c6cc7896f8c68a45d1c15dc96d27a

                            Download Submit
                          • C:\Windows\{31B89CD1-5987-44a8-9676-A7E2B003A772}.exe
                            Filesize

                            79KB

                            MD5

                            9ac5400cf3b708b654eb8cf964cdffc8

                            SHA1

                            af1c82d75e8f9fc3fb99f3b9f0877959eca63315

                            SHA256

                            53cb831ae0771c4c699270a15d71a869312ae4476302746c1b4cee2e6d24edd8

                            SHA512

                            f09d0c569926bd1d1d3f194a1b17986ce88136fadf660cf34b37a16109c4c8f6726750bf695c0168c323f8d2972884b1182988d566204f6992575f5021ce4e8b

                            Download Submit
                          • C:\Windows\{3EE329E8-84DA-4ca6-A9C7-124BB93EB83C}.exe
                            Filesize

                            79KB

                            MD5

                            035740a6a00db83e51f30d9623e7e71f

                            SHA1

                            75d5022eefe7c29e8bb2c8a2089f58bfc0ee18d1

                            SHA256

                            c3019deae35d082c3127a6767228d81645b7a99f4e5f15683f5f63482a63561a

                            SHA512

                            ff3e01cd5ae8a598ab63ae539a2ea60c99bd27a34c637d02c0459f691fb87d4b62a78ddda08897d685a36ad49ceb6ab83734ce79033a242cf99182dd3edf2607

                            Download Submit
                          • C:\Windows\{69E833F7-13B7-442b-ADBE-1547A7DBD8F9}.exe
                            Filesize

                            79KB

                            MD5

                            102c78294f8a1c9ba678df217db431bb

                            SHA1

                            dee80cafbeaac1beeef1dcaccee0f8d2c4c45560

                            SHA256

                            d48e9dca9a2bf3c7a572e6c136bf926d622a559755e4c46b439680b3456ebd55

                            SHA512

                            d6ccbe0b5b94c559f18209276b6bf82f96f3cbc6fe7d371c88303370781dcc3c6e8a1332dcf04b9b3832242b8a22b34654501ab3df844ac7b7958e097faaf0b7

                            Download Submit
                          • C:\Windows\{71D87664-75BB-4110-B7A2-A7B079161377}.exe
                            Filesize

                            79KB

                            MD5

                            887f4c7105d6ac1680d0f54aa8c68676

                            SHA1

                            bce98b6c0e2279daf2c8a47a391d93e577fbfc73

                            SHA256

                            2af0167622662df4c6d401140259d0a63e4a6146f945aa30b621b42d168238a1

                            SHA512

                            2d2215c563a0748276d999e37eb6dd46e331b56395d53d1c5c7e2e3da4c0c95ce53cd1b0dc69d13ab888b323ea86fa652dbc3757bc2c3c8b3d04ee28f14621a9

                            Download Submit
                          • C:\Windows\{73F0AB07-9C5B-41a0-A034-73ED948B0642}.exe
                            Filesize

                            79KB

                            MD5

                            ef7425ec635523e37d94ee88547e6427

                            SHA1

                            69b6a4ecee2fa10689034bc69177be37f192d62b

                            SHA256

                            ca101206813123a5565ce5d9c4381b6830ea66d336627c50141199f3952a6dd5

                            SHA512

                            ee31d6bdfe20a60ad03a3a5a3dd888c18457c84a37c7f6f13577b5ec3796826efe74ef25182ae1d0a77dc1f240b974d9ffb1c886b423d9a8eca65f15881acbf1

                            Download Submit
                          • C:\Windows\{7EF6EA86-54FC-460b-80AF-8408941F6E80}.exe
                            Filesize

                            79KB

                            MD5

                            a4b11685867090a976dbcd36ef52953f

                            SHA1

                            2863a972e978a15ebe8b5c8c2a8b94767753fbbe

                            SHA256

                            d5cede21041d011283533dc77a39dd926b2fb68e452c0c61ccb487f64dbf590b

                            SHA512

                            965569556fb2a1af2ddd6030d88824a510b153a5d51461059ccd14872255c018d4878c4444c4bc0faee4f63024dfb7a1add7e539b5844d1ac28b209a8d603c88

                            Download Submit
                          • C:\Windows\{917BEDF7-A9F6-4002-813B-A34985696207}.exe
                            Filesize

                            79KB

                            MD5

                            d4165d871c41cec417cf2386af74f7eb

                            SHA1

                            59dfba4f36f5b43575f971febe2aa4025116ee0c

                            SHA256

                            484e26f0105bd3f3099b3ea8d8d58f9738b1d247de9eaad03e0b5ba89769399a

                            SHA512

                            777521543fa3ddf738b192a16a17bb1525f998c8021d64830285e6ec4e9749080559ab2e53aa481572d738d13161904ae0447f22068a0d8af8182b4f0642058e

                            Download Submit
                          • C:\Windows\{A3CAB53F-5E38-47bf-9914-E1510BB9B05E}.exe
                            Filesize

                            79KB

                            MD5

                            b3b2d124c9a76100ad6f271e859973a6

                            SHA1

                            36069267dd67ecb51980c068b9274a4d241fc8d5

                            SHA256

                            8a331808358d4284eb41fe02a42a1f98f3a03072dbc8e559be7498a674aa0ddd

                            SHA512

                            223034acfa6b7e965445d3030c74cdb84ff62ca305cb175c6595e12f82d5cab4335217014bace10ac82bb7702bea411f5482012345bc6c8cca1ddf85157eac46

                            Download Submit
                          • C:\Windows\{C86C31D2-003D-4282-87A1-C4DFE9AE279C}.exe
                            Filesize

                            79KB

                            MD5

                            5c0faab48be426d831b943fa80260b49

                            SHA1

                            6e9f673f26dbe37181e76cc51d4c4d171c28df39

                            SHA256

                            5a0e6f3739ee4740a4341716f7c8943d2b83098000167118b78e84e654c6e1f0

                            SHA512

                            c8338c0575b20ad673f17861135caad749872ed291f751ebac6ac7f4b0c51a8a5162a0c56994bbe338b9933c30d44f3f11bb2bf0eb037d4233cc16b22693ec6e

                            Download Submit
                          • C:\Windows\{DFFA42A0-0759-43d7-BFB6-E1EE294D514E}.exe
                            Filesize

                            79KB

                            MD5

                            1a9f4d66de0dd7b9f68545a56705ccee

                            SHA1

                            573070b83d205de5f0fba172ebef06331df536d8

                            SHA256

                            3a8c5134be66cfcdbd401d62a65b664afa36af73a9f1cb6f188268c0dd5a8561

                            SHA512

                            cf0f035a2e6824c88e175e17df9ed194adb8b284524d371115f7500c18fd07cb4ebda9219f12e29cdc2d8717c923f4b8becffd51a412fd1ba80aec836b773417

                            Download Submit
                          • C:\Windows\{F1D91755-1CD8-4731-A202-FB7059980A64}.exe
                            Filesize

                            79KB

                            MD5

                            bb8b9ec29260dbacb6f63e813c1d124b

                            SHA1

                            44222f353de1e7f713e4b8ef06062ed0dfddfb72

                            SHA256

                            1c7c0077bc9a6e6cb71f0a307bc9766ec5d7f164adbfe66d840d151aa17a4b0d

                            SHA512

                            f89d8709f0f75b6c213b7c26792358d89544fd8ea14df0fcd5b575cc7fd25e4c3999e107a5e1898e68cd7a8e2c11c9a63ef43d7a450a0fcd39c13ad8749cba58

                            Download Submit