0d3ad3b5bbc07307c098fc9a651a0848714dad8f317c9d2ff5092295b3006fc8

Analysis

max time kernel
137s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 20:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

391e059619df1772ffe560f8e23dbbe0_NeikiAnalytics.exe
Size

1.2MB
MD5

391e059619df1772ffe560f8e23dbbe0
SHA1

7b1df6152dfce7747d3603efe717991539ec0a62
SHA256

0d3ad3b5bbc07307c098fc9a651a0848714dad8f317c9d2ff5092295b3006fc8
SHA512

ce09e590308b484c086ae62f7af743fe4427fa856f81ed6a65c7c652c67c7feb8d80eb5ee8952029e2d278c68d58f5ef1c7c6538113ec58f83b822a20547d46e
SSDEEP

24576:fXTff2BiQOY3lvbELqO7mi7JmEuibeX57XIU9wwXfNdm:fXzfSIk1+7JmEuib87p9wGdm

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

391e059619df1772ffe560f8e23dbbe0_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	391e059619df1772ffe560f8e23dbbe0_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

Processes:

dotnetchk.exe

pid process

5100 dotnetchk.exe
Loads dropped DLL 8 IoCs

Processes:

MsiExec.exerundll32.exe

pid process

3564 MsiExec.exe
4320 rundll32.exe
4320 rundll32.exe
4320 rundll32.exe
4320 rundll32.exe
4320 rundll32.exe
4320 rundll32.exe
4320 rundll32.exe

pid	process
5100	dotnetchk.exe

pid	process
3564	MsiExec.exe
4320	rundll32.exe
4320	rundll32.exe
4320	rundll32.exe
4320	rundll32.exe
4320	rundll32.exe
4320	rundll32.exe
4320	rundll32.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe

Drops file in Program Files directory 9 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files (x86)\ScreenConnect Client (11b72ccd7699205c)\Client.resources	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (11b72ccd7699205c)\Elsinore.ScreenConnect.Windows.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (11b72ccd7699205c)\Client.Override.en-US.resources	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (11b72ccd7699205c)\Client.en-US.resources	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (11b72ccd7699205c)\Elsinore.ScreenConnect.WindowsClient.exe.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (11b72ccd7699205c)\Client.Override.resources	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (11b72ccd7699205c)\Elsinore.ScreenConnect.Client.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (11b72ccd7699205c)\Elsinore.ScreenConnect.Core.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (11b72ccd7699205c)\Elsinore.ScreenConnect.WindowsClient.exe	msiexec.exe

Drops file in Windows directory 10 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA8E2.tmp	msiexec.exe
File created	C:\Windows\Installer\e57a858.msi	msiexec.exe
File created	C:\Windows\Installer\{EEC1A90F-1F5A-4BE3-95F7-23C283B2C9A1}\DefaultIcon	msiexec.exe
File created	C:\Windows\Installer\e57a856.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{EEC1A90F-1F5A-4BE3-95F7-23C283B2C9A1}	msiexec.exe
File opened for modification	C:\Windows\Installer\{EEC1A90F-1F5A-4BE3-95F7-23C283B2C9A1}\DefaultIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\e57a856.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000019be7eb961b76eb40000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000019be7eb90000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090019be7eb9000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d19be7eb9000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000019be7eb900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E	msiexec.exe

Modifies registry class 32 IoCs

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\sc-11b72ccd7699205c\shell\open\command	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\ProductName = "ScreenConnect Client (11b72ccd7699205c)"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\SourceList\PackageName = "setup.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-11b72ccd7699205c\shell\open	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-11b72ccd7699205c\UseOriginalUrlEncoding = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F09A1CEEA5F13EB4597F322C382B9C1A\Full	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\Version = "83893989"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sc-11b72ccd7699205c	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-11b72ccd7699205c\URL Protocol	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-11b72ccd7699205c	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F09A1CEEA5F13EB4597F322C382B9C1A	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\ProductIcon = "C:\\Windows\\Installer\\{EEC1A90F-1F5A-4BE3-95F7-23C283B2C9A1}\\DefaultIcon"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-11b72ccd7699205c\shell	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\PackageCode = "6ED0B7625338863439950C50538479B2"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\CE991F5021DE2131117BC2DC679902C5\F09A1CEEA5F13EB4597F322C382B9C1A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-11b72ccd7699205c\shell\open\command\ = "\"C:\\Program Files (x86)\\ScreenConnect Client (11b72ccd7699205c)\\Elsinore.ScreenConnect.WindowsClient.exe\" \"%1\""	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\CE991F5021DE2131117BC2DC679902C5	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-11b72ccd7699205c\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F09A1CEEA5F13EB4597F322C382B9C1A\SourceList\Media\1 = ";"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

5036 msiexec.exe
5036 msiexec.exe

pid	process
5036	msiexec.exe
5036	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2976	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2976	msiexec.exe
Token: SeSecurityPrivilege	5036	msiexec.exe
Token: SeCreateTokenPrivilege	2976	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2976	msiexec.exe
Token: SeLockMemoryPrivilege	2976	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2976	msiexec.exe
Token: SeMachineAccountPrivilege	2976	msiexec.exe
Token: SeTcbPrivilege	2976	msiexec.exe
Token: SeSecurityPrivilege	2976	msiexec.exe
Token: SeTakeOwnershipPrivilege	2976	msiexec.exe
Token: SeLoadDriverPrivilege	2976	msiexec.exe
Token: SeSystemProfilePrivilege	2976	msiexec.exe
Token: SeSystemtimePrivilege	2976	msiexec.exe
Token: SeProfSingleProcessPrivilege	2976	msiexec.exe
Token: SeIncBasePriorityPrivilege	2976	msiexec.exe
Token: SeCreatePagefilePrivilege	2976	msiexec.exe
Token: SeCreatePermanentPrivilege	2976	msiexec.exe
Token: SeBackupPrivilege	2976	msiexec.exe
Token: SeRestorePrivilege	2976	msiexec.exe
Token: SeShutdownPrivilege	2976	msiexec.exe
Token: SeDebugPrivilege	2976	msiexec.exe
Token: SeAuditPrivilege	2976	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2976	msiexec.exe
Token: SeChangeNotifyPrivilege	2976	msiexec.exe
Token: SeRemoteShutdownPrivilege	2976	msiexec.exe
Token: SeUndockPrivilege	2976	msiexec.exe
Token: SeSyncAgentPrivilege	2976	msiexec.exe
Token: SeEnableDelegationPrivilege	2976	msiexec.exe
Token: SeManageVolumePrivilege	2976	msiexec.exe
Token: SeImpersonatePrivilege	2976	msiexec.exe
Token: SeCreateGlobalPrivilege	2976	msiexec.exe
Token: SeCreateTokenPrivilege	2976	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2976	msiexec.exe
Token: SeLockMemoryPrivilege	2976	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2976	msiexec.exe
Token: SeMachineAccountPrivilege	2976	msiexec.exe
Token: SeTcbPrivilege	2976	msiexec.exe
Token: SeSecurityPrivilege	2976	msiexec.exe
Token: SeTakeOwnershipPrivilege	2976	msiexec.exe
Token: SeLoadDriverPrivilege	2976	msiexec.exe
Token: SeSystemProfilePrivilege	2976	msiexec.exe
Token: SeSystemtimePrivilege	2976	msiexec.exe
Token: SeProfSingleProcessPrivilege	2976	msiexec.exe
Token: SeIncBasePriorityPrivilege	2976	msiexec.exe
Token: SeCreatePagefilePrivilege	2976	msiexec.exe
Token: SeCreatePermanentPrivilege	2976	msiexec.exe
Token: SeBackupPrivilege	2976	msiexec.exe
Token: SeRestorePrivilege	2976	msiexec.exe
Token: SeShutdownPrivilege	2976	msiexec.exe
Token: SeDebugPrivilege	2976	msiexec.exe
Token: SeAuditPrivilege	2976	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2976	msiexec.exe
Token: SeChangeNotifyPrivilege	2976	msiexec.exe
Token: SeRemoteShutdownPrivilege	2976	msiexec.exe
Token: SeUndockPrivilege	2976	msiexec.exe
Token: SeSyncAgentPrivilege	2976	msiexec.exe
Token: SeEnableDelegationPrivilege	2976	msiexec.exe
Token: SeManageVolumePrivilege	2976	msiexec.exe
Token: SeImpersonatePrivilege	2976	msiexec.exe
Token: SeCreateGlobalPrivilege	2976	msiexec.exe
Token: SeCreateTokenPrivilege	2976	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2976	msiexec.exe
Token: SeLockMemoryPrivilege	2976	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

2976 msiexec.exe
2976 msiexec.exe

pid	process
2976	msiexec.exe
2976	msiexec.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

391e059619df1772ffe560f8e23dbbe0_NeikiAnalytics.exemsiexec.exeMsiExec.exe

description	pid	process	target process
PID 2736 wrote to memory of 5100	2736	391e059619df1772ffe560f8e23dbbe0_NeikiAnalytics.exe	dotnetchk.exe
PID 2736 wrote to memory of 5100	2736	391e059619df1772ffe560f8e23dbbe0_NeikiAnalytics.exe	dotnetchk.exe
PID 2736 wrote to memory of 5100	2736	391e059619df1772ffe560f8e23dbbe0_NeikiAnalytics.exe	dotnetchk.exe
PID 2736 wrote to memory of 2976	2736	391e059619df1772ffe560f8e23dbbe0_NeikiAnalytics.exe	msiexec.exe
PID 2736 wrote to memory of 2976	2736	391e059619df1772ffe560f8e23dbbe0_NeikiAnalytics.exe	msiexec.exe
PID 2736 wrote to memory of 2976	2736	391e059619df1772ffe560f8e23dbbe0_NeikiAnalytics.exe	msiexec.exe
PID 5036 wrote to memory of 3564	5036	msiexec.exe	MsiExec.exe
PID 5036 wrote to memory of 3564	5036	msiexec.exe	MsiExec.exe
PID 5036 wrote to memory of 3564	5036	msiexec.exe	MsiExec.exe
PID 3564 wrote to memory of 4320	3564	MsiExec.exe	rundll32.exe
PID 3564 wrote to memory of 4320	3564	MsiExec.exe	rundll32.exe
PID 3564 wrote to memory of 4320	3564	MsiExec.exe	rundll32.exe
PID 5036 wrote to memory of 2540	5036	msiexec.exe	srtasks.exe
PID 5036 wrote to memory of 2540	5036	msiexec.exe	srtasks.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\391e059619df1772ffe560f8e23dbbe0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\391e059619df1772ffe560f8e23dbbe0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Users\Admin\AppData\Local\Temp\VSD7918.tmp\DotNetFXCustom\dotnetchk.exe
  "C:\Users\Admin\AppData\Local\Temp\VSD7918.tmp\DotNetFXCustom\dotnetchk.exe"
  2⤵
  - Executes dropped EXE
  PID:5100
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\setup.msi"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2976

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E1E4227506E7DCFA70FCC4D31E7C04CD C
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3564
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI7DFA.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240615000 1 Elsinore.ScreenConnect.InstallerActions!Elsinore.ScreenConnect.ClientInstallerActions.FixupServiceArguments
    3⤵
    - Loads dropped DLL
    PID:4320
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2540

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:3728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57a857.rbs

Filesize
8KB

MD5
9bd52959d75648b9f81d074aa233f469

SHA1
0cfa0a0cfb9751349ea9f1208106a9d6ed66953f

SHA256
59fc443dea687f70d03c54b37929c1cd651dbc9091f64a4b7a7f690eeb779b9e

SHA512
10682400d85b7a2895fcbc8883cc8dd326b7185977430cf8d1ce70e36ff45f4167ea5b26b71823b212ef41f97a662016d8ebedd09ee69b14a9332679af9edf95

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7DFA.tmp

Filesize
279KB

MD5
6d5f46d5ae78e61ea290b6c300def625

SHA1
3ae79c014bc2066a9f7966d6764825c2dab24b51

SHA256
a4c316a8d25936de049356c0a36f9d04feed977eca19a13b9908dc1e697aa0f8

SHA512
efc8a0dfbf590c23463b82c8ffc7b295d77bccd16750e3db7ef5b2c8c8acd6ea45839abd131672b3f75198dd68e539ee30bdea1bdc54d5296f27f89acdda374f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7DFA.tmp-\Elsinore.ScreenConnect.Core.dll

Filesize
194KB

MD5
27eb6b7a79a41c8eb611e3d492f09acb

SHA1
ac0234cc29183a58e36ea4271074fbe3eb935744

SHA256
327dcc7c94c4df1822700982c40318ead01ac48fa07170221d468bf78c5189b0

SHA512
35aa8861a6fd66a74a408f558b78a5b52e7b4a963c44a945260f63f4c5aece0b0446dea890cf1c01ca10600da3d4c36c224700130ecb64b5d0298396e051902a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7DFA.tmp-\Elsinore.ScreenConnect.InstallerActions.dll

Filesize
19KB

MD5
fcb234ac467125d61196946526883161

SHA1
b5e919ae7fdd23a40360f3d2895fd95fd7d6047d

SHA256
ce1c13343377bc52ba06f20a9b8eb5d8334aa96a25db9c3dc33d8b928bfe2397

SHA512
e9524c35126fe8abd3b65ddca415bc2453aa2362761e082e6df819b4efb4dbae4ec61c822a94fd401867cabca6f4ace9c1c07c3c0137ece808d65ca51dc505ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7DFA.tmp-\Microsoft.Deployment.WindowsInstaller.dll

Filesize
176KB

MD5
1e5a0962f20e91ca18bc150266e6f49e

SHA1
e71caab3b88b2913178ca2ae549a00455679cd4e

SHA256
fa74ae4d5e62a1cc7cfeaa55d84fe9bddab06651b6744fb4469074e79317da99

SHA512
09021a2183536d07d915e413bd70fbd47f6afcf9fa9b8deb886f473c7b3dc3ee3e042c126f644be70f42f491692fab0a25b49ef88099caf272eec75c5bd2fc1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\VSD7918.tmp\DotNetFXCustom\dotnetchk.exe

Filesize
85KB

MD5
4992d98e6772a5fd7256c4c7fe978a11

SHA1
6cf70905908b59553e1b92e057c3e7c13bd7b6a4

SHA256
5494efb1859e625eff5c2b51a66058fd7ffe1aa619594f62900a0bef392012d0

SHA512
8afdda6a49a4c61c62e329f3d15dc31c98327fd720e654972b14f98112b79d293648cad0dd08b3d12e48e020dd21fe40f9fc0a6c78014e1434a1703f40f6f4d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.msi

Filesize
766KB

MD5
a6f2eb667909f70a151b597de548dc57

SHA1
a3a55305966ec586249cf2dfcf1ae0bed98f6b61

SHA256
e3a980b0f0639008d8a5a060caa3b619f3408e9dd7a3182c788b21e3cfc02d3f

SHA512
f8bb35175460e398797ac9b05089fe8130d028bb1fc65a1201b63b8cd0105a2a0ed2c991f7381f7ff1ee060106e89697db54fedb4dcac648df95a3302cafb6d3

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
71deff0dcf52e0029c3873b5a75e8cde

SHA1
9252fcf7dcb0d3bb3ffda8243ebec1477f4ca3d9

SHA256
6edfe8d6099846642ecb47bae766c0d197e43620ae3eb5fe5c24b72c673918ad

SHA512
5dfe3e3a242a5a151f1f9d8b7b0aea2915f52cd9fd218b16a981a95e31eb68884762d773b10b5776c74e0d5b99050472ec8e91187a47455294737f682d733037

Download Submit
\??\Volume{b97ebe19-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{e870da61-7651-4e9f-b4be-f76678a5a52c}_OnDiskSnapshotProp

Filesize
6KB

MD5
0e21c411dfd2fa9bbea8cec43cff078c

SHA1
e20478cafd69ccf617f72413f9da83202aeb2791

SHA256
96f3f826211ce1cae38c36c5dd707abe824062e6597c843de4dfd2ef84f9fd29

SHA512
06daa40879ed2afbef3e9f8d4e271ae21dc1b74aa5b1ddfca8683f075c6f9d8a21b11d459c895cfeccd1f3ba2fd6e4c5ac222ed5381953fa510dc6aec7a796c6

Download Submit
memory/4320-32-0x0000000004B70000-0x0000000004B7C000-memory.dmp

Filesize
48KB

Download
memory/4320-37-0x00000000051B0000-0x0000000005754000-memory.dmp

Filesize
5.6MB

Download
memory/4320-36-0x0000000004BC0000-0x0000000004BF8000-memory.dmp

Filesize
224KB

Download
memory/4320-28-0x0000000004B30000-0x0000000004B60000-memory.dmp

Filesize
192KB

Download