6c17d502d24953c1e0a643a72ba3744a6440bdc40421e4f61a38175c359169f3

Analysis

max time kernel
116s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 02:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c76d0d5eef50533613f2e967adcef250_NEIKI.exe
Size

379KB
MD5

c76d0d5eef50533613f2e967adcef250
SHA1

1461f87c013da28373bcae8f5a0bbdaec6592c53
SHA256

6c17d502d24953c1e0a643a72ba3744a6440bdc40421e4f61a38175c359169f3
SHA512

05d71593d8f29da94bd85deeb4691e4a15a3fb2a63243ee57ba2dae631ef6975dcc1dd3ef89d77460ee82f53a60f5c2e4e491df475cfcbe8bd540bea352fd622
SSDEEP

6144:AwynAtMrOVRkidy9yIGWlUixVheNKPu+ff0Jf:AwKfOVRo9yRYxheiue0f

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OneDriveSetupOneDrive = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c76d0d5eef50533613f2e967adcef250_NEIKI.exe"	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\MicrosoftOneDriveSetup26962 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c76d0d5eef50533613f2e967adcef250_NEIKI.exe"	c76d0d5eef50533613f2e967adcef250_NEIKI.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ntdll.dll.dll	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\SysWOW64\de-DE\CMDL32g711codc.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\RCX445B.tmp	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\System32\DriverStore\FileRepository\compositebus.inf_amd64_7500cffa210c6946\compositebusMicrosoft10.0.19041.1.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe

Drops file in Program Files directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\RCX7A7D.tmp	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\AcrobatAdobe19.10.20064.310990.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX8D6D.tmp	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\fr-FR\RCX54F6.tmp	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\Microsoftoperativo.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\VisualMicrosoft.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\extractoradoberfp.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AdobeAcrobat.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\it-IT\RCX5DD3.tmp	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\InkObjWindows.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RCX7BB6.tmp	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\CheckerseBook.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\AdobeAcrobat.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\widevinecdmadapterdlllibcef.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\RCX7059.tmp	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\RCX79DF.tmp	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCX84F0.tmp	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\RCX66DE.tmp	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VisualVisual.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\RCX66EF.tmp	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\RCX8433.tmp	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodAcrobat.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX8453.tmp	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Program Files (x86)\Common Files\System\fr-FR\Windowsdexploitation.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\RCX5E13.tmp	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\AdobeNPPDF32.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\OperatingTipTsf.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\RCX5DC3.tmp	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\RCX673E.tmp	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AnnotUpdater.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\widevinecdmadapterdlllibcef.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\fr-FR\Windowsdexploitation.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\es-ES\RCX5545.tmp	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\RCX5565.tmp	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\extractoradoberfp.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\MicrosoftVisualStudio.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\RCX6FF9.tmp	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\RCX7039.tmp	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\ToolsStudio.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\VisualMicrosoft.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Program Files (x86)\Common Files\System\ado\it-IT\MicrosoftWindows.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\WindowsTipTsf.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft.visualbasic.resources_b03f5f7f11d50a3a_4.0.15805.0_fr-fr_7f62245ba2442987\VisualBasicresources.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..recording.resources_31bf3856ad364e35_10.0.19041.1_es-es_0d954b35cc0b2be7\Windowsuireng.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..cemanager.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_817e3ffcf4436432\devmgrMicrosoft.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..atahelper.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_19d1108b72748726\SystemOperating.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..nnectedaccountstate_31bf3856ad364e35_10.0.19041.746_none_cd491ecc6fc3ff21\SystemOperating.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\WinSxS\wow64_microsoft-xbox-gameoverlay.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_87c1b1ffd88fee0d\Systemgamepanel.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-v..skservice.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_fa84bcd97ed5458c\vdsutilMicrosoft.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-t..mework-msctfmonitor_31bf3856ad364e35_10.0.19041.546_none_6d8a080bdbe94d8b\WindowsSystem.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-lpksetup.resources_31bf3856ad364e35_10.0.19041.1_es-es_8bb05bb98f250445\operativolpksetup.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\WinSxS\msil_system.data.datasetextensions.resources_b77a5c561934e089_10.0.19041.1_it-it_c95dc925f3c01000\resourcesDataSetExtensions.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-msdt_31bf3856ad364e35_10.0.19041.1_none_5b736f76bce3fff9\Systemmsdt.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-security-webauthn_31bf3856ad364e35_10.0.19041.1_none_b51692778b21e562\Windowswebauthn.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..on-logger.resources_31bf3856ad364e35_10.0.19041.1_it-it_dc341f8991c15c9d\MicrosoftSistema.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\de\PresentationUIresources.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ja\DataSvcUtilFramework.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-webdavredir-helper_31bf3856ad364e35_10.0.19041.1_none_ea8fc0989dcc16c5\OperatingSystem.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..laboration-rdpencom_31bf3856ad364e35_10.0.19041.746_none_6d582c4fb817442e\MicrosoftSystem.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.5\es\MicrosoftEntity.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..s-devices.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_ffc5663afa9b4b10\MicrosoftWindows.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.5\es\RCX8AA0.tmp	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-a..face-winnt-provider_31bf3856ad364e35_10.0.19041.1_none_fae851163a7ac3e4\Operatingwinnt10.0.19041.1.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-mccs-accountaccessor_31bf3856ad364e35_10.0.19041.1_none_87a61a4f66ea2bfb\MicrosoftWindows.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-directui.resources_31bf3856ad364e35_10.0.19041.1023_lv-lv_642b8f0070c4d4ce\XamlXaml.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-heif-image-codec_31bf3856ad364e35_10.0.19041.1_none_85c05aa70604277e\WindowsmsHeif.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands.Resources\v4.0_10.0.0.0_de_31bf3856ad364e35\RCX42B5.tmp	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..se-client.resources_31bf3856ad364e35_10.0.19041.117_en-us_f7f9409ddc9bebab\OperatingWindows.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\ReachFramework.resources\v4.0_4.0.0.0_fr_31bf3856ad364e35\Frameworkresources.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-migrationengine_31bf3856ad364e35_10.0.19041.1202_none_cd68049c9076546f\csiagentCMI2MIGXML10.0.19041.630.160101.0800.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_multipoint-srcres.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_52815966eba09793\MicrosoftWindows.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\de\RCX8A8E.tmp	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\WinSxS\msil_system.deployment.resources_b03f5f7f11d50a3a_10.0.19041.1_it-it_7321395057349b84\Microsoftresources.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\Boot\PCAT\de-DE\bootmgrmemdiag10.0.19041.1.160101.0800.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\de\RCXD623.tmp	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..ndservice.resources_31bf3856ad364e35_10.0.19041.1_it-it_197fd21ccc8a2cbb\SistemaPlaySoundService.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands.Resources\v4.0_10.0.0.0_de_31bf3856ad364e35\WindowsWindows.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..lperclass.resources_31bf3856ad364e35_10.0.19041.1_en-us_a931b4a7342696f8\OperatingMicrosoft.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-k..container.resources_31bf3856ad364e35_10.0.19041.1_es-es_a97ce0da126a7795\microsoftwindowskernelpnpeventsSistema.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\WinSxS\wow64_microsoft.dtc.power...non_msil.resources_31bf3856ad364e35_10.0.19041.1_de-de_0b24a3d95bf1396c\PowerShellPowerShell.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.WindowsRuntime.resources\v4.0_4.0.0.0_fr_b77a5c561934e089\RCX44D9.tmp	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\Boot\PCAT\zh-TW\Systemmemdiag.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_windows-media-speech-winrt.resources_31bf3856ad364e35_10.0.19041.1_pl-pl_194bae21a22b2450\WindowsWindows.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-shpafact_31bf3856ad364e35_10.0.19041.1_none_876712f895a64cb7\SystemWindows.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-networkicon.resources_31bf3856ad364e35_10.0.19041.1_it-it_2d5c90257f379a82\operativoSistema.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\Boot\EFI\zh-TW\Operatingbootmgr.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-powershell-sip_31bf3856ad364e35_10.0.19041.1_none_1e5fae61a2104eff\Systempwrshsip.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..cemanager.resources_31bf3856ad364e35_10.0.19041.1_es-es_64424a2cd2d3590f\spacemanMicrosoft.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.WindowsRuntime.resources\v4.0_4.0.0.0_fr_b77a5c561934e089\WindowsRuntimeWindowsRuntime.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..-whitebox.resources_31bf3856ad364e35_10.0.19041.1_en-us_f026eed63a284726\Microsoftrmactivate.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..cy-engine.resources_31bf3856ad364e35_10.0.19041.1_de-de_d2cacc8ae5deb431\CertPolEngWindows.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-storagespaces-altspace_31bf3856ad364e35_10.0.19041.1_none_9282c99683143585\altspaceWindows.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\Boot\PCAT\hr-HR\Microsoftbootmgr10.0.19041.1.160101.0800.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-opengl.resources_31bf3856ad364e35_10.0.19041.1_de-de_ac47b89785596af4\BetriebssystemMicrosoft.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..sthandler.resources_31bf3856ad364e35_10.0.19041.1_it-it_2c0ee936a728ea3d\MicrosoftInputSwitchToastHandler10.0.19041.1.160101.0800.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sysdm.resources_31bf3856ad364e35_10.0.19041.1_de-de_433a40b696028b91\sysdmsysdm.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..favorites.resources_31bf3856ad364e35_11.0.19041.1_ja-jp_a9b0104d2c198480\InternetWEBCHECK.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..lprovider.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_757c5d95e22dd802\XPathServices10.0.19041.1.160101.0800.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\de\MSBuildFramework.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\1031\RCXD4D9.tmp	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..ion-agent.resources_31bf3856ad364e35_10.0.19041.1_en-us_069fe9582df130f2\SystemOperating10.0.19041.1.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\WinSxS\msil_system.servicemodel.web.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_a728c0955ad88a77\MicrosoftSystem.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-autoplay_31bf3856ad364e35_10.0.19041.1_none_66e83389c17b2091\OperatingWindows.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-dedup-common_31bf3856ad364e35_10.0.19041.1_none_e9c4f8f3d005906b\SystemWindows.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\ReachFramework.resources\v4.0_4.0.0.0_fr_31bf3856ad364e35\RCX8A8F.tmp	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\1031\StudioVisual.exe	c76d0d5eef50533613f2e967adcef250_NEIKI.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	c76d0d5eef50533613f2e967adcef250_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe
1688	c76d0d5eef50533613f2e967adcef250_NEIKI.exe

C:\Users\Admin\AppData\Local\Temp\c76d0d5eef50533613f2e967adcef250_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\c76d0d5eef50533613f2e967adcef250_NEIKI.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\widevinecdmadapterdlllibcef.exe

Filesize
7.7MB

MD5
d1043c262d3481add1753ae04cd338f2

SHA1
b91218e66b61ad14727566181d0964b4074cd30a

SHA256
540b5e1570553900bb44685b145104f23bab19f97f4e50a52c9b3ae6b6e81943

SHA512
ef3fc94cbbd8d084c7c7ccd8cb9c740c5cdb788d33be63291a78e83ebc429001fa2ea5393c89efbae5cbc718afd66b78f7d9a24ebdb176a92bf3f5c243ece856

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\extractoradoberfp.exe

Filesize
318KB

MD5
ec86698ec84da963245b58d3124ffd08

SHA1
ea481601fbfd8d28a1703b79085c4e757dc90e9a

SHA256
a44e9f1a8c6a5fcec8df3effca07bf41208a773d88bdef89ca1fd2477d2500b2

SHA512
e87a17e2cb3e52e8fb042c6b2bb84f3676d6b8f608dd13ca0327eb5683a7da78a7239b29692f06587f62f9fa3d474bcaa6aaa3d67a3c48af648ec2a499757bd5

Download Submit
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\RCX66EF.tmp

Filesize
380KB

MD5
cd27a935a9d9a5247bad3f36a0bf1218

SHA1
46b5328ee6c9d13b16870640f9affe20a381ed25

SHA256
9a097952756fb14bd6dabf988718dd1d21daf75c4bdeabbfa3b500838b1fa22c

SHA512
7f331b60897da23e5342d0e0918f14a764157ad566c9f604bbac332008fef5c0f8efd926f6f26d6758958b8c365479d2c9a41de9be1edb042780f63c7d305375

Download Submit
C:\Program Files (x86)\Common Files\System\fr-FR\Windowsdexploitation.exe

Filesize
379KB

MD5
c76d0d5eef50533613f2e967adcef250

SHA1
1461f87c013da28373bcae8f5a0bbdaec6592c53

SHA256
6c17d502d24953c1e0a643a72ba3744a6440bdc40421e4f61a38175c359169f3

SHA512
05d71593d8f29da94bd85deeb4691e4a15a3fb2a63243ee57ba2dae631ef6975dcc1dd3ef89d77460ee82f53a60f5c2e4e491df475cfcbe8bd540bea352fd622

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\es-ES\Microsoftoperativo.exe

Filesize
380KB

MD5
5355de4f2f466a0421ac9bc6f456a749

SHA1
cf77a9389200fc16d20f3b1a4be78583854deddd

SHA256
115d720567ffc59d0bd5558898bfe4c79d821ef92b6daf61011da3e015595211

SHA512
1387ab6bace2adbfcfd947b44264d939be6e018eb31102155d3ae5f02756fa094ab0d85edb341e34bd23de3b7cd460e5a50a6ca35462d29240864db74dd1b9e4

Download Submit