61bbfea9b775220037926245f58d5f262e02491ad31f7ae1153fbbc269f767cc

General

Target

35ac0aa3a9c41197a8702c0342feb320_NeikiAnalytics.exe
Size

438KB
MD5

35ac0aa3a9c41197a8702c0342feb320
SHA1

ac49125523b35d6e342e839a26716e25f1b7aab1
SHA256

61bbfea9b775220037926245f58d5f262e02491ad31f7ae1153fbbc269f767cc
SHA512

4a4a2feb88b0584c7500bf2576be7f9da79455fa84394b490da6bb4f9878e758095f47707efc2a2edb92cb01c5e47ea0d81c8e032ae450ecb7d7ca654bb8baef
SSDEEP

6144:uZLJseGtp4QLQTVT6C+5Ybyc2N0pLzaSCKta7KTw460SdMCE:qCeGtLLQhK+mc+0pnaS7aCdn

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

D3A.tmp

pid process

1628 D3A.tmp
Loads dropped DLL 2 IoCs

Processes:

35ac0aa3a9c41197a8702c0342feb320_NeikiAnalytics.exe

pid process

1844 35ac0aa3a9c41197a8702c0342feb320_NeikiAnalytics.exe
1844 35ac0aa3a9c41197a8702c0342feb320_NeikiAnalytics.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1628	D3A.tmp

pid	process
1844	35ac0aa3a9c41197a8702c0342feb320_NeikiAnalytics.exe
1844	35ac0aa3a9c41197a8702c0342feb320_NeikiAnalytics.exe

Drops file in System32 directory 64 IoCs

Processes:

D3A.tmp

description	ioc	process
File created	C:\Windows\SysWOW64\crtdll.dll	D3A.tmp
File created	C:\Windows\SysWOW64\iac25_32.ax	D3A.tmp
File opened for modification	C:\Windows\SysWOW64\mfc110.dll	D3A.tmp
File opened for modification	C:\Windows\SysWOW64\mfc110u.dll	D3A.tmp
File created	C:\Windows\SysWOW64\msrd2x40.dll	D3A.tmp
File opened for modification	C:\Windows\SysWOW64\msvcr120.dll	D3A.tmp
File created	C:\Windows\SysWOW64\InstallShield\_isdel.exe	D3A.tmp
File created	C:\Windows\SysWOW64\explorer.exe	D3A.tmp
File created	C:\Windows\SysWOW64\ir50_32.dll	D3A.tmp
File opened for modification	C:\Windows\SysWOW64\mfc140.dll	D3A.tmp
File created	C:\Windows\SysWOW64\mswstr10.dll	D3A.tmp
File created	C:\Windows\SysWOW64\olecli32.dll	D3A.tmp
File created	C:\Windows\SysWOW64\setupSNK.exe	D3A.tmp
File opened for modification	C:\Windows\SysWOW64\vcomp140.dll	D3A.tmp
File created	C:\Windows\SysWOW64\mstext40.dll	D3A.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\atiilhag.inf_amd64_neutral_0a660e899f5038a2\atiumdag.dll	D3A.tmp
File created	C:\Windows\SysWOW64\audiodev.dll	D3A.tmp
File created	C:\Windows\SysWOW64\d3d8.dll	D3A.tmp
File created	C:\Windows\SysWOW64\dmscript.dll	D3A.tmp
File created	C:\Windows\SysWOW64\mspbde40.dll	D3A.tmp
File opened for modification	C:\Windows\SysWOW64\msvcr120_clr0400.dll	D3A.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\igdlh.inf_amd64_neutral_54a12b57f547d08e\igd10umd32.dll	D3A.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\igdlh.inf_amd64_neutral_54a12b57f547d08e\igdumd32.dll	D3A.tmp
File created	C:\Windows\SysWOW64\regedit.exe	D3A.tmp
File opened for modification	C:\Windows\SysWOW64\atl110.dll	D3A.tmp
File created	C:\Windows\SysWOW64\dplaysvr.exe	D3A.tmp
File created	C:\Windows\SysWOW64\ir41_32.ax	D3A.tmp
File opened for modification	C:\Windows\SysWOW64\mfc120u.dll	D3A.tmp
File created	C:\Windows\SysWOW64\msltus40.dll	D3A.tmp
File opened for modification	C:\Windows\SysWOW64\msvcr110.dll	D3A.tmp
File created	C:\Windows\SysWOW64\msxbde40.dll	D3A.tmp
File opened for modification	C:\Windows\SysWOW64\VBAME.DLL	D3A.tmp
File opened for modification	C:\Windows\SysWOW64\vccorlib120.dll	D3A.tmp
File created	C:\Windows\SysWOW64\d3dxof.dll	D3A.tmp
File created	C:\Windows\SysWOW64\msorcl32.dll	D3A.tmp
File created	C:\Windows\SysWOW64\mswdat10.dll	D3A.tmp
File created	C:\Windows\SysWOW64\rdvgumd32.dll	D3A.tmp
File created	C:\Windows\SysWOW64\sqlwoa.dll	D3A.tmp
File opened for modification	C:\Windows\SysWOW64\atl100.dll	D3A.tmp
File created	C:\Windows\SysWOW64\dpwsockx.dll	D3A.tmp
File opened for modification	C:\Windows\SysWOW64\mfc100.dll	D3A.tmp
File created	C:\Windows\SysWOW64\odbcjt32.dll	D3A.tmp
File created	C:\Windows\SysWOW64\migration\MediaPlayer-DLMigPlugin.dll	D3A.tmp
File created	C:\Windows\SysWOW64\msexch40.dll	D3A.tmp
File created	C:\Windows\SysWOW64\msjtes40.dll	D3A.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\atiilhag.inf_amd64_neutral_0a660e899f5038a2\amdpcom32.dll	D3A.tmp
File opened for modification	C:\Windows\SysWOW64\mfc140u.dll	D3A.tmp
File opened for modification	C:\Windows\SysWOW64\msvcr100.dll	D3A.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\atiilhag.inf_amd64_neutral_0a660e899f5038a2\atiumdva.dll	D3A.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\nv_lh.inf_amd64_neutral_bc69f20e3115af59\nvwgf2um.dll	D3A.tmp
File opened for modification	C:\Windows\SysWOW64\mfc120.dll	D3A.tmp
File created	C:\Windows\SysWOW64\mfc40u.dll	D3A.tmp
File created	C:\Windows\SysWOW64\msrepl40.dll	D3A.tmp
File created	C:\Windows\SysWOW64\msvcrt20.dll	D3A.tmp
File created	C:\Windows\SysWOW64\FXSXP32.dll	D3A.tmp
File opened for modification	C:\Windows\SysWOW64\mfc100u.dll	D3A.tmp
File created	C:\Windows\SysWOW64\sqlunirl.dll	D3A.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\atiilhag.inf_amd64_neutral_0a660e899f5038a2\atidxx32.dll	D3A.tmp
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-MediaPlayer\MediaPlayer-DLMigPlugin.dll	D3A.tmp
File created	C:\Windows\SysWOW64\d3dim.dll	D3A.tmp
File created	C:\Windows\SysWOW64\dplayx.dll	D3A.tmp
File created	C:\Windows\SysWOW64\msexcl40.dll	D3A.tmp
File created	C:\Windows\SysWOW64\msjet40.dll	D3A.tmp
File opened for modification	C:\Windows\SysWOW64\concrt140.dll	D3A.tmp

Drops file in Program Files directory 64 IoCs

Processes:

D3A.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Csi.dll	D3A.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MLCFG32.CPL	D3A.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE	D3A.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSTH7EN.DLL	D3A.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Accessibility.api	D3A.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEODBC.DLL	D3A.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OSETUP.DLL	D3A.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	D3A.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE	D3A.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE	D3A.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OART.DLL	D3A.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OMSMAIN.DLL	D3A.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\BIB.dll	D3A.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\ReadOutLoud.api	D3A.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\Real.mpp	D3A.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACETXT.DLL	D3A.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\IETAG.DLL	D3A.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\INTLDATE.DLL	D3A.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\SendMail.api	D3A.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\MOFL.DLL	D3A.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCDDSF.DLL	D3A.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OLKFSTUB.DLL	D3A.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SOCIALCONNECTOR.DLL	D3A.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OLTASK.FAE	D3A.tmp
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\JP2KLib.dll	D3A.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OFFXML.DLL	D3A.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\ADMPlugin.apl	D3A.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\VBAJET32.DLL	D3A.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\PROOF\MSLID.DLL	D3A.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL	D3A.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSYUBIN7.DLL	D3A.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONBttnPPT.dll	D3A.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONFILTER.DLL	D3A.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\ODBC.SAM	D3A.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\EPSIMP32.FLT	D3A.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACECORE.DLL	D3A.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEOLEDB.DLL	D3A.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\EXP_PDF.DLL	D3A.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSStr32.dll	D3A.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE	D3A.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEREP.DLL	D3A.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\IPEDITOR.DLL	D3A.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOCF.DLL	D3A.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OFFOWC.DLL	D3A.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PPSLAX.DLL	D3A.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\msmdlocal.dll	D3A.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeXMP.dll	D3A.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EXSEC32.DLL	D3A.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSAEXP30.DLL	D3A.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NAME.DLL	D3A.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\oisctrl.dll	D3A.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OUTLACCT.DLL	D3A.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\MCIMPP.mpp	D3A.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXEV.DLL	D3A.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\3082\MSGR3ES.DLL	D3A.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE	D3A.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OARTCONV.DLL	D3A.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	D3A.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Updater.api	D3A.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\ITIRCL55.DLL	D3A.tmp
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\xmlrw.dll	D3A.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\msmgdsrv.dll	D3A.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\AUTHZAX.DLL	D3A.tmp
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.dll	D3A.tmp

Drops file in Windows directory 64 IoCs

Processes:

D3A.tmp

description	ioc	process
File created	C:\Windows\winsxs\wow64_microsoft-windows-shsvcs_31bf3856ad364e35_6.1.7601.17514_none_35ab0ceb67ede31e\shsvcs.dll	D3A.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-htmlhelp-infotech_31bf3856ad364e35_6.1.7601.17514_none_f8ab56ff71fc562a\itss.dll	D3A.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_11.2.9600.16428_none_cddc21e3e934f0b3\sqmapi.dll	D3A.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-m..-mdac-rds-shape-dll_31bf3856ad364e35_6.1.7600.16385_none_cfe5c5221e722874\msadds.dll	D3A.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-msmq-admin_31bf3856ad364e35_6.1.7601.17514_none_b9556b899bae7dc1\mqsnap.dll	D3A.tmp
File created	C:\Windows\winsxs\Backup\wow64_microsoft-windows-setupapi_31bf3856ad364e35_6.1.7601.17514_none_9d700972113e2691_setupapi.dll_8d9de2e7	D3A.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-rpc-remote_31bf3856ad364e35_6.1.7601.17514_none_c2a09d30916321d9\RpcRtRemote.dll	D3A.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-s..entication-usermode_31bf3856ad364e35_6.1.7600.16385_none_39f81956d5a8018f\authz.dll	D3A.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-d..-mmc-usersandgroups_31bf3856ad364e35_6.1.7601.17514_none_05e47e97e02a316a\localsec.dll	D3A.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-g..policy-admin-gpedit_31bf3856ad364e35_6.1.7600.16385_none_ce0882b8c63afdf6\gpedit.dll	D3A.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-ie-setup_31bf3856ad364e35_11.2.9600.16428_none_1f77d330a4790dae\inseng.dll	D3A.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-m..ents-mdac-ado15-dll_31bf3856ad364e35_6.1.7601.17514_none_0e384c71cee8c9e1\msado15.dll	D3A.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-mail-core-dll_31bf3856ad364e35_6.1.7601.17514_none_5a862b71838c3bb7\msoe.dll	D3A.tmp
File created	C:\Windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll	D3A.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-efs-core-library_31bf3856ad364e35_6.1.7601.17514_none_58a94d70f5cca7eb\efscore.dll	D3A.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-ie-impexp-extexport_31bf3856ad364e35_11.2.9600.16428_none_b436382b203656be\ExtExport.exe	D3A.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_8.0.7601.17514_none_64655b7c61c841cb\iertutil.dll	D3A.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-mpg4decd_31bf3856ad364e35_6.1.7600.16385_none_607be46cc35d6611\MPG4DECD.DLL	D3A.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-sort_31bf3856ad364e35_6.1.7600.16385_none_ab9479767ad67fd7\sort.exe	D3A.tmp
File created	C:\Windows\winsxs\x86_netfx-mscorsvw_exe_b03f5f7f11d50a3a_6.1.7600.16385_none_f47d7472a4c4e67e\mscorsvw.exe	D3A.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-mp3dmod_31bf3856ad364e35_6.1.7600.16385_none_ecf1800a3afff679\MP3DMOD.DLL	D3A.tmp
File created	C:\Windows\winsxs\x86_netfx-clrgc_b03f5f7f11d50a3a_6.1.7601.17514_none_f5276fe6b5adf276\clrgc.exe	D3A.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-m..tion-isolationlayer_31bf3856ad364e35_6.1.7601.17514_none_5ff76bfa669f084b\migisol.dll	D3A.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-newdev_31bf3856ad364e35_6.1.7600.16385_none_114ca177b1fcad24\ndadmin.exe	D3A.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-rasclienttools_31bf3856ad364e35_6.1.7600.16385_none_6f1d25ec0a04d811\rasphone.exe	D3A.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-wlan-extension_31bf3856ad364e35_6.1.7600.16385_none_f9b9855184ad1e6d\wlanext.exe	D3A.tmp
File created	C:\Windows\winsxs\x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.4148_none_51ca66a2bbe76806\ATL90.dll	D3A.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_11.2.9600.16428_none_88216b07fe83d256\wininet.dll	D3A.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-m..nents-mdac-ado15-rh_31bf3856ad364e35_6.1.7600.16385_none_33ac69f3afeb0325\msadrh15.dll	D3A.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-wlanconnectionflow_31bf3856ad364e35_6.1.7600.16385_none_8a0b2bb6c9253b6f\WLanConn.dll	D3A.tmp
File created	C:\Windows\winsxs\x86_netfx-corperfmonext_dll_b03f5f7f11d50a3a_6.1.7601.17514_none_8743ee547f97667a\CORPerfMonExt.dll	D3A.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-d..japanese-propertyui_31bf3856ad364e35_6.1.7600.16385_none_929776facb7f4f74\imjputyc.dll	D3A.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-e..ortingcompatibility_31bf3856ad364e35_6.1.7600.16385_none_fe75fb7856d846d5\DWWIN.EXE	D3A.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-indeo5-codecs_31bf3856ad364e35_6.1.7600.16385_none_24d6d974d24f7d95\ivfsrc.ax	D3A.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-m..-driver-thunking-32_31bf3856ad364e35_6.1.7600.16385_none_24253253bade2400\odbc32gt.dll	D3A.tmp
File created	C:\Windows\winsxs\x86_netfx-fw_netfxperf_dll_31bf3856ad364e35_6.2.7601.17514_none_5ec9dfb2784680fc\netfxperf.dll	D3A.tmp
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-s..entication-usermode_31bf3856ad364e35_6.1.7600.16385_none_39f81956d5a8018f_authz.dll_c0d80602	D3A.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-wlangpui_31bf3856ad364e35_6.1.7601.17514_none_a8f77ffc5592a42d\wlangpui.dll	D3A.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-com-complus-setup_31bf3856ad364e35_6.1.7600.16385_none_e97e2f6c50a1c3c0\mtstocom.exe	D3A.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\system_data_dll_x86	D3A.tmp
File created	C:\Windows\winsxs\x86_wpf-presentationhostexe_31bf3856ad364e35_6.2.7601.17514_none_3a2a6a811d2b5065\PresentationHost.exe	D3A.tmp
File created	C:\Windows\winsxs\Backup\wow64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_6.1.7601.17514_none_42ee5aff60183c81_iscsium.dll_edf4260f	D3A.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-e..rformancemonitoring_31bf3856ad364e35_6.1.7600.16385_none_17d2ef5202301871\esentprf.dll	D3A.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_79642285ffd2a388\iisreset.exe	D3A.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-g..policy-admin-appmgr_31bf3856ad364e35_6.1.7601.17514_none_fcc0c5ed143b8eb0\appmgr.dll	D3A.tmp
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-ldap-client_31bf3856ad364e35_6.1.7601.17514_none_f543b182b4adcce6_wldap32.dll_09c99dc1	D3A.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-directshow-asf_31bf3856ad364e35_6.1.7601.17514_none_83382f97498abe19\qasf.dll	D3A.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-migration_31bf3856ad364e35_6.1.7601.17514_none_e02729035a3379c1\MediaPlayer-DLMigPlugin.dll	D3A.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-mssign32-dll_31bf3856ad364e35_6.1.7600.16385_none_ca0a23a23bc12926\mssign32.dll	D3A.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-t..framework-migration_31bf3856ad364e35_6.1.7600.16385_none_f0c791fc196de3b5\msctfmig.dll	D3A.tmp
File created	C:\Windows\winsxs\x86_netfx35linq-vb_compiler_orcas_31bf3856ad364e35_6.1.7601.17514_none_9809be824da2c173\vbc.exe	D3A.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-uiribbon_31bf3856ad364e35_6.1.7601.17514_none_db578bdb5e3559c6\UIRibbon.dll	D3A.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-help-oemhelpins_31bf3856ad364e35_6.1.7600.16385_none_02251b880c000edf\OEMHelpIns.dll	D3A.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-ie-feedsbs_31bf3856ad364e35_8.0.7601.17514_none_190fa02cb006154d\msfeedssync.exe	D3A.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-ie-jsprofilercore_31bf3856ad364e35_8.0.7600.16385_none_253839ca09b4c8e4\JSProfilerCore.dll	D3A.tmp
File created	C:\Windows\winsxs\x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.6161_none_51cd0a7abbe4e19b\ATL90.dll	D3A.tmp
File created	C:\Windows\winsxs\Backup\wow64_microsoft-windows-htmlhelp_31bf3856ad364e35_6.1.7600.16385_none_2e9f92abd2ce43b6_hhsetup.dll_37c1de59	D3A.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-fax-common_31bf3856ad364e35_6.1.7600.16385_none_724e4ae29eb2503d\FXSCOMEX.dll	D3A.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-remoteassistance-exe_31bf3856ad364e35_6.1.7600.16385_none_9da1b3254ff796e9\sdchange.exe	D3A.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.1.7601.17514_none_04801f69e1dbd8e6\NlbMigPlugin.dll	D3A.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.1.7601.17514_none_04801f69e1dbd8e6\nlscoremig.dll	D3A.tmp
File created	C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	D3A.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_8.0.7601.17514_none_1beb53526fc80c8d\iexplore.exe	D3A.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll	D3A.tmp

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

35ac0aa3a9c41197a8702c0342feb320_NeikiAnalytics.exe

description	pid	process	target process
PID 1844 wrote to memory of 1628	1844	35ac0aa3a9c41197a8702c0342feb320_NeikiAnalytics.exe	D3A.tmp
PID 1844 wrote to memory of 1628	1844	35ac0aa3a9c41197a8702c0342feb320_NeikiAnalytics.exe	D3A.tmp
PID 1844 wrote to memory of 1628	1844	35ac0aa3a9c41197a8702c0342feb320_NeikiAnalytics.exe	D3A.tmp
PID 1844 wrote to memory of 1628	1844	35ac0aa3a9c41197a8702c0342feb320_NeikiAnalytics.exe	D3A.tmp

C:\Users\Admin\AppData\Local\Temp\35ac0aa3a9c41197a8702c0342feb320_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\35ac0aa3a9c41197a8702c0342feb320_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1844

C:\Users\Admin\AppData\Local\Temp\D3A.tmp
C:\Users\Admin\AppData\Local\Temp\D3A.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1628

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\D3A.tmp
Filesize
145KB

MD5
c610e7ccd6859872c585b2a85d7dc992

SHA1
362b3d4b72e3add687c209c79b500b7c6a246d46

SHA256
14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041

SHA512
8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666

Download Submit
memory/1844-0-0x0000000000480000-0x00000000004B6000-memory.dmp

Filesize
216KB

Download
memory/1844-1-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1844-131-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads