eb69cfd70d67689110ea15e7482b0e4cc73985c7033d1456a865f0582558070d

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 21:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37a50ddd639ccc171af1182cef631ef0_NeikiAnalytics.exe
Size

1.2MB
MD5

37a50ddd639ccc171af1182cef631ef0
SHA1

bda797c2a71e0fa4e580ec5cb3acbbc7a9b51640
SHA256

eb69cfd70d67689110ea15e7482b0e4cc73985c7033d1456a865f0582558070d
SHA512

e9b95f07aecc15f8a07ac8abcabb4e52d1c5ac9a3fc6cc110eaa4e5df44cc9adcfd378221dcbcf491c105d4d3e8f4e559e864bed06d19733e00fef314f7332fb
SSDEEP

24576:fXTff2BiQihB88nUSRNPf1BGqZ8MOEuibXJItFo:fXzfSMg8np1zGCkEuibXJItFo

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	37a50ddd639ccc171af1182cef631ef0_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
4372	dotnetchk.exe

Loads dropped DLL 8 IoCs

pid	Process
3688	MsiExec.exe
2180	rundll32.exe
2180	rundll32.exe
2180	rundll32.exe
2180	rundll32.exe
2180	rundll32.exe
2180	rundll32.exe
2180	rundll32.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1468	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1468	msiexec.exe
Token: SeSecurityPrivilege	2912	msiexec.exe
Token: SeCreateTokenPrivilege	1468	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1468	msiexec.exe
Token: SeLockMemoryPrivilege	1468	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1468	msiexec.exe
Token: SeMachineAccountPrivilege	1468	msiexec.exe
Token: SeTcbPrivilege	1468	msiexec.exe
Token: SeSecurityPrivilege	1468	msiexec.exe
Token: SeTakeOwnershipPrivilege	1468	msiexec.exe
Token: SeLoadDriverPrivilege	1468	msiexec.exe
Token: SeSystemProfilePrivilege	1468	msiexec.exe
Token: SeSystemtimePrivilege	1468	msiexec.exe
Token: SeProfSingleProcessPrivilege	1468	msiexec.exe
Token: SeIncBasePriorityPrivilege	1468	msiexec.exe
Token: SeCreatePagefilePrivilege	1468	msiexec.exe
Token: SeCreatePermanentPrivilege	1468	msiexec.exe
Token: SeBackupPrivilege	1468	msiexec.exe
Token: SeRestorePrivilege	1468	msiexec.exe
Token: SeShutdownPrivilege	1468	msiexec.exe
Token: SeDebugPrivilege	1468	msiexec.exe
Token: SeAuditPrivilege	1468	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1468	msiexec.exe
Token: SeChangeNotifyPrivilege	1468	msiexec.exe
Token: SeRemoteShutdownPrivilege	1468	msiexec.exe
Token: SeUndockPrivilege	1468	msiexec.exe
Token: SeSyncAgentPrivilege	1468	msiexec.exe
Token: SeEnableDelegationPrivilege	1468	msiexec.exe
Token: SeManageVolumePrivilege	1468	msiexec.exe
Token: SeImpersonatePrivilege	1468	msiexec.exe
Token: SeCreateGlobalPrivilege	1468	msiexec.exe
Token: SeCreateTokenPrivilege	1468	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1468	msiexec.exe
Token: SeLockMemoryPrivilege	1468	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1468	msiexec.exe
Token: SeMachineAccountPrivilege	1468	msiexec.exe
Token: SeTcbPrivilege	1468	msiexec.exe
Token: SeSecurityPrivilege	1468	msiexec.exe
Token: SeTakeOwnershipPrivilege	1468	msiexec.exe
Token: SeLoadDriverPrivilege	1468	msiexec.exe
Token: SeSystemProfilePrivilege	1468	msiexec.exe
Token: SeSystemtimePrivilege	1468	msiexec.exe
Token: SeProfSingleProcessPrivilege	1468	msiexec.exe
Token: SeIncBasePriorityPrivilege	1468	msiexec.exe
Token: SeCreatePagefilePrivilege	1468	msiexec.exe
Token: SeCreatePermanentPrivilege	1468	msiexec.exe
Token: SeBackupPrivilege	1468	msiexec.exe
Token: SeRestorePrivilege	1468	msiexec.exe
Token: SeShutdownPrivilege	1468	msiexec.exe
Token: SeDebugPrivilege	1468	msiexec.exe
Token: SeAuditPrivilege	1468	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1468	msiexec.exe
Token: SeChangeNotifyPrivilege	1468	msiexec.exe
Token: SeRemoteShutdownPrivilege	1468	msiexec.exe
Token: SeUndockPrivilege	1468	msiexec.exe
Token: SeSyncAgentPrivilege	1468	msiexec.exe
Token: SeEnableDelegationPrivilege	1468	msiexec.exe
Token: SeManageVolumePrivilege	1468	msiexec.exe
Token: SeImpersonatePrivilege	1468	msiexec.exe
Token: SeCreateGlobalPrivilege	1468	msiexec.exe
Token: SeCreateTokenPrivilege	1468	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1468	msiexec.exe
Token: SeLockMemoryPrivilege	1468	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1468	msiexec.exe
1468	msiexec.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4356 wrote to memory of 4372	4356	37a50ddd639ccc171af1182cef631ef0_NeikiAnalytics.exe	83
PID 4356 wrote to memory of 4372	4356	37a50ddd639ccc171af1182cef631ef0_NeikiAnalytics.exe	83
PID 4356 wrote to memory of 4372	4356	37a50ddd639ccc171af1182cef631ef0_NeikiAnalytics.exe	83
PID 4356 wrote to memory of 1468	4356	37a50ddd639ccc171af1182cef631ef0_NeikiAnalytics.exe	85
PID 4356 wrote to memory of 1468	4356	37a50ddd639ccc171af1182cef631ef0_NeikiAnalytics.exe	85
PID 4356 wrote to memory of 1468	4356	37a50ddd639ccc171af1182cef631ef0_NeikiAnalytics.exe	85
PID 2912 wrote to memory of 3688	2912	msiexec.exe	87
PID 2912 wrote to memory of 3688	2912	msiexec.exe	87
PID 2912 wrote to memory of 3688	2912	msiexec.exe	87
PID 3688 wrote to memory of 2180	3688	MsiExec.exe	88
PID 3688 wrote to memory of 2180	3688	MsiExec.exe	88
PID 3688 wrote to memory of 2180	3688	MsiExec.exe	88

C:\Users\Admin\AppData\Local\Temp\37a50ddd639ccc171af1182cef631ef0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\37a50ddd639ccc171af1182cef631ef0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Users\Admin\AppData\Local\Temp\VSD4C99.tmp\DotNetFXCustom\dotnetchk.exe
  "C:\Users\Admin\AppData\Local\Temp\VSD4C99.tmp\DotNetFXCustom\dotnetchk.exe"
  2⤵
  - Executes dropped EXE
  PID:4372
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\setup.msi"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1468

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8077FE554D70D245F600C0F71C5F0091 C
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3688
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI50A0.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240603390 1 Elsinore.ScreenConnect.InstallerActions!Elsinore.ScreenConnect.ClientInstallerActions.FixupServiceArguments
    3⤵
    - Loads dropped DLL
    PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI50A0.tmp

Filesize
278KB

MD5
917510603fea350089f54461aacf68b3

SHA1
5658cb673ad85a5a180369b6c2f5cdbf2218c249

SHA256
5b1a39a19bd6a1518279f26410167f421f4bd13424c4991864a0d01918716cd3

SHA512
d7109b6708960df83dcbb2d9f1bc20fbd4900198bb5da22175c4c931bc1a798be3dbb686db8df31955e6d9af12756f5c548aef053ca5e8b607e2eebf70bb073d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI50A0.tmp-\Elsinore.ScreenConnect.Core.dll

Filesize
194KB

MD5
23924527bd86ca334c12dd83e88d2a50

SHA1
4b8b83805ea8b55bc396c0fa35316034fc5816ca

SHA256
3300e34d00dd61786c5de10a9e3937100bf34dc6e1d8e0e6d4ecede05ada12a9

SHA512
6d864bd19247628c25ad2a2a96c8d3b286207e7318472c5fe2294dab581d6f0104bd3df66ca304d1f2c0bb849f0aaab865022701b99b601788a52e20934d4bbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI50A0.tmp-\Elsinore.ScreenConnect.InstallerActions.dll

Filesize
19KB

MD5
f42d069afa3ee6baf401cc3b7e3cda4e

SHA1
acf9d6da264c1956a15fa6d3721ab59c7c0d91c7

SHA256
bfad49fd279aefc7fd9189fa4e27015921bf49bf923483526135c401ebf1aa28

SHA512
248a9bb3d8b80cd3deffdf4a817a2d190dd105b391ac0b1828b53b3c09fcc10f0dce4afc0c17a21d7078d50961e431114695aab538f6bf659d39e4be44def7aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI50A0.tmp-\Microsoft.Deployment.WindowsInstaller.dll

Filesize
176KB

MD5
1e5a0962f20e91ca18bc150266e6f49e

SHA1
e71caab3b88b2913178ca2ae549a00455679cd4e

SHA256
fa74ae4d5e62a1cc7cfeaa55d84fe9bddab06651b6744fb4469074e79317da99

SHA512
09021a2183536d07d915e413bd70fbd47f6afcf9fa9b8deb886f473c7b3dc3ee3e042c126f644be70f42f491692fab0a25b49ef88099caf272eec75c5bd2fc1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\VSD4C99.tmp\DotNetFXCustom\dotnetchk.exe

Filesize
85KB

MD5
4992d98e6772a5fd7256c4c7fe978a11

SHA1
6cf70905908b59553e1b92e057c3e7c13bd7b6a4

SHA256
5494efb1859e625eff5c2b51a66058fd7ffe1aa619594f62900a0bef392012d0

SHA512
8afdda6a49a4c61c62e329f3d15dc31c98327fd720e654972b14f98112b79d293648cad0dd08b3d12e48e020dd21fe40f9fc0a6c78014e1434a1703f40f6f4d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.msi

Filesize
770KB

MD5
d3bdbffec283c1a7886639cdb8c096e3

SHA1
7b1dc4044aa5415918589fed4beb446c1b1ada55

SHA256
96e8e600875cac22d4a4c32abc08a822f4eee4836d55d59af431127dded546ce

SHA512
1326262ee2b054e8b182c76e383064f4e14a8ff6f3cd13e56d0007cd724083f5399c1e2d8cbbd6385e08a23408aa7c3da22340a31be416a41614301f138ae0fb

Download Submit
memory/2180-28-0x0000000005440000-0x0000000005470000-memory.dmp

Filesize
192KB

Download
memory/2180-32-0x0000000005480000-0x000000000548C000-memory.dmp

Filesize
48KB

Download
memory/2180-36-0x00000000054D0000-0x0000000005508000-memory.dmp

Filesize
224KB

Download
memory/2180-37-0x0000000005AD0000-0x0000000006074000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads