337fb0bf4bda50bde739e48c156f3c920803e74fe078ef0c6428fed956c10071

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 03:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

337fb0bf4bda50bde739e48c156f3c920803e74fe078ef0c6428fed956c10071_NeikiAnalytics.exe
Size

91KB
MD5

f3384879e45ffa0dc17f2812d67a2ef0
SHA1

345338b35a7fc6383cb2055d8d325d0a9b27422a
SHA256

337fb0bf4bda50bde739e48c156f3c920803e74fe078ef0c6428fed956c10071
SHA512

24281e76667bc5960bcd9b3b1f90c34e054c606d670309023108d489c0eb56a1690904a55b9dfe016d3da0e134974f4fa24812d04ac286b435f1819870a4eb50
SSDEEP

768:5vw9816uhKirowL4/wQNNrfrunMxVFA3b7t:lEGkmowLlCunMxVS3Ht

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

{BCB1BAD4-4D88-45d0-B4E9-33DC506B5A4E}.exe{E07F903B-BF89-4100-AB87-F9805A1C7062}.exe{05D69432-3BDB-4b8a-9D97-A5BD8435BBF2}.exe337fb0bf4bda50bde739e48c156f3c920803e74fe078ef0c6428fed956c10071_NeikiAnalytics.exe{39EDEE8B-5192-491c-B7D3-7AD40D1246AE}.exe{BEAC59E0-4F02-456f-8154-7E7F5B0BC725}.exe{65235F1D-D80F-4fb7-8B53-F3F2DF0DFCAA}.exe{CD6EF587-47F3-4058-BB23-E3AA3A24A1F8}.exe{8B8408E5-FF6D-47d2-BEC6-F832E1A37CD4}.exe{E1CC4753-F582-4f3a-87DB-9BB531601D3E}.exe{98D7AAFB-9043-40a4-970E-7748E78BCB87}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39EDEE8B-5192-491c-B7D3-7AD40D1246AE}	{BCB1BAD4-4D88-45d0-B4E9-33DC506B5A4E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05D69432-3BDB-4b8a-9D97-A5BD8435BBF2}	{E07F903B-BF89-4100-AB87-F9805A1C7062}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05D69432-3BDB-4b8a-9D97-A5BD8435BBF2}\stubpath = "C:\\Windows\\{05D69432-3BDB-4b8a-9D97-A5BD8435BBF2}.exe"	{E07F903B-BF89-4100-AB87-F9805A1C7062}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65235F1D-D80F-4fb7-8B53-F3F2DF0DFCAA}	{05D69432-3BDB-4b8a-9D97-A5BD8435BBF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65235F1D-D80F-4fb7-8B53-F3F2DF0DFCAA}\stubpath = "C:\\Windows\\{65235F1D-D80F-4fb7-8B53-F3F2DF0DFCAA}.exe"	{05D69432-3BDB-4b8a-9D97-A5BD8435BBF2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCB1BAD4-4D88-45d0-B4E9-33DC506B5A4E}	337fb0bf4bda50bde739e48c156f3c920803e74fe078ef0c6428fed956c10071_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCB1BAD4-4D88-45d0-B4E9-33DC506B5A4E}\stubpath = "C:\\Windows\\{BCB1BAD4-4D88-45d0-B4E9-33DC506B5A4E}.exe"	337fb0bf4bda50bde739e48c156f3c920803e74fe078ef0c6428fed956c10071_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39EDEE8B-5192-491c-B7D3-7AD40D1246AE}\stubpath = "C:\\Windows\\{39EDEE8B-5192-491c-B7D3-7AD40D1246AE}.exe"	{BCB1BAD4-4D88-45d0-B4E9-33DC506B5A4E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BEAC59E0-4F02-456f-8154-7E7F5B0BC725}\stubpath = "C:\\Windows\\{BEAC59E0-4F02-456f-8154-7E7F5B0BC725}.exe"	{39EDEE8B-5192-491c-B7D3-7AD40D1246AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E07F903B-BF89-4100-AB87-F9805A1C7062}	{BEAC59E0-4F02-456f-8154-7E7F5B0BC725}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B8408E5-FF6D-47d2-BEC6-F832E1A37CD4}\stubpath = "C:\\Windows\\{8B8408E5-FF6D-47d2-BEC6-F832E1A37CD4}.exe"	{65235F1D-D80F-4fb7-8B53-F3F2DF0DFCAA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1CC4753-F582-4f3a-87DB-9BB531601D3E}\stubpath = "C:\\Windows\\{E1CC4753-F582-4f3a-87DB-9BB531601D3E}.exe"	{CD6EF587-47F3-4058-BB23-E3AA3A24A1F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B8408E5-FF6D-47d2-BEC6-F832E1A37CD4}	{65235F1D-D80F-4fb7-8B53-F3F2DF0DFCAA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD6EF587-47F3-4058-BB23-E3AA3A24A1F8}\stubpath = "C:\\Windows\\{CD6EF587-47F3-4058-BB23-E3AA3A24A1F8}.exe"	{8B8408E5-FF6D-47d2-BEC6-F832E1A37CD4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98D7AAFB-9043-40a4-970E-7748E78BCB87}\stubpath = "C:\\Windows\\{98D7AAFB-9043-40a4-970E-7748E78BCB87}.exe"	{E1CC4753-F582-4f3a-87DB-9BB531601D3E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BEAC59E0-4F02-456f-8154-7E7F5B0BC725}	{39EDEE8B-5192-491c-B7D3-7AD40D1246AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E07F903B-BF89-4100-AB87-F9805A1C7062}\stubpath = "C:\\Windows\\{E07F903B-BF89-4100-AB87-F9805A1C7062}.exe"	{BEAC59E0-4F02-456f-8154-7E7F5B0BC725}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD6EF587-47F3-4058-BB23-E3AA3A24A1F8}	{8B8408E5-FF6D-47d2-BEC6-F832E1A37CD4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1CC4753-F582-4f3a-87DB-9BB531601D3E}	{CD6EF587-47F3-4058-BB23-E3AA3A24A1F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98D7AAFB-9043-40a4-970E-7748E78BCB87}	{E1CC4753-F582-4f3a-87DB-9BB531601D3E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B58B85E1-1FC2-4afc-A46E-170B0D21A587}	{98D7AAFB-9043-40a4-970E-7748E78BCB87}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B58B85E1-1FC2-4afc-A46E-170B0D21A587}\stubpath = "C:\\Windows\\{B58B85E1-1FC2-4afc-A46E-170B0D21A587}.exe"	{98D7AAFB-9043-40a4-970E-7748E78BCB87}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2632 cmd.exe

pid	process
2632	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{BCB1BAD4-4D88-45d0-B4E9-33DC506B5A4E}.exe{39EDEE8B-5192-491c-B7D3-7AD40D1246AE}.exe{BEAC59E0-4F02-456f-8154-7E7F5B0BC725}.exe{E07F903B-BF89-4100-AB87-F9805A1C7062}.exe{05D69432-3BDB-4b8a-9D97-A5BD8435BBF2}.exe{65235F1D-D80F-4fb7-8B53-F3F2DF0DFCAA}.exe{8B8408E5-FF6D-47d2-BEC6-F832E1A37CD4}.exe{CD6EF587-47F3-4058-BB23-E3AA3A24A1F8}.exe{E1CC4753-F582-4f3a-87DB-9BB531601D3E}.exe{98D7AAFB-9043-40a4-970E-7748E78BCB87}.exe{B58B85E1-1FC2-4afc-A46E-170B0D21A587}.exe

pid	process
2956	{BCB1BAD4-4D88-45d0-B4E9-33DC506B5A4E}.exe
2028	{39EDEE8B-5192-491c-B7D3-7AD40D1246AE}.exe
2420	{BEAC59E0-4F02-456f-8154-7E7F5B0BC725}.exe
1228	{E07F903B-BF89-4100-AB87-F9805A1C7062}.exe
1972	{05D69432-3BDB-4b8a-9D97-A5BD8435BBF2}.exe
1044	{65235F1D-D80F-4fb7-8B53-F3F2DF0DFCAA}.exe
2036	{8B8408E5-FF6D-47d2-BEC6-F832E1A37CD4}.exe
2716	{CD6EF587-47F3-4058-BB23-E3AA3A24A1F8}.exe
1360	{E1CC4753-F582-4f3a-87DB-9BB531601D3E}.exe
1420	{98D7AAFB-9043-40a4-970E-7748E78BCB87}.exe
1060	{B58B85E1-1FC2-4afc-A46E-170B0D21A587}.exe

Drops file in Windows directory 11 IoCs

Processes:

{65235F1D-D80F-4fb7-8B53-F3F2DF0DFCAA}.exe{8B8408E5-FF6D-47d2-BEC6-F832E1A37CD4}.exe{E1CC4753-F582-4f3a-87DB-9BB531601D3E}.exe{98D7AAFB-9043-40a4-970E-7748E78BCB87}.exe337fb0bf4bda50bde739e48c156f3c920803e74fe078ef0c6428fed956c10071_NeikiAnalytics.exe{BCB1BAD4-4D88-45d0-B4E9-33DC506B5A4E}.exe{39EDEE8B-5192-491c-B7D3-7AD40D1246AE}.exe{CD6EF587-47F3-4058-BB23-E3AA3A24A1F8}.exe{BEAC59E0-4F02-456f-8154-7E7F5B0BC725}.exe{E07F903B-BF89-4100-AB87-F9805A1C7062}.exe{05D69432-3BDB-4b8a-9D97-A5BD8435BBF2}.exe

description	ioc	process
File created	C:\Windows\{8B8408E5-FF6D-47d2-BEC6-F832E1A37CD4}.exe	{65235F1D-D80F-4fb7-8B53-F3F2DF0DFCAA}.exe
File created	C:\Windows\{CD6EF587-47F3-4058-BB23-E3AA3A24A1F8}.exe	{8B8408E5-FF6D-47d2-BEC6-F832E1A37CD4}.exe
File created	C:\Windows\{98D7AAFB-9043-40a4-970E-7748E78BCB87}.exe	{E1CC4753-F582-4f3a-87DB-9BB531601D3E}.exe
File created	C:\Windows\{B58B85E1-1FC2-4afc-A46E-170B0D21A587}.exe	{98D7AAFB-9043-40a4-970E-7748E78BCB87}.exe
File created	C:\Windows\{BCB1BAD4-4D88-45d0-B4E9-33DC506B5A4E}.exe	337fb0bf4bda50bde739e48c156f3c920803e74fe078ef0c6428fed956c10071_NeikiAnalytics.exe
File created	C:\Windows\{39EDEE8B-5192-491c-B7D3-7AD40D1246AE}.exe	{BCB1BAD4-4D88-45d0-B4E9-33DC506B5A4E}.exe
File created	C:\Windows\{BEAC59E0-4F02-456f-8154-7E7F5B0BC725}.exe	{39EDEE8B-5192-491c-B7D3-7AD40D1246AE}.exe
File created	C:\Windows\{E1CC4753-F582-4f3a-87DB-9BB531601D3E}.exe	{CD6EF587-47F3-4058-BB23-E3AA3A24A1F8}.exe
File created	C:\Windows\{E07F903B-BF89-4100-AB87-F9805A1C7062}.exe	{BEAC59E0-4F02-456f-8154-7E7F5B0BC725}.exe
File created	C:\Windows\{05D69432-3BDB-4b8a-9D97-A5BD8435BBF2}.exe	{E07F903B-BF89-4100-AB87-F9805A1C7062}.exe
File created	C:\Windows\{65235F1D-D80F-4fb7-8B53-F3F2DF0DFCAA}.exe	{05D69432-3BDB-4b8a-9D97-A5BD8435BBF2}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

