7bb784e7f0b8cb6d90dbfc81d0c6dc7671ede85a0eb6fa038b264d5d4d62970e

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
16/05/2024, 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
Size

423KB
MD5

1219248934d13f375d8d8c8b5102f6b0
SHA1

ea11a585b881ffd1145627ad4f2821fb3e34b0a0
SHA256

7bb784e7f0b8cb6d90dbfc81d0c6dc7671ede85a0eb6fa038b264d5d4d62970e
SHA512

a200300863941c69f4611db8c430ac132445135663552c5fcbde750202481eb78fadd2927cea53865747195ef143399837c6cd466a794f6c238b7ce94a680ecc
SSDEEP

12288:rwKfOVRo9yRYNyQ7B4O8b8ITDnl2w2wYPYl8:rxWVeyRYQQ7B4O8b8ITDnlZ2wb8

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1540	microsoftsystem.exe
1736	photoviewerphotoacq.exe
836	winmailbetriebssystem.exe
1992	systmemsinfo6.1.7601.17514.exe

Loads dropped DLL 4 IoCs

pid	Process
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TableTextServiceMicrosoft6.1.7600.163857.0907131255 = "c:\\program files (x86)\\windows nt\\tabletextservice\\fr-fr\\microsoftsystem.exe"	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Systmedexploitation = "c:\\program files (x86)\\common files\\microsoft shared\\msinfo\\fr-fr\\systmemsinfo6.1.7601.17514.exe"	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsWinMail = "c:\\program files (x86)\\windows mail\\de-de\\winmailbetriebssystem.exe"	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EngineOffice = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe"	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\resourcesFramework = "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\it\\resourcesinstrumentation.exe"	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BCSSync = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\BCSSync.exe\" /DelayServices"	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsPhotoViewer = "c:\\program files (x86)\\windows photo viewer\\de-de\\photoviewerphotoacq.exe"	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\GoogleChrome106.0.5249.119 = "c:\\program files (x86)\\google\\update\\download\\{8a69d345-d564-463c-aff1-a69d9e530f96}\\106.0.5249.119\\chromegoogle.exe"	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\EngineSource = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe"	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ntdll.dll.dll	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\ntdll.dll.dll	microsoftsystem.exe
File created	C:\Windows\SysWOW64\ntdll.dll.dll	photoviewerphotoacq.exe
File created	C:\Windows\SysWOW64\ntdll.dll.dll	winmailbetriebssystem.exe
File created	C:\Windows\SysWOW64\ntdll.dll.dll	systmemsinfo6.1.7601.17514.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\fr-FR\RCX286A.tmp	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\ChromeGoogle.exe	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\ChromeGoogle.exe	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\RCX407F.tmp	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\fr-FR\MicrosoftSystem.exe	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\Systmemsinfo6.1.7601.17514.exe	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Windows Mail\de-DE\WinMailBetriebssystem.exe	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\de-DE\RCX3E2C.tmp	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\RCX3E3C.tmp	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\resourcesInstrumentation.exe	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\PhotoViewerPhotoAcq.exe	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\RCX2859.tmp	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\resourcesInstrumentation.exe	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\RCX2848.tmp	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe

Checks processor information in registry 2 TTPs 15 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	photoviewerphotoacq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winmailbetriebssystem.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	systmemsinfo6.1.7601.17514.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	systmemsinfo6.1.7601.17514.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	microsoftsystem.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	microsoftsystem.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	photoviewerphotoacq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	photoviewerphotoacq.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winmailbetriebssystem.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winmailbetriebssystem.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	systmemsinfo6.1.7601.17514.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	microsoftsystem.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1540	microsoftsystem.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1736	photoviewerphotoacq.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
836	winmailbetriebssystem.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1992	systmemsinfo6.1.7601.17514.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 1540	1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe	30
PID 1688 wrote to memory of 1540	1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe	30
PID 1688 wrote to memory of 1540	1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe	30
PID 1688 wrote to memory of 1540	1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe	30
PID 1688 wrote to memory of 1736	1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe	32
PID 1688 wrote to memory of 1736	1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe	32
PID 1688 wrote to memory of 1736	1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe	32
PID 1688 wrote to memory of 1736	1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe	32
PID 1688 wrote to memory of 836	1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe	34
PID 1688 wrote to memory of 836	1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe	34
PID 1688 wrote to memory of 836	1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe	34
PID 1688 wrote to memory of 836	1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe	34
PID 1688 wrote to memory of 1992	1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe	35
PID 1688 wrote to memory of 1992	1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe	35
PID 1688 wrote to memory of 1992	1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe	35
PID 1688 wrote to memory of 1992	1688	1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe	35

C:\Users\Admin\AppData\Local\Temp\1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1219248934d13f375d8d8c8b5102f6b0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1688
- \??\c:\program files (x86)\windows nt\tabletextservice\fr-fr\microsoftsystem.exe
  "c:\program files (x86)\windows nt\tabletextservice\fr-fr\microsoftsystem.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1540
- \??\c:\program files (x86)\windows photo viewer\de-de\photoviewerphotoacq.exe
  "c:\program files (x86)\windows photo viewer\de-de\photoviewerphotoacq.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1736
- \??\c:\program files (x86)\windows mail\de-de\winmailbetriebssystem.exe
  "c:\program files (x86)\windows mail\de-de\winmailbetriebssystem.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:836
- \??\c:\program files (x86)\common files\microsoft shared\msinfo\fr-fr\systmemsinfo6.1.7601.17514.exe
  "c:\program files (x86)\common files\microsoft shared\msinfo\fr-fr\systmemsinfo6.1.7601.17514.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\resourcesInstrumentation.exe

Filesize
423KB

MD5
1219248934d13f375d8d8c8b5102f6b0

SHA1
ea11a585b881ffd1145627ad4f2821fb3e34b0a0

SHA256
7bb784e7f0b8cb6d90dbfc81d0c6dc7671ede85a0eb6fa038b264d5d4d62970e

SHA512
a200300863941c69f4611db8c430ac132445135663552c5fcbde750202481eb78fadd2927cea53865747195ef143399837c6cd466a794f6c238b7ce94a680ecc

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\fr-FR\RCX286A.tmp

Filesize
425KB

MD5
252b7a4116b4b0782f037ebeb7ca73b5

SHA1
b9250a1d00140edb903a199d01e69529f85899b1

SHA256
c289138bca6ec4cdb8d874b9567e4804c273d4d0d21b171cc1dbce1ed9189782

SHA512
fe2485312b693d4b270095de3b65c0d62642f6c689adc5ee6bc1ca95de6dd98aa8bfab8bd7dfb6c5a2768331ff19e4ce8539b547eef0614decfffbf80493fe11

Download Submit