Malware Analysis Report

2024-09-11 03:10

Sample ID 240519-qmr9maae2w
Target c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
SHA256 5cf77cb93ee5c6fda6b575b6c14d60cb52dc6a69e17d23d989c088f4a098b0e8
Tags
neshta discovery persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5cf77cb93ee5c6fda6b575b6c14d60cb52dc6a69e17d23d989c088f4a098b0e8

Threat Level: Known bad

The file c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neshta discovery persistence spyware stealer

Neshta family

Neshta

Detect Neshta payload

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Modifies system executable filetype association

Loads dropped DLL

Checks installed software on the system

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-19 13:23

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A

Neshta family

neshta

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 13:23

Reported

2024-05-19 13:25

Platform

win7-20240220-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\Temp\{A83A1000-A7A5-4915-BADD-43481068577B}\.cr\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\Temp\{A83A1000-A7A5-4915-BADD-43481068577B}\.cr\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\Temp\{A83A1000-A7A5-4915-BADD-43481068577B}\.cr\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\Temp\{A83A1000-A7A5-4915-BADD-43481068577B}\.cr\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\Temp\{A83A1000-A7A5-4915-BADD-43481068577B}\.cr\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\Temp\{A83A1000-A7A5-4915-BADD-43481068577B}\.cr\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\Temp\{A83A1000-A7A5-4915-BADD-43481068577B}\.cr\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\Temp\{A83A1000-A7A5-4915-BADD-43481068577B}\.cr\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\Temp\{A83A1000-A7A5-4915-BADD-43481068577B}\.cr\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\Temp\{A83A1000-A7A5-4915-BADD-43481068577B}\.cr\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\Temp\{A83A1000-A7A5-4915-BADD-43481068577B}\.cr\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2500 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\3582-490\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
PID 2500 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\3582-490\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
PID 2500 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\3582-490\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
PID 2500 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\3582-490\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
PID 2500 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\3582-490\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
PID 2500 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\3582-490\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
PID 2500 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\3582-490\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
PID 2752 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe C:\Windows\Temp\{A83A1000-A7A5-4915-BADD-43481068577B}\.cr\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
PID 2752 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe C:\Windows\Temp\{A83A1000-A7A5-4915-BADD-43481068577B}\.cr\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
PID 2752 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe C:\Windows\Temp\{A83A1000-A7A5-4915-BADD-43481068577B}\.cr\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
PID 2752 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe C:\Windows\Temp\{A83A1000-A7A5-4915-BADD-43481068577B}\.cr\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
PID 2752 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe C:\Windows\Temp\{A83A1000-A7A5-4915-BADD-43481068577B}\.cr\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
PID 2752 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe C:\Windows\Temp\{A83A1000-A7A5-4915-BADD-43481068577B}\.cr\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe
PID 2752 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe C:\Windows\Temp\{A83A1000-A7A5-4915-BADD-43481068577B}\.cr\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe"

C:\Windows\Temp\{A83A1000-A7A5-4915-BADD-43481068577B}\.cr\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe

"C:\Windows\Temp\{A83A1000-A7A5-4915-BADD-43481068577B}\.cr\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\3582-490\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
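Read together with the WriteProcessMemory table, the three process entries above give the chain 2500 -> 2752 -> 2520. The infected sample in %TEMP% writes a file of the same name into %TEMP%\3582-490\ and starts it; that staging directory is where Neshta places the clean copy of the host it was prepended to, so the original program runs after the infector has done its work. That host then relaunches itself from C:\Windows\Temp\{GUID}\.cr\ with -burn.clean.room=..., the clean-room relaunch a WiX Burn bundle performs, and the .ba\ DLLs listed under Files (BootstrapperCore.dll, mbahost.dll, Chipset.Bootstrapper.dll, Intel.Tools.dll) are consistent with that bundle's own bootstrapper application rather than a second payload. The Python below is an added example, not part of the sandbox output: it de-duplicates the repeated WriteProcessMemory rows, rebuilds the writer-to-target chain, flags the 3582-490 launch as the Neshta host-restore step, and parses the Burn switches out of the child's command line so the two steps can be tied together. The rows and the command line embedded in it are copied from the tables above; the NESHTA_STAGING constant is the directory name those rows show.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Rows copied from the WriteProcessMemory table above (the sandbox logs one row per call,
# hence the repeat); CR_CMDLINE is the .cr child's command line from the Processes section.
WPM_ROWS = [
    r"PID 2500 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\3582-490\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe",
    r"PID 2500 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\3582-490\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe",
    r"PID 2752 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe C:\Windows\Temp\{A83A1000-A7A5-4915-BADD-43481068577B}\.cr\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe",
]
CR_CMDLINE = (
    r'"C:\Windows\Temp\{A83A1000-A7A5-4915-BADD-43481068577B}\.cr\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe" '
    r'-burn.clean.room="C:\Users\Admin\AppData\Local\Temp\3582-490\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe" '
    r'-burn.filehandle.attached=180 -burn.filehandle.self=188'
)

NESHTA_STAGING = "3582-490"  # directory Neshta uses for the clean copy of the infected host

_ROW = re.compile(
    r"^PID (?P<src_pid>\d+) wrote to memory of (?P<dst_pid>\d+) \S+ "
    r"(?P<src>[A-Za-z]:\\.*?) (?P<dst>[A-Za-z]:\\.*)$"
)


def parse_wpm(rows):
    """Parse WriteProcessMemory rows into an ordered, de-duplicated list of (src_pid, dst_pid, src, dst)."""
    seen, edges = set(), []
    for row in rows:
        m = _ROW.match(row)
        if not m:
            continue  # skip rows that are not in the table's shape
        edge = (int(m["src_pid"]), int(m["dst_pid"]), m["src"], m["dst"])
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def process_chains(edges):
    """Follow writer -> target edges from roots (pids nobody wrote into) down to leaves."""
    children = defaultdict(list)
    targets = {d for _, d, _, _ in edges}
    for s, d, _, _ in edges:
        if d not in children[s]:
            children[s].append(d)
    roots = list(dict.fromkeys(s for s, *_ in edges if s not in targets))
    chains = []

    def walk(pid, path):
        if not children.get(pid):
            chains.append(path)
            return
        for child in children[pid]:
            walk(child, path + [child])

    for root in roots:
        walk(root, [root])
    return chains


def neshta_host_launches(edges):
    """Flag edges where a process starts a file of its own name from the 3582-490 staging directory:
    that child is the clean original program the infector was wrapped around."""
    hits = []
    for s, d, src, dst in edges:
        sp, dp = PureWindowsPath(src), PureWindowsPath(dst)
        if NESHTA_STAGING in dp.parts and sp.name.lower() == dp.name.lower():
            hits.append({"infected_pid": s, "infected": src, "host_pid": d, "host": dst})
    return hits


def parse_burn_args(cmdline):
    """Pull -burn.* switches out of a WiX Burn bootstrapper command line, quotes stripped."""
    return {k: v.strip('"') for k, v in re.findall(r'-(burn\.[\w.]+)=("[^"]*"|\S+)', cmdline)}


def burn_relaunch(edges, cmdline):
    """Match the .cr child's -burn.clean.room value back to the edge whose writer is that original image."""
    original = parse_burn_args(cmdline).get("burn.clean.room", "").lower()
    for s, d, src, dst in edges:
        if src.lower() == original:
            return {"original_pid": s, "clean_room_pid": d, "clean_room": dst}
    return None


if __name__ == "__main__":
    edges = parse_wpm(WPM_ROWS)
    print("chains:", process_chains(edges))
    print("neshta host restore:", neshta_host_launches(edges))
    print("burn clean-room relaunch:", burn_relaunch(edges, CR_CMDLINE))
```

The host-restore check keys on the directory name and the matching file name rather than on the sample's hash, so it also fires on other Neshta-infected files the sandbox runs; the Burn check is only meaningful when the restored host happens to be a WiX bundle, as it is here.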

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\3582-490\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe

MD5 fe7b3a28d0d7b2812d117f822d938e65
SHA1 a19dcfb8ed6627f1b0f9e54a7c64e4014e523b7a
SHA256 d4a1891cd83e19fbb3d908f6db3bfd516f65e06108fbe0c45fb7fc52f132d3b4
SHA512 ae7ac7d11bcb3108ca8ba9b47b0d90630c1fc6a5fdb3de4d26ea988e1645fb805bfeaf0dad5c8edd0d0928e299051375a6d073f504e503778bfd39e9b078f8a3

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

MD5 cf6c595d3e5e9667667af096762fd9c4
SHA1 9bb44da8d7f6457099cb56e4f7d1026963dce7ce
SHA256 593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d
SHA512 ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

C:\Windows\Temp\{A83A1000-A7A5-4915-BADD-43481068577B}\.cr\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe

MD5 329c83c19c24414bc4197e8edb59be73
SHA1 c87a0c70d4aa94d1785b1a10fa31c0f33dcae8a9
SHA256 f77c93d43d8ed763e19a8398c6fd8c5725bed806186be69d0723d9de1255a211
SHA512 640b042b0f6b3c8756756f6e8faf15ba33c0b3a4e125f7866080a167a2216f8aee435402613d9298501093a30e4f807b30a80584ac323291fd09eff5a12da150

\Windows\Temp\{81F98423-CCD8-4164-A536-22433EFB7AD1}\.ba\mbahost.dll

MD5 c59832217903ce88793a6c40888e3cae
SHA1 6d9facabf41dcf53281897764d467696780623b8
SHA256 9dfa1bc5d2ab4c652304976978749141b8c312784b05cb577f338a0aa91330db
SHA512 1b1f4cb2e3fa57cb481e28a967b19a6fefa74f3c77a3f3214a6b09e11ceb20ae428d036929f000710b4eb24a2c57d5d7dfe39661d5a1f48ee69a02d83381d1a9

\Windows\Temp\{81F98423-CCD8-4164-A536-22433EFB7AD1}\.ba\BootstrapperCore.dll

MD5 b0d10a2a622a322788780e7a3cbb85f3
SHA1 04d90b16fa7b47a545c1133d5c0ca9e490f54633
SHA256 f2c2b3ce2df70a3206f3111391ffc7b791b32505fa97aef22c0c2dbf6f3b0426
SHA512 62b0aa09234067e67969c5f785736d92cd7907f1f680a07f6b44a1caf43bfeb2df96f29034016f3345c4580c6c9bc1b04bea932d06e53621da4fcf7b8c0a489f

memory/2520-118-0x0000000000C70000-0x0000000000C88000-memory.dmp

C:\Windows\Temp\{81F98423-CCD8-4164-A536-22433EFB7AD1}\.ba\BootstrapperCore.config

MD5 5a502123a2adb3c114dbe6c5d37f9f61
SHA1 c0d90ce929ec8c626dc1db431edc0b70b7edee6a
SHA256 2527c708b6cab167e0c7c9a281f1aad6e8d952bc7ab0cc5731d6decca181cd5f
SHA512 3a182f3d51e31257487e409b882c89d5c115623f0db905fa0d557cb1a010810b25046c11929b0827624fbe7f4dd0bde32869eff1a3ecd2462cde05d990552bde

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

MD5 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1 ec66cda99f44b62470c6930e5afda061579cde35
SHA256 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

memory/2520-131-0x0000000000DD0000-0x0000000000DD8000-memory.dmp

\Windows\Temp\{81F98423-CCD8-4164-A536-22433EFB7AD1}\.ba\Chipset.Bootstrapper.dll

MD5 b20303841a71e1754adf296496633a71
SHA1 226507f26be011ee2de5248161c24a93c997961e
SHA256 ba072d1caf155a26d186063260f8d27126549805bfd9e8e0d537d343e24cbbcb
SHA512 f6a73fb032eb0192e3c41cf573fafef1326f48d0eb156c4726be6ef1f3569ccbbe3d8560cee3a5046f23d92c8d329b8adffd01a63bf6e6c2b8e1334ac19a6666

memory/2520-135-0x00000000024C0000-0x00000000024F8000-memory.dmp

\Windows\Temp\{81F98423-CCD8-4164-A536-22433EFB7AD1}\.ba\Bootstrapper.dll

MD5 cbd90fb2b484f33d2878d8d81794de37
SHA1 ac153d36b1ffb15e933509b0cc5a38deee12bbd9
SHA256 df40c2e9c90ad31f1130d37e2dbe896369c5df5737010432464fc853e5ea2f30
SHA512 ef5d647916362a81107bce5ac7ffd1e20d75308f96437f8134a89895866d4579ceaea88f0d59590c9a6de6f8d27efef861f088637e8d0ad6fe95df6287a4b829

memory/2520-139-0x0000000000DE0000-0x0000000000DEC000-memory.dmp

\Windows\Temp\{81F98423-CCD8-4164-A536-22433EFB7AD1}\.ba\Intel.Tools.dll

MD5 36700b8cb3f725c0b266786200c86dde
SHA1 9734c9f8b193c77797a4c8785ac5cfac84befa52
SHA256 52e7dab135e97b048c81bb943f9f231244588c1e8c0ccfb7a32b75a106e35f62
SHA512 ecfe58c0fd34f738a61aec34eb938c557a59adce4e4344d1ad52ed0a7348b582c3d15b7dbeaaf9182e097d3a66c1535ac2029cbb4df91f992f9e169bc1aac2f9

\Windows\Temp\{81F98423-CCD8-4164-A536-22433EFB7AD1}\.ba\CommandLineUtility.dll

MD5 325b410c9d84003f5037cedf07bb97fe
SHA1 9a93f6cf8bcd15e0aa12c96109836e57b6d9267a
SHA256 4b2330966345bb6fc6382e81a4ff1e7eab43a3ec642dedb8f2add7e0b03c6e41
SHA512 d2359b7ca0ac32a22324b38d1b5325a045f4a1fa380761741349e86f6007c8850fa25f18ae9cfdbbeaf592412766b961be9491a64b478657e2d0a3ea9d5a7457

memory/2520-150-0x0000000002520000-0x0000000002532000-memory.dmp

memory/2520-177-0x0000000000F20000-0x0000000000F2A000-memory.dmp

memory/2520-176-0x0000000000F20000-0x0000000000F2A000-memory.dmp

memory/2500-213-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2500-215-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2520-217-0x0000000000F20000-0x0000000000F2A000-memory.dmp

memory/2520-216-0x0000000000F20000-0x0000000000F2A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 13:23

Reported

2024-05-19 13:25

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
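Both detonations (behavioral1 and behavioral2) record the same single registry write: the default value of HKLM\SOFTWARE\Classes\exefile\shell\open\command is replaced with C:\Windows\svchost.com "%1" %*, so every .exe launched through the shell runs the dropped svchost.com first with the real program as its argument. That is how Neshta persists without a Run key, service or scheduled task, and it is also why the dropped file must not be deleted before the key is restored. The Python below is an added example, not part of the sandbox output: it decodes the escaped indicator string exactly as the tables above print it, converts the NT-native key path into the HKLM/HKU form reg.exe understands, and reports the key as hijacked whenever anything precedes the "%1" placeholder, since a clean Windows install holds exactly "%1" %* there. The first input line is copied from the table above; the second is a constructed clean control.

```python
import ast
import re

# Line 1 is copied from the "Modifies system executable filetype association" table above.
# Line 2 is a constructed control: the value a clean Windows install holds in the same key.
REPORT_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"',
]

_NT_ROOTS = (("\\REGISTRY\\MACHINE", "HKLM"), ("\\REGISTRY\\USER", "HKU"))
_TOKEN = re.compile(r'"[^"]*"|\S+')  # one command-line token: a quoted string or a bare word
_SET_VALUE = re.compile(r'Set value \(\w+\) (?P<key>.+?) = (?P<val>".*")$')


def nt_path_to_hive(key):
    """Rewrite the NT-native key path the sandbox logs into the HKLM/HKU form reg.exe understands."""
    upper = key.upper()
    for nt, hive in _NT_ROOTS:
        if upper.startswith(nt):
            return hive + key[len(nt):]
    return key


def parse_set_value(line):
    """Split a 'Set value (str) <key> = "<escaped>"' line into (key, decoded value)."""
    m = _SET_VALUE.match(line)
    if not m:
        raise ValueError(f"not a Set value line: {line!r}")
    key = m.group("key").rstrip("\\")            # trailing backslash marks the key's (Default) value
    return key, ast.literal_eval(m.group("val"))  # the sandbox escapes the string like a C literal


def open_command_prefix(command):
    """Return the tokens that run *before* the "%1" placeholder in a shell\\open\\command string."""
    tokens = _TOKEN.findall(command)
    for i, tok in enumerate(tokens):
        if tok.strip('"') == "%1":
            return tokens[:i]
    return tokens  # no %1 at all: the launched program would never run, treat everything as prefix


def is_exefile_hijacked(command):
    """True when something other than the launched program itself sits in front of "%1"."""
    return bool(open_command_prefix(command))


def triage(lines):
    """Pick the exefile handler writes out of a list of report lines and judge each one."""
    results = []
    for line in lines:
        key, value = parse_set_value(line)
        if key.lower().endswith(r"classes\exefile\shell\open\command"):
            results.append({
                "key": nt_path_to_hive(key),
                "value": value,
                "hijacked": is_exefile_hijacked(value),
                "hijacker": " ".join(open_command_prefix(value)) or None,
            })
    return results


if __name__ == "__main__":
    for record in triage(REPORT_LINES):
        print(record)
```

On a live host the same judgement can be applied to the output of reg query "HKLM\SOFTWARE\Classes\exefile\shell\open\command" /ve. If the value is hijacked, restore the default "%1" %* first and only then remove C:\Windows\svchost.com; deleting the file while the key still points at it leaves every .exe launch failing until the key is fixed. The same check applies to HKCU\Software\Classes\exefile, which takes precedence for the logged-on user and is not covered by the HKLM write seen here.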

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\BHO\ie_to_edge_stub.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\msedge_proxy.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{17316~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\cookie_exporter.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\INSTAL~1\setup.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MICROS~4.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13185~1.17\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MICROS~2.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MI9C33~1.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\notification_click_helper.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MI391D~1.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\identity_helper.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MICROS~3.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MIA062~1.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe"

C:\Windows\Temp\{87EA7342-8523-4B75-B62B-5532398F6C3A}\.cr\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe

"C:\Windows\Temp\{87EA7342-8523-4B75-B62B-5532398F6C3A}\.cr\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\3582-490\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe" -burn.filehandle.attached=548 -burn.filehandle.self=536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3940 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.180.10:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 10.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 31.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\3582-490\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe

MD5 fe7b3a28d0d7b2812d117f822d938e65
SHA1 a19dcfb8ed6627f1b0f9e54a7c64e4014e523b7a
SHA256 d4a1891cd83e19fbb3d908f6db3bfd516f65e06108fbe0c45fb7fc52f132d3b4
SHA512 ae7ac7d11bcb3108ca8ba9b47b0d90630c1fc6a5fdb3de4d26ea988e1645fb805bfeaf0dad5c8edd0d0928e299051375a6d073f504e503778bfd39e9b078f8a3

C:\Windows\Temp\{87EA7342-8523-4B75-B62B-5532398F6C3A}\.cr\c8c6b960a64cb319bf37b53591955960_NeikiAnalytics.exe

MD5 329c83c19c24414bc4197e8edb59be73
SHA1 c87a0c70d4aa94d1785b1a10fa31c0f33dcae8a9
SHA256 f77c93d43d8ed763e19a8398c6fd8c5725bed806186be69d0723d9de1255a211
SHA512 640b042b0f6b3c8756756f6e8faf15ba33c0b3a4e125f7866080a167a2216f8aee435402613d9298501093a30e4f807b30a80584ac323291fd09eff5a12da150

C:\Windows\Temp\{31A24D23-3D1D-4D37-A5A8-6E46396249C3}\.ba\mbahost.dll

MD5 c59832217903ce88793a6c40888e3cae
SHA1 6d9facabf41dcf53281897764d467696780623b8
SHA256 9dfa1bc5d2ab4c652304976978749141b8c312784b05cb577f338a0aa91330db
SHA512 1b1f4cb2e3fa57cb481e28a967b19a6fefa74f3c77a3f3214a6b09e11ceb20ae428d036929f000710b4eb24a2c57d5d7dfe39661d5a1f48ee69a02d83381d1a9

C:\Windows\Temp\{31A24D23-3D1D-4D37-A5A8-6E46396249C3}\.ba\BootstrapperCore.dll

MD5 b0d10a2a622a322788780e7a3cbb85f3
SHA1 04d90b16fa7b47a545c1133d5c0ca9e490f54633
SHA256 f2c2b3ce2df70a3206f3111391ffc7b791b32505fa97aef22c0c2dbf6f3b0426
SHA512 62b0aa09234067e67969c5f785736d92cd7907f1f680a07f6b44a1caf43bfeb2df96f29034016f3345c4580c6c9bc1b04bea932d06e53621da4fcf7b8c0a489f

C:\Windows\Temp\{31A24D23-3D1D-4D37-A5A8-6E46396249C3}\.ba\BootstrapperCore.config

MD5 5a502123a2adb3c114dbe6c5d37f9f61
SHA1 c0d90ce929ec8c626dc1db431edc0b70b7edee6a
SHA256 2527c708b6cab167e0c7c9a281f1aad6e8d952bc7ab0cc5731d6decca181cd5f
SHA512 3a182f3d51e31257487e409b882c89d5c115623f0db905fa0d557cb1a010810b25046c11929b0827624fbe7f4dd0bde32869eff1a3ecd2462cde05d990552bde

C:\Windows\Temp\{31A24D23-3D1D-4D37-A5A8-6E46396249C3}\.ba\Chipset.Bootstrapper.dll

MD5 b20303841a71e1754adf296496633a71
SHA1 226507f26be011ee2de5248161c24a93c997961e
SHA256 ba072d1caf155a26d186063260f8d27126549805bfd9e8e0d537d343e24cbbcb
SHA512 f6a73fb032eb0192e3c41cf573fafef1326f48d0eb156c4726be6ef1f3569ccbbe3d8560cee3a5046f23d92c8d329b8adffd01a63bf6e6c2b8e1334ac19a6666

C:\Windows\Temp\{31A24D23-3D1D-4D37-A5A8-6E46396249C3}\.ba\Bootstrapper.dll

MD5 cbd90fb2b484f33d2878d8d81794de37
SHA1 ac153d36b1ffb15e933509b0cc5a38deee12bbd9
SHA256 df40c2e9c90ad31f1130d37e2dbe896369c5df5737010432464fc853e5ea2f30
SHA512 ef5d647916362a81107bce5ac7ffd1e20d75308f96437f8134a89895866d4579ceaea88f0d59590c9a6de6f8d27efef861f088637e8d0ad6fe95df6287a4b829

C:\Windows\Temp\{31A24D23-3D1D-4D37-A5A8-6E46396249C3}\.ba\Intel.Tools.dll

MD5 36700b8cb3f725c0b266786200c86dde
SHA1 9734c9f8b193c77797a4c8785ac5cfac84befa52
SHA256 52e7dab135e97b048c81bb943f9f231244588c1e8c0ccfb7a32b75a106e35f62
SHA512 ecfe58c0fd34f738a61aec34eb938c557a59adce4e4344d1ad52ed0a7348b582c3d15b7dbeaaf9182e097d3a66c1535ac2029cbb4df91f992f9e169bc1aac2f9

C:\Windows\Temp\{31A24D23-3D1D-4D37-A5A8-6E46396249C3}\.ba\CommandLineUtility.dll

MD5 325b410c9d84003f5037cedf07bb97fe
SHA1 9a93f6cf8bcd15e0aa12c96109836e57b6d9267a
SHA256 4b2330966345bb6fc6382e81a4ff1e7eab43a3ec642dedb8f2add7e0b03c6e41
SHA512 d2359b7ca0ac32a22324b38d1b5325a045f4a1fa380761741349e86f6007c8850fa25f18ae9cfdbbeaf592412766b961be9491a64b478657e2d0a3ea9d5a7457

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

MD5 8ffc3bdf4a1903d9e28b99d1643fc9c7
SHA1 919ba8594db0ae245a8abd80f9f3698826fc6fe5
SHA256 8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6
SHA512 0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427
