neshta | 5cf77cb93ee5c6fda6b575b6c14d60cb52dc6a69e17d23d989c088f4a098b0e8

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
19-05-2024 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
Size

2.9MB
MD5

c8c6b960a64cb319bf37b53591955960
SHA1

f04f1d843a9a8b4244ebb7d4a8bd04fdcd03872d
SHA256

5cf77cb93ee5c6fda6b575b6c14d60cb52dc6a69e17d23d989c088f4a098b0e8
SHA512

31110e87110406b1ca88cfafbf4c00d7c7a767393008a66b4f2748df387474af576bc7eb04adc4ac12c11f7b0e33150c16d7a60c12ff7a5592106d1ed11769fb
SSDEEP

49152:UHszeWDxWaQYU9xnOunPr423fny4CMqH05hKSX0PzdVYQ+Wnbf8enNlDUjZxEhso:UHSpVU9bPr42XRqUfXCzHYQBbf8iNtSw

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 3 IoCs

Processes:

resource	yara_rule
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe	family_neshta
behavioral1/memory/2500-213-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2500-215-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 2 IoCs

Processes:

c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exec8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe

pid process

2752 c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
2520 c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe

pid	process
2752	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
2520	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe

Loads dropped DLL 14 IoCs

Processes:

c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exec8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exec8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe

pid	process
2500	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
2752	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
2520	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
2520	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
2520	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
2500	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
2520	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
2520	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
2520	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
2520	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
2520	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
2520	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
2520	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
2520	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe

Drops file in Windows directory 1 IoCs

Processes:

c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe

description ioc process

File opened for modification C:\Windows\svchost.com c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe

Modifies registry class 1 IoCs

Processes:

c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exec8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe

description	pid	process	target process
PID 2500 wrote to memory of 2752	2500	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
PID 2500 wrote to memory of 2752	2500	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
PID 2500 wrote to memory of 2752	2500	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
PID 2500 wrote to memory of 2752	2500	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
PID 2500 wrote to memory of 2752	2500	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
PID 2500 wrote to memory of 2752	2500	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
PID 2500 wrote to memory of 2752	2500	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
PID 2752 wrote to memory of 2520	2752	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
PID 2752 wrote to memory of 2520	2752	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
PID 2752 wrote to memory of 2520	2752	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
PID 2752 wrote to memory of 2520	2752	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
PID 2752 wrote to memory of 2520	2752	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
PID 2752 wrote to memory of 2520	2752	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
PID 2752 wrote to memory of 2520	2752	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe	c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2500

C:\Users\Admin\AppData\Local\Temp\3582-490\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\Temp\{A83A1000-A7A5-4915-BADD-43481068577B}\.cr\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
"C:\Windows\Temp\{A83A1000-A7A5-4915-BADD-43481068577B}\.cr\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\3582-490\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2520

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe
Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\Windows\Temp\{81F98423-CCD8-4164-A536-22433EFB7AD1}\.ba\BootstrapperCore.config
Filesize
1KB

MD5
5a502123a2adb3c114dbe6c5d37f9f61

SHA1
c0d90ce929ec8c626dc1db431edc0b70b7edee6a

SHA256
2527c708b6cab167e0c7c9a281f1aad6e8d952bc7ab0cc5731d6decca181cd5f

SHA512
3a182f3d51e31257487e409b882c89d5c115623f0db905fa0d557cb1a010810b25046c11929b0827624fbe7f4dd0bde32869eff1a3ecd2462cde05d990552bde

Download Submit
C:\Windows\Temp\{A83A1000-A7A5-4915-BADD-43481068577B}\.cr\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
Filesize
2.1MB

MD5
329c83c19c24414bc4197e8edb59be73

SHA1
c87a0c70d4aa94d1785b1a10fa31c0f33dcae8a9

SHA256
f77c93d43d8ed763e19a8398c6fd8c5725bed806186be69d0723d9de1255a211

SHA512
640b042b0f6b3c8756756f6e8faf15ba33c0b3a4e125f7866080a167a2216f8aee435402613d9298501093a30e4f807b30a80584ac323291fd09eff5a12da150

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
Filesize
2.9MB

MD5
fe7b3a28d0d7b2812d117f822d938e65

SHA1
a19dcfb8ed6627f1b0f9e54a7c64e4014e523b7a

SHA256
d4a1891cd83e19fbb3d908f6db3bfd516f65e06108fbe0c45fb7fc52f132d3b4

SHA512
ae7ac7d11bcb3108ca8ba9b47b0d90630c1fc6a5fdb3de4d26ea988e1645fb805bfeaf0dad5c8edd0d0928e299051375a6d073f504e503778bfd39e9b078f8a3

Download Submit
\Windows\Temp\{81F98423-CCD8-4164-A536-22433EFB7AD1}\.ba\Bootstrapper.dll
Filesize
197KB

MD5
cbd90fb2b484f33d2878d8d81794de37

SHA1
ac153d36b1ffb15e933509b0cc5a38deee12bbd9

SHA256
df40c2e9c90ad31f1130d37e2dbe896369c5df5737010432464fc853e5ea2f30

SHA512
ef5d647916362a81107bce5ac7ffd1e20d75308f96437f8134a89895866d4579ceaea88f0d59590c9a6de6f8d27efef861f088637e8d0ad6fe95df6287a4b829

Download Submit
\Windows\Temp\{81F98423-CCD8-4164-A536-22433EFB7AD1}\.ba\BootstrapperCore.dll
Filesize
87KB

MD5
b0d10a2a622a322788780e7a3cbb85f3

SHA1
04d90b16fa7b47a545c1133d5c0ca9e490f54633

SHA256
f2c2b3ce2df70a3206f3111391ffc7b791b32505fa97aef22c0c2dbf6f3b0426

SHA512
62b0aa09234067e67969c5f785736d92cd7907f1f680a07f6b44a1caf43bfeb2df96f29034016f3345c4580c6c9bc1b04bea932d06e53621da4fcf7b8c0a489f

Download Submit
\Windows\Temp\{81F98423-CCD8-4164-A536-22433EFB7AD1}\.ba\Chipset.Bootstrapper.dll
Filesize
10KB

MD5
b20303841a71e1754adf296496633a71

SHA1
226507f26be011ee2de5248161c24a93c997961e

SHA256
ba072d1caf155a26d186063260f8d27126549805bfd9e8e0d537d343e24cbbcb

SHA512
f6a73fb032eb0192e3c41cf573fafef1326f48d0eb156c4726be6ef1f3569ccbbe3d8560cee3a5046f23d92c8d329b8adffd01a63bf6e6c2b8e1334ac19a6666

Download Submit
\Windows\Temp\{81F98423-CCD8-4164-A536-22433EFB7AD1}\.ba\CommandLineUtility.dll
Filesize
46KB

MD5
325b410c9d84003f5037cedf07bb97fe

SHA1
9a93f6cf8bcd15e0aa12c96109836e57b6d9267a

SHA256
4b2330966345bb6fc6382e81a4ff1e7eab43a3ec642dedb8f2add7e0b03c6e41

SHA512
d2359b7ca0ac32a22324b38d1b5325a045f4a1fa380761741349e86f6007c8850fa25f18ae9cfdbbeaf592412766b961be9491a64b478657e2d0a3ea9d5a7457

Download Submit
\Windows\Temp\{81F98423-CCD8-4164-A536-22433EFB7AD1}\.ba\Intel.Tools.dll
Filesize
18KB

MD5
36700b8cb3f725c0b266786200c86dde

SHA1
9734c9f8b193c77797a4c8785ac5cfac84befa52

SHA256
52e7dab135e97b048c81bb943f9f231244588c1e8c0ccfb7a32b75a106e35f62

SHA512
ecfe58c0fd34f738a61aec34eb938c557a59adce4e4344d1ad52ed0a7348b582c3d15b7dbeaaf9182e097d3a66c1535ac2029cbb4df91f992f9e169bc1aac2f9

Download Submit
\Windows\Temp\{81F98423-CCD8-4164-A536-22433EFB7AD1}\.ba\mbahost.dll
Filesize
119KB

MD5
c59832217903ce88793a6c40888e3cae

SHA1
6d9facabf41dcf53281897764d467696780623b8

SHA256
9dfa1bc5d2ab4c652304976978749141b8c312784b05cb577f338a0aa91330db

SHA512
1b1f4cb2e3fa57cb481e28a967b19a6fefa74f3c77a3f3214a6b09e11ceb20ae428d036929f000710b4eb24a2c57d5d7dfe39661d5a1f48ee69a02d83381d1a9

Download Submit
memory/2500-213-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2500-215-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2520-135-0x00000000024C0000-0x00000000024F8000-memory.dmp

Filesize
224KB

Download
memory/2520-139-0x0000000000DE0000-0x0000000000DEC000-memory.dmp

Filesize
48KB

Download
memory/2520-150-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/2520-177-0x0000000000F20000-0x0000000000F2A000-memory.dmp

Filesize
40KB

Download
memory/2520-176-0x0000000000F20000-0x0000000000F2A000-memory.dmp

Filesize
40KB

Download
memory/2520-131-0x0000000000DD0000-0x0000000000DD8000-memory.dmp

Filesize
32KB

Download
memory/2520-118-0x0000000000C70000-0x0000000000C88000-memory.dmp

Filesize
96KB

Download
memory/2520-217-0x0000000000F20000-0x0000000000F2A000-memory.dmp

Filesize
40KB

Download
memory/2520-216-0x0000000000F20000-0x0000000000F2A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads