Analysis
-
max time kernel
121s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
22-05-2024 20:54
Static task
static1
Behavioral task
behavioral1
Sample
391e059619df1772ffe560f8e23dbbe0_NeikiAnalytics.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
391e059619df1772ffe560f8e23dbbe0_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
391e059619df1772ffe560f8e23dbbe0_NeikiAnalytics.exe
-
Size
1.2MB
-
MD5
391e059619df1772ffe560f8e23dbbe0
-
SHA1
7b1df6152dfce7747d3603efe717991539ec0a62
-
SHA256
0d3ad3b5bbc07307c098fc9a651a0848714dad8f317c9d2ff5092295b3006fc8
-
SHA512
ce09e590308b484c086ae62f7af743fe4427fa856f81ed6a65c7c652c67c7feb8d80eb5ee8952029e2d278c68d58f5ef1c7c6538113ec58f83b822a20547d46e
-
SSDEEP
24576:fXTff2BiQOY3lvbELqO7mi7JmEuibeX57XIU9wwXfNdm:fXzfSIk1+7JmEuib87p9wGdm
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2980 dotnetchk.exe -
Loads dropped DLL 12 IoCs
pid Process 2924 391e059619df1772ffe560f8e23dbbe0_NeikiAnalytics.exe 2924 391e059619df1772ffe560f8e23dbbe0_NeikiAnalytics.exe 2924 391e059619df1772ffe560f8e23dbbe0_NeikiAnalytics.exe 2924 391e059619df1772ffe560f8e23dbbe0_NeikiAnalytics.exe 2600 MsiExec.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe 2504 rundll32.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\T: msiexec.exe -
Drops file in Program Files directory 9 IoCs
description ioc Process File created C:\Program Files (x86)\ScreenConnect Client (11b72ccd7699205c)\Elsinore.ScreenConnect.Client.dll msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (11b72ccd7699205c)\Client.Override.en-US.resources msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (11b72ccd7699205c)\Client.resources msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (11b72ccd7699205c)\Elsinore.ScreenConnect.Core.dll msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (11b72ccd7699205c)\Elsinore.ScreenConnect.Windows.dll msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (11b72ccd7699205c)\Elsinore.ScreenConnect.WindowsClient.exe msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (11b72ccd7699205c)\Elsinore.ScreenConnect.WindowsClient.exe.config msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (11b72ccd7699205c)\Client.Override.resources msiexec.exe File created C:\Program Files (x86)\ScreenConnect Client (11b72ccd7699205c)\Client.en-US.resources msiexec.exe -
Drops file in Windows directory 12 IoCs
description ioc Process File opened for modification C:\Windows\Installer\MSI39A6.tmp msiexec.exe File opened for modification C:\Windows\Installer\{EEC1A90F-1F5A-4BE3-95F7-23C283B2C9A1}\DefaultIcon msiexec.exe File opened for modification C:\Windows\Installer\f7638fc.ipi msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\Installer\f7638fb.msi msiexec.exe File created C:\Windows\Installer\f7638fc.ipi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File created C:\Windows\Installer\f7638fb.msi msiexec.exe File created C:\Windows\Installer\f7638fe.msi msiexec.exe File created C:\Windows\Installer\{EEC1A90F-1F5A-4BE3-95F7-23C283B2C9A1}\DefaultIcon msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 46 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D msiexec.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E msiexec.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E msiexec.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe -
Modifies registry class 32 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-11b72ccd7699205c\UseOriginalUrlEncoding = "1" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\sc-11b72ccd7699205c\shell\open\command msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-11b72ccd7699205c\shell\open\command\ = "\"C:\\Program Files (x86)\\ScreenConnect Client (11b72ccd7699205c)\\Elsinore.ScreenConnect.WindowsClient.exe\" \"%1\"" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\ProductName = "ScreenConnect Client (11b72ccd7699205c)" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\ProductIcon = "C:\\Windows\\Installer\\{EEC1A90F-1F5A-4BE3-95F7-23C283B2C9A1}\\DefaultIcon" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\SourceList\Media msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\sc-11b72ccd7699205c msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\InstanceType = "0" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\DeploymentFlags = "3" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\SourceList\Media\1 = ";" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-11b72ccd7699205c msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\SourceList\PackageName = "setup.msi" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F09A1CEEA5F13EB4597F322C382B9C1A msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\CE991F5021DE2131117BC2DC679902C5\F09A1CEEA5F13EB4597F322C382B9C1A msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\Clients = 3a0000000000 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-11b72ccd7699205c\shell msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\Version = "83893989" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\Assignment = "1" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\AdvertiseFlags = "388" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\AuthorizedLUAApp = "0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\SourceList msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\SourceList\Net msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sc-11b72ccd7699205c\URL Protocol msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\PackageCode = "6ED0B7625338863439950C50538479B2" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F09A1CEEA5F13EB4597F322C382B9C1A\Full msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-11b72ccd7699205c\shell\open\command msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\Language = "1033" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\CE991F5021DE2131117BC2DC679902C5 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sc-11b72ccd7699205c\shell\open msiexec.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2672 msiexec.exe 2672 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 1736 msiexec.exe Token: SeIncreaseQuotaPrivilege 1736 msiexec.exe Token: SeRestorePrivilege 2672 msiexec.exe Token: SeTakeOwnershipPrivilege 2672 msiexec.exe Token: SeSecurityPrivilege 2672 msiexec.exe Token: SeCreateTokenPrivilege 1736 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1736 msiexec.exe Token: SeLockMemoryPrivilege 1736 msiexec.exe Token: SeIncreaseQuotaPrivilege 1736 msiexec.exe Token: SeMachineAccountPrivilege 1736 msiexec.exe Token: SeTcbPrivilege 1736 msiexec.exe Token: SeSecurityPrivilege 1736 msiexec.exe Token: SeTakeOwnershipPrivilege 1736 msiexec.exe Token: SeLoadDriverPrivilege 1736 msiexec.exe Token: SeSystemProfilePrivilege 1736 msiexec.exe Token: SeSystemtimePrivilege 1736 msiexec.exe Token: SeProfSingleProcessPrivilege 1736 msiexec.exe Token: SeIncBasePriorityPrivilege 1736 msiexec.exe Token: SeCreatePagefilePrivilege 1736 msiexec.exe Token: SeCreatePermanentPrivilege 1736 msiexec.exe Token: SeBackupPrivilege 1736 msiexec.exe Token: SeRestorePrivilege 1736 msiexec.exe Token: SeShutdownPrivilege 1736 msiexec.exe Token: SeDebugPrivilege 1736 msiexec.exe Token: SeAuditPrivilege 1736 msiexec.exe Token: SeSystemEnvironmentPrivilege 1736 msiexec.exe Token: SeChangeNotifyPrivilege 1736 msiexec.exe Token: SeRemoteShutdownPrivilege 1736 msiexec.exe Token: SeUndockPrivilege 1736 msiexec.exe Token: SeSyncAgentPrivilege 1736 msiexec.exe Token: SeEnableDelegationPrivilege 1736 msiexec.exe Token: SeManageVolumePrivilege 1736 msiexec.exe Token: SeImpersonatePrivilege 1736 msiexec.exe Token: SeCreateGlobalPrivilege 1736 msiexec.exe Token: SeCreateTokenPrivilege 1736 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1736 msiexec.exe Token: SeLockMemoryPrivilege 1736 msiexec.exe Token: SeIncreaseQuotaPrivilege 1736 msiexec.exe Token: SeMachineAccountPrivilege 1736 msiexec.exe Token: SeTcbPrivilege 1736 msiexec.exe Token: SeSecurityPrivilege 1736 msiexec.exe Token: SeTakeOwnershipPrivilege 1736 msiexec.exe Token: SeLoadDriverPrivilege 1736 msiexec.exe Token: SeSystemProfilePrivilege 1736 msiexec.exe Token: SeSystemtimePrivilege 1736 msiexec.exe Token: SeProfSingleProcessPrivilege 1736 msiexec.exe Token: SeIncBasePriorityPrivilege 1736 msiexec.exe Token: SeCreatePagefilePrivilege 1736 msiexec.exe Token: SeCreatePermanentPrivilege 1736 msiexec.exe Token: SeBackupPrivilege 1736 msiexec.exe Token: SeRestorePrivilege 1736 msiexec.exe Token: SeShutdownPrivilege 1736 msiexec.exe Token: SeDebugPrivilege 1736 msiexec.exe Token: SeAuditPrivilege 1736 msiexec.exe Token: SeSystemEnvironmentPrivilege 1736 msiexec.exe Token: SeChangeNotifyPrivilege 1736 msiexec.exe Token: SeRemoteShutdownPrivilege 1736 msiexec.exe Token: SeUndockPrivilege 1736 msiexec.exe Token: SeSyncAgentPrivilege 1736 msiexec.exe Token: SeEnableDelegationPrivilege 1736 msiexec.exe Token: SeManageVolumePrivilege 1736 msiexec.exe Token: SeImpersonatePrivilege 1736 msiexec.exe Token: SeCreateGlobalPrivilege 1736 msiexec.exe Token: SeCreateTokenPrivilege 1736 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1736 msiexec.exe 1736 msiexec.exe -
Suspicious use of WriteProcessMemory 25 IoCs
description pid Process procid_target PID 2924 wrote to memory of 2980 2924 391e059619df1772ffe560f8e23dbbe0_NeikiAnalytics.exe 28 PID 2924 wrote to memory of 2980 2924 391e059619df1772ffe560f8e23dbbe0_NeikiAnalytics.exe 28 PID 2924 wrote to memory of 2980 2924 391e059619df1772ffe560f8e23dbbe0_NeikiAnalytics.exe 28 PID 2924 wrote to memory of 2980 2924 391e059619df1772ffe560f8e23dbbe0_NeikiAnalytics.exe 28 PID 2924 wrote to memory of 1736 2924 391e059619df1772ffe560f8e23dbbe0_NeikiAnalytics.exe 29 PID 2924 wrote to memory of 1736 2924 391e059619df1772ffe560f8e23dbbe0_NeikiAnalytics.exe 29 PID 2924 wrote to memory of 1736 2924 391e059619df1772ffe560f8e23dbbe0_NeikiAnalytics.exe 29 PID 2924 wrote to memory of 1736 2924 391e059619df1772ffe560f8e23dbbe0_NeikiAnalytics.exe 29 PID 2924 wrote to memory of 1736 2924 391e059619df1772ffe560f8e23dbbe0_NeikiAnalytics.exe 29 PID 2924 wrote to memory of 1736 2924 391e059619df1772ffe560f8e23dbbe0_NeikiAnalytics.exe 29 PID 2924 wrote to memory of 1736 2924 391e059619df1772ffe560f8e23dbbe0_NeikiAnalytics.exe 29 PID 2672 wrote to memory of 2600 2672 msiexec.exe 31 PID 2672 wrote to memory of 2600 2672 msiexec.exe 31 PID 2672 wrote to memory of 2600 2672 msiexec.exe 31 PID 2672 wrote to memory of 2600 2672 msiexec.exe 31 PID 2672 wrote to memory of 2600 2672 msiexec.exe 31 PID 2672 wrote to memory of 2600 2672 msiexec.exe 31 PID 2672 wrote to memory of 2600 2672 msiexec.exe 31 PID 2600 wrote to memory of 2504 2600 