617e92659377c1b3ad840c40e63b6a9a4e3b4b4b3f59f8e4bacfaba3e56c957d

Analysis

max time kernel
142s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
Size

831KB
MD5

0a1e2a8e985c7b1f74845e4bb71ecfe0
SHA1

1d6e833e9c345c12767481641066a7c08c3a6794
SHA256

617e92659377c1b3ad840c40e63b6a9a4e3b4b4b3f59f8e4bacfaba3e56c957d
SHA512

77049304f0b904cea8dd2dfde7c90a8e97fa1d7f7af665d934c6ef29b166f041eec4227e7c4f379b981bf66217c52100cf966144405755bde8bb26e33603b74a
SSDEEP

6144:nwynAtMrOVRkidy9yIGWlUiwS4O8b8ITDnlznZ0NP4w:nwKfOVRo9yRYn4O8b8ITDnlC94w

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OneDriveSetupOneDrive = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe"	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\MicrosoftOneDriveSetup26962 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe"	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ntdll.dll.dll	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vstxraid.inf_amd64_300cb04282659e6d\StorXvstxraid.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe

Drops file in Program Files directory 33 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\pdf417pmpdatamatrixpmp.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AdobeAcrobat19.8.20071.303822.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\widevinecdmadapterdlllibEGL.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RCX69D3.tmp	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\WindowsInkObj.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\RCX42D5.tmp	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutilsqmapi.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\RCX4BF0.tmp	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\WindowsInkObj.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\MicrosoftDAO36003.60.9765.0.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\RCX5F40.tmp	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\widevinecdmadapterdlllibEGL.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\Windowsmsdasqlr.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\RCX5F7F.tmp	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\RCX605B.tmp	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\eBookAdobe.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\AdobeHunspellPluginAdobeHunspellPlugin.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\ja-JP\RCX4305.tmp	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\en-US\Microsoftmsaddsr.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\RCX554A.tmp	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\Operatingtifffilt.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msaddsrmsaddsr.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX5665.tmp	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Internet Explorer\ielowutilsqmapi.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\RCX4335.tmp	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\RCX4C7F.tmp	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\RCX557A.tmp	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX6907.tmp	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\VisualVisual.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\en-US\RCX4C3F.tmp	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\MicrosoftTools.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodAiod19.8.20071.303822.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\RCX6BC8.tmp	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..riseresourcemanager_31bf3856ad364e35_10.0.19041.153_none_181648432283054a\enterpriseresourcemanagerSystem.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ttingshandlers-siuf_31bf3856ad364e35_10.0.19041.1081_none_3f2ef87c18b8629b\OperatingWindows.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\Framework64\WindowsMicrosoft10.0.19041.1.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\Boot\EFI\pt-PT\Windowsbootmgr10.0.19041.1.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\Boot\PCAT\ro-RO\Sistembootmgr10.0.19041.1.160101.0800.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.5\1040\RCX4621.tmp	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\Boot\EFI\uk-UA\bootmgrbootmgr10.0.19041.1.160101.0800.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-i..lprovider.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_f38392944c41a2a4\ServicesInformation.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\Boot\EFI\pt-PT\WindowsWindows.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\REGEDITsplwow64.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..opeerbase.resources_31bf3856ad364e35_10.0.19041.1_it-it_bddf56bbe26c199d\pnrpsvcWindows.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-csvde.resources_31bf3856ad364e35_10.0.19041.1_it-it_52fdd67c8e1e096a\operativoWindows.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.DataVisualization.resources\v4.0_4.0.0.0_de_31bf3856ad364e35\RCXFC61.tmp	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\x86_wpf-reachframework_31bf3856ad364e35_10.0.19200.101_none_cfc39681387e521f\ReachFrameworkFramework.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-winsock-core.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_30aa1615db0a20c2\WindowsSystem.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\Boot\PCAT\es-ES\memdiagbootmgr.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..sition-uicomponents_31bf3856ad364e35_10.0.19041.1_none_84e58cd924a91c8f\Operatingwiashext10.0.19041.1.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-scripting-jscript_31bf3856ad364e35_11.0.19041.1266_none_45b27a620a2b071a\jscriptjscript.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\de\resourcesIdentityModel.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\RCX8DDB.tmp	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\IME\de-DE\MicrosoftWindows.