4bf737d9c8d0feff3422f193c385e61b54fb3e984d1b20ad55b899d3a93f906e

Analysis

max time kernel
145s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 12:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
Size

729KB
MD5

e41b7e50831acf64703413d95a25a0b0
SHA1

90d01b8823234fde5f3e61eb7afdf4a3da6dc310
SHA256

4bf737d9c8d0feff3422f193c385e61b54fb3e984d1b20ad55b899d3a93f906e
SHA512

675c98e45180e468f1432ad87a5a89684d5d41c15e764b07da1426acedbd9b39ab5d80f5d66508ffd2133d063921ea810e5aefe05a68a88c721eecb8d27fee0f
SSDEEP

6144:4wynAtMrOVRkidy9yIGWlUiCIII1SLHco6FLY6shZBWlK3b++2kLDZPHQXq9iHqn:4wKfOVRo9yRYcIIGLUh7Wk/LwqZl

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OneDriveSetupOneDrive = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe"	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\MicrosoftOneDriveSetup26962 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe"	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppBackgroundTask\MicrosoftCommands.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppBackgroundTask\RCX83B4.tmp	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\System32\DriverStore\FileRepository\termkbd.inf_amd64_a0634dcf2da1127e\Operatingterminpt.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\ntdll.dll.dll	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mtconfig.inf_amd64_fe91941ed205cd9b\SystemMicrosoft.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_amd64_9c09bd1df352f065\Storageiastorv8.6.2.1019.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe

Drops file in Program Files directory 32 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\sqliteLogSession.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\uk-UA\RCX43D0.tmp	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOInstallerUIVisual.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\AcrobatAdobe.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\CreateWCChromeNativeMessagingHost19.10.20064.310990.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\datamatrixpmpqrcodepmp.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX620F.tmp	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AdobeAiod.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX76D3.tmp	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\AdobeAdobe19.10.20064.310990.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\WindowsSistema.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\NPPDF32Acrobat.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX6D6C.tmp	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\RCX43F0.tmp	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\RegistrationRegistration2.8.401.10.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\RegistrationRegistration2.8.401.10.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AdobeAiod.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Windows Media Player\uk-UA\WindowsWindows12.0.19041.1.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\RCX4D87.tmp	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\RCX5857.tmp	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\CreateWCChromeNativeMessagingHost19.10.20064.310990.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\RCX4DB6.tmp	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\HMMAPIInternet.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\RCX58C7.tmp	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCX64FF.tmp	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\sqliteLogSession.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodAcrobat.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\RCX4381.tmp	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\RCX5877.tmp	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\RCX6338.tmp	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\AdobeAdobe19.10.20064.310990.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\RCX4DD7.tmp	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-hyper-v-h..t-service.resources_31bf3856ad364e35_10.0.19041.1_it-it_6a5974f1d460135b\Sistemahvhostsvc.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wwansvc.resources_31bf3856ad364e35_10.0.19041.1_de-de_33a681070e9ce46a\MicrosoftWwanSvc.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\1040\alinkuiVisual.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\Boot\PCAT\cs-CZ\systmbootmgr.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\Boot\PCAT\es-ES\WindowsMicrosoft.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\ja\RCX31A9.tmp	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-homegroup-listsvc_31bf3856ad364e35_10.0.19041.610_none_4cbb0d74d942a05c\OperatingListSvc.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..s-package.resources_31bf3856ad364e35_10.0.19041.1_it-it_dec556cc09177eda\WindowsSistema.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\Branding\shellbrd\RCX200A.tmp	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\msil_microsoft.visualbas..lity.data.resources_b03f5f7f11d50a3a_10.0.19041.1_de-de_5a77f4f3e3aa30c2\resourcesDATA.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\assembly\GAC_MSIL\PresentationUI.Resources\3.0.0.0_es_31bf3856ad364e35\resourcesFramework.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-dot3ui.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_49083a62c5e2e9bd\dot3dlgWindows10.0.19041.1.160101.0800.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\msil_multipoint-wms.admincommon.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_1f0d00327483c2ca\AdminCommonresources.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_system.web.abstractions.resources_31bf3856ad364e35_4.0.15805.0_ja-jp_e365a1c147a09f3e\MicrosoftRFramework.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ScheduledJob.Resources\v4.0_3.0.0.0_es_31bf3856ad364e35\RCX8327.tmp	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Workflow.Activities\v4.0_4.0.0.0__31bf3856ad364e35\SystemFramework.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\Boot\EFI\pl-PL\operacyjnybootmgr.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\RCX69C8.tmp	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Tpm.Commands.Resources\v4.0_10.0.0.0_fr_31bf3856ad364e35\resourcesresources.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\PresentationUI.Resources\3.0.0.0_es_31bf3856ad364e35\RCX30ED.tmp	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-cdp-api_31bf3856ad364e35_10.0.19041.117_none_c4877fb7073128d2\WindowsOperating.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-ldifde.resources_31bf3856ad364e35_10.0.19041.1_de-de_92c0fed770a35565\Betriebssystemldifde.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\msil_microsoft.powershell.security_31bf3856ad364e35_10.0.19041.1_none_d14b1c0ee3ee3d38\PowerShellSecurity.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-web-app-host.resources_31bf3856ad364e35_10.0.19041.1_es-es_585e9da53b0a5055\operativoWWAHost.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\Boot\EFI\nl-NL\bootmgrbootmgr10.0.19041.1.160101.0800.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\Boot\PCAT\tr-TR\Windowsbootmgr10.0.19041.1.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-regctrl_31bf3856ad364e35_10.0.19041.746_none_f8afbe5113672b1f\SystemWindows.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wlanpref.resources_31bf3856ad364e35_10.0.19041.1_de-de_01cc256f97efbe04\wlanprefwlanpref.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\PresentationHostv0400WindowsBase.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\Boot\EFI\sl-SI\Windowssistem.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-netsh_31bf3856ad364e35_10.0.19041.1_none_159203c1973658cd\Systemnetsh.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Drawing.Resources\2.0.0.0_es_b03f5f7f11d50a3a\RCX3237.tmp	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wlanconnectionflow_31bf3856ad364e35_10.0.19041.746_none_682e205fc6a0eac3\WlanConnWindows.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\msil_microsoft.applicati..ulewizard.resources_31bf3856ad364e35_10.0.19041.1_en-us_52a6881a1d366196\resourcesresources10.0.19041.1.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\IME\OperatingSpTip.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-cttune.resources_31bf3856ad364e35_10.0.19041.1_it-it_76f931d237c9d4e4\SistemaWindows.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\Boot\EFI\da-DK\WindowsOperativsystem.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wmi-wmiclnt_31bf3856ad364e35_10.0.19041.546_none_d3eefbf5eecbb6e3\wmiclntwmiclnt10.0.19041.546.160101.0800.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..onenumberformatting_31bf3856ad364e35_10.0.19041.746_none_591fe31438fc1380\componentGlobalization.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..xthandler.resources_31bf3856ad364e35_10.0.19041.1_it-it_8cb23c6df4808b9b\Windowsoperativo.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..engineres.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_68cdd3bea7f2f25a\MicrosoftWindows.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..mgmttools.resources_31bf3856ad364e35_10.0.19041.1_de-de_9aa08acbf02326cb\TSPSDataAccessresources.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..ovdatamodel-library_31bf3856ad364e35_10.0.19041.264_none_8c2e2c91b5f05dfa\WindowsWindows.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-xcopy_31bf3856ad364e35_10.0.19041.1_none_233b627ec80a87f1\XCOPYxcopy.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\Boot\EFI\ru-RU\bootmgrmemdiag.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\1040\RCX201A.tmp	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\Boot\PCAT\nl-NL\Microsoftmemdiag.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\Boot\PCAT\Systembootvhd.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_lt-lt_1ef72b241f8f50b1\WindowsCOMCTL32.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-i..ablenetworkgraphics_31bf3856ad364e35_11.0.19041.1_none_7b8a5c016543670b\PNGFILTPNGFILT.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-charmap.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_3fb2d4d08a23e9ef\dexploitationSystme.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack-inetsrv_31bf3856ad364e35_10.0.19041.262_none_130cd005c5daec14\Microsoftiissetupai.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\Boot\PCAT\de-DE\bootmgrWindows10.0.19041.1.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-coreos_31bf3856ad364e35_10.0.19041.1_none_e597fe1d120f8fad\WindowsMicrosoft.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-systemmanagement_31bf3856ad364e35_10.0.19041.264_none_3f765fc92b46b35e\WindowsOperating10.0.19041.264.160101.0800.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..serverapi.resources_31bf3856ad364e35_10.0.19041.1_de-de_fe979a3db8570501\BetriebssystemMicrosoft.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.resources\v4.0_4.0.0.0_ja_b03f5f7f11d50a3a\MicrosoftBuild.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ic-module.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_71442cd756cd9823\WindowsWindows.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..pellcheck.resources_31bf3856ad364e35_10.0.19041.1_de-de_359acd1afb50279a\WindowsBetriebssystem.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-winsock-helper-tcpip_31bf3856ad364e35_10.0.19041.1_none_81a41345d0e50bd5\SystemMicrosoft.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..container.resources_31bf3856ad364e35_10.0.19041.1_en-us_aedc447f1d8c3dd6\Operatingmicrosoftwindowsstoragetieringevents.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ldhangul-tipprofile_31bf3856ad364e35_10.0.19041.1_none_4042b144251bb591\imkrotipWindows10.0.19041.1.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\IME\RCX6A17.tmp	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ncrypt.resources_31bf3856ad364e35_10.0.19041.1_en-us_7feb0e02f5d5e82c\Windowsncrypt.exe	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
624	e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e41b7e50831acf64703413d95a25a0b0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX620F.tmp

Filesize
730KB

MD5
99e861b62dc50f9dd0aa3e0c854e23bb

SHA1
47ce28611d6bb71603d434cca44e47d9972db775

SHA256
344f20c5179db25a0b1ec86310b1be86a561bd830fe01aba1b4be57cfcba9ebf

SHA512
f276293a6dc0f1b0c4280cce568160aca119377ad2a9e81f736afc365c4ab15d6f56d4e45690f13a9a3d3a523167be5003c1fc5576986888eb73a951a3bbf1ce

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\AdobeAdobe19.10.20064.310990.exe

Filesize
729KB

MD5
e41b7e50831acf64703413d95a25a0b0

SHA1
90d01b8823234fde5f3e61eb7afdf4a3da6dc310

SHA256
4bf737d9c8d0feff3422f193c385e61b54fb3e984d1b20ad55b899d3a93f906e

SHA512
675c98e45180e468f1432ad87a5a89684d5d41c15e764b07da1426acedbd9b39ab5d80f5d66508ffd2133d063921ea810e5aefe05a68a88c721eecb8d27fee0f

Download Submit
C:\Program Files (x86)\Windows Defender\es-ES\RCX43F0.tmp

Filesize
730KB

MD5
cc557000d8c6b3821cdb3e837df93198

SHA1
680033c4b193c5ce9db3aee6c8ea51c2c3eeed4b

SHA256
078df1daea385f4669f6b16ba2e696569244ec5fdb4c85722a4a13299cf8ded5

SHA512
69ffb00d5e0cc3cb36f229464cc4585a7724642192eecd52df0de10383d4b00c6a5c892505fc9a8e896622c88cfb7adc4cafb2d6e416cfaccfb4bcdb51b0b803

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\PresentationHostv0400WindowsBase.exe

Filesize
710KB

MD5
2081b062c41027fe20b0c8917301f531

SHA1
a6901dd4315593367c61cff4d2a8c1d2c96a1092

SHA256
f0a071786e10615bcd7772dc83b03967934f48875189df7520dc691f2997405d

SHA512
da3fa1abe6248c30316234fbe80e56f348b90e06602621ff1bf11bd06d9a67ea85c551a83e8de1a514daeed6229397d5aa2206bebdfe24bc16d4633d063022c4

Download Submit