a51bccc7ded9b49e1317c19b628b7c3e4f89de06784119fed86d120c4f438150

General

Target

9428a6521088216a83e401dc7cf3a3a0_NeikiAnalytics.exe
Size

6.2MB
MD5

9428a6521088216a83e401dc7cf3a3a0
SHA1

34b15c82e8aa42de4fc1baefc90ad0a9f5bc4454
SHA256

a51bccc7ded9b49e1317c19b628b7c3e4f89de06784119fed86d120c4f438150
SHA512

1407d4bafb41c7d79ae280a509f4359e6136e5b2174a5dbd035eddb0b2c904fdd36d4ab5b97ef9cfb5874bcbf99e1b33c55d6d99ba4f04fa44e30a2dbcecd867
SSDEEP

98304:9bkTttG2daLX1lM50QdWW7T7TT7khfLEfJjr4I3AWtbzrCgHriBsUgywYH:x+hUD7MDWavTchTEfVrHJV/HriBsUt

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3044	9428a6521088216a83e401dc7cf3a3a0_NeikiAnalytics.tmp
2952	musilandmusicdownloader.exe

Loads dropped DLL 6 IoCs

pid	Process
1924	9428a6521088216a83e401dc7cf3a3a0_NeikiAnalytics.exe
3044	9428a6521088216a83e401dc7cf3a3a0_NeikiAnalytics.tmp
3044	9428a6521088216a83e401dc7cf3a3a0_NeikiAnalytics.tmp
3044	9428a6521088216a83e401dc7cf3a3a0_NeikiAnalytics.tmp
3044	9428a6521088216a83e401dc7cf3a3a0_NeikiAnalytics.tmp
3044	9428a6521088216a83e401dc7cf3a3a0_NeikiAnalytics.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3044	9428a6521088216a83e401dc7cf3a3a0_NeikiAnalytics.tmp
3044	9428a6521088216a83e401dc7cf3a3a0_NeikiAnalytics.tmp
2952	musilandmusicdownloader.exe
2952	musilandmusicdownloader.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3044	9428a6521088216a83e401dc7cf3a3a0_NeikiAnalytics.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 3044	1924	9428a6521088216a83e401dc7cf3a3a0_NeikiAnalytics.exe	28
PID 1924 wrote to memory of 3044	1924	9428a6521088216a83e401dc7cf3a3a0_NeikiAnalytics.exe	28
PID 1924 wrote to memory of 3044	1924	9428a6521088216a83e401dc7cf3a3a0_NeikiAnalytics.exe	28
PID 1924 wrote to memory of 3044	1924	9428a6521088216a83e401dc7cf3a3a0_NeikiAnalytics.exe	28
PID 1924 wrote to memory of 3044	1924	9428a6521088216a83e401dc7cf3a3a0_NeikiAnalytics.exe	28
PID 1924 wrote to memory of 3044	1924	9428a6521088216a83e401dc7cf3a3a0_NeikiAnalytics.exe	28
PID 1924 wrote to memory of 3044	1924	9428a6521088216a83e401dc7cf3a3a0_NeikiAnalytics.exe	28
PID 3044 wrote to memory of 2548	3044	9428a6521088216a83e401dc7cf3a3a0_NeikiAnalytics.tmp	29
PID 3044 wrote to memory of 2548	3044	9428a6521088216a83e401dc7cf3a3a0_NeikiAnalytics.tmp	29
PID 3044 wrote to memory of 2548	3044	9428a6521088216a83e401dc7cf3a3a0_NeikiAnalytics.tmp	29
PID 3044 wrote to memory of 2548	3044	9428a6521088216a83e401dc7cf3a3a0_NeikiAnalytics.tmp	29
PID 3044 wrote to memory of 2952	3044	9428a6521088216a83e401dc7cf3a3a0_NeikiAnalytics.tmp	31
PID 3044 wrote to memory of 2952	3044	9428a6521088216a83e401dc7cf3a3a0_NeikiAnalytics.tmp	31
PID 3044 wrote to memory of 2952	3044	9428a6521088216a83e401dc7cf3a3a0_NeikiAnalytics.tmp	31
PID 3044 wrote to memory of 2952	3044	9428a6521088216a83e401dc7cf3a3a0_NeikiAnalytics.tmp	31

C:\Users\Admin\AppData\Local\Temp\9428a6521088216a83e401dc7cf3a3a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9428a6521088216a83e401dc7cf3a3a0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Users\Admin\AppData\Local\Temp\is-N7TEN.tmp\9428a6521088216a83e401dc7cf3a3a0_NeikiAnalytics.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-N7TEN.tmp\9428a6521088216a83e401dc7cf3a3a0_NeikiAnalytics.tmp" /SL5="$400F4,6223240,56832,C:\Users\Admin\AppData\Local\Temp\9428a6521088216a83e401dc7cf3a3a0_NeikiAnalytics.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Delete /F /TN "Musiland_Music_Downloader_5151"
    3⤵
    PID:2548
- - C:\Users\Admin\AppData\Local\Musiland Music Downloader\musilandmusicdownloader.exe
    "C:\Users\Admin\AppData\Local\Musiland Music Downloader\musilandmusicdownloader.exe" 3b946430892e3bf0e5f148d6100fef9b
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Musiland Music Downloader\musilandmusicdownloader.exe

Filesize
3.9MB

MD5
1af374b3b5a87d83be9ae131e07db17a

SHA1
fd55ee4a6a6a38c38afd57cd684ed630b9f85c45

SHA256
ff017ffe85a8388674080e58708bd2cab958f6941c215b22ef59c6461cd45b89

SHA512
f28bb2e9f764224a79d83ae25d7b1ecda52ce3c32b7da8372d74b4718969c96f8213f76214322ff5e22f629849fd3568412ae1240e2b7882dd38269aef0bf76a

Download Submit
\Users\Admin\AppData\Local\Temp\is-KSPU5.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-KSPU5.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
\Users\Admin\AppData\Local\Temp\is-KSPU5.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-N7TEN.tmp\9428a6521088216a83e401dc7cf3a3a0_NeikiAnalytics.tmp

Filesize
692KB

MD5
1f867b23e94cb84404b9f58144e518fb

SHA1
99a7a7f472e6d81ffc9a48d9f4bcccfbc172bc18

SHA256
e9bda766a107f30c1d7a9c9dba0f32339dd1c746d65aaec2affac735dcec9ed9

SHA512
efa3882e8969daba6696e628155bdcd441177db1d7127d4a93173571ba52588e91f73fc243b177194063401037ea3c0608a20b7d45f7945ad04b9842cb36531d

Download Submit
memory/1924-81-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1924-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1924-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2952-79-0x0000000000400000-0x0000000000BED000-memory.dmp

Filesize
7.9MB

Download
memory/2952-83-0x0000000000400000-0x0000000000BED000-memory.dmp

Filesize
7.9MB

Download
memory/2952-80-0x0000000000400000-0x0000000000BED000-memory.dmp

Filesize
7.9MB

Download
memory/3044-8-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/3044-82-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/3044-78-0x00000000039B0000-0x000000000419D000-memory.dmp

Filesize
7.9MB

Download
memory/3044-84-0x00000000039B0000-0x000000000419D000-memory.dmp

Filesize
7.9MB

Download

Analysis

Sharing