8721dcf056af85dbf9e21d17e3875f07eab6763f818067649850df86d3790860

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
27/05/2024, 07:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
Size

1.1MB
MD5

256e6029803361c69887d31b63f8c830
SHA1

5242c796a2b827081a7fdf86b2798130d46c3a71
SHA256

8721dcf056af85dbf9e21d17e3875f07eab6763f818067649850df86d3790860
SHA512

6618ab8f2472d34c9275e9922bb65cbf8f062244948316d27843c944ee38776fe1d0b18a550f07a204e1e3e00743642d8169c58f9a0e5ed3ed7434260760cfa5
SSDEEP

12288:8wKfOVRo9yRYYyV6EQUj0ESA/ACj5oMKVjOqz:8xWVeyRYK29pKxOqz

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\MicrosoftOneDriveSetup26962 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe"	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OneDriveSetupOneDrive = "C:\\Users\\Admin\\AppData\\Local\\Temp\\256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe"	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\sl-SI\RCX8D4C.tmp	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\ntdll.dll.dll	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\sl-SI\WindowsWindows.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe

Drops file in Program Files directory 41 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ProcessAdobeScCore.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodAiod.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Windows Defender\uk-UA\Windowsmpasdesc4.18.1907.16384.160101.0800.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\PlatformU401.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\AdobeNPPDF32.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\RCX49E0.tmp	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\RCX4A20.tmp	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\RCX4A5F.tmp	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\IEXPLOREieinstal.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\InkObjMicrosoft.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\en-US\RCX40A8.tmp	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\Libraryprcr.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\RCX55DB.tmp	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\CreateAdobe.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RCX661B.tmp	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\IEXPLOREieinstal.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\RCX376B.tmp	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\RCX37CB.tmp	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCX6FD0.tmp	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodAdobe.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\RCX37BA.tmp	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\PlatformU401.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\RCX60BA.tmp	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\CreateAdobe.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\FrameworklibGLESv2.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ProcessAdobeScCore.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\RCX559B.tmp	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\PDDomMake.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\RCX62CE.tmp	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\FrameworklibGLESv2.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX7000.tmp	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\System\en-US\MicrosoftWindows.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\datamatrixpmpqrcodepmp.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\WindowsOperating10.0.19041.1.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\AdobeAcrobat.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX788D.tmp	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationClientsideProvidersresources.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\RCX4058.tmp	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\RCX4068.tmp	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prcrDynamic19.10.20064.310990.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\RCX5687.tmp	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\wow64_microsoft-windows-payments_31bf3856ad364e35_10.0.19041.264_none_3c5559db7416f46a\WindowsSystem.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\B61D15F98E24A4A42882574055142AEA\56.64.8781\RCX4006.tmp	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..dminflows.resources_31bf3856ad364e35_10.0.19041.1_de-de_0f07ff385f4cd189\SystemSettingsAdminFlowsMicrosoft.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-uxtheme.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_6e93dfccd8fc6ff5\dexploitationWindows.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wmadmod_31bf3856ad364e35_10.0.19041.1_none_3c3ff8c0bd5597fe\wmadmodOperating.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_dual_mtconfig.inf_31bf3856ad364e35_10.0.19041.1_none_1444c37187ab0346\MicrosoftWindows.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-refsutil.resources_31bf3856ad364e35_10.0.19041.1151_en-us_696c825bf3449d17\refsutilrefsutil10.0.19041.1151.160101.0800.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..ment-windows-minwin_31bf3856ad364e35_10.0.19041.173_none_2dc175215ae8ec39\Windowsosloader.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-runas_31bf3856ad364e35_10.0.19041.1_none_15d956c7fccae922\WindowsOperating10.0.19041.1.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..sh-helper.resources_31bf3856ad364e35_10.0.19041.1_es-es_a358d8dee8e6bf5f\WindowsMicrosoft.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devices-lights-winrt_31bf3856ad364e35_10.0.19041.264_none_fd8e7e5b1e3eb4b2\WindowsWindows10.0.19041.264.160101.0800.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_dual_net8192su64.inf_31bf3856ad364e35_10.0.19041.1_none_f6ae9a69b6662cfe\RTL8192SWireless.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..-cryptngc.resources_31bf3856ad364e35_10.0.19041.1202_en-us_2d7e2b0ed5dd2700\cryptngcMicrosoft.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File opened for modification	C:\Windows\IME\IMETC\DICTS\RCX27FC.tmp	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..pprov-dll.resources_31bf3856ad364e35_10.0.19041.1_it-it_386b02d498494540\OperatingMicrosoft.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-consolelogon-library_31bf3856ad364e35_10.0.19041.1202_none_fa14df42dc2de4f5\MicrosoftOperating.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-a..ce-router.resources_31bf3856ad364e35_10.0.19041.1_it-it_1533f24f68d1ad01\Microsoftoperativo10.0.19041.1.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-stobject_31bf3856ad364e35_10.0.19041.964_none_2804a3f5b45d48ed\stobjectWindows.