8df6794b6ce878fc8d0ac63c378d2014dcd54a08d58358ffde83fac937ef40f9

General

Target

7a4122e621e12ce07734e64b85d188a0_NeikiAnalytics.exe
Size

332KB
MD5

7a4122e621e12ce07734e64b85d188a0
SHA1

9dd7337b13792b1faa6c6751339927b2c51e85df
SHA256

8df6794b6ce878fc8d0ac63c378d2014dcd54a08d58358ffde83fac937ef40f9
SHA512

186fa4d6b9c9bd21f336d42e0a4c7284571748c532386431083c7ff62275461a415fbef29d87cbf592fd3b510e654499082528349f1792ce0faf83280f3207cc
SSDEEP

6144:yE9yXX91NogTTm7HyHBm3fzQS+RZ5eDOqyq5efV7+3nWkredKpluyEKMaR/HX5:yQyXX91NoBSHBm3LQfRZ5eDxyqQdK3n3

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

1008.tmp

pid process

2840 1008.tmp
Loads dropped DLL 2 IoCs

Processes:

7a4122e621e12ce07734e64b85d188a0_NeikiAnalytics.exe

pid process

3024 7a4122e621e12ce07734e64b85d188a0_NeikiAnalytics.exe
3024 7a4122e621e12ce07734e64b85d188a0_NeikiAnalytics.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2840	1008.tmp

pid	process
3024	7a4122e621e12ce07734e64b85d188a0_NeikiAnalytics.exe
3024	7a4122e621e12ce07734e64b85d188a0_NeikiAnalytics.exe

Drops file in System32 directory 64 IoCs

Processes:

1008.tmp

description	ioc	process
File created	C:\Windows\SysWOW64\mfc40.dll	1008.tmp
File created	C:\Windows\SysWOW64\msjet40.dll	1008.tmp
File created	C:\Windows\SysWOW64\msrd2x40.dll	1008.tmp
File created	C:\Windows\SysWOW64\mswdat10.dll	1008.tmp
File created	C:\Windows\SysWOW64\msjter40.dll	1008.tmp
File created	C:\Windows\SysWOW64\mspbde40.dll	1008.tmp
File created	C:\Windows\SysWOW64\mstext40.dll	1008.tmp
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-MediaPlayer\MediaPlayer-DLMigPlugin.dll	1008.tmp
File created	C:\Windows\SysWOW64\d3d8.dll	1008.tmp
File opened for modification	C:\Windows\SysWOW64\mfc120.dll	1008.tmp
File opened for modification	C:\Windows\SysWOW64\mfc140u.dll	1008.tmp
File opened for modification	C:\Windows\SysWOW64\vcomp140.dll	1008.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\igdlh.inf_amd64_neutral_54a12b57f547d08e\igdumd32.dll	1008.tmp
File created	C:\Windows\SysWOW64\dmscript.dll	1008.tmp
File opened for modification	C:\Windows\SysWOW64\mfc110u.dll	1008.tmp
File created	C:\Windows\SysWOW64\odbcjt32.dll	1008.tmp
File created	C:\Windows\SysWOW64\InstallShield\_isdel.exe	1008.tmp
File opened for modification	C:\Windows\SysWOW64\concrt140.dll	1008.tmp
File created	C:\Windows\SysWOW64\iac25_32.ax	1008.tmp
File created	C:\Windows\SysWOW64\msexcl40.dll	1008.tmp
File opened for modification	C:\Windows\SysWOW64\msvcr100.dll	1008.tmp
File opened for modification	C:\Windows\SysWOW64\VBAME.DLL	1008.tmp
File created	C:\Windows\SysWOW64\d3dim.dll	1008.tmp
File created	C:\Windows\SysWOW64\ivfsrc.ax	1008.tmp
File opened for modification	C:\Windows\SysWOW64\mfc140.dll	1008.tmp
File created	C:\Windows\SysWOW64\msorcl32.dll	1008.tmp
File opened for modification	C:\Windows\SysWOW64\msvcr120_clr0400.dll	1008.tmp
File created	C:\Windows\SysWOW64\olecli32.dll	1008.tmp
File created	C:\Windows\SysWOW64\expsrv.dll	1008.tmp
File created	C:\Windows\SysWOW64\ir50_32.dll	1008.tmp
File opened for modification	C:\Windows\SysWOW64\mfc120u.dll	1008.tmp
File created	C:\Windows\SysWOW64\msexch40.dll	1008.tmp
File created	C:\Windows\SysWOW64\msjtes40.dll	1008.tmp
File created	C:\Windows\SysWOW64\regedit.exe	1008.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\atiilhag.inf_amd64_neutral_0a660e899f5038a2\atiumdag.dll	1008.tmp
File created	C:\Windows\SysWOW64\d3dim700.dll	1008.tmp
File created	C:\Windows\SysWOW64\explorer.exe	1008.tmp
File opened for modification	C:\Windows\SysWOW64\mfc100.dll	1008.tmp
File opened for modification	C:\Windows\SysWOW64\mfc110.dll	1008.tmp
File created	C:\Windows\SysWOW64\mswstr10.dll	1008.tmp
File created	C:\Windows\SysWOW64\sqlwoa.dll	1008.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\atiilhag.inf_amd64_neutral_0a660e899f5038a2\atiumdva.dll	1008.tmp
File opened for modification	C:\Windows\SysWOW64\atl100.dll	1008.tmp
File created	C:\Windows\SysWOW64\audiodev.dll	1008.tmp
File created	C:\Windows\SysWOW64\dplayx.dll	1008.tmp
File created	C:\Windows\SysWOW64\ir32_32.dll	1008.tmp
File created	C:\Windows\SysWOW64\mfc40u.dll	1008.tmp
File created	C:\Windows\SysWOW64\msrd3x40.dll	1008.tmp
File created	C:\Windows\SysWOW64\msvbvm60.dll	1008.tmp
File created	C:\Windows\SysWOW64\msvcrt20.dll	1008.tmp
File created	C:\Windows\SysWOW64\sqlunirl.dll	1008.tmp
File created	C:\Windows\SysWOW64\InstallShield\setup.exe	1008.tmp
File created	C:\Windows\SysWOW64\dpwsockx.dll	1008.tmp
File created	C:\Windows\SysWOW64\FXSXP32.dll	1008.tmp
File created	C:\Windows\SysWOW64\ir41_32.ax	1008.tmp
File opened for modification	C:\Windows\SysWOW64\MSCOMCTL.OCX	1008.tmp
File opened for modification	C:\Windows\SysWOW64\msvcr120.dll	1008.tmp
File created	C:\Windows\SysWOW64\rdvgumd32.dll	1008.tmp
File opened for modification	C:\Windows\SysWOW64\mfc100u.dll	1008.tmp
File opened for modification	C:\Windows\SysWOW64\msvcr110.dll	1008.tmp
File opened for modification	C:\Windows\SysWOW64\vccorlib120.dll	1008.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\nv_lh.inf_amd64_neutral_bc69f20e3115af59\nvwgf2um.dll	1008.tmp
File created	C:\Windows\SysWOW64\msltus40.dll	1008.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\nv_lh.inf_amd64_neutral_bc69f20e3115af59\nvd3dum.dll	1008.tmp

Drops file in Program Files directory 64 IoCs

Processes:

1008.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.dll	1008.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\RECALL.DLL	1008.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\VVIEWDWG.DLL	1008.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OLADD.FAE	1008.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONWordAddin.dll	1008.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\ADMPlugin.apl	1008.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\msmgdsrv.dll	1008.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CDLMSO.DLL	1008.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOCF.DLL	1008.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE	1008.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSYUBIN7.DLL	1008.tmp
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeLinguistic.dll	1008.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEES.DLL	1008.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Portal\PortalConnectCore.dll	1008.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE	1008.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE	1008.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\DESKSAM.SAM	1008.tmp
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll	1008.tmp
File opened for modification	C:\Program Files (x86)\Common Files\DESIGNER\MSADDNDR.DLL	1008.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OSetupPS.dll	1008.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MAPIPH.DLL	1008.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOHEV.DLL	1008.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SCNPST64.DLL	1008.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7EN.DLL	1008.tmp
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeUpdater.dll	1008.tmp
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\atl.dll	1008.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\Real.mpp	1008.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\FPWEC.DLL	1008.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OLKFSTUB.DLL	1008.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\DELIMWIN.FAE	1008.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Accessibility.api	1008.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	1008.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\FPLACE.DLL	1008.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\msolui100.dll	1008.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE	1008.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OLTASK.FAE	1008.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\XPAGE3C.DLL	1008.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OL.SAM	1008.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VC\msdia90.dll	1008.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\vstoee.dll	1008.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MLSHEXT.DLL	1008.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll	1008.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE	1008.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OneNoteSyncPC.dll	1008.tmp
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	1008.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\GIFIMP32.FLT	1008.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GKWord.dll	1008.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\RM.DLL	1008.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\AUTHZAX.DLL	1008.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSPST32.DLL	1008.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEEXCH.DLL	1008.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\RICHED20.DLL	1008.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GKPowerPoint.dll	1008.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OISAPP.DLL	1008.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll	1008.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OUTLVBS.DLL	1008.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OLMAPI32.DLL	1008.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBCONV.DLL	1008.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annots.api	1008.tmp
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll	1008.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSO.DLL	1008.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OSETUP.DLL	1008.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\FPERSON.DLL	1008.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONTAB32.DLL	1008.tmp

Drops file in Windows directory 64 IoCs

Processes:

1008.tmp

description	ioc	process
File created	C:\Windows\winsxs\wow64_microsoft-windows-mediafoundation_31bf3856ad364e35_6.1.7601.17514_none_04d9defd57c1f6bf\mfps.dll	1008.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-w..mediadeliveryengine_31bf3856ad364e35_6.1.7601.17514_none_85ead099a8942341\wmpmde.dll	1008.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-computer-name-ui_31bf3856ad364e35_6.1.7601.17514_none_100e917a4cc5476d\netid.dll	1008.tmp
File created	C:\Windows\winsxs\x86_netfx-peverify_dll_b03f5f7f11d50a3a_6.1.7600.16385_none_711dc6fb06230c92\peverify.dll	1008.tmp
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-sqmapi_31bf3856ad364e35_6.1.7601.17514_none_00451cf8631056b6_sqmapi.dll_3755dd17	1008.tmp
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-wmpdui_31bf3856ad364e35_6.1.7600.16385_none_5ca7e61c63366a5f_wmpdui.dll_ed891d84	1008.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-tasklist_31bf3856ad364e35_6.1.7600.16385_none_28198854bba53a00\tasklist.exe	1008.tmp
File created	C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.wininet.dll.01da64d002202070.000a	1008.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-m..-odbc-administrator_31bf3856ad364e35_6.1.7600.16385_none_44263d819f0aa19e\odbcad32.exe	1008.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-m..ponents-jetxbasepdx_31bf3856ad364e35_6.1.7600.16385_none_91e7a2968218eaf7\mspbde40.dll	1008.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-s..native-whitebox-isv_31bf3856ad364e35_6.1.7601.17514_none_eb5947ea4debcf36\secproc_isv.dll	1008.tmp
File created	C:\Windows\winsxs\x86_wpf-presentationhostproxy_31bf3856ad364e35_6.2.7601.17514_none_f4c14ddc76dc8f97\PresentationHostProxy.dll	1008.tmp
File created	C:\Windows\winsxs\Backup\wow64_microsoft-windows-msxml60_31bf3856ad364e35_6.1.7601.17514_none_f0e8ac03e1d6bb5b_msxml6.dll_ebe15265	1008.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-e..ortingcompatibility_31bf3856ad364e35_6.1.7600.16385_none_fe75fb7856d846d5\DWWIN.EXE	1008.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-smartcardksp_31bf3856ad364e35_6.1.7601.17514_none_b7f7d8e8e19ade8a\basecsp.dll	1008.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-mediaplayer-drm_31bf3856ad364e35_6.1.7601.17514_none_d6a8cb040fcd3a85\blackbox.dll	1008.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-mp4sdecd_31bf3856ad364e35_6.1.7600.16385_none_0ebebeb7ce7cc727\MP4SDECD.DLL	1008.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-c..plus-admin-comadmin_31bf3856ad364e35_6.1.7600.16385_none_313785582054d3f3\comadmin.dll	1008.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-directx-d3d10level9_31bf3856ad364e35_7.1.7601.16492_none_d67de7d188fdee8d\d3d10level9.dll	1008.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.1.7601.17514_none_04801f69e1dbd8e6\IasMigPlugin.dll	1008.tmp
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-errorreportingcore_31bf3856ad364e35_6.1.7601.17514_none_227e1c01642654f4_wer.dll_c8c67db6	1008.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-netbt_31bf3856ad364e35_6.1.7601.17514_none_c8df7823424473a1\netbtugc.exe	1008.tmp
File created	C:\Windows\winsxs\x86_netfx-mscordbc_dll_b03f5f7f11d50a3a_6.1.7601.17514_none_414c2fe8825bd6cb\mscordbc.dll	1008.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-security-kerberos_31bf3856ad364e35_6.1.7601.17514_none_4f518cecfbcddc34\kerberos.dll	1008.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_8.0.7601.17514_none_64655b7c61c841cb\sqmapi.dll	1008.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-driverquery_31bf3856ad364e35_6.1.7600.16385_none_95f92198f65d354d\driverquery.exe	1008.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-i..nternetcontrolpanel_31bf3856ad364e35_8.0.7601.17514_none_abfb5733271ca1ff\inetcpl.cpl	1008.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7601.17514_none_0b66cb34258c936f\esscli.dll	1008.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-wmspdmoe_31bf3856ad364e35_6.1.7600.16385_none_f9fb55c5d138e6cb\WMSPDMOE.DLL	1008.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-snmp-agent-service_31bf3856ad364e35_6.1.7601.17514_none_5faf9128a3432508\snmp.exe	1008.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-v..e-filters-tvdigital_31bf3856ad364e35_6.1.7601.17514_none_4477e7eba20ff0b9\psisdecd.dll	1008.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-c..ent-indexing-common_31bf3856ad364e35_6.1.7601.17514_none_08bb77b635526b01\Query.dll	1008.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-msac3enc_31bf3856ad364e35_6.1.7601.17514_none_a6e637e4d9e690e8\MSAC3ENC.DLL	1008.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-wab-app_31bf3856ad364e35_6.1.7601.17514_none_44b0c76c35d4b76d\wabmig.exe	1008.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-ehome-ehui_31bf3856ad364e35_6.1.7601.17514_none_373ecc0d14680e72\ehui.dll	1008.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-c..atemanagersnapindll_31bf3856ad364e35_6.1.7601.17514_none_5727f15709ce8fe2\certmgr.dll	1008.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-directx-directdraw_31bf3856ad364e35_6.1.7600.16385_none_04dbf9102154d42e\ddrawex.dll	1008.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-ie-setup_31bf3856ad364e35_11.2.9600.16428_none_1f77d330a4790dae\inseng.dll	1008.tmp
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-credui_31bf3856ad364e35_6.1.7601.17514_none_dd3eb6aced2f8d13_credui.dll_c0e5bbea	1008.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-mediaplayer-drm_31bf3856ad364e35_6.1.7601.17514_none_d6a8cb040fcd3a85\msscp.dll	1008.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-m..-driver-thunking-32_31bf3856ad364e35_6.1.7600.16385_none_24253253bade2400\odbc32gt.dll	1008.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-netshell_31bf3856ad364e35_6.1.7601.17514_none_d78ad4be6c4ce238\netshell.dll	1008.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-mediaplayer-drm_31bf3856ad364e35_6.1.7601.17514_none_d6a8cb040fcd3a85\drmv2clt.dll	1008.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-ie-htmlconverter_31bf3856ad364e35_11.2.9600.16428_none_f151276ee40bc690\html.iec	1008.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-ie-devtools_31bf3856ad364e35_8.0.7601.17514_none_5866bdf3151a6faf\iedvtool.dll	1008.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-ie-impexp-extexport_31bf3856ad364e35_11.2.9600.16428_none_b436382b203656be\ExtExport.exe	1008.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-mpg4decd_31bf3856ad364e35_6.1.7600.16385_none_607be46cc35d6611\MPG4DECD.DLL	1008.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-msmpeg2vdec_31bf3856ad364e35_7.1.7601.16492_none_8416bfe4a16d5fb1\msmpeg2vdec.dll	1008.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-msmq-runtime-core_31bf3856ad364e35_6.1.7601.17514_none_5768e2ad17453bd6\mqrt.dll	1008.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-wcn-config-registrar_31bf3856ad364e35_6.1.7601.17514_none_959763920cea12e1\fdWCN.dll	1008.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-font-embedding_31bf3856ad364e35_6.1.7601.17514_none_b7c78d327d35e10e\t2embed.dll	1008.tmp
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-x..rtificateenrollment_31bf3856ad364e35_6.1.7601.17514_none_f59e20ddece8f922_certenrollctrl.exe_9495aa75	1008.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-c..us-runtime-stclient_31bf3856ad364e35_6.1.7600.16385_none_a9649d04c661942c\stclient.dll	1008.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-directshow-dvdsupport_31bf3856ad364e35_6.1.7601.17514_none_562994bd321aac67\qdvd.dll	1008.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-k..eo-capture-plug-ins_31bf3856ad364e35_6.1.7601.17514_none_f77206649edabee9\Kswdmcap.ax	1008.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-mfc40u_31bf3856ad364e35_6.1.7601.17514_none_f51a7bf0b3d25294\mfc40u.dll	1008.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-shell-previewhost_31bf3856ad364e35_6.1.7601.17514_none_4544cf0e5f20beea\prevhost.exe	1008.tmp
File created	C:\Windows\winsxs\Backup\wow64_microsoft-windows-rasbase_31bf3856ad364e35_6.1.7601.17514_none_765b17a2c56f9155_rasmxs.dll_0c54a828	1008.tmp
File created	C:\Windows\winsxs\wow64_windowssearchengine_31bf3856ad364e35_7.0.7601.17514_none_dbd4d2796675bc72\mssph.dll	1008.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-m..c-oracle-driver-dll_31bf3856ad364e35_6.1.7601.17514_none_6b16a37ea1353bb1\msorcl32.dll	1008.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.1.7601.17514_none_720e868d9b0b6a44\WerFaultSecure.exe	1008.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-m..b-odbc-provider-dll_31bf3856ad364e35_6.1.7601.17514_none_25b6ad6b6f64d102\msdasql.dll	1008.tmp
File created	C:\Windows\winsxs\x86_microsoft-windows-runas_31bf3856ad364e35_6.1.7600.16385_none_5fbe9f67bec0f818\runas.exe	1008.tmp
File created	C:\Windows\winsxs\x86_microsoft.windows.isolationautomation_6595b64144ccf1df_1.0.0.0_none_35d357a66c38ade4\sxsoa.dll	1008.tmp

