7bb78378be9de95288b06faf5104a9dc65288b4b65c0a5efacc07a384e2e3ca3

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be3abea80dcfa427f4eca08f127671c0_NeikiAnalytics.exe
Size

1.2MB
MD5

be3abea80dcfa427f4eca08f127671c0
SHA1

a8f0699c682ecaf60483b78703847c7048f9f5e9
SHA256

7bb78378be9de95288b06faf5104a9dc65288b4b65c0a5efacc07a384e2e3ca3
SHA512

cdb5e009a25f1996aca5dd6b7becc401fdb3c43bd84e8034ed085762b5e5bfaf9eba5e3fac71a2b07533a4f8840a56549b61ca29a085df1a15feb2d1f9a9ea9a
SSDEEP

24576:fXTff2BiQeY3lvbELqO7mi7Q/EuibeX57XIU9wwXfN1Plx:fXzfSck1+7Q/Euib87p9wG1Plx

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

be3abea80dcfa427f4eca08f127671c0_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	be3abea80dcfa427f4eca08f127671c0_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

Processes:

dotnetchk.exeElsinore.ScreenConnect.WindowsClient.exe

pid process

1468 dotnetchk.exe
1916 Elsinore.ScreenConnect.WindowsClient.exe
Loads dropped DLL 8 IoCs

Processes:

MsiExec.exerundll32.exe

pid process

2512 MsiExec.exe
1916 rundll32.exe
1916 rundll32.exe
1916 rundll32.exe
1916 rundll32.exe
1916 rundll32.exe
1916 rundll32.exe
1916 rundll32.exe

pid	process
1468	dotnetchk.exe
1916	Elsinore.ScreenConnect.WindowsClient.exe

pid	process
2512	MsiExec.exe
1916	rundll32.exe
1916	rundll32.exe
1916	rundll32.exe
1916	rundll32.exe
1916	rundll32.exe
1916	rundll32.exe
1916	rundll32.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Drops file in Program Files directory 9 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files (x86)\ScreenConnect Client (74d4fd3265fb3ba5)\Elsinore.ScreenConnect.Client.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (74d4fd3265fb3ba5)\Elsinore.ScreenConnect.Core.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (74d4fd3265fb3ba5)\Elsinore.ScreenConnect.Windows.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (74d4fd3265fb3ba5)\Elsinore.ScreenConnect.WindowsClient.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (74d4fd3265fb3ba5)\Client.en-US.resources	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (74d4fd3265fb3ba5)\Client.Override.en-US.resources	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (74d4fd3265fb3ba5)\Elsinore.ScreenConnect.WindowsClient.exe.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (74d4fd3265fb3ba5)\Client.Override.resources	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (74d4fd3265fb3ba5)\Client.resources	msiexec.exe

Drops file in Windows directory 10 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\e579124.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e579124.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{49C66C1A-E39B-449E-AACD-139B24B21663}	msiexec.exe
File created	C:\Windows\Installer\e579126.msi	msiexec.exe
File created	C:\Windows\Installer\{49C66C1A-E39B-449E-AACD-139B24B21663}\DefaultIcon	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI91E0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{49C66C1A-E39B-449E-AACD-139B24B21663}\DefaultIcon	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000005b1010511f65dd1c0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800005b1010510000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809005b101051000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d5b101051000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000005b10105100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe

Modifies registry class 32 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-74d4fd3265fb3ba5\UseOriginalUrlEncoding = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A1C66C94B93EE944AADC31B9422B6136\InstanceType = "0"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A1C66C94B93EE944AADC31B9422B6136\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-74d4fd3265fb3ba5\URL Protocol	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-74d4fd3265fb3ba5\shell\open\command\ = "\"C:\\Program Files (x86)\\ScreenConnect Client (74d4fd3265fb3ba5)\\Elsinore.ScreenConnect.WindowsClient.exe\" \"%1\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\3E5BB419EBAE49CC474DDF2356BFB35A\A1C66C94B93EE944AADC31B9422B6136	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A1C66C94B93EE944AADC31B9422B6136\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A1C66C94B93EE944AADC31B9422B6136\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A1C66C94B93EE944AADC31B9422B6136\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\3E5BB419EBAE49CC474DDF2356BFB35A	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-74d4fd3265fb3ba5\shell\open	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A1C66C94B93EE944AADC31B9422B6136	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A1C66C94B93EE944AADC31B9422B6136\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sc-74d4fd3265fb3ba5	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A1C66C94B93EE944AADC31B9422B6136\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A1C66C94B93EE944AADC31B9422B6136\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A1C66C94B93EE944AADC31B9422B6136\Full	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A1C66C94B93EE944AADC31B9422B6136\PackageCode = "3113BA3254FA56649969485FD395FABF"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A1C66C94B93EE944AADC31B9422B6136\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-74d4fd3265fb3ba5	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-74d4fd3265fb3ba5\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A1C66C94B93EE944AADC31B9422B6136	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A1C66C94B93EE944AADC31B9422B6136\ProductName = "ScreenConnect Client (74d4fd3265fb3ba5)"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A1C66C94B93EE944AADC31B9422B6136\Version = "83893989"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A1C66C94B93EE944AADC31B9422B6136\ProductIcon = "C:\\Windows\\Installer\\{49C66C1A-E39B-449E-AACD-139B24B21663}\\DefaultIcon"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A1C66C94B93EE944AADC31B9422B6136\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sc-74d4fd3265fb3ba5\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-74d4fd3265fb3ba5\shell	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A1C66C94B93EE944AADC31B9422B6136\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A1C66C94B93EE944AADC31B9422B6136\SourceList\PackageName = "setup.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A1C66C94B93EE944AADC31B9422B6136\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A1C66C94B93EE944AADC31B9422B6136\SourceList\Media\1 = ";"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

msiexec.exeElsinore.ScreenConnect.WindowsClient.exe

pid	process
3136	msiexec.exe
3136	msiexec.exe
1916	Elsinore.ScreenConnect.WindowsClient.exe
1916	Elsinore.ScreenConnect.WindowsClient.exe
1916	Elsinore.ScreenConnect.WindowsClient.exe
1916	Elsinore.ScreenConnect.WindowsClient.exe
1916	Elsinore.ScreenConnect.WindowsClient.exe
1916	Elsinore.ScreenConnect.WindowsClient.exe
1916	Elsinore.ScreenConnect.WindowsClient.exe
1916	Elsinore.ScreenConnect.WindowsClient.exe
1916	Elsinore.ScreenConnect.WindowsClient.exe
1916	Elsinore.ScreenConnect.WindowsClient.exe
1916	Elsinore.ScreenConnect.WindowsClient.exe
1916	Elsinore.ScreenConnect.WindowsClient.exe
1916	Elsinore.ScreenConnect.WindowsClient.exe
1916	Elsinore.ScreenConnect.WindowsClient.exe
1916	Elsinore.ScreenConnect.WindowsClient.exe
1916	Elsinore.ScreenConnect.WindowsClient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	4328	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4328	msiexec.exe
Token: SeSecurityPrivilege	3136	msiexec.exe
Token: SeCreateTokenPrivilege	4328	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4328	msiexec.exe
Token: SeLockMemoryPrivilege	4328	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4328	msiexec.exe
Token: SeMachineAccountPrivilege	4328	msiexec.exe
Token: SeTcbPrivilege	4328	msiexec.exe
Token: SeSecurityPrivilege	4328	msiexec.exe
Token: SeTakeOwnershipPrivilege	4328	msiexec.exe
Token: SeLoadDriverPrivilege	4328	msiexec.exe
Token: SeSystemProfilePrivilege	4328	msiexec.exe
Token: SeSystemtimePrivilege	4328	msiexec.exe
Token: SeProfSingleProcessPrivilege	4328	msiexec.exe
Token: SeIncBasePriorityPrivilege	4328	msiexec.exe
Token: SeCreatePagefilePrivilege	4328	msiexec.exe
Token: SeCreatePermanentPrivilege	4328	msiexec.exe
Token: SeBackupPrivilege	4328	msiexec.exe
Token: SeRestorePrivilege	4328	msiexec.exe
Token: SeShutdownPrivilege	4328	msiexec.exe
Token: SeDebugPrivilege	4328	msiexec.exe
Token: SeAuditPrivilege	4328	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4328	msiexec.exe
Token: SeChangeNotifyPrivilege	4328	msiexec.exe
Token: SeRemoteShutdownPrivilege	4328	msiexec.exe
Token: SeUndockPrivilege	4328	msiexec.exe
Token: SeSyncAgentPrivilege	4328	msiexec.exe
Token: SeEnableDelegationPrivilege	4328	msiexec.exe
Token: SeManageVolumePrivilege	4328	msiexec.exe
Token: SeImpersonatePrivilege	4328	msiexec.exe
Token: SeCreateGlobalPrivilege	4328	msiexec.exe
Token: SeCreateTokenPrivilege	4328	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4328	msiexec.exe
Token: SeLockMemoryPrivilege	4328	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4328	msiexec.exe
Token: SeMachineAccountPrivilege	4328	msiexec.exe
Token: SeTcbPrivilege	4328	msiexec.exe
Token: SeSecurityPrivilege	4328	msiexec.exe
Token: SeTakeOwnershipPrivilege	4328	msiexec.exe
Token: SeLoadDriverPrivilege	4328	msiexec.exe
Token: SeSystemProfilePrivilege	4328	msiexec.exe
Token: SeSystemtimePrivilege	4328	msiexec.exe
Token: SeProfSingleProcessPrivilege	4328	msiexec.exe
Token: SeIncBasePriorityPrivilege	4328	msiexec.exe
Token: SeCreatePagefilePrivilege	4328	msiexec.exe
Token: SeCreatePermanentPrivilege	4328	msiexec.exe
Token: SeBackupPrivilege	4328	msiexec.exe
Token: SeRestorePrivilege	4328	msiexec.exe
Token: SeShutdownPrivilege	4328	msiexec.exe
Token: SeDebugPrivilege	4328	msiexec.exe
Token: SeAuditPrivilege	4328	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4328	msiexec.exe
Token: SeChangeNotifyPrivilege	4328	msiexec.exe
Token: SeRemoteShutdownPrivilege	4328	msiexec.exe
Token: SeUndockPrivilege	4328	msiexec.exe
Token: SeSyncAgentPrivilege	4328	msiexec.exe
Token: SeEnableDelegationPrivilege	4328	msiexec.exe
Token: SeManageVolumePrivilege	4328	msiexec.exe
Token: SeImpersonatePrivilege	4328	msiexec.exe
Token: SeCreateGlobalPrivilege	4328	msiexec.exe
Token: SeCreateTokenPrivilege	4328	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4328	msiexec.exe
Token: SeLockMemoryPrivilege	4328	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

4328 msiexec.exe
4328 msiexec.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Elsinore.ScreenConnect.WindowsClient.exe

pid process

1916 Elsinore.ScreenConnect.WindowsClient.exe

pid	process
4328	msiexec.exe
4328	msiexec.exe

pid	process
1916	Elsinore.ScreenConnect.WindowsClient.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

be3abea80dcfa427f4eca08f127671c0_NeikiAnalytics.exemsiexec.exeMsiExec.exe

description	pid	process	target process
PID 4552 wrote to memory of 1468	4552	be3abea80dcfa427f4eca08f127671c0_NeikiAnalytics.exe	dotnetchk.exe
PID 4552 wrote to memory of 1468	4552	be3abea80dcfa427f4eca08f127671c0_NeikiAnalytics.exe	dotnetchk.exe
PID 4552 wrote to memory of 1468	4552	be3abea80dcfa427f4eca08f127671c0_NeikiAnalytics.exe	dotnetchk.exe
PID 4552 wrote to memory of 4328	4552	be3abea80dcfa427f4eca08f127671c0_NeikiAnalytics.exe	msiexec.exe
PID 4552 wrote to memory of 4328	4552	be3abea80dcfa427f4eca08f127671c0_NeikiAnalytics.exe	msiexec.exe
PID 4552 wrote to memory of 4328	4552	be3abea80dcfa427f4eca08f127671c0_NeikiAnalytics.exe	msiexec.exe
PID 3136 wrote to memory of 2512	3136	msiexec.exe	MsiExec.exe
PID 3136 wrote to memory of 2512	3136	msiexec.exe	MsiExec.exe
PID 3136 wrote to memory of 2512	3136	msiexec.exe	MsiExec.exe
PID 2512 wrote to memory of 1916	2512	MsiExec.exe	rundll32.exe
PID 2512 wrote to memory of 1916	2512	MsiExec.exe	rundll32.exe
PID 2512 wrote to memory of 1916	2512	MsiExec.exe	rundll32.exe
PID 3136 wrote to memory of 2132	3136	msiexec.exe	srtasks.exe
PID 3136 wrote to memory of 2132	3136	msiexec.exe	srtasks.exe
PID 3136 wrote to memory of 1916	3136	msiexec.exe	Elsinore.ScreenConnect.WindowsClient.exe
PID 3136 wrote to memory of 1916	3136	msiexec.exe	Elsinore.ScreenConnect.WindowsClient.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\be3abea80dcfa427f4eca08f127671c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\be3abea80dcfa427f4eca08f127671c0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4552

C:\Users\Admin\AppData\Local\Temp\VSD4FA6.tmp\DotNetFXCustom\dotnetchk.exe
"C:\Users\Admin\AppData\Local\Temp\VSD4FA6.tmp\DotNetFXCustom\dotnetchk.exe"
2⤵
- Executes dropped EXE
PID:1468

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\setup.msi"
2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4328

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3136

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 2B3074D920F77367462913F8902B47D8 C
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI538E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240604109 1 Elsinore.ScreenConnect.InstallerActions!Elsinore.ScreenConnect.ClientInstallerActions.FixupServiceArguments
3⤵
- Loads dropped DLL
PID:1916

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:2132

C:\Program Files (x86)\ScreenConnect Client (74d4fd3265fb3ba5)\Elsinore.ScreenConnect.WindowsClient.exe
"C:\Program Files (x86)\ScreenConnect Client (74d4fd3265fb3ba5)\Elsinore.ScreenConnect.WindowsClient.exe" "?y=Host&h=connect.boxsupport.com&p=8041&s=2d24616a-7f52-4064-adf3-b7a1ef039272&k=BgIAAACkAABSU0ExAAgAAAEAAQAnrYFzXlcydiDgsvWW2YnAuon0BH6W%2fItMumA7VU05z7WuI9zvR0eVjsIMQxS3amQ8nGY4eZdsByUqyhO7cf%2bQDDUzkTXmlU%2flGuJA7BfEIBnh3ThyTvnf0hO7BXuMNmmSfj5t%2ftyphLOBlh9WpglNjdflM5Pu8hKBWso8CVtSW7RZu9FFZOcpQYZfnTNIkqPCBKiA2Kh93MCQ43Bk5EIL1uKffbcbfT1%2bI4ij8IwvVPvTT6V2xYqIV7VblOoLyBD4Mq4i8t%2ffml8BAQkFQLWc6s6FhtCBE9kfp5BENY2XsihU1SKkCPUIrv7qQ2AVmmtxpWTuGOJlEfUN%2fy6Tdtyz&n=2LiHrwIMS2F5bGVlIEF2ZXJ5j24xXklqP5A4mDWKpjUUE%2bkiechR6ESHoKPsjsS3SgrquQ%3d%3d&i=glen%20adkins"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1916

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e579125.rbs

Filesize
8KB

MD5
85cd65477dba91cd08cb8ecf128fe146

SHA1
45c8f4dfc54db9b483e49c4c9de17b1d3db754f7

SHA256
87ac02317102c8f7fbcefcfdafca06abf1357f96ffd7757b880b5e642e84885d

SHA512
b07c73bfd4fe3f14f439f2ead3e94a75d714de74f5dd37e1edec6dc278bac068e39467a6e8e8290890e6eba4be1b815d33b7c2b2e2f5afadc9a27990974eb01e

Download Submit
C:\Program Files (x86)\ScreenConnect Client (74d4fd3265fb3ba5)\Client.Override.en-US.resources

Filesize
617B

MD5
5f6e8999020452a7d414469e23f820e7

SHA1
21f6820154ba7fbe18ea4a237e1682bdb41c5147

SHA256
84303e6196dccb36f8bc8dacaa183822963b71c9b8448b492114980234470ecc

SHA512
aceb9f9d6672b24ac97b9b4f2fb2b6887add0565b1ed8698fb676aa976f5dba9f5ee1bce48decdb7aeb51a1f24cd9d11f6d52a32f49a79fda132796e60b81694

Download Submit
C:\Program Files (x86)\ScreenConnect Client (74d4fd3265fb3ba5)\Client.Override.resources

Filesize
15KB

MD5
c3d204fabfa272a3b0f7319928e1822a

SHA1
874bfd93f9483d6adee4ee7c01968cc5315f4899

SHA256
0bfcc6494dfd00329a974501aa0037bc2ecdf1633554ee499b759dd799805e65

SHA512
9474555b0c610b0247c219cba5703cdeccf57ace7a0230f38188f0d429164e434265d40ce1d61e06554fd99b7e772b65aad112def2f572f5278f02a911f35a0c

Download Submit
C:\Program Files (x86)\ScreenConnect Client (74d4fd3265fb3ba5)\Client.en-US.resources

Filesize
23KB

MD5
2c3a7d5575505139752a1debe50f75be

SHA1
cc707edced1d9b6780873e92d9eaeca8f4a63e52

SHA256
d94ca7a84f8f8f9e3a0a528c07d726632f49db9640432d88b6428b99b8fb69ec

SHA512
85838ecc586dfb0a20f34174677561521b6c2f1ed4ae1fa64fcf7b95f0e6ab0b426f0f938be3a72c55c409725ad8f0638647e3216f997a6e305ce44e549f3fd5

Download Submit
C:\Program Files (x86)\ScreenConnect Client (74d4fd3265fb3ba5)\Client.resources

Filesize
4KB

MD5
43df44e3c87b3401160118d2d43601ff

SHA1
d534cd8d970c4c5bf6b8574ad0446d70a103a8fb

SHA256
e265d0d544f628387857031c8fb5983d658195423f34ea8df7aa1c49b12aa9f2

SHA512
2e4318c1105c4a34c28c5f9b06e6d4b5d08131ec28c34342402d49bae9dc00eeeecac6fc8498ac851e9ca981a84bd595f8a90f5d7967084719ab0662df3a4a3b

Download Submit
C:\Program Files (x86)\ScreenConnect Client (74d4fd3265fb3ba5)\Elsinore.ScreenConnect.Client.dll

Filesize
93KB

MD5
39fc8f57a9b6511a808a1f7e4f325cef

SHA1
197659d433dc18acd728e236d3e0ff6225517104

SHA256
9e4d1ffd9fc3e149ba0a0e219814e9f0614e26bbe08bc5e552dcdb261770e59d

SHA512
d6b9eadc929db765c6c4ce083c6aca470bae49c86833e677908f3a7526881464a31141666f1f287be073d150065999aed680fecaa7eb268b662dc133067e2f2f

