eb7e28ae2e5f7628fa2838fa3424952ba50e76e8f003b36115a035d19b22662b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04/06/2024, 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
Size

447KB
MD5

2ce35c36903ad6e372ab53011e3b8820
SHA1

b804f66019f09df78eb7e02af03244911e3d1a3f
SHA256

eb7e28ae2e5f7628fa2838fa3424952ba50e76e8f003b36115a035d19b22662b
SHA512

986d80c52febb709076f200ebafcd2b336f7c962b85ae58d0fc6564da8c4353a53c2fa62ce1b6a1251c27ca3785299e74f881de9873b23e7cf42b796fa0ffcc8
SSDEEP

12288:hPnA65XwlYgrHy6V17kr8+m73q+pgkxzdxRlabQYtCAZ5cIkKix:hPJwlBrygOW3q49ldx7XIa

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 2 IoCs

pid	Process
3076	Logo1_.exe
1620	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023406-13.dat	upx
behavioral2/memory/1620-15-0x0000000000400000-0x00000000004F4000-memory.dmp	upx
behavioral2/memory/1620-19-0x0000000000400000-0x00000000004F4000-memory.dmp	upx

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/1620-15-0x0000000000400000-0x00000000004F4000-memory.dmp	autoit_exe
behavioral2/memory/1620-19-0x0000000000400000-0x00000000004F4000-memory.dmp	autoit_exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-cn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\eu-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\eu-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ca-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\de-de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ko-kr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\pt-br\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\pt-br\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_PT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\it-it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Mu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-gb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\pt-br\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2648	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
2648	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
2648	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
2648	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
2648	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
2648	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
2648	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
2648	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
2648	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
2648	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
2648	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
2648	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
2648	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
2648	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
2648	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
2648	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
2648	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
2648	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
2648	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
2648	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
2648	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
2648	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
2648	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
2648	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
2648	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
2648	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
3076	Logo1_.exe
3076	Logo1_.exe
3076	Logo1_.exe
3076	Logo1_.exe
3076	Logo1_.exe
3076	Logo1_.exe
3076	Logo1_.exe
3076	Logo1_.exe
3076	Logo1_.exe
3076	Logo1_.exe
3076	Logo1_.exe
3076	Logo1_.exe
3076	Logo1_.exe
3076	Logo1_.exe
3076	Logo1_.exe
3076	Logo1_.exe
3076	Logo1_.exe
3076	Logo1_.exe
3076	Logo1_.exe
3076	Logo1_.exe
3076	Logo1_.exe
3076	Logo1_.exe
3076	Logo1_.exe
3076	Logo1_.exe
3076	Logo1_.exe
3076	Logo1_.exe
3076	Logo1_.exe
3076	Logo1_.exe
3076	Logo1_.exe
3076	Logo1_.exe
3076	Logo1_.exe
3076	Logo1_.exe
3076	Logo1_.exe
3076	Logo1_.exe
3076	Logo1_.exe
3076	Logo1_.exe
3076	Logo1_.exe
3076	Logo1_.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
1620	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
1620	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
1620	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
1620	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
1620	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
1620	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
1620	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
1620	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
1620	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
1620	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe

Suspicious use of SendNotifyMessage 10 IoCs

pid	Process
1620	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
1620	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
1620	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
1620	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
1620	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
1620	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
1620	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
1620	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
1620	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
1620	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2544	2648	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe	82
PID 2648 wrote to memory of 2544	2648	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe	82
PID 2648 wrote to memory of 2544	2648	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe	82
PID 2544 wrote to memory of 4620	2544	net.exe	84
PID 2544 wrote to memory of 4620	2544	net.exe	84
PID 2544 wrote to memory of 4620	2544	net.exe	84
PID 2648 wrote to memory of 4572	2648	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe	88
PID 2648 wrote to memory of 4572	2648	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe	88
PID 2648 wrote to memory of 4572	2648	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe	88
PID 2648 wrote to memory of 3076	2648	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe	89
PID 2648 wrote to memory of 3076	2648	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe	89
PID 2648 wrote to memory of 3076	2648	2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe	89
PID 3076 wrote to memory of 1136	3076	Logo1_.exe	91
PID 3076 wrote to memory of 1136	3076	Logo1_.exe	91
PID 3076 wrote to memory of 1136	3076	Logo1_.exe	91
PID 1136 wrote to memory of 4400	1136	net.exe	93
PID 1136 wrote to memory of 4400	1136	net.exe	93
PID 1136 wrote to memory of 4400	1136	net.exe	93
PID 4572 wrote to memory of 1620	4572	cmd.exe	94
PID 4572 wrote to memory of 1620	4572	cmd.exe	94
PID 4572 wrote to memory of 1620	4572	cmd.exe	94
PID 3076 wrote to memory of 1852	3076	Logo1_.exe	97
PID 3076 wrote to memory of 1852	3076	Logo1_.exe	97
PID 3076 wrote to memory of 1852	3076	Logo1_.exe	97
PID 1852 wrote to memory of 1892	1852	net.exe	99
PID 1852 wrote to memory of 1892	1852	net.exe	99
PID 1852 wrote to memory of 1892	1852	net.exe	99
PID 3076 wrote to memory of 3452	3076	Logo1_.exe	56
PID 3076 wrote to memory of 3452	3076	Logo1_.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3452
- C:\Users\Admin\AppData\Local\Temp\2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:4620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a592C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4572
  - - C:\Users\Admin\AppData\Local\Temp\2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe
      "C:\Users\Admin\AppData\Local\Temp\2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1620
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3076
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1136
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:4400
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1852
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
258KB

MD5
a4c8106e6b09119bbdf16d697e5562fc

SHA1
ca9fc6811703e29f7752f3a13e114fe904d0ebaa

SHA256
184bfec75adf37374d96cb6ae5ea764fbeff8618090ad0618eb99cd4d620a606

SHA512
8ea21582fc055e1e90fbfc92778c62f6aefa2681504b8c5a7d63e6e27f8064f9dffc4251765d3e3f15737cbc136cfa5c1c1e864246b8808659e56addc75e976d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
577KB

MD5
e68c3b97bfb45e0298d261ce59935c4c

SHA1
ffc0216b782cb0c46c1716e22e60be073233b4a8

SHA256
d94a59df2d51575fc39aed6c15320e1ef8c302cc8f3a34d86342c8f3919e2645

SHA512
ba2b48c178304d187c08f1b67cfadec8a5b37860b9b0e927cdf651b6f73129ee2567a3b9a4609e39612b8619d331a06ef512553e59be3dcdda5ed74d8b2bbeec

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
644KB

MD5
11e0853d537d2721ecc655c1fc527e91

SHA1
c8e23d103e93073ba7c93374878ae9a9f926c944

SHA256
f168cda7cfa0f4f1d8dc26f615772410afe41b43fbc3da3cfe2c249b1eadca30

SHA512
3e5af85789e480d355053e9ded02108ae53136aec795d5d37faf1d5426275f7f3729e5583b0a95b3434d5b4452c7382405c0f8bc94e8a65275335c62268e0ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a592C.bat

Filesize
620B

MD5
1faa49cec3c6522f46948c5efb02dab0

SHA1
00d2f3a57c387905931850d65573cfe4b1a801f2

SHA256
4588d71f26045231a65523e8c9762d9cad0090c8e13bee9ca4f976c191ad6bca

SHA512
1c62badc8aee05da663c4cd3898f364a91eef3216639cc57e01d6d07d5bd886f00a9b156a3be4dc48616aef1e02f980d34fdfeda2b65b2c6c9d514065901ded0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ce35c36903ad6e372ab53011e3b8820_NeikiAnalytics.exe.exe

Filesize
413KB

MD5
61f00cd504821ba3727f40ba91c0aa38

SHA1
1923a6331cf73dde5af1cb5573f35d9cce3a86b6

SHA256
7d317c9d43001251d8ba8ad9c81d2959e8a8030927ff3b7ed6a3b91840409552

SHA512
f1efd9094f5a6a14e19b2e418605c65be4fc0505e231072503786caefb42651ff9df2d3504c7bb84373097cc25651e495be85003ae45e81bd5e0ce22bb489935

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
a20cdac89a48ae7a0f01bd4686d6cd5f

SHA1
df10d5972a5960f8f318e76140a3a2797a62fd3e

SHA256
5fc2bdd002b6e88ab0ad4cd67d58daa3c9e2a58df0ad9579d540f6e2320f8c89

SHA512
0c2227986fc0fab88c8dcd796f8cc235f8c155c99af38c5210448657d4dfafa387eb4747e118d89baa7cbaa0eb74ad30bebcb1e04fafbe64ef11920358691797

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3571316656-3665257725-2415531812-1000\_desktop.ini

Filesize
8B

MD5
378d822ce12583d0d584184af22d1d77

SHA1
c062ac770b028df6db676099e02f09fc2f77b171

SHA256
1ad01f8e46c86dfa34468e306eabe54b58d56134130b53ea7677961e3baaf6c7

SHA512
23cf7b916de734c6bb6fd3b2beee21f3e82bc95e93d8662dca818d7cf13602706f22671dce61388b2a7e0b613c07c70512331c4132759b16cf438cb1750bc397

Download Submit
memory/1620-15-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/1620-19-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/2648-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2648-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3076-20-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3076-2692-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3076-10-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3076-8710-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download