MsiExec.exe 32 PID 2600 wrote to memory of 2504 2600 MsiExec.exe 32 PID 2600 wrote to memory of 2504 2600 MsiExec.exe 32 PID 2600 wrote to memory of 2504 2600 MsiExec.exe 32 PID 2600 wrote to memory of 2504 2600 MsiExec.exe 32 PID 2600 wrote to memory of 2504 2600 MsiExec.exe 32 PID 2600 wrote to memory of 2504 2600 MsiExec.exe 32 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\391e059619df1772ffe560f8e23dbbe0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\391e059619df1772ffe560f8e23dbbe0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Users\Admin\AppData\Local\Temp\VSD19C8.tmp\DotNetFXCustom\dotnetchk.exe"C:\Users\Admin\AppData\Local\Temp\VSD19C8.tmp\DotNetFXCustom\dotnetchk.exe"2⤵
- Executes dropped EXE
PID:2980
-
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\setup.msi"2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1736
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 89AA17C0DFCEA79F52E7007646A1DD03 C2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI1C47.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259398868 1 Elsinore.ScreenConnect.InstallerActions!Elsinore.ScreenConnect.ClientInstallerActions.FixupServiceArguments3⤵
- Loads dropped DLL
PID:2504
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:2128
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000584" "00000000000003E8"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2808
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD5d950502c7474bc3ca1ba5ca527d0c58a
SHA1087d6acb5f604a34ea57770cadeca758caf48f98
SHA25654189230b06bbf1b891c6557e909d7c205b68a809fda3fbe93c6e4a66dcc2531
SHA5123b49c7fffa16b488ba0c053649fd3e0d9948f2652dfa54c12ca1d4e4e64e9011be93af7e790e37714e59a1b8b8f3d4596498f6abdb8c26048ec733fdf172d190
-
Filesize
279KB
MD56d5f46d5ae78e61ea290b6c300def625
SHA13ae79c014bc2066a9f7966d6764825c2dab24b51
SHA256a4c316a8d25936de049356c0a36f9d04feed977eca19a13b9908dc1e697aa0f8
SHA512efc8a0dfbf590c23463b82c8ffc7b295d77bccd16750e3db7ef5b2c8c8acd6ea45839abd131672b3f75198dd68e539ee30bdea1bdc54d5296f27f89acdda374f
-
Filesize
766KB
MD5a6f2eb667909f70a151b597de548dc57
SHA1a3a55305966ec586249cf2dfcf1ae0bed98f6b61
SHA256e3a980b0f0639008d8a5a060caa3b619f3408e9dd7a3182c788b21e3cfc02d3f
SHA512f8bb35175460e398797ac9b05089fe8130d028bb1fc65a1201b63b8cd0105a2a0ed2c991f7381f7ff1ee060106e89697db54fedb4dcac648df95a3302cafb6d3
-
Filesize
194KB
MD527eb6b7a79a41c8eb611e3d492f09acb
SHA1ac0234cc29183a58e36ea4271074fbe3eb935744
SHA256327dcc7c94c4df1822700982c40318ead01ac48fa07170221d468bf78c5189b0
SHA51235aa8861a6fd66a74a408f558b78a5b52e7b4a963c44a945260f63f4c5aece0b0446dea890cf1c01ca10600da3d4c36c224700130ecb64b5d0298396e051902a
-
Filesize
19KB
MD5fcb234ac467125d61196946526883161
SHA1b5e919ae7fdd23a40360f3d2895fd95fd7d6047d
SHA256ce1c13343377bc52ba06f20a9b8eb5d8334aa96a25db9c3dc33d8b928bfe2397
SHA512e9524c35126fe8abd3b65ddca415bc2453aa2362761e082e6df819b4efb4dbae4ec61c822a94fd401867cabca6f4ace9c1c07c3c0137ece808d65ca51dc505ef
-
Filesize
176KB
MD51e5a0962f20e91ca18bc150266e6f49e
SHA1e71caab3b88b2913178ca2ae549a00455679cd4e
SHA256fa74ae4d5e62a1cc7cfeaa55d84fe9bddab06651b6744fb4469074e79317da99
SHA51209021a2183536d07d915e413bd70fbd47f6afcf9fa9b8deb886f473c7b3dc3ee3e042c126f644be70f42f491692fab0a25b49ef88099caf272eec75c5bd2fc1f
-
Filesize
85KB
MD54992d98e6772a5fd7256c4c7fe978a11
SHA16cf70905908b59553e1b92e057c3e7c13bd7b6a4
SHA2565494efb1859e625eff5c2b51a66058fd7ffe1aa619594f62900a0bef392012d0
SHA5128afdda6a49a4c61c62e329f3d15dc31c98327fd720e654972b14f98112b79d293648cad0dd08b3d12e48e020dd21fe40f9fc0a6c78014e1434a1703f40f6f4d8