337fb0bf4bda50bde739e48c156f3c920803e74fe078ef0c6428fed956c10071_NeikiAnalytics.exe{BCB1BAD4-4D88-45d0-B4E9-33DC506B5A4E}.exe{39EDEE8B-5192-491c-B7D3-7AD40D1246AE}.exe{BEAC59E0-4F02-456f-8154-7E7F5B0BC725}.exe{E07F903B-BF89-4100-AB87-F9805A1C7062}.exe{05D69432-3BDB-4b8a-9D97-A5BD8435BBF2}.exe{65235F1D-D80F-4fb7-8B53-F3F2DF0DFCAA}.exe{8B8408E5-FF6D-47d2-BEC6-F832E1A37CD4}.exe{CD6EF587-47F3-4058-BB23-E3AA3A24A1F8}.exe{E1CC4753-F582-4f3a-87DB-9BB531601D3E}.exe{98D7AAFB-9043-40a4-970E-7748E78BCB87}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2160	337fb0bf4bda50bde739e48c156f3c920803e74fe078ef0c6428fed956c10071_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2956	{BCB1BAD4-4D88-45d0-B4E9-33DC506B5A4E}.exe
Token: SeIncBasePriorityPrivilege	2028	{39EDEE8B-5192-491c-B7D3-7AD40D1246AE}.exe
Token: SeIncBasePriorityPrivilege	2420	{BEAC59E0-4F02-456f-8154-7E7F5B0BC725}.exe
Token: SeIncBasePriorityPrivilege	1228	{E07F903B-BF89-4100-AB87-F9805A1C7062}.exe
Token: SeIncBasePriorityPrivilege	1972	{05D69432-3BDB-4b8a-9D97-A5BD8435BBF2}.exe
Token: SeIncBasePriorityPrivilege	1044	{65235F1D-D80F-4fb7-8B53-F3F2DF0DFCAA}.exe
Token: SeIncBasePriorityPrivilege	2036	{8B8408E5-FF6D-47d2-BEC6-F832E1A37CD4}.exe
Token: SeIncBasePriorityPrivilege	2716	{CD6EF587-47F3-4058-BB23-E3AA3A24A1F8}.exe
Token: SeIncBasePriorityPrivilege	1360	{E1CC4753-F582-4f3a-87DB-9BB531601D3E}.exe
Token: SeIncBasePriorityPrivilege	1420	{98D7AAFB-9043-40a4-970E-7748E78BCB87}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2160 wrote to memory of 2956	2160	337fb0bf4bda50bde739e48c156f3c920803e74fe078ef0c6428fed956c10071_NeikiAnalytics.exe	{BCB1BAD4-4D88-45d0-B4E9-33DC506B5A4E}.exe
PID 2160 wrote to memory of 2956	2160	337fb0bf4bda50bde739e48c156f3c920803e74fe078ef0c6428fed956c10071_NeikiAnalytics.exe	{BCB1BAD4-4D88-45d0-B4E9-33DC506B5A4E}.exe
PID 2160 wrote to memory of 2956	2160	337fb0bf4bda50bde739e48c156f3c920803e74fe078ef0c6428fed956c10071_NeikiAnalytics.exe	{BCB1BAD4-4D88-45d0-B4E9-33DC506B5A4E}.exe
PID 2160 wrote to memory of 2956	2160	337fb0bf4bda50bde739e48c156f3c920803e74fe078ef0c6428fed956c10071_NeikiAnalytics.exe	{BCB1BAD4-4D88-45d0-B4E9-33DC506B5A4E}.exe
PID 2160 wrote to memory of 2632	2160	337fb0bf4bda50bde739e48c156f3c920803e74fe078ef0c6428fed956c10071_NeikiAnalytics.exe	cmd.exe
PID 2160 wrote to memory of 2632	2160	337fb0bf4bda50bde739e48c156f3c920803e74fe078ef0c6428fed956c10071_NeikiAnalytics.exe	cmd.exe
PID 2160 wrote to memory of 2632	2160	337fb0bf4bda50bde739e48c156f3c920803e74fe078ef0c6428fed956c10071_NeikiAnalytics.exe	cmd.exe
PID 2160 wrote to memory of 2632	2160	337fb0bf4bda50bde739e48c156f3c920803e74fe078ef0c6428fed956c10071_NeikiAnalytics.exe	cmd.exe
PID 2956 wrote to memory of 2028	2956	{BCB1BAD4-4D88-45d0-B4E9-33DC506B5A4E}.exe	{39EDEE8B-5192-491c-B7D3-7AD40D1246AE}.exe
PID 2956 wrote to memory of 2028	2956	{BCB1BAD4-4D88-45d0-B4E9-33DC506B5A4E}.exe	{39EDEE8B-5192-491c-B7D3-7AD40D1246AE}.exe
PID 2956 wrote to memory of 2028	2956	{BCB1BAD4-4D88-45d0-B4E9-33DC506B5A4E}.exe	{39EDEE8B-5192-491c-B7D3-7AD40D1246AE}.exe
PID 2956 wrote to memory of 2028	2956	{BCB1BAD4-4D88-45d0-B4E9-33DC506B5A4E}.exe	{39EDEE8B-5192-491c-B7D3-7AD40D1246AE}.exe
PID 2956 wrote to memory of 2528	2956	{BCB1BAD4-4D88-45d0-B4E9-33DC506B5A4E}.exe	cmd.exe
PID 2956 wrote to memory of 2528	2956	{BCB1BAD4-4D88-45d0-B4E9-33DC506B5A4E}.exe	cmd.exe
PID 2956 wrote to memory of 2528	2956	{BCB1BAD4-4D88-45d0-B4E9-33DC506B5A4E}.exe	cmd.exe
PID 2956 wrote to memory of 2528	2956	{BCB1BAD4-4D88-45d0-B4E9-33DC506B5A4E}.exe	cmd.exe
PID 2028 wrote to memory of 2420	2028	{39EDEE8B-5192-491c-B7D3-7AD40D1246AE}.exe	{BEAC59E0-4F02-456f-8154-7E7F5B0BC725}.exe
PID 2028 wrote to memory of 2420	2028	{39EDEE8B-5192-491c-B7D3-7AD40D1246AE}.exe	{BEAC59E0-4F02-456f-8154-7E7F5B0BC725}.exe
PID 2028 wrote to memory of 2420	2028	{39EDEE8B-5192-491c-B7D3-7AD40D1246AE}.exe	{BEAC59E0-4F02-456f-8154-7E7F5B0BC725}.exe
PID 2028 wrote to memory of 2420	2028	{39EDEE8B-5192-491c-B7D3-7AD40D1246AE}.exe	{BEAC59E0-4F02-456f-8154-7E7F5B0BC725}.exe
PID 2028 wrote to memory of 2376	2028	{39EDEE8B-5192-491c-B7D3-7AD40D1246AE}.exe	cmd.exe
PID 2028 wrote to memory of 2376	2028	{39EDEE8B-5192-491c-B7D3-7AD40D1246AE}.exe	cmd.exe
PID 2028 wrote to memory of 2376	2028	{39EDEE8B-5192-491c-B7D3-7AD40D1246AE}.exe	cmd.exe
PID 2028 wrote to memory of 2376	2028	{39EDEE8B-5192-491c-B7D3-7AD40D1246AE}.exe	cmd.exe
PID 2420 wrote to memory of 1228	2420	{BEAC59E0-4F02-456f-8154-7E7F5B0BC725}.exe	{E07F903B-BF89-4100-AB87-F9805A1C7062}.exe
PID 2420 wrote to memory of 1228	2420	{BEAC59E0-4F02-456f-8154-7E7F5B0BC725}.exe	{E07F903B-BF89-4100-AB87-F9805A1C7062}.exe
PID 2420 wrote to memory of 1228	2420	{BEAC59E0-4F02-456f-8154-7E7F5B0BC725}.exe	{E07F903B-BF89-4100-AB87-F9805A1C7062}.exe
PID 2420 wrote to memory of 1228	2420	{BEAC59E0-4F02-456f-8154-7E7F5B0BC725}.exe	{E07F903B-BF89-4100-AB87-F9805A1C7062}.exe
PID 2420 wrote to memory of 548	2420	{BEAC59E0-4F02-456f-8154-7E7F5B0BC725}.exe	cmd.exe
PID 2420 wrote to memory of 548	2420	{BEAC59E0-4F02-456f-8154-7E7F5B0BC725}.exe	cmd.exe
PID 2420 wrote to memory of 548	2420	{BEAC59E0-4F02-456f-8154-7E7F5B0BC725}.exe	cmd.exe
PID 2420 wrote to memory of 548	2420	{BEAC59E0-4F02-456f-8154-7E7F5B0BC725}.exe	cmd.exe
PID 1228 wrote to memory of 1972	1228	{E07F903B-BF89-4100-AB87-F9805A1C7062}.exe	{05D69432-3BDB-4b8a-9D97-A5BD8435BBF2}.exe
PID 1228 wrote to memory of 1972	1228	{E07F903B-BF89-4100-AB87-F9805A1C7062}.exe	{05D69432-3BDB-4b8a-9D97-A5BD8435BBF2}.exe
PID 1228 wrote to memory of 1972	1228	{E07F903B-BF89-4100-AB87-F9805A1C7062}.exe	{05D69432-3BDB-4b8a-9D97-A5BD8435BBF2}.exe
PID 1228 wrote to memory of 1972	1228	{E07F903B-BF89-4100-AB87-F9805A1C7062}.exe	{05D69432-3BDB-4b8a-9D97-A5BD8435BBF2}.exe
PID 1228 wrote to memory of 1664	1228	{E07F903B-BF89-4100-AB87-F9805A1C7062}.exe	cmd.exe
PID 1228 wrote to memory of 1664	1228	{E07F903B-BF89-4100-AB87-F9805A1C7062}.exe	cmd.exe
PID 1228 wrote to memory of 1664	1228	{E07F903B-BF89-4100-AB87-F9805A1C7062}.exe	cmd.exe
PID 1228 wrote to memory of 1664	1228	{E07F903B-BF89-4100-AB87-F9805A1C7062}.exe	cmd.exe
PID 1972 wrote to memory of 1044	1972	{05D69432-3BDB-4b8a-9D97-A5BD8435BBF2}.exe	{65235F1D-D80F-4fb7-8B53-F3F2DF0DFCAA}.exe
PID 1972 wrote to memory of 1044	1972	{05D69432-3BDB-4b8a-9D97-A5BD8435BBF2}.exe	{65235F1D-D80F-4fb7-8B53-F3F2DF0DFCAA}.exe
PID 1972 wrote to memory of 1044	1972	{05D69432-3BDB-4b8a-9D97-A5BD8435BBF2}.exe	{65235F1D-D80F-4fb7-8B53-F3F2DF0DFCAA}.exe
PID 1972 wrote to memory of 1044	1972	{05D69432-3BDB-4b8a-9D97-A5BD8435BBF2}.exe	{65235F1D-D80F-4fb7-8B53-F3F2DF0DFCAA}.exe
PID 1972 wrote to memory of 1584	1972	{05D69432-3BDB-4b8a-9D97-A5BD8435BBF2}.exe	cmd.exe
PID 1972 wrote to memory of 1584	1972	{05D69432-3BDB-4b8a-9D97-A5BD8435BBF2}.exe	cmd.exe
PID 1972 wrote to memory of 1584	1972	{05D69432-3BDB-4b8a-9D97-A5BD8435BBF2}.exe	cmd.exe
PID 1972 wrote to memory of 1584	1972	{05D69432-3BDB-4b8a-9D97-A5BD8435BBF2}.exe	cmd.exe
PID 1044 wrote to memory of 2036	1044	{65235F1D-D80F-4fb7-8B53-F3F2DF0DFCAA}.exe	{8B8408E5-FF6D-47d2-BEC6-F832E1A37CD4}.exe
PID 1044 wrote to memory of 2036	1044	{65235F1D-D80F-4fb7-8B53-F3F2DF0DFCAA}.exe	{8B8408E5-FF6D-47d2-BEC6-F832E1A37CD4}.exe
PID 1044 wrote to memory of 2036	1044	{65235F1D-D80F-4fb7-8B53-F3F2DF0DFCAA}.exe	{8B8408E5-FF6D-47d2-BEC6-F832E1A37CD4}.exe
PID 1044 wrote to memory of 2036	1044	{65235F1D-D80F-4fb7-8B53-F3F2DF0DFCAA}.exe	{8B8408E5-FF6D-47d2-BEC6-F832E1A37CD4}.exe
PID 1044 wrote to memory of 876	1044	{65235F1D-D80F-4fb7-8B53-F3F2DF0DFCAA}.exe	cmd.exe
PID 1044 wrote to memory of 876	1044	{65235F1D-D80F-4fb7-8B53-F3F2DF0DFCAA}.exe	cmd.exe
PID 1044 wrote to memory of 876	1044	{65235F1D-D80F-4fb7-8B53-F3F2DF0DFCAA}.exe	cmd.exe
PID 1044 wrote to memory of 876	1044	{65235F1D-D80F-4fb7-8B53-F3F2DF0DFCAA}.exe	cmd.exe
PID 2036 wrote to memory of 2716	2036	{8B8408E5-FF6D-47d2-BEC6-F832E1A37CD4}.exe	{CD6EF587-47F3-4058-BB23-E3AA3A24A1F8}.exe
PID 2036 wrote to memory of 2716	2036	{8B8408E5-FF6D-47d2-BEC6-F832E1A37CD4}.exe	{CD6EF587-47F3-4058-BB23-E3AA3A24A1F8}.exe
PID 2036 wrote to memory of 2716	2036	{8B8408E5-FF6D-47d2-BEC6-F832E1A37CD4}.exe	{CD6EF587-47F3-4058-BB23-E3AA3A24A1F8}.exe
PID 2036 wrote to memory of 2716	2036	{8B8408E5-FF6D-47d2-BEC6-F832E1A37CD4}.exe	{CD6EF587-47F3-4058-BB23-E3AA3A24A1F8}.exe
PID 2036 wrote to memory of 2692	2036	{8B8408E5-FF6D-47d2-BEC6-F832E1A37CD4}.exe	cmd.exe
PID 2036 wrote to memory of 2692	2036	{8B8408E5-FF6D-47d2-BEC6-F832E1A37CD4}.exe	cmd.exe
PID 2036 wrote to memory of 2692	2036	{8B8408E5-FF6D-47d2-BEC6-F832E1A37CD4}.exe	cmd.exe
PID 2036 wrote to memory of 2692	2036	{8B8408E5-FF6D-47d2-BEC6-F832E1A37CD4}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\337fb0bf4bda50bde739e48c156f3c920803e74fe078ef0c6428fed956c10071_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\337fb0bf4bda50bde739e48c156f3c920803e74fe078ef0c6428fed956c10071_NeikiAnalytics.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\{BCB1BAD4-4D88-45d0-B4E9-33DC506B5A4E}.exe
C:\Windows\{BCB1BAD4-4D88-45d0-B4E9-33DC506B5A4E}.exe
2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2956

C:\Windows\{39EDEE8B-5192-491c-B7D3-7AD40D1246AE}.exe
C:\Windows\{39EDEE8B-5192-491c-B7D3-7AD40D1246AE}.exe
3⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\{BEAC59E0-4F02-456f-8154-7E7F5B0BC725}.exe
C:\Windows\{BEAC59E0-4F02-456f-8154-7E7F5B0BC725}.exe
4⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2420

C:\Windows\{E07F903B-BF89-4100-AB87-F9805A1C7062}.exe
C:\Windows\{E07F903B-BF89-4100-AB87-F9805A1C7062}.exe
5⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1228

C:\Windows\{05D69432-3BDB-4b8a-9D97-A5BD8435BBF2}.exe
C:\Windows\{05D69432-3BDB-4b8a-9D97-A5BD8435BBF2}.exe
6⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\{65235F1D-D80F-4fb7-8B53-F3F2DF0DFCAA}.exe
C:\Windows\{65235F1D-D80F-4fb7-8B53-F3F2DF0DFCAA}.exe
7⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\{8B8408E5-FF6D-47d2-BEC6-F832E1A37CD4}.exe
C:\Windows\{8B8408E5-FF6D-47d2-BEC6-F832E1A37CD4}.exe
8⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\{CD6EF587-47F3-4058-BB23-E3AA3A24A1F8}.exe
C:\Windows\{CD6EF587-47F3-4058-BB23-E3AA3A24A1F8}.exe
9⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Windows\{E1CC4753-F582-4f3a-87DB-9BB531601D3E}.exe
C:\Windows\{E1CC4753-F582-4f3a-87DB-9BB531601D3E}.exe
10⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Windows\{98D7AAFB-9043-40a4-970E-7748E78BCB87}.exe
C:\Windows\{98D7AAFB-9043-40a4-970E-7748E78BCB87}.exe
11⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Windows\{B58B85E1-1FC2-4afc-A46E-170B0D21A587}.exe
C:\Windows\{B58B85E1-1FC2-4afc-A46E-170B0D21A587}.exe
12⤵
- Executes dropped EXE
PID:1060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{98D7A~1.EXE > nul
12⤵
PID:1016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E1CC4~1.EXE > nul
11⤵
PID:1416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{CD6EF~1.EXE > nul
10⤵
PID:2932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{8B840~1.EXE > nul
9⤵
PID:2692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{65235~1.EXE > nul
8⤵
PID:876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{05D69~1.EXE > nul
7⤵
PID:1584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E07F9~1.EXE > nul
6⤵
PID:1664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{BEAC5~1.EXE > nul
5⤵
PID:548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{39EDE~1.EXE > nul
4⤵
PID:2376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{BCB1B~1.EXE > nul
3⤵
PID:2528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\337FB0~1.EXE > nul
2⤵
- Deletes itself
PID:2632

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05D69432-3BDB-4b8a-9D97-A5BD8435BBF2}.exe
Filesize
91KB

MD5
0299a67a81aa5dfe5768091afc1530f2

SHA1
50c709045ded8c797d59d5e5ff1a515119597261

SHA256
0c95aa218b55a1a22f3b248a261a3a897d3312e1a6f6165c2560a4bf41d7730c

SHA512
ece534d670cf851cc590c3488383dd869fa869fc8de2d6c63a17de3d1b8958c14181a57c78f20ceabea66d0f2356ad80754b55dfb86a49f6633b691c6c29cec4

Download Submit
C:\Windows\{39EDEE8B-5192-491c-B7D3-7AD40D1246AE}.exe
Filesize
91KB

MD5
5907a6eb8e23c904a6611b70c358be09

SHA1
11120934ed71666f7e7809c9f02dbc4e0d24a581

SHA256
52b8a8c59720c8ec0b53ce448305dac59433151b027510b47e37c3f77f16860c

SHA512
74d51677af1983104bea8de540f8bdfd1b1cac338c505733b8d47c1eb869022567aca5e59475293b820c3753a0bcb93df1cf6bca766d418912e80bb0c61bd957

Download Submit
C:\Windows\{65235F1D-D80F-4fb7-8B53-F3F2DF0DFCAA}.exe
Filesize
91KB

MD5
1bad9bccb5ed5e7250eb6a42a14ea930

SHA1
c5f1763e4a7bc7a220dc04676fbf1b8ef926e0a5

SHA256
acdeaabae4a55ed5fcf868f8949978f49950cfb135f81e54e4402bd1b6d3549b

SHA512
6bec38428a25bb4b4c3bf672b2738d0cfaa23465b7298fc52630c5cad745f53ac35417e80311cea99689a1c85757cd2216ef66cf41861481e5efbbbd8a02c54f

Download Submit
C:\Windows\{8B8408E5-FF6D-47d2-BEC6-F832E1A37CD4}.exe
Filesize
91KB

MD5
aed28f759159de08b91cb60e99188e25

SHA1
a2be373d68d8d2fda78d51b59649ed63d2dff244

SHA256
b5895a1982d236558b05c174e55d5e92f8ec36b5ca91351dbbfa76048b4cde75

SHA512
b814d533ce25cc054ccba003fd13abf425f76517d800bbb32a1aae6bdce7b8020cce4d0c12b6d9305d02ee5fb238c4df7f0d7a8aea0c27926cc41976f9406cc9

Download Submit
C:\Windows\{98D7AAFB-9043-40a4-970E-7748E78BCB87}.exe
Filesize
91KB

MD5
af4f2dce177dab6e743ff0b38b9caace

SHA1
030f07cd635d8330cce323bcb67b8651ec9643bf

SHA256
2d08e42d8c8bba6efd5e0ee1700079acaa103904193adc3ba63d94fc7ab202b1

SHA512
d3ce1b2b59739a44b5c2591150f9d63f1030e0d17ab395bcd2d8c3a43c52543dfbc8c3e557a48cdb23a47c23bce687aea3632698957b5c04636fbb723500ecf6

Download Submit
C:\Windows\{B58B85E1-1FC2-4afc-A46E-170B0D21A587}.exe
Filesize
91KB

MD5
4ae93f82ec1c67ff2bfa4f5e2564abbc

SHA1
20ded79a7d4d84199a9ad2afbb0cdc6688c73f39

SHA256
74e40d171ac855762043cdd3699c26407d59e5724ce28425e50fb6737e55266b

SHA512
e31c90e63b4646a748bfd49361fdd1b51dac0d12d9abe3b7ac4e235bf45bf7f30f77f0726cd2d1a24ca222aa8ce94b0c6ef3d30f74b447c32448f63eb7c08b0e

Download Submit
C:\Windows\{BCB1BAD4-4D88-45d0-B4E9-33DC506B5A4E}.exe
Filesize
91KB

MD5
4b6dd48a4771fc7a145b8e947cb9336d

SHA1
4cf6ad7bcf5375e00416bf612502642e26964734

SHA256
8e218fd56bde0ae34051abc3255c08af1c1c4ccfe046750e92297a163c34074d

SHA512
7a9bec456273181b51a2062b7f18e10d0ea21532748e52b0eaed443605721598ec174482c47214815c4b5eaf9589d9c02e1e0e69e3697278fd0907f11265dca3

Download Submit
C:\Windows\{BEAC59E0-4F02-456f-8154-7E7F5B0BC725}.exe
Filesize
91KB

MD5
d1c7c2b14dbe1786dc30a4d099573242

SHA1
eddbd07dddec72f203b29cccc90b6a5db6b7d12d

SHA256
593ded907e9671e8b871094c5844f99bd33e787f2d759542cdc62aefd9a0d034

SHA512
d0b45213eda58a831b3c2bc4950a0cec669f07135dcbc52b410373f6b2aa7c1810221f4f6b7ef7233d4f01d9dc736e6cb4ebd86d018934c5df5a38f6422d43aa

Download Submit
C:\Windows\{CD6EF587-47F3-4058-BB23-E3AA3A24A1F8}.exe
Filesize
91KB

MD5
329ae3339962a5b07ded7651fc44f416

SHA1
5de7ed86a3fd51594337488b37be92a0bd8ef275

SHA256
535e91d5033f2fd1dbbd74d8b7e8b4fceba25a6be4c684e9f34e7ce471e5345c

SHA512
4dc83e940af0d5ccd5fe215c520cc4aa09aeabbecbff53367efb057c458313524f015ffaa612156dea4fe2ef16f396c6bcf6c8ad4ea8c44d3991da0dfaecdeb1

Download Submit
C:\Windows\{E07F903B-BF89-4100-AB87-F9805A1C7062}.exe
Filesize
91KB

MD5
240c90d22bd867b7dee46e320545297e

SHA1
be1714d28b94f6fba087185a726415c414ea1ca3

SHA256
a95559b0420262187b6cbdd52680f7097a3350a22eb691d307768e674fc236f0

SHA512
5731fcaa6975dbf482ec35cc6f482a7703f889b805e848168225a189877fefc2ddeaff2b5b19fe66849a57efc28ce1bd30e463e535025dd7d40cc98b68e96d1d

Download Submit
C:\Windows\{E1CC4753-F582-4f3a-87DB-9BB531601D3E}.exe
Filesize
91KB

MD5
609d3a2c71e0255c824613d4ff05d6c8

SHA1
0f78758af5cfa85ec925debb93ea09cfb4a00ca2

SHA256
6c95680925e7fc64b6f8563237cc304c1af855bddc63769916260d05a92f7759

SHA512
4ad20828e9e85a4c885c6484760e76d550f8e1d0989c5c5ab7d3c36d882d53b8108bdd15a527bc4ba4473f3502c9b8a2cd2d0bb71971e8caf4a8a23bf718a6e1

Download Submit
memory/1044-60-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1044-52-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1228-42-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1360-83-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1420-93-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1420-85-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1972-50-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2028-25-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2028-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2036-68-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2160-7-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/2160-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2160-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2160-8-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/2420-27-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2420-35-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2716-75-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2956-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads