Malware Analysis Report

2024-09-23 05:09

Sample ID 240613-c685lavfrk
Target 57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe
SHA256 93377ae35e5bff6cff064a7a262a98b28cf8ff2e87aaf87e3db2dd418df2c30f
Tags
ransomware
score
6/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
6/10

SHA256

93377ae35e5bff6cff064a7a262a98b28cf8ff2e87aaf87e3db2dd418df2c30f

Threat Level: Shows suspicious behavior

The file 57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe was found to show suspicious behavior.

Malicious Activity Summary

ransomware

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Unsigned PE

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-13 02:42

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 02:42

Reported

2024-06-13 02:45

Platform

win7-20240508-en

Max time kernel

140s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe"

Signatures

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg" C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.cab C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.cab C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.cab C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.cab C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.cab C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\OFFICE14\RCX1369.tmp C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File created C:\Program Files\Google\Chrome\Application\chrome.cab C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File created C:\Program Files\7-Zip\7zFM.cab C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\RCX13AC.tmp C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\RCX13C4.tmp C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.cab C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File created C:\Program Files\Google\Chrome\Application\chrome.exe C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.cab C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\mip.cab C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.cab C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File created C:\Program Files\DVD Maker\DVDMaker.cab C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\RCX13C3.tmp C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\7-Zip\RCX12B6.tmp C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\RCX1464.tmp C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.cab C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.cab C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\RCX1433.tmp C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\RCX13C1.tmp C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\OFFICE14\RCX1368.tmp C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome.cab C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\RCX1432.tmp C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\7-Zip\RCX1308.tmp C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.cab C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.cab C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File created C:\Program Files\7-Zