9221fcebfa4240f4267240bceb4744a30033ffd50875cf2af562f9da2f5240a1

Analysis

max time kernel
148s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
Size

843KB
MD5

44a951475bbf66cefc34b1fc3845b580
SHA1

20dae9ecb9278ad5e7c518a276f8a594edc5a114
SHA256

9221fcebfa4240f4267240bceb4744a30033ffd50875cf2af562f9da2f5240a1
SHA512

c087b652a9b2283813313d27fdde4f26705764136b40b8c485fb95a806e1f5a47239ffc87651714f6287e5b93d06a3b752415c0984c1bf835087aeb3be6634ab
SSDEEP

12288:TwKfOVRo9yRYK42X5sUSF14tr4O8b8ITDnlLvAYrIw6E:TxWVeyRYK4s2hzM4O8b8ITDnl7CE

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\MicrosoftOneDriveSetup26962 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe"	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OneDriveSetupOneDrive = "C:\\Users\\Admin\\AppData\\Local\\Temp\\44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe"	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\OperatingSystem.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\OperatingSystem.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\RCX296F.tmp	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\wbem\ja\resourcesresources.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\wbem\ja\RCX29CF.tmp	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\ntdll.dll.dll	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe

Drops file in Program Files directory 43 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\WebViewMicrosoft92.0.902.67.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LibraryLogTransport2.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\RCX74EE.tmp	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AdobeAiod19.8.20071.303822.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOLoaderUIVSTOInstallerUI.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\RCX6046.tmp	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\ManagerAdobe.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\RCX6AE9.tmp	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\RCX4D07.tmp	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\RCX56FC.tmp	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\System\ja-JP\OperatingWAB32res.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ja-JP\RCX571D.tmp	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\RCX7770.tmp	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wowhelperProcess.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wowhelperProcess.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX803C.tmp	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\WebViewMicrosoft92.0.902.67.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\RCX4D57.tmp	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\RCX6191.tmp	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\AdobeNPPDF32.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\RCX7731.tmp	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\WAB32WAB32.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LibraryLogTransport2.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\RCX6086.tmp	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\AdobeAcrobat.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX88C9.tmp	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\System\WAB32WAB32.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCX57BA.tmp	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCX801C.tmp	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodAiod.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\RCX4D46.tmp	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\JavaTMjava.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHostAdobe19.10.20064.310990.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\JavaTMjava.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\OperatingWindows.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\RCX6C13.tmp	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHostAdobe19.10.20064.310990.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\eBookEscript19.10.20064.310990.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\AdobeAcrobat.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\OperatingWindows.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\SystemRTSCom.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\ManagerAdobe.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\RCX6A4C.tmp	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Globalization\ELS\SpellDictionaries\mssp7enUSOperating.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..structure.resources_31bf3856ad364e35_10.0.19041.1_de-de_fb3a7bfd402987eb\WindowsMicrosoft.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-whhelper.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_27035d8de238050b\Systemwhhelper.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..gbinaries.resources_31bf3856ad364e35_10.0.19041.1_de-de_408e2afcf0b7274b\ServicesInternet.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.Resources\1.0.0.0_ja_31bf3856ad364e35\WindowsUtility6.1.7600.16385.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\fr-FR\RCX73BA.tmp	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.UpdateDiagReport.Resources\v4.0_1.0.0.0_en_31bf3856ad364e35\RCXBD0B.tmp	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\it\MicrosoftSystem.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\it\RCX294.tmp	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-msident.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_9355408d79c75006\SystemWindows.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..msettings-datamodel_31bf3856ad364e35_10.0.19041.264_none_c813a1965bacf6d2\SystemDataModel.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-e..ngservice.resources_31bf3856ad364e35_10.0.19041.1151_en-us_8bea4e0b86020402\WindowsSystem.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\WPF\it\RCXBD0C.tmp	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\es-ES\MicrosoftFramework.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-i..l-keyboard-0000040f_31bf3856ad364e35_10.0.19041.1_none_bf08d8a728d9f1f3\MicrosoftSystem10.0.19041.1.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-vcm-core-codecs_31bf3856ad364e35_10.0.19041.1_none_c6753311bf6fdf3d\iccvidIR3232.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\3082\cscompuivbc7ui.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\3082\RCX4A7B.tmp	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\diagnostics\system\Keyboard\de-DE\MicrosoftWindows.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-x..lugin-mui.resources_31bf3856ad364e35_10.0.19041.1_de-de_4d3a733284e52a18\Betriebssystemxwtpdui.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-f..k-service.resources_31bf3856ad364e35_10.0.19041.1_es-es_38b477bf05e07ef4\Windowswersvc.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.WorkflowServices.resources\v4.0_4.0.0.0_it_31bf3856ad364e35\RCX73CB.tmp	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\Branding\Basebrd\de-DE\BASEBRDWindows.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\msil_multipoint-wmsusertab.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_d51191bbdb5f89e7\Microsoftresources.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..aphostres.resources_31bf3856ad364e35_10.0.19041.1_nl-nl_e3017120c4b3b561\APHostResMicrosoft10.0.19041.1.160101.0800.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-ie-datacontrol_31bf3856ad364e35_11.0.19041.1_none_083e5b98dec1caf1\ExplorerInternet.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security.Resources\v4.0_3.0.0.0_it_31bf3856ad364e35\RCXBCDB.tmp	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File opened for modification	C:\Windows\Branding\Basebrd\de-DE\RCX4A9B.tmp	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..emsettingsthreshold_31bf3856ad364e35_10.0.19041.1266_none_943a4986931bd930\SystemMicrosoft.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\x86_netfx4-msvcp140_clr_dll_31bf3856ad364e35_4.0.15805.0_none_c14944d2b9d98da3\VisualMicrosoft.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\Boot\PCAT\bootuwfSystem.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\Boot\EFI\hu-HU\rendszerrendszer10.0.19041.1.160101.0800.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.Resources\1.0.0.0_ja_31bf3856ad364e35\RCX297F.tmp	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.WorkflowServices.resources\v4.0_4.0.0.0_it_31bf3856ad364e35\resourcesMicrosoft.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\WPF\es-ES\FrameworkPresentationHostDll.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Instrumentation.resources\v4.0_4.0.0.0_it_b77a5c561934e089\RCX739A.tmp	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_netfx-system.runtime.remoting_b03f5f7f11d50a3a_10.0.19041.1_none_c84370b1273f4bf1\SystemRemoting.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.UpdateDiagReport.Resources\v4.0_1.0.0.0_en_31bf3856ad364e35\WindowsWindows.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\WPF\it\resourcesMicrosoft.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\de\microsoftservicemodel.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\msil_system.web.routing.resources_31bf3856ad364e35_10.0.19041.1_es-es_74b9f0ea1eef943a\FrameworkRouting.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..update-genuineintel_31bf3856ad364e35_10.0.19041.1_none_72b119e551aad4bf\Systemmcupdate10.0.19041.1.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-v..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_it-it_d2df3e3d4fc57eb3\WindowsCLLocalizationDatap.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\diagnostics\system\Apps\de-DE\CLLocalizationDatapBetriebssystem10.0.19041.1.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\Boot\EFI\pt-PT\bootmgrWindows.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-bits-perf_31bf3856ad364e35_10.0.19041.1_none_e915a90ea007a043\SystemBitsPerf.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sysprep-spopk_31bf3856ad364e35_10.0.19041.746_none_f5aaff8bac37a543\WindowsMicrosoft10.0.19041.746.160101.0800.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Instrumentation.resources\v4.0_4.0.0.0_it_b77a5c561934e089\SystemSystem.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\Boot\PCAT\nb-NO\Windowsbootmgr10.0.19041.1.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\es-ES\RCX4ABC.tmp	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_wcf-smdiagnostics_b03f5f7f11d50a3a_10.0.19200.110_none_3fd7690573cf4d76\SMDiagnosticsFramework.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_appinstallerprompt-desktop_31bf3856ad364e35_10.0.19041.1_none_b796916d40978434\MicrosoftSystem.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\Boot\PCAT\ko-KR\memdiagWindows.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\WPF\es-ES\RCX274.tmp	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wwan-lpacsp_31bf3856ad364e35_10.0.19041.1_none_22fdb9efcc6933b6\MicrosofteUICCsCSP.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-winsock-helper-tcpip_31bf3856ad364e35_10.0.19041.1_none_81a41345d0e50bd5\wship6Microsoft.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..ormabstractionlayer_31bf3856ad364e35_10.0.19041.1_none_9b301fa8bcc20f24\SystemMicrosoft.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_system.diagnostics...writertracelistener_b03f5f7f11d50a3a_4.0.15805.0_none_a9628980f690b82d\MicrosoftTextWriterTraceListener.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security.Resources\v4.0_3.0.0.0_it_31bf3856ad364e35\resourcesresources10.0.19041.1.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-quickassist.resources_31bf3856ad364e35_10.0.19041.1_pt-br_b9dabff3d5814653\SystemOperating.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-onecore-uiamanager_31bf3856ad364e35_10.0.19041.1_none_90817ac65ec85f26\WindowsOperating.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\fr-FR\MicrosoftPresentationHostv0400.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\de\RCX244.tmp	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-rasbase-asyncmac_31bf3856ad364e35_10.0.19041.1_none_da48dc66d436c4ea\ASYNCMACMicrosoft.exe	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
4484	44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\44a951475bbf66cefc34b1fc3845b580_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\AdobeAcrobat.exe

Filesize
845KB

MD5
79ad59b86fe1d36bed01db6bd54ffa26

SHA1
1c7bf2e4816344c294776637d5c9503f64006a46

SHA256
8c6e9fff46e3467d9ed23f2700ed4a10f64311deb8ec278abd189c10427270b3

SHA512
391b5b5c8ef292c35259a7bf6a3a44b23dff12537a31d0d823b4daab31cc172eacf1d7ab204b78978c3162fee7a6cd3dfe235ce0582260bc500e475f9758f522

Download Submit
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOLoaderUIVSTOInstallerUI.exe

Filesize
845KB

MD5
7300cb3f8c17c1395cc168b447e11401

SHA1
b9b940722affb4372981a7d2a26932d1f7ebb4b4

SHA256
7b20d50ebe98dd97bd61f710a3897ede4342a2a093875323ab4923d55541083d

SHA512
d39753ac279cf2b5394626931aaf60d63bb5b5d95dec2ad8737c6c4f8022aa1ae1912e4d8ea7ca0604d9acf4856dda69842051b1164e29e0e453829a48fe9042

Download Submit
C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\RCX6086.tmp

Filesize
845KB

MD5
82f1e79e2c49e9fb6ee64ce5e6f2b625

SHA1
25b9ba2b1d3846299cafc292573f12ea8e666cce

SHA256
e7f065a9302acfdf12b9f325191c51f6bad4c95971c0a99fad1cc47579b11a28

SHA512
c3cf65efdd6e63e7d89589a366e5b7cdbcfa7ecc898d63e1e30ca5a9cc77cc6800ab8bcdeaa97dcaf1f639accd033936afe090490a3ad2ffe0e978bc670807e5

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\WebViewMicrosoft92.0.902.67.exe

Filesize
843KB

MD5
44a951475bbf66cefc34b1fc3845b580

SHA1
20dae9ecb9278ad5e7c518a276f8a594edc5a114

SHA256
9221fcebfa4240f4267240bceb4744a30033ffd50875cf2af562f9da2f5240a1

SHA512
c087b652a9b2283813313d27fdde4f26705764136b40b8c485fb95a806e1f5a47239ffc87651714f6287e5b93d06a3b752415c0984c1bf835087aeb3be6634ab

Download Submit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\OperatingSystem.exe

Filesize
922KB

MD5
a44f0039eff8491a4cb81703faf57b56

SHA1
d8ab6f3629c19a61c45ef059dbed6534ca79c13f

SHA256
a15217fe7f7c386f47396ef7c92dc351088de26122c15dba6a9f5bb3f03e1b7b

SHA512
1500cee6e65c62d3d56f42102ba2f30b7627f8acc4a5460848d3ec8d3a7885ba6c5eec0db329ce7a29886b2b61a64d1ed3e1331bb321aad8b3d635bc6032a70c

Download Submit