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\Globalization\ELS\SpellDictionaries\OperatingWindows.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-winsetupui_31bf3856ad364e35_10.0.19041.1_none_14fd3afa650855a2\OperatingSystem.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\RCXD40D.tmp	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wmpnssui.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_21aa50a71cd3eb6c\WindowsMicrosoft.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-t..ty-client.resources_31bf3856ad364e35_10.0.19041.1_en-us_009b75f57c630da0\SystemTaskScheduler.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.KeyDistributionService.Cmdlets.Resources\v4.0_10.0.0.0_en_31bf3856ad364e35\RCXFD3D.tmp	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\REGEDITsplwow64.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-s..providers.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_beec14688bdd2043\WABSyncProviderdexploitation10.0.19041.1.160101.0800.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\IME\uk-UA\RCXD43E.tmp	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..cy-gptext.resources_31bf3856ad364e35_10.0.19041.1_de-de_d9e35635662e64cc\Betriebssystemgptext.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..irtualbus.resources_31bf3856ad364e35_10.0.19041.1_en-us_ac0b3c7d0a7b529a\WindowsNdisVirtualBus.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..extension.resources_31bf3856ad364e35_10.0.19041.1_es-es_f430dc031fb598f7\wlanextwlanext.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\msil_multipoint-wms.alertsview.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_a92827165f7219cd\OperatingAlertsView.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_cs-cz_659b8edb96b66240\WindowsMicrosoft.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\Framework\v1.0.3705\Microsoftmscormmc.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-security-webauthn_31bf3856ad364e35_10.0.19041.1_none_b51692778b21e562\Windowswebauthn.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-c..-migregdb.resources_31bf3856ad364e35_10.0.19041.1_de-de_d806fe0506954399\BetriebssystemMicrosoft.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..repairbde.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d183d04ab4278a10\repairbdeMicrosoft.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..kenbroker.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_bef1f143f427080d\TokenBrokerCore.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-c..ent-indexing-common_31bf3856ad364e35_10.0.19041.1_none_c6f9c5a0aace9a6c\Systemquery.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..oryclient.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_1a1285355b7e5ee0\MicrosoftWindows.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..tenanceui.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_260d606218bbc420\dexploitationMicrosoft.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sensors-core.resources_31bf3856ad364e35_10.0.19041.1_it-it_eacfc22f187c8b18\MicrosoftWindows.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..necore-batterysaver_31bf3856ad364e35_10.0.19041.1_none_ba1da8930477a89b\WindowsWindows.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.resources\v4.0_4.0.0.0_de_b77a5c561934e089\resourcesMicrosoft.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\ja-JP\RCXD42D.tmp	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ntfs.resources_31bf3856ad364e35_10.0.19041.1_it-it_274e132ac7bdb414\Windowsoperativo.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-p..ty-common.resources_31bf3856ad364e35_10.0.19041.1_es-es_c7de5a89c4d8cd49\MicrosoftSistema.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\Fonts\RCX6008.tmp	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-media-cap..adcastdvr.resources_31bf3856ad364e35_10.0.19041.1_es-es_4609db38f2f8dc4c\SistemaBroadcast.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-s..ngstack-onecorebase_31bf3856ad364e35_10.0.19041.262_none_7245fa948869d127\WindowsMicrosoft.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.KeyDistributionService.Cmdlets.Resources\v4.0_10.0.0.0_en_31bf3856ad364e35\resourcesWindows.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\fr\Systemresources.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.resources\v4.0_4.0.0.0_de_b77a5c561934e089\RCX444A.tmp	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\de\RCX4610.tmp	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.JScript.Resources\8.0.0.0_es_b03f5f7f11d50a3a\Microsoftresources8.0.50727.9149.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-r..ry-editor.resources_31bf3856ad364e35_10.0.19041.1_en-us_bb16f4d1d67d891e\WindowsOperating.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-w..tion-wiatwaincompat_31bf3856ad364e35_10.0.19041.264_none_dca7f23c9674c57a\OperatingWindows.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-rascmdial.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_298cbfe37a998247\MicrosoftCMDIAL32.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..ktopology.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_bd71cce23f0cc16c\SystmeMicrosoft.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-m..layer-vis.resources_31bf3856ad364e35_10.0.19041.1_es-es_c00dacbfe888f3f0\mpvisSistema.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v1.0.3705\RCX8D0E.tmp	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..component.resources_31bf3856ad364e35_10.0.19041.1_de-de_8e7b8ebb6a265e2a\SetupWindows.exe	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
3292	0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0a1e2a8e985c7b1f74845e4bb71ecfe0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\widevinecdmadapterdlllibEGL.exe

Filesize
559KB

MD5
51992b3faca43a532e534f2aa88b0223

SHA1
ef0c9140e252987956867c10a885e1ec43eacd86

SHA256
27f3f93222034290735a6a2df0ab9985f038377de1b7ecb5d8e9d773cd093fd3

SHA512
6c1ebb06f89be97738d5b143c814aaa534bac88cf49cf34731174494586a72a54a1a62eca97e95b79fc61d9b9718c10db6d9020bdb91117b6a593e2c538f8f49

Download Submit
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\MicrosoftTools.exe

Filesize
832KB

MD5
f47958fb823b5db25ff3534b007acfeb

SHA1
34b9385f3b95497c8b7950dbba85f0a62d7063ce

SHA256
be435233a4043c6a29cd55421b37326cea3285230e9bc24586c14b3b427f4d43

SHA512
47161e14a8129a0e38d7c8531731a539f8a1610e342fdb67b9c7aea39fe2be6203cdd12f34d0265ec263fac0017353302b9cbb9b4b75bc300e4c7ff5812a94bb

Download Submit
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\RCX4BF0.tmp

Filesize
832KB

MD5
638d8a85a17b02ebde290d5bf1fa21df

SHA1
7605259aa040f2174afd5875c2d257c53a77158c

SHA256
11ac5e73743ae2462b495b6279e5bfba21ce6c193469f72e7e80fef7358fbfa8

SHA512
690ab0fd9d651afa6974085e2fc833a9693660c30c773f6a2c1c39656c90c0aaafb0ab2690a3958651cd98fc13a6ea4de844fdab3d7512b53d7acfa50eab8fcd

Download Submit
C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\WindowsInkObj.exe

Filesize
831KB

MD5
0a1e2a8e985c7b1f74845e4bb71ecfe0

SHA1
1d6e833e9c345c12767481641066a7c08c3a6794

SHA256
617e92659377c1b3ad840c40e63b6a9a4e3b4b4b3f59f8e4bacfaba3e56c957d

SHA512
77049304f0b904cea8dd2dfde7c90a8e97fa1d7f7af665d934c6ef29b166f041eec4227e7c4f379b981bf66217c52100cf966144405755bde8bb26e33603b74a

Download Submit
C:\Windows\Microsoft.NET\Framework\v1.0.3705\Microsoftmscormmc.exe

Filesize
762KB

MD5
e8707613ddfd0ed56054ce3985568892

SHA1
2e62a4b3c974170edfc0670bf7a3914ef1b1b175

SHA256
35e63ca2f187c7ff99eaeb849677a6f35cc1f27c51dea4510a758020bad89eb8

SHA512
08d5f03d02753d688e209df0534987b88e67ca928cf6fd21ff87fcaa7b523fbc43fcfaeabe70683b5d11aebbc6a9f392a77ce578d1155e6ff05f2ef401e8e351

Download Submit