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

7a4122e621e12ce07734e64b85d188a0_NeikiAnalytics.exe

description	pid	process	target process
PID 3024 wrote to memory of 2840	3024	7a4122e621e12ce07734e64b85d188a0_NeikiAnalytics.exe	1008.tmp
PID 3024 wrote to memory of 2840	3024	7a4122e621e12ce07734e64b85d188a0_NeikiAnalytics.exe	1008.tmp
PID 3024 wrote to memory of 2840	3024	7a4122e621e12ce07734e64b85d188a0_NeikiAnalytics.exe	1008.tmp
PID 3024 wrote to memory of 2840	3024	7a4122e621e12ce07734e64b85d188a0_NeikiAnalytics.exe	1008.tmp

C:\Users\Admin\AppData\Local\Temp\7a4122e621e12ce07734e64b85d188a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7a4122e621e12ce07734e64b85d188a0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3024

C:\Users\Admin\AppData\Local\Temp\1008.tmp
C:\Users\Admin\AppData\Local\Temp\1008.tmp
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2840

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\1008.tmp
Filesize
145KB

MD5
c610e7ccd6859872c585b2a85d7dc992

SHA1
362b3d4b72e3add687c209c79b500b7c6a246d46

SHA256
14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041

SHA512
8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666

Download Submit
memory/3024-2-0x00000000002E0000-0x000000000031D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads