2766d859d6e8c9e2f62df1f2c2351a4bd2ff4b269a199049111d40af74ebba6b

Analysis

max time kernel
147s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
Size

937KB
MD5

c82ac52c53951e50ef5f24e9dabeb100
SHA1

d4dbf04026c7626a2fed88119ebd5f3acf7170c1
SHA256

2766d859d6e8c9e2f62df1f2c2351a4bd2ff4b269a199049111d40af74ebba6b
SHA512

1bd89480b7d49bc83554da480d5ffc19b92811baf704fb4544a3ce66b9b399bae76a9a4a5f8dad90ed0de5b70c269bb576e82332a511e945f8b5d1f7a63c6f2e
SSDEEP

12288:jwKfOVRo9yRY0q6EQUj0ESA/RfAoF2ePMM:jxWVeyRY0P29rMM

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OneDriveSetupOneDrive = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe"	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\MicrosoftOneDriveSetup26962 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe"	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ntdll.dll.dll	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vsmraid.inf_amd64_3d2bbc45931b8232\RAIDvsmraid.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe

Drops file in Program Files directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\RCX6057.tmp	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\InternetExtendScript.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\InternetExtendScript.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\PresentationBuildTasksoperativo.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\ReachFrameworkPrinting.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX544D.tmp	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\AdobeAcrobat.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\RCX54EB.tmp	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\it-IT\ieinstalExplorer.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\RCX54BB.tmp	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX5EA1.tmp	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\NPPDF32Adobe.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCX6133.tmp	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\RCX4A97.tmp	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AdobeAcrobat.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoaderVSTOMessageProvider.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDFImplAdobe.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodAiod.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\ieinstalExplorer.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\it-IT\RCX4A28.tmp	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\RCX4AE6.tmp	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AdobeAcrobat.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX69FE.tmp	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-rastls.resources_31bf3856ad364e35_10.0.19041.1_en-us_652b6f63c7d7c5dd\OperatingMicrosoft.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sensors-core_31bf3856ad364e35_10.0.19041.84_none_a1f047577b4c323b\stackWindows.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-tetheringstation_31bf3856ad364e35_10.0.19041.1_none_ab796000a895d829\TetheringWindows.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\msil_system.data.services.client.resources_b77a5c561934e089_10.0.19041.1_it-it_475377c0b5b74e99\SystemSystem.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..webauthui.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_640e94869c5ec046\AuthBrokerWindows.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_bth-user.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_46b4b36d4666453a\BthUdTaskWindows10.0.19041.1.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-shimgvw.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_9a97a9fa659ab5c3\Microsoftshimgvw.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-displaymanager_31bf3856ad364e35_10.0.19041.1_none_e6693fa43780b3b9\DisplayManagerWindows.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..vel-winrt.resources_31bf3856ad364e35_10.0.19041.1_en-us_51a6d42ef77aa329\OperatingMicrosoft.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..extension.resources_31bf3856ad364e35_10.0.19041.1_it-it_231ddca9293eaea1\HostWindows.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mshidumdf.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_9f3c98dc9f38b0d8\dexploitationMSHIDUMDF10.0.19041.1.160101.0800.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_dual_chargearbitration.inf_31bf3856ad364e35_10.0.19041.1_none_d564cdfecfd2a164\MicrosoftOperating10.0.19041.1.160101.0800.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-l..wslconfig.resources_31bf3856ad364e35_10.0.19041.1_es-es_2a7fe6f7f689fa48\SistemaWindows.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_10.0.19041.1023_ar-sa_4301d6d98604e74e\MicrosoftOperating10.0.19041.1023.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-rascmdial.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_b5da353744e679a0\MicrosoftRManager.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-winproviders-assoc_31bf3856ad364e35_10.0.19041.1_none_ed201c08d7451e1c\WindowsOperating.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..tivexcore.resources_31bf3856ad364e35_10.0.19041.1_it-it_b65d87bef006c786\mstscaxWindows.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_addinutil_b77a5c561934e089_4.0.15805.0_none_fcd173bc1b434b81\AddInUtilMicrosoft4.8.4084.0.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..-workflow.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_b4275f91403bc9fb\WindowsWorkflowService.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-scanprofiles_31bf3856ad364e35_10.0.19041.1_none_07acec2f26e030c3\ServiceMicrosoft.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..terdriver.resources_31bf3856ad364e35_10.0.19041.1_en-us_80342690e638a891\FVEVOLOperating.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..mitymessaging-rtapi_31bf3856ad364e35_10.0.19041.746_none_33d5b78c9348a0c5\WindowsRuntime10.0.19041.746.160101.0800.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-pifmgr_31bf3856ad364e35_10.0.19041.1_none_6faecd0ec2608e23\PIFMGRMicrosoft.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-userenv.resources_31bf3856ad364e35_10.0.19041.1_en-us_79e35164c2cf79d2\Microsoftuserenv10.0.19041.1.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..torserver.resources_31bf3856ad364e35_10.0.19041.1_it-it_fd0fa0f6840753c4\TsUsbHubMicrosoft.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-profsvc_31bf3856ad364e35_10.0.19041.1266_none_70772af2e7de61d2\OperatingWindows.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wmi-time-provider_31bf3856ad364e35_10.0.19041.1_none_a3232837c7d9e95a\SystemOperating.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.PowerPoint\15.0.0.0__71e9bce111e9429c\PrimaryOffice15.0.4569.1507.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\IME\en-US\WindowsSpTip.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_netfx4-aspnet_state_exe_b03f5f7f11d50a3a_4.0.15805.0_none_5ffcb7ce21b4d707\FrameworkMicrosoft4.8.4084.0.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..aphostres.resources_31bf3856ad364e35_10.0.19041.1_es-es_29c0dca63bd2aaff\APHostResMicrosoft10.0.19041.1.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..rtup-core.resources_31bf3856ad364e35_10.0.19041.1_en-us_0b126399ccf94de6\WindowsWindows10.0.19041.1.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..ilerepair.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_9b526280ec0756f6\MicrosoftMsiCofire.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RCX48DF.tmp	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..anagerdll.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_2869d70b4768a56c\MSCTFUIMANAGERSystme.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_hyperv-vpcibus_31bf3856ad364e35_10.0.19041.928_none_69618fc17b5a02e5\MicrosoftSystem.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands.Resources\v4.0_10.0.0.0_en_31bf3856ad364e35\RCXF8B8.tmp	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ment-diagnosticcsps_31bf3856ad364e35_10.0.19041.153_none_a40582717286afd1\WindowsMicrosoft.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-printing-workflow_31bf3856ad364e35_10.0.19041.264_none_ce69c319c7966f51\OperatingWindows.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\msil_system.management.i..mentation.resources_b77a5c561934e089_10.0.19041.1_ja-jp_0fadbf48207921da\ManagementSystem.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..ellibrary.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_0247cb2a57e5f85a\OperatingMicrosoft.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sysdmremote.resources_31bf3856ad364e35_10.0.19041.1_de-de_bd5e9e5a990f956f\MicrosoftBetriebssystem.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-w..publicapi.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_64ec1f38a45489dd\WindowsSystem.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..ure-other.resources_31bf3856ad364e35_10.0.19041.1_de-de_badda34149446b4c\wshelperWindows.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..se-client.resources_31bf3856ad364e35_10.0.19041.1_it-it_5c7a67d4e76e444c\SistemaMicrosoft.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-d..ne-dsacls.resources_31bf3856ad364e35_10.0.19041.1_es-es_3917f34286a67bd2\operativoSistema10.0.19041.1.160101.0800.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\StudioMFC100U.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..minsnapin.resources_31bf3856ad364e35_10.0.19041.1_en-us_be26cccd36d2d946\OperatingWindows.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_system.windows.presentation.resources_b77a5c561934e089_4.0.15805.0_de-de_db73783b09c8503f\resourcesMicrosoft.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_system.activities.presentation.resources_31bf3856ad364e35_4.0.15805.0_fr-fr_a20ca294169b6271\PresentationActivities340.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ngerprintcredential_31bf3856ad364e35_10.0.19041.1_none_518abbfab883365f\MicrosoftSystem.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-security-ngc-container_31bf3856ad364e35_10.0.19041.1202_none_19c021b26fc94580\WindowsSystem.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mschedexe.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_00ce168c9524b853\SystmeMSchedExe.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-msf-core.resources_31bf3856ad364e35_10.0.19041.1_it-it_12d9fb5bb223d74f\MicrosoftFramework10.0.19041.1.160101.0800.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..k-handler.resources_31bf3856ad364e35_10.0.19041.1_en-us_35063d68209f80fa\MemoryDiagnosticWindows10.0.19041.1.160101.0800.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-hyper-v-m..lebrowser.resources_31bf3856ad364e35_10.0.19041.1_es-es_433f2d4d2df42bab\MicrosoftWindows10.0.19041.1.160101.0800.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security.SecureString\v4.0_4.0.0.0__b03f5f7f11d50a3a\MicrosoftSystem.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..putinking.resources_31bf3856ad364e35_10.0.19041.1_en-us_63a8b80d85c960ac\WinRTMicrosoft.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-autoplay_31bf3856ad364e35_10.0.19041.1266_none_9a152e76298cd801\wmlaunchSystem.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-w..mcore-dll.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_c6d5de1cbae0560a\SystemWindows.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wsp-fileserver_31bf3856ad364e35_10.0.19041.84_none_30e5e60f38dfec50\WSPFSMicrosoft10.0.19041.84.160101.0800.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wmi-view-provider_31bf3856ad364e35_10.0.19041.1_none_0c3f9626056b2ee6\viewprovWindows10.0.19041.1.160101.0800.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sctasks_31bf3856ad364e35_10.0.19041.1_none_4030851754b3e0fb\schtasksOperating.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..i-appcore.resources_31bf3856ad364e35_10.0.19041.1_it-it_faea7c8d3b31585a\operativooperativo.exe	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
4328	c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe

C:\Users\Admin\AppData\Local\Temp\c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\c82ac52c53951e50ef5f24e9dabeb100_NEIKI.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AdobeAcrobat.exe

Filesize
939KB

MD5
21c7d8dacbe0f779f7149dc8e5f65fdc

SHA1
300a7fc4089372004c10912da15290f05da7fb04

SHA256
977b3426cfc42aa7037f9e22c0c82e26b0a36f4764b8cfa3b21878706db228a4

SHA512
6cf306d9d1597ceca352f8a7c2dd68a741557cad5d7e872b4e460cd933744fe0d1f4b5c09df0de44d24d0baa17c0b11c8fa3be05067d628cab5f42989a19f519

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX5EA1.tmp

Filesize
939KB

MD5
865a0c70199593fcefd632ad7c7b992b

SHA1
dddafa8413d9014a6d070d1f9e1509b43d2c5e36

SHA256
d80d3787ab74205620c7da2e496071cceddfd9688c72b56be3ab9c629ba60fec

SHA512
9c752554f66e50d0062c92013d706a05e79e8b82f910ded35bac7a794fffd27e5eb64c3ab26f0c27da45124e7a51b5f25a63a978c446e178ffe147d9543b40c3

Download Submit
C:\Program Files (x86)\Internet Explorer\it-IT\ieinstalExplorer.exe

Filesize
937KB

MD5
c82ac52c53951e50ef5f24e9dabeb100

SHA1
d4dbf04026c7626a2fed88119ebd5f3acf7170c1

SHA256
2766d859d6e8c9e2f62df1f2c2351a4bd2ff4b269a199049111d40af74ebba6b

SHA512
1bd89480b7d49bc83554da480d5ffc19b92811baf704fb4544a3ce66b9b399bae76a9a4a5f8dad90ed0de5b70c269bb576e82332a511e945f8b5d1f7a63c6f2e

Download Submit