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-help-client.resources_31bf3856ad364e35_10.0.19041.1_es-es_378fd2997d2ac312\MicrosoftWindows.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-accountscontrol-api_31bf3856ad364e35_10.0.19041.746_none_5aaf19161dc3f482\OperatingWindows.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_netfx4-servicemodelregui_dll_b03f5f7f11d50a3a_4.0.15805.0_none_d5fd7ea545783f20\ServiceModelRegUIMicrosoft.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..rprovider.resources_31bf3856ad364e35_10.0.19041.1_de-de_1421bb71934b48b3\BetriebssystemDefaultPrinterProvider.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..n-library.resources_31bf3856ad364e35_10.0.19041.1_it-it_ff5371598d186467\ConsoleLogonSistema10.0.19041.1.160101.0800.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-security-ngc-local_31bf3856ad364e35_10.0.19041.1_none_c95bfc009f0aefab\ngclocalngclocal.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_de-de_e6bd58924bc1cd26\BetriebssystemWindows.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-a..ce-router.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_b759715c5becbedc\SystemWindows10.0.19041.1.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..fyiconexe.resources_31bf3856ad364e35_10.0.19041.1_it-it_96ed458f9617febc\Sistemaoperativo.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-dlna-dmrserver_31bf3856ad364e35_10.0.19041.264_none_b4c1d142f8e57a4e\OperatingReceiver.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-waitfor.resources_31bf3856ad364e35_10.0.19041.1_es-es_e32bafd79f020607\operativowaitfor.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-x..ollmentui.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_91503b2c2ca3135c\dexploitationCertEnrollUI.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mtf-jpn-datasources_31bf3856ad364e35_10.0.19041.1266_none_c5a77d5f2a2a87a4\MTFDDDSSDDS.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-takeown.resources_31bf3856ad364e35_10.0.19041.1_en-us_6c295aa8904b0eb1\SystemMicrosoft.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-p..g-printticket-win32_31bf3856ad364e35_10.0.19041.746_none_fba89dce325efce1\SystemWindows10.0.19041.746.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\B61D15F98E24A4A42882574055142AEA\56.64.8781\HostHost.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..immersive.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_e2930c57d66c2a4f\WINDOWSIMMERSIVE.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..dminflows.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_e20204487c460b8d\SystemSettingsAdminFlowsSettings.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-onex.resources_31bf3856ad364e35_10.0.19041.1_it-it_9f5dbe4eaafd7bcf\operativoMicrosoft.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Web.Resources\2.0.0.0_es_b03f5f7f11d50a3a\RCX3F59.tmp	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-filetracefilter_31bf3856ad364e35_10.0.19041.1_none_b0b561660c7b5f0c\filetracefiletrace.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-network-qos-pacer_31bf3856ad364e35_10.0.19041.1_none_ad4e5f294b587440\MicrosoftOperating.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-f..temutilitylibraries_31bf3856ad364e35_10.0.19041.1266_none_5e5c2b5da4deafc1\SystemSystem.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..smenttool.resources_31bf3856ad364e35_10.0.19041.1_it-it_db4ccb3ee434f63d\MicrosoftSistema.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_system.identitymodel.selectors.resources_b77a5c561934e089_4.0.15805.0_de-de_bce100e61b9fa8f3\resourcesMicrosoft.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-netevent_31bf3856ad364e35_10.0.19041.1_none_1a8c10573e4d18a9\WindowsSystem.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\msil_microsoft.security...ulegenerationwizard_31bf3856ad364e35_10.0.19041.1_none_4bc8e4f04b426f62\WizardsMicrosoft10.0.19041.1.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ernelmode.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_e6ac898f395cc8f9\WindowsOperating10.0.19041.1.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\JA\MicrosoftRresources.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sud_31bf3856ad364e35_10.0.19041.746_none_859f3f8ebab96f33\OperatingSystem10.0.19041.746.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap.Resources\2.0.0.0_es_b03f5f7f11d50a3a\RCX3F49.tmp	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..pellcheck.resources_31bf3856ad364e35_10.0.19041.1_es-es_de56fff7ea552504\MicrosoftSistema.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-networktopology-inf_31bf3856ad364e35_10.0.19041.1_none_f049b692429bf3a6\WindowsRSPNDR10.0.19041.1.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mmsys.resources_31bf3856ad364e35_10.0.19041.1_de-de_133f7c13d2cdb204\PanelControl.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-userinit.resources_31bf3856ad364e35_10.0.19041.1_en-us_45e1b3af71b01941\userinitMicrosoft.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\Boot\PCAT\hr-HR\bootmgrsustav.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-synchost_31bf3856ad364e35_10.0.19041.1_none_1f721a9c9befed5e\SyncHostpsSyncHostps.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\JA\RCX289A.tmp	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..i-appcore.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_8ac4ee7dad26d084\Microsofttwinapi.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..omponents.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_262bd7114887afcc\SystmeSocialApis.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..rver-apis.resources_31bf3856ad364e35_10.0.19041.1_en-us_1540b052425beb5b\SystemSMBWMIV2.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..iprovider.resources_31bf3856ad364e35_10.0.19041.1_de-de_e38bd2c34e8e1456\Windowsvdswmi.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets.Resources\v4.0_1.0.0.0_en_31bf3856ad364e35\CimCmdletsSystem.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-security-fido-credprov_31bf3856ad364e35_10.0.19041.1_none_99f786e1c5486d04\OperatingSystem.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-security-spp-ux_31bf3856ad364e35_10.0.19041.264_none_39a33f9dfdb389ae\MicrosoftMicrosoft.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-themeservice.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b9dc2e5385069c21\MicrosoftTHEMESERVICE.exe	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
2872	256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\256e6029803361c69887d31b63f8c830_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\FrameworklibGLESv2.exe

Filesize
1.2MB

MD5
634d8e32652392df1951b639027062d7

SHA1
9f6e72363f1c113c27840c6d91c3f882e00c2c2c

SHA256
9172934bf081da67a19e758c329ee6346d1576cbaba66b3c6bfaf2be5130b590

SHA512
03938291b32b8ac922cf6fbec475cf83b3df3e04cb729538ba23cf026db567db1d84468a4819ce993217a04823c2d57cdc09c4158be461473724991b1e56b062

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\RCX4A20.tmp

Filesize
1.1MB

MD5
e1928d4608b687991d63fffcd848b556

SHA1
cd450ff9919c4e6186927baf33ca06eccc316f11

SHA256
77ae294428d392781c83cc5564884bc265fe8a5203b6d776c41f0e693ed2d2a4

SHA512
2aaef18ed13e05ecfb57a417c31632d25b44385a5a8e1e5c7c81fef812b5c6aab3568662695ef995b4465a266a38c71a0e73cbf675cf1d484bdb3adb1230305d

Download Submit
C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\RCX4068.tmp

Filesize
1.1MB

MD5
c178bc5c53b61a73051de6193a3420e5

SHA1
864f022a17a3b9ebc82166d412e382ff9444cbfa

SHA256
ed07ccee8fa8369137e976a63f4dd68acc15ae3636bbc433520c4bd84414f77d

SHA512
c8f74d21cefa6eff8649311a4c18d8aa17827f54654fd1aa4b2f2aa894292bc7cc55a8d1c0114890100b9b42c82af2d868f94ed4cb1b2bb547157cf4b5efb0ae

Download Submit
C:\Program Files (x86)\Internet Explorer\de-DE\IEXPLOREieinstal.exe

Filesize
1.1MB

MD5
256e6029803361c69887d31b63f8c830

SHA1
5242c796a2b827081a7fdf86b2798130d46c3a71

SHA256
8721dcf056af85dbf9e21d17e3875f07eab6763f818067649850df86d3790860

SHA512
6618ab8f2472d34c9275e9922bb65cbf8f062244948316d27843c944ee38776fe1d0b18a550f07a204e1e3e00743642d8169c58f9a0e5ed3ed7434260760cfa5

Download Submit