b813584c8f17d9c3dff3cb31b3e959427057a19ee452a761d6f2e4ad4eba5503

Analysis

max time kernel
148s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
Size

783KB
MD5

04195e0cf9c073345ebd70318d334b40
SHA1

d02e7fc21d7406c4b364fa38afccae548a6a5b2d
SHA256

b813584c8f17d9c3dff3cb31b3e959427057a19ee452a761d6f2e4ad4eba5503
SHA512

e5b8a70ceb343a86bc3cef961de7c52dc11be99e4d3369b5a75521cffbfeb01daaf183bb96a110f916e999281687f8487fa3b64fc119beb95170b0d41a2543f1
SSDEEP

12288:+wKfOVRo9yRYCQ7E4O8b8ITDnlOB1ZhIRPAN:+xWVeyRYCQ7E4O8b8ITDnlO3N

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OneDriveSetupOneDrive = "C:\\Users\\Admin\\AppData\\Local\\Temp\\04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe"	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\MicrosoftOneDriveSetup26962 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe"	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ntdll.dll.dll	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\IME\IMETC\MicrosoftOperating.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\IME\IMETC\MicrosoftOperating.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\IME\IMETC\RCX1A55.tmp	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe

Drops file in Program Files directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCX6EC2.tmp	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\tifffiltSystem.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UtilitiesAdobeXMP.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\RCX51F9.tmp	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\RCX5AD5.tmp	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCX6557.tmp	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AdobeAiod.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\HMMAPIieinstal.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX776D.tmp	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\System\ado\ja-JP\MicrosoftWindows.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\RCX51E9.tmp	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\RCX5B53.tmp	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\AcrobatAdobe.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\LinkLibrary.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\ja-JP\RCX5B83.tmp	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\RCX6605.tmp	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodAcrobat.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\JP2KLibccmeecc91.603136.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\InternetExplorer.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\DynamicComponents.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RCX65C6.tmp	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX6E72.tmp	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\JP2KLibccmeecc91.603136.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UtilitiesAdobeXMP.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ja-JP\RCX5229.tmp	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\DynamicComponents.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\AcrobatAdobe.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Boot\EFI\ro-RO\operareoperare10.0.19041.1.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\InstallUtil.resources\v4.0_4.0.0.0_fr_b03f5f7f11d50a3a\RCXAB34.tmp	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Windows\IME\IMEKR\DICTS\WindowsMSHWKOR.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File opened for modification	C:\Windows\IME\IMEKR\DICTS\RCX8502.tmp	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-f..ager-core.resources_31bf3856ad364e35_10.0.19041.1_de-de_611d295eb89454f6\WindowsMicrosoft.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\InstallUtil.resources\v4.0_4.0.0.0_fr_b03f5f7f11d50a3a\Microsoftresources.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ja\SystemFramework.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Windows\Boot\PCAT\es-MX\Windowsoperativo10.0.19041.1.160101.0800.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\msil_multipoint-wms.admincommon.resources_31bf3856ad364e35_10.0.19041.1_de-de_d399575692acaefe\BetriebssystemAdminCommon.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Regasm.resources\v4.0_4.0.0.0_it_b03f5f7f11d50a3a\Regasmresources.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Tpm.Commands.Resources\v4.0_10.0.0.0_es_31bf3856ad364e35\SistemaMicrosoft.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.5\de\EntityMicrosoft.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Windows\Boot\PCAT\sv-SE\memdiagWindows.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iologgingdll.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_4d7f0ec96be8b1a2\WindowsMicrosoft.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\SystemSystem.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-onex.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_4710ce8e434e7e84\Microsoftonex.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms.resources\v4.0_4.0.0.0_es_b77a5c561934e089\resourcesWindows.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Windows\Boot\EFI\sk-SK\bootmgrbootmgr.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Printing.Resources\3.0.0.0_it_31bf3856ad364e35\Microsoftresources.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File opened for modification	C:\Windows\Branding\Basebrd\RCX8541.tmp	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\msil_microsoft.web.confi..apphostfileprovider_31bf3856ad364e35_10.0.19041.844_none_c3a02bbfab307832\ConfigurationServices.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Windows\ImmersiveControlPanel\uk-UA\SettingsMicrosoft.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Windows\Boot\PCAT\bg-BG\bootmgrbootmgr.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-wmvxencd_31bf3856ad364e35_10.0.19041.1_none_09d58e7a0e38d4a6\SystemOperating.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1151_none_71aa7fdbb41824a0\InputDialPenWorkspace.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\RCX1AB5.tmp	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.SecureBoot.Commands.Resources\v4.0_10.0.0.0_de_31bf3856ad364e35\SecureBootSecureBoot10.0.19041.1.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Windows\Boot\PCAT\es-MX\SistemaWindows10.0.19041.1.160101.0800.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..sprovider.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_a287203c21f0ea99\SystemMicrosoft10.0.19041.1.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\wpfgfxv0300wpfgfxv0300.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Windows\Boot\PCAT\da-DK\bootmgrMicrosoft10.0.19041.1.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\it\Systemresources2.0.50727.91496.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms.resources\v4.0_4.0.0.0_es_b77a5c561934e089\RCX6270.tmp	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..g-cmdline.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_0bef72ece9f0005a\WindowsOptimizer10.0.19041.1.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..ngstation.resources_31bf3856ad364e35_10.0.19041.1_en-us_b15a5a5f138ce7c2\OperatingWindows.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Cmdletization.OData.Resources\v4.0_3.0.0.0_es_31bf3856ad364e35\MicrosoftWindows.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Windows\Branding\Basebrd\it-IT\Windowsoperativo10.0.19041.1.160101.0800.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..anup-task.resources_31bf3856ad364e35_10.0.19041.1_de-de_6f69dadb8c567ce7\SetupCleanupTaskWindows10.0.19041.1.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\RCX38F2.tmp	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ja\RCX3CCB.tmp	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Windows\Boot\EFI\es-ES\bootmgrbootmgr.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-kernelbase_31bf3856ad364e35_10.0.19041.207_none_0527f99c13420d2f\KernelbaseWindows.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Printing.Resources\3.0.0.0_it_31bf3856ad364e35\RCX1A85.tmp	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Windows\Boot\PCAT\nb-NO\memdiagWindows.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\SecureBootWindows.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.SecureBoot.Commands.Resources\v4.0_10.0.0.0_de_31bf3856ad364e35\RCXF0F9.tmp	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.5\de\RCXF148.tmp	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Windows\Branding\Basebrd\WindowsOperating10.0.19041.906.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-s..r-library.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c647cb4afca3ab52\dexploitationdexploitation.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Regasm.resources\v4.0_4.0.0.0_it_b03f5f7f11d50a3a\RCX6220.tmp	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Workflow.ServiceCore.Resources\v4.0_3.0.0.0_en_31bf3856ad364e35\RCXAAF3.tmp	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Tpm.Commands.Resources\v4.0_10.0.0.0_es_31bf3856ad364e35\RCXAB23.tmp	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\RCXF0E8.tmp	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Windows\Boot\PCAT\fr-CA\Systmebootmgr10.0.19041.1.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-msmpeg2vdec_31bf3856ad364e35_10.0.19041.1288_none_101395a1a19285d9\SystemWindows10.0.19041.1288.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-w..sition-uicomponents_31bf3856ad364e35_10.0.19041.1151_none_4e193eb76ed5f8cb\WindowsWIADEFUI.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-c..bluetooth-telemetry_31bf3856ad364e35_10.0.19041.1_none_7f46914fc08cffef\WindowsWindows10.0.19041.1.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Cmdletization.OData.Resources\v4.0_3.0.0.0_es_31bf3856ad364e35\RCX61C2.tmp	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Windows\Boot\PCAT\de-DE\MicrosoftBetriebssystem.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Windows\Boot\EFI\fi-FI\Windowsbootmgr.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Windows\Boot\EFI\sv-SE\Operativsystemetmemdiag.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_windowssearchengine.resources_31bf3856ad364e35_7.0.19041.1_de-de_48b54de946d57db3\WindowsSearchIndexer.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Workflow.ServiceCore.Resources\v4.0_3.0.0.0_en_31bf3856ad364e35\ServiceCoreWindows10.0.19041.1.exe	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
File opened for modification	C:\Windows\Branding\Basebrd\it-IT\RCX3826.tmp	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
2020	04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\04195e0cf9c073345ebd70318d334b40_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\AcrobatAdobe.exe

Filesize
783KB

MD5
04195e0cf9c073345ebd70318d334b40

SHA1
d02e7fc21d7406c4b364fa38afccae548a6a5b2d

SHA256
b813584c8f17d9c3dff3cb31b3e959427057a19ee452a761d6f2e4ad4eba5503

SHA512
e5b8a70ceb343a86bc3cef961de7c52dc11be99e4d3369b5a75521cffbfeb01daaf183bb96a110f916e999281687f8487fa3b64fc119beb95170b0d41a2543f1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\JP2KLibccmeecc91.603136.exe

Filesize
742KB

MD5
ff4c4191650ea46f334ea9fc36700562

SHA1
5a751a0ff99e1a858eb7dd5742ca97d1a422f414

SHA256
e9ee7c1864113d8534e37194d715216bc2eb9a4da11295a336a957c684ef4c04

SHA512
12008be4df505fa8b8c8190d546ed548fd002ab6dda946aa07f29868bbbbdaa333cc04a2eabde8d08336489095e6bbb2c3cbc60390b3630a036dee21c94d10f5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UtilitiesAdobeXMP.exe

Filesize
1.3MB

MD5
b15fe328d187dbc21d84d25346412dac

SHA1
f946e27883b809cbb673a2eb08ca00fe68c65b36

SHA256
9746fac995541ba46d2ebac9a98b91f7dce99279a8467d450794394ca335fafa

SHA512
7a81a7a22ecf82949f097eb63c79839720a47fbe593db8de56bcb559dc0ed66b33bb796893ad0cf121ecbff23a37c6ee2e23b45fe738a3a6c6ead252cbe4db93

Download Submit
C:\Program Files (x86)\Common Files\System\ado\ja-JP\MicrosoftWindows.exe

Filesize
784KB

MD5
5fa0a415f72b27c80ae6bd2f55a2b6b9

SHA1
e0b90db4ad9adae34df3635a119aa62a4ccfee39

SHA256
4943e01c9ae1949141fa19ebff8d551a470f6ee50daba94ec8b5880053a41154

SHA512
8af2b367562f4d9038a64c3a0b219cecefff1373b1f56506f556699e61aec6626985ea952750fb75196468afd128ac220ac65cf6d9a293815be18388fb73e301

Download Submit
C:\Program Files (x86)\Internet Explorer\en-US\HMMAPIieinstal.exe

Filesize
784KB

MD5
efacfdaa7d13d686bb7118f2d9bb043f

SHA1
d2651d39adc80da7b59c28512403f1dc8b60c8e7

SHA256
606dc775b2800f09691d96e52a6db10f6c86a464e206c8e0d198f3085eee2508

SHA512
41e7cdc7eafb33efabc9dbb92363b9aea03ee701749046f033695c980a95a5fe4a2d81e34bf404c35872f66e1f1f56cf0496ac7302b8405fb69ed86a0f165edf

Download Submit