1d33540c6650095df1ad66291f0f0ccb502ae41cc465fd3aae618723aca1f215

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 14:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
Size

529KB
MD5

ca397037e6d2df6f398d388d524b3100
SHA1

9e632c01e4e33bf229de71c7633fbff1ba4d9736
SHA256

1d33540c6650095df1ad66291f0f0ccb502ae41cc465fd3aae618723aca1f215
SHA512

052c30be4c5745f1ec2227f57e626bc2d204872f6744b19c23cd817f60b9299f2acb0aca9aed035a5ba815220aa49dbb2fd30a2023ae5882b32296b5f3f84a77
SSDEEP

6144:WwynAtMrOVRkidy9yIGWlUiWxAIDWnx4vK:WwKfOVRo9yRYoeGi

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OneDriveSetupOneDrive = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe"	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\MicrosoftOneDriveSetup26962 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe"	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ntdll.dll.dll	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe

Drops file in Program Files directory 51 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCX5D05.tmp	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\chromeelfdlld3dcompiler47.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RCX5D63.tmp	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Unicodert3d19.10.20064.310990.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VC\RCX3E95.tmp	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\RCX4976.tmp	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eulaicuuc58.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ja-JP\RCX3647.tmp	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX6EAC.tmp	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\MicrosoftDAO360.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\UpdaterUpdate.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\RCX400D.tmp	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHostAdobe.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VC\MSDIA100Visual.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Unicodert3d19.10.20064.310990.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\RCX536D.tmp	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCX65D1.tmp	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AdobeAcrobat.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\System\ja-JP\OperatingMicrosoft.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\qrcodepmpdatamatrixpmp.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\AdobeAcrobat19.10.20064.310990.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{4FFE2A4B-9EB2-4C55-A0FC-3C25EA99F21F}\UpdateSetup.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\RCX49B5.tmp	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{4FFE2A4B-9EB2-4C55-A0FC-3C25EA99F21F}\UpdateSetup.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VC\MicrosoftStudio.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\CheckerUpdater2.8.401.10.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\chromeelfdlld3dcompiler47.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VC\RCX35A9.tmp	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\AdobeNPPDF32.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\RCX5BDB.tmp	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\RCX4A24.tmp	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHostAdobe.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\RCX2CFB.tmp	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\IEXPLOREiexplore.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\RCX35F8.tmp	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\Explorerieinstal.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\System\MicrosoftSystem.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\MicrosoftWindows.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\RCX52EF.tmp	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\MicrosoftSystem.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\UpdaterUpdate.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\RCX538D.tmp	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{4FFE2A4B-9EB2-4C55-A0FC-3C25EA99F21F}\RCX2D4C.tmp	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\RCX407C.tmp	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\AcrobatNPPDF32.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX65E1.tmp	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\Explorerieinstal.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\RCX2D1C.tmp	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodAdobe.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\CheckerUpdater2.8.401.10.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eulaicuuc58.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..rience-program-data_31bf3856ad364e35_10.0.19041.264_none_4f49f316e1e9e24b\MicrosoftSystem.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\Boot\EFI\en-US\WindowsSystem.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File opened for modification	C:\Windows\Branding\Basebrd\it-IT\RCX3800.tmp	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\Boot\EFI\hr-HR\bootmgrbootmgr.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\Boot\PCAT\es-MX\Windowsbootmgr.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devices-midi_31bf3856ad364e35_10.0.19041.264_none_c8bbc444fa8867f7\DevicesDevice.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\Boot\PCAT\pt-PT\memdiagmemdiag.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\Boot\EFI\de-DE\bootmgrWindows.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..vicediscovery-dnssd_31bf3856ad364e35_10.0.19041.746_none_020a8c9455f465ee\DnssdWindows.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-o..t-storage.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_931a1977e297932f\WindowsStorage.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\Boot\EFI\et-EE\bootmgrMicrosoft.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-powercfg_31bf3856ad364e35_10.0.19041.1_none_1ded72a14aa7d349\WindowsOperating10.0.19041.1.160101.0800.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.Resources\v4.0_3.0.0.0_it_31bf3856ad364e35\RCX5E23.tmp	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\XamlViewer\RCXA530.tmp	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\Boot\PCAT\ru-RU\bootmgrWindows.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\Boot\PCAT\el-GR\sstabootmgr.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File opened for modification	C:\Windows\Branding\Basebrd\fr-FR\RCX386F.tmp	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-pnputil.resources_31bf3856ad364e35_10.0.19041.1_de-de_e9addfd366a145cf\pnputilpnputil.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-retaildemo-retailinfo_31bf3856ad364e35_10.0.19041.746_none_c0be8d4515a93129\RetailInfoWindows.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-m..aphostres.resources_31bf3856ad364e35_10.0.19041.1_de-de_8b59541b812e6f90\WindowsBetriebssystem10.0.19041.1.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ololens-environment_31bf3856ad364e35_10.0.19041.1_none_cf88ffd1a030f641\SystemWindows.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sysdm.resources_31bf3856ad364e35_10.0.19041.1_de-de_433a40b696028b91\Microsoftsysdm.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\Boot\EFI\en-US\bootmgrOperating.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\Boot\PCAT\sr-Latn-RS\WindowsMicrosoft10.0.19041.1.160101.0800.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\msil_microsoft.virtualization.client.settings_31bf3856ad364e35_10.0.19041.1266_none_647a4b0d75bb4bd8\VirtualizationSettings.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\Branding\Basebrd\en-US\BASEBRDWindows.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\en-US\ServiceModelInstallRCWorkflowServiceHostPerformanceCounters.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\Boot\EFI\nl-NL\WindowsbesturingssysteemMicrosoft.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\IME\IMEJP\DICTS\OperatingWindows10.0.19041.1.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\Boot\EFI\da-DK\WindowsWindows.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\Boot\EFI\uk-UA\bootmgrWindows.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-e..crosoftedgedevtools_31bf3856ad364e35_10.0.19041.1_none_65a5646e8443d0f8\MicrosoftEdgeCPMicrosoft11.00.19041.1.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ement-dmoleaututils_31bf3856ad364e35_10.0.19041.1_none_81e9739acc34ebf2\dmoleaututilsdmoleaututils.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\msil_mmcex.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_09ff729ea391f5f0\resourcesWindows.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\RCXA56F.tmp	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\Boot\PCAT\sk-SK\Operatingbootmgr.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\Boot\PCAT\cs-CZ\Microsoftsystm.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\Boot\PCAT\en-GB\WindowsSystem.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-printdialog.appxmain_31bf3856ad364e35_10.0.19041.1_none_3b03b28c788655c6\WindowsSystem.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\GAC\de\MICROSOFTMICROSOFT.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\Boot\EFI\fr-FR\dexploitationWindows.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File opened for modification	C:\Windows\Branding\Basebrd\en-US\RCX3820.tmp	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\Boot\PCAT\hr-HR\Windowssustav10.0.19041.1.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\Boot\PCAT\lv-LV\bootmgrWindows.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\Boot\PCAT\lt-LT\OperacineWindows10.0.19041.1.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\Boot\PCAT\hu-HU\opercisopercis10.0.19041.1.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..monnoia64.resources_31bf3856ad364e35_10.0.19041.1_en-us_0b018d9a63164212\sapisapisvr.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-deviceupdateagent_31bf3856ad364e35_10.0.19041.1_none_0e74f8fe5c3e60f7\MicrosoftWindows.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\Branding\Basebrd\fr-FR\MicrosoftWindows.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-r..onmanager.resources_31bf3856ad364e35_10.0.19041.1_es-es_ee2df928d70b68e7\ConnectionCMSTPLUA.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..ry-client.resources_31bf3856ad364e35_10.0.19041.1_de-de_d2d07069f2f8d937\diagtrackMicrosoft.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\Boot\EFI\es-ES\bootmgrbootmgr10.0.19041.1.160101.0800.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\Boot\PCAT\fr-FR\memdiagbootmgr.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\Boot\PCAT\fi-FI\memdiagkyttjrjestelm.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\Boot\PCAT\pl-PL\memdiagbootmgr.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..languages.resources_31bf3856ad364e35_10.0.19041.1_ru-ru_b1ef3035e92014fd\tipresxMicrosoft.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..onservice.resources_31bf3856ad364e35_10.0.19041.1_en-us_6ac89dd73bb92dfa\WindowsWindows.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Timer\v4.0_4.0.0.0__b03f5f7f11d50a3a\SystemThreading.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\MicrosoftPresentationHostv0400.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\Boot\Resources\en-US\SystemOperating.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\Boot\Misc\PCAT\Windowsbootspaces.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\Boot\EFI\lt-LT\Windowssistema.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\Boot\EFI\en-GB\Windowsbootmgr.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..ure-other.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_929ec170f5687671\SystemWinsockHC10.0.19041.1.160101.0800.exe	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
1280	ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ca397037e6d2df6f398d388d524b3100_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\RCX5BDB.tmp

Filesize
531KB

MD5
2a5bb7512a4a7f3ea439a2ca047b0f3a

SHA1
3428f85c237034db4d4d1d43ee4a6b38bbfbdf58

SHA256
a9e0e9fa7b977fb8560083e1bdc8e429e200fc74c40e8f1541367991b3ab5ea5

SHA512
67b96f661d2ccb39bde35bd92cd434aa41ac8ccd1766b5af21d8828c6c329f33ef5924371ee782fef8c0ef76aae9310b228cbc5cb56708daee4735e971649071

Download Submit
C:\Program Files (x86)\Common Files\Microsoft Shared\VC\RCX35A9.tmp

Filesize
531KB

MD5
37a9c035b5419fc17b081be1b8fb1749

SHA1
cbb3bdb4a357696cb17705a508fb83358cb3df2c

SHA256
58412ad4c2861665215349c14a1d9beb67709de23d77a34dce7fa1e8e81b217a

SHA512
53c3e86c959361f1f164c2d2587557c0910ca1f350ce0e512c3bce2abfd0f3c103c8f6216844a66f379d7b13a7821ac1ab317f56b15b1d15155de3dc7c1dddb4

Download Submit
C:\Program Files (x86)\Internet Explorer\en-US\Explorerieinstal.exe

Filesize
529KB

MD5
ca397037e6d2df6f398d388d524b3100

SHA1
9e632c01e4e33bf229de71c7633fbff1ba4d9736

SHA256
1d33540c6650095df1ad66291f0f0ccb502ae41cc465fd3aae618723aca1f215

SHA512
052c30be4c5745f1ec2227f57e626bc2d204872f6744b19c23cd817f60b9299f2acb0aca9aed035a5ba815220aa49dbb2fd30a2023ae5882b32296b5f3f84a77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\79ZXHV21\getfile[2].htm

Filesize
42KB

MD5
e5a9aad4fe457cf504ba102242492084

SHA1
e5d078bc24d899e935d95bf0f285882f12ede3e1

SHA256
672979c9d1a75a00941db1169d1b9fb45ea0fe935eb63bc1643e701c8d9ee65d

SHA512
be10a799e8c3be1db867f91ae052ccd7d1f3c85cd75801e70fe88a1baee56fc1f7ffac5422c2a127c3449f3b1b4e672ec7f70bd87e8d7eb7d9912f58633b1440

Download Submit