Download Submit
C:\Program Files (x86)\ScreenConnect Client (74d4fd3265fb3ba5)\Elsinore.ScreenConnect.Windows.dll

Filesize
391KB

MD5
30fbbd14cf3d47d5619ad55c36fb269e

SHA1
237b458b3fade98b4ad7cf48c9057c6b241cb5cb

SHA256
105cd91c0f24b24dcd57c40a22fe0447a888340dcc84ca5b1c34eedfd11f3b5d

SHA512
4394323c76818360a54a207012c5bf56234041cb62e6f6247800924315f8276987861709efef3cef71e51e4330ddfee2dd14ff5cfce73e8c6d03be78e5deedcf

Download Submit
C:\Program Files (x86)\ScreenConnect Client (74d4fd3265fb3ba5)\Elsinore.ScreenConnect.WindowsClient.exe

Filesize
338KB

MD5
d6ab7b47f447abebe3fcc9791f22e3c6

SHA1
3c61202073488e59587065eeb6010be9f0e95f32

SHA256
e71b305a592c27f8f9398eb00475c620548e1511ad532f48148223adbb604555

SHA512
97c077bc57a0c59be920e5081d6bbfcc7827fd480e3deab002ae78573fb73549ae149cdaaf24e8fb622ec319a1ca53f9f1b98b6030407197a5012f6bd4a6fb32

Download Submit
C:\Program Files (x86)\ScreenConnect Client (74d4fd3265fb3ba5)\Elsinore.ScreenConnect.WindowsClient.exe.config

Filesize
259B

MD5
95f04aa18dc27e4f0c73ac6829dcc3d8

SHA1
2f361486c18e23cea4b375e1c9cccdc14bdd620d

SHA256
f3c7ed5a1114cbfa6e3e996f4b0311edb5e25dc2099fd7eb7a3a456c261a2d94

SHA512
59bfd8675c2b215e793bf343b6d1aa9c3304ab763c5870a4934ab947284af7bb0493fc4b5a6048dc3d531262e061d68d7395f09eaee1ebf1524c0d8ed63164b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI538E.tmp

Filesize
279KB

MD5
6d5f46d5ae78e61ea290b6c300def625

SHA1
3ae79c014bc2066a9f7966d6764825c2dab24b51

SHA256
a4c316a8d25936de049356c0a36f9d04feed977eca19a13b9908dc1e697aa0f8

SHA512
efc8a0dfbf590c23463b82c8ffc7b295d77bccd16750e3db7ef5b2c8c8acd6ea45839abd131672b3f75198dd68e539ee30bdea1bdc54d5296f27f89acdda374f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI538E.tmp-\Elsinore.ScreenConnect.Core.dll

Filesize
194KB

MD5
27eb6b7a79a41c8eb611e3d492f09acb

SHA1
ac0234cc29183a58e36ea4271074fbe3eb935744

SHA256
327dcc7c94c4df1822700982c40318ead01ac48fa07170221d468bf78c5189b0

SHA512
35aa8861a6fd66a74a408f558b78a5b52e7b4a963c44a945260f63f4c5aece0b0446dea890cf1c01ca10600da3d4c36c224700130ecb64b5d0298396e051902a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI538E.tmp-\Elsinore.ScreenConnect.InstallerActions.dll

Filesize
19KB

MD5
fcb234ac467125d61196946526883161

SHA1
b5e919ae7fdd23a40360f3d2895fd95fd7d6047d

SHA256
ce1c13343377bc52ba06f20a9b8eb5d8334aa96a25db9c3dc33d8b928bfe2397

SHA512
e9524c35126fe8abd3b65ddca415bc2453aa2362761e082e6df819b4efb4dbae4ec61c822a94fd401867cabca6f4ace9c1c07c3c0137ece808d65ca51dc505ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI538E.tmp-\Microsoft.Deployment.WindowsInstaller.dll

Filesize
176KB

MD5
1e5a0962f20e91ca18bc150266e6f49e

SHA1
e71caab3b88b2913178ca2ae549a00455679cd4e

SHA256
fa74ae4d5e62a1cc7cfeaa55d84fe9bddab06651b6744fb4469074e79317da99

SHA512
09021a2183536d07d915e413bd70fbd47f6afcf9fa9b8deb886f473c7b3dc3ee3e042c126f644be70f42f491692fab0a25b49ef88099caf272eec75c5bd2fc1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\VSD4FA6.tmp\DotNetFXCustom\dotnetchk.exe

Filesize
85KB

MD5
4992d98e6772a5fd7256c4c7fe978a11

SHA1
6cf70905908b59553e1b92e057c3e7c13bd7b6a4

SHA256
5494efb1859e625eff5c2b51a66058fd7ffe1aa619594f62900a0bef392012d0

SHA512
8afdda6a49a4c61c62e329f3d15dc31c98327fd720e654972b14f98112b79d293648cad0dd08b3d12e48e020dd21fe40f9fc0a6c78014e1434a1703f40f6f4d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.msi

Filesize
783KB

MD5
88117cb9c4cde78518114c69ac1b8c15

SHA1
303665c920fdb79da17fc93dbe9487d3616e451c

SHA256
1ffa15b4890bacf8aa2b56fa7543816e09c3bd924e4ef5bcafbeee40c5e4e020

SHA512
d60e984124e36f87404dcdfa6b7e0df5929fe2f4fcefb765a30c6dbe3a744b1b7e091aafdde8d6556df5cce92326d63c3a7eac85e73323c17d5808061760d2fa

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
cb2963046f0414e0dc5c028288470133

SHA1
d4ba98ea9f78f97a5f1dfde5f0bceac3b07d04ca

SHA256
5a4de0bd3356c0aaef89e5bbe2ae140d9e4139c467ca71a7dca25e9f12a2d0f5

SHA512
c92a7c8f2990bbdc57554f58d5b6f204aabeba20c308883fc77b753915517f64b68934ccf104f742781769343ce7a063c8fed59f5d52fa1c4dbe2db206833367

Download Submit
\??\Volume{5110105b-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{fe668474-02f9-43ed-b809-be6f843c5532}_OnDiskSnapshotProp

Filesize
6KB

MD5
5ba6f77647544cbc5323ae49f3910e7d

SHA1
b92e5e32cac1cdefc8b5a9ae69faade2711dbdcd

SHA256
4670d61b39c8a2f583bd29ce3a084c0f7e7996e77683b8e67c324976b4355692

SHA512
714ef1c3c3583809e6221e155de08c642c4b83f39db267600ae73e3ff9bb5bcd2309fd9611e2436027c948268de5e3344d00f1a0fbf4a4c08ddc9bf17232f1dc

Download Submit
memory/1916-90-0x000000001B030000-0x000000001B098000-memory.dmp

Filesize
416KB

Download
memory/1916-37-0x0000000005AF0000-0x0000000006094000-memory.dmp

Filesize
5.6MB

Download
memory/1916-91-0x000000001C2E0000-0x000000001C466000-memory.dmp

Filesize
1.5MB

Download
memory/1916-32-0x0000000003160000-0x000000000316C000-memory.dmp

Filesize
48KB

Download
memory/1916-28-0x0000000003120000-0x0000000003150000-memory.dmp

Filesize
192KB

Download
memory/1916-84-0x0000000000D80000-0x0000000000D9E000-memory.dmp

Filesize
120KB

Download
memory/1916-86-0x000000001AFF0000-0x000000001B028000-memory.dmp

Filesize
224KB

Download
memory/1916-96-0x000000001C600000-0x000000001C650000-memory.dmp

Filesize
320KB

Download
memory/1916-36-0x0000000005500000-0x0000000005538000-memory.dmp

Filesize
224KB

Download
memory/1916-82-0x0000000000570000-0x00000000005CA000-memory.dmp

Filesize
360KB

Download