77de0e0c2a83ab5135a1e3a1bb4ddeb1618d2fb72a635079ab5581b908257cdb

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/05/2024, 00:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62afd4d16db5edf8233efccde51d25d0_NeikiAnalytics.exe
Size

1.2MB
MD5

62afd4d16db5edf8233efccde51d25d0
SHA1

e6a88a5f51e8c1c46dcf7eeb0307b00a4aa8100f
SHA256

77de0e0c2a83ab5135a1e3a1bb4ddeb1618d2fb72a635079ab5581b908257cdb
SHA512

9f19e5292b791adf97cc82e4d43224caced09532b6f1e8c2df8d88ab0ffdf20201b98eec47c4e05c1778234ee436baefb109327b57b1e0dd8451d7c50162cd3b
SSDEEP

24576:fXTff2BiQihB88nUSRNPf1BGqZ8MKEuibXJItWA:fXzfSMg8np1zGCUEuibXJItWA

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2628	dotnetchk.exe

Loads dropped DLL 12 IoCs

pid	Process
2212	62afd4d16db5edf8233efccde51d25d0_NeikiAnalytics.exe
2212	62afd4d16db5edf8233efccde51d25d0_NeikiAnalytics.exe
2212	62afd4d16db5edf8233efccde51d25d0_NeikiAnalytics.exe
2212	62afd4d16db5edf8233efccde51d25d0_NeikiAnalytics.exe
2436	MsiExec.exe
2568	rundll32.exe
2568	rundll32.exe
2568	rundll32.exe
2568	rundll32.exe
2568	rundll32.exe
2568	rundll32.exe
2568	rundll32.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2500	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2500	msiexec.exe
Token: SeRestorePrivilege	2572	msiexec.exe
Token: SeTakeOwnershipPrivilege	2572	msiexec.exe
Token: SeSecurityPrivilege	2572	msiexec.exe
Token: SeCreateTokenPrivilege	2500	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2500	msiexec.exe
Token: SeLockMemoryPrivilege	2500	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2500	msiexec.exe
Token: SeMachineAccountPrivilege	2500	msiexec.exe
Token: SeTcbPrivilege	2500	msiexec.exe
Token: SeSecurityPrivilege	2500	msiexec.exe
Token: SeTakeOwnershipPrivilege	2500	msiexec.exe
Token: SeLoadDriverPrivilege	2500	msiexec.exe
Token: SeSystemProfilePrivilege	2500	msiexec.exe
Token: SeSystemtimePrivilege	2500	msiexec.exe
Token: SeProfSingleProcessPrivilege	2500	msiexec.exe
Token: SeIncBasePriorityPrivilege	2500	msiexec.exe
Token: SeCreatePagefilePrivilege	2500	msiexec.exe
Token: SeCreatePermanentPrivilege	2500	msiexec.exe
Token: SeBackupPrivilege	2500	msiexec.exe
Token: SeRestorePrivilege	2500	msiexec.exe
Token: SeShutdownPrivilege	2500	msiexec.exe
Token: SeDebugPrivilege	2500	msiexec.exe
Token: SeAuditPrivilege	2500	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2500	msiexec.exe
Token: SeChangeNotifyPrivilege	2500	msiexec.exe
Token: SeRemoteShutdownPrivilege	2500	msiexec.exe
Token: SeUndockPrivilege	2500	msiexec.exe
Token: SeSyncAgentPrivilege	2500	msiexec.exe
Token: SeEnableDelegationPrivilege	2500	msiexec.exe
Token: SeManageVolumePrivilege	2500	msiexec.exe
Token: SeImpersonatePrivilege	2500	msiexec.exe
Token: SeCreateGlobalPrivilege	2500	msiexec.exe
Token: SeCreateTokenPrivilege	2500	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2500	msiexec.exe
Token: SeLockMemoryPrivilege	2500	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2500	msiexec.exe
Token: SeMachineAccountPrivilege	2500	msiexec.exe
Token: SeTcbPrivilege	2500	msiexec.exe
Token: SeSecurityPrivilege	2500	msiexec.exe
Token: SeTakeOwnershipPrivilege	2500	msiexec.exe
Token: SeLoadDriverPrivilege	2500	msiexec.exe
Token: SeSystemProfilePrivilege	2500	msiexec.exe
Token: SeSystemtimePrivilege	2500	msiexec.exe
Token: SeProfSingleProcessPrivilege	2500	msiexec.exe
Token: SeIncBasePriorityPrivilege	2500	msiexec.exe
Token: SeCreatePagefilePrivilege	2500	msiexec.exe
Token: SeCreatePermanentPrivilege	2500	msiexec.exe
Token: SeBackupPrivilege	2500	msiexec.exe
Token: SeRestorePrivilege	2500	msiexec.exe
Token: SeShutdownPrivilege	2500	msiexec.exe
Token: SeDebugPrivilege	2500	msiexec.exe
Token: SeAuditPrivilege	2500	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2500	msiexec.exe
Token: SeChangeNotifyPrivilege	2500	msiexec.exe
Token: SeRemoteShutdownPrivilege	2500	msiexec.exe
Token: SeUndockPrivilege	2500	msiexec.exe
Token: SeSyncAgentPrivilege	2500	msiexec.exe
Token: SeEnableDelegationPrivilege	2500	msiexec.exe
Token: SeManageVolumePrivilege	2500	msiexec.exe
Token: SeImpersonatePrivilege	2500	msiexec.exe
Token: SeCreateGlobalPrivilege	2500	msiexec.exe
Token: SeCreateTokenPrivilege	2500	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2500	msiexec.exe
2500	msiexec.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2628	2212	62afd4d16db5edf8233efccde51d25d0_NeikiAnalytics.exe	28
PID 2212 wrote to memory of 2628	2212	62afd4d16db5edf8233efccde51d25d0_NeikiAnalytics.exe	28
PID 2212 wrote to memory of 2628	2212	62afd4d16db5edf8233efccde51d25d0_NeikiAnalytics.exe	28
PID 2212 wrote to memory of 2628	2212	62afd4d16db5edf8233efccde51d25d0_NeikiAnalytics.exe	28
PID 2212 wrote to memory of 2500	2212	62afd4d16db5edf8233efccde51d25d0_NeikiAnalytics.exe	29
PID 2212 wrote to memory of 2500	2212	62afd4d16db5edf8233efccde51d25d0_NeikiAnalytics.exe	29
PID 2212 wrote to memory of 2500	2212	62afd4d16db5edf8233efccde51d25d0_NeikiAnalytics.exe	29
PID 2212 wrote to memory of 2500	2212	62afd4d16db5edf8233efccde51d25d0_NeikiAnalytics.exe	29
PID 2212 wrote to memory of 2500	2212	62afd4d16db5edf8233efccde51d25d0_NeikiAnalytics.exe	29
PID 2212 wrote to memory of 2500	2212	62afd4d16db5edf8233efccde51d25d0_NeikiAnalytics.exe	29
PID 2212 wrote to memory of 2500	2212	62afd4d16db5edf8233efccde51d25d0_NeikiAnalytics.exe	29
PID 2572 wrote to memory of 2436	2572	msiexec.exe	31
PID 2572 wrote to memory of 2436	2572	msiexec.exe	31
PID 2572 wrote to memory of 2436	2572	msiexec.exe	31
PID 2572 wrote to memory of 2436	2572	msiexec.exe	31
PID 2572 wrote to memory of 2436	2572	msiexec.exe	31
PID 2572 wrote to memory of 2436	2572	msiexec.exe	31
PID 2572 wrote to memory of 2436	2572	msiexec.exe	31
PID 2436 wrote to memory of 2568	2436	MsiExec.exe	32
PID 2436 wrote to memory of 2568	2436	MsiExec.exe	32
PID 2436 wrote to memory of 2568	2436	MsiExec.exe	32
PID 2436 wrote to memory of 2568	2436	MsiExec.exe	32
PID 2436 wrote to memory of 2568	2436	MsiExec.exe	32
PID 2436 wrote to memory of 2568	2436	MsiExec.exe	32
PID 2436 wrote to memory of 2568	2436	MsiExec.exe	32

C:\Users\Admin\AppData\Local\Temp\62afd4d16db5edf8233efccde51d25d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\62afd4d16db5edf8233efccde51d25d0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\VSD8BEB.tmp\DotNetFXCustom\dotnetchk.exe
  "C:\Users\Admin\AppData\Local\Temp\VSD8BEB.tmp\DotNetFXCustom\dotnetchk.exe"
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\setup.msi"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2500

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding ADA86E0029A181B624C222F19096A027 C
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI928F.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259429381 1 Elsinore.ScreenConnect.InstallerActions!Elsinore.ScreenConnect.ClientInstallerActions.FixupServiceArguments
    3⤵
    - Loads dropped DLL
    PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI928F.tmp

Filesize
278KB

MD5
917510603fea350089f54461aacf68b3

SHA1
5658cb673ad85a5a180369b6c2f5cdbf2218c249

SHA256
5b1a39a19bd6a1518279f26410167f421f4bd13424c4991864a0d01918716cd3

SHA512
d7109b6708960df83dcbb2d9f1bc20fbd4900198bb5da22175c4c931bc1a798be3dbb686db8df31955e6d9af12756f5c548aef053ca5e8b607e2eebf70bb073d

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.msi

Filesize
770KB

MD5
70206698d16e35dec55695647938eb5f

SHA1
b04ae41f5ead31ca6ff46161acb82868a38b7077

SHA256
db713be6eba2bf2d24d740daf0249ed2b22fbdd534c3890197411ea2cee3df61

SHA512
8a0ce37b2f33b7aaa0ac4f74c6d719124c873d32eb75c62417ee156f56eee1bbd072daf54cbf716ef54e884cce593202a36a815cef77e874530af0187b4de89f

Download Submit
\Users\Admin\AppData\Local\Temp\MSI928F.tmp-\Elsinore.ScreenConnect.Core.dll

Filesize
194KB

MD5
23924527bd86ca334c12dd83e88d2a50

SHA1
4b8b83805ea8b55bc396c0fa35316034fc5816ca

SHA256
3300e34d00dd61786c5de10a9e3937100bf34dc6e1d8e0e6d4ecede05ada12a9

SHA512
6d864bd19247628c25ad2a2a96c8d3b286207e7318472c5fe2294dab581d6f0104bd3df66ca304d1f2c0bb849f0aaab865022701b99b601788a52e20934d4bbd

Download Submit
\Users\Admin\AppData\Local\Temp\MSI928F.tmp-\Elsinore.ScreenConnect.InstallerActions.dll

Filesize
19KB

MD5
f42d069afa3ee6baf401cc3b7e3cda4e

SHA1
acf9d6da264c1956a15fa6d3721ab59c7c0d91c7

SHA256
bfad49fd279aefc7fd9189fa4e27015921bf49bf923483526135c401ebf1aa28

SHA512
248a9bb3d8b80cd3deffdf4a817a2d190dd105b391ac0b1828b53b3c09fcc10f0dce4afc0c17a21d7078d50961e431114695aab538f6bf659d39e4be44def7aa

Download Submit
\Users\Admin\AppData\Local\Temp\MSI928F.tmp-\Microsoft.Deployment.WindowsInstaller.dll

Filesize
176KB

MD5
1e5a0962f20e91ca18bc150266e6f49e

SHA1
e71caab3b88b2913178ca2ae549a00455679cd4e

SHA256
fa74ae4d5e62a1cc7cfeaa55d84fe9bddab06651b6744fb4469074e79317da99

SHA512
09021a2183536d07d915e413bd70fbd47f6afcf9fa9b8deb886f473c7b3dc3ee3e042c126f644be70f42f491692fab0a25b49ef88099caf272eec75c5bd2fc1f

Download Submit
\Users\Admin\AppData\Local\Temp\VSD8BEB.tmp\DotNetFXCustom\dotnetchk.exe

Filesize
85KB

MD5
4992d98e6772a5fd7256c4c7fe978a11

SHA1
6cf70905908b59553e1b92e057c3e7c13bd7b6a4

SHA256
5494efb1859e625eff5c2b51a66058fd7ffe1aa619594f62900a0bef392012d0

SHA512
8afdda6a49a4c61c62e329f3d15dc31c98327fd720e654972b14f98112b79d293648cad0dd08b3d12e48e020dd21fe40f9fc0a6c78014e1434a1703f40f6f4d8

Download Submit
memory/2568-31-0x00000000009C0000-0x00000000009F0000-memory.dmp

Filesize
192KB

Download
memory/2568-35-0x0000000000AA0000-0x0000000000AAC000-memory.dmp

Filesize
48KB

Download
memory/2568-39-0x0000000000C40000-0x0000000000C78000-memory.dmp

Filesize
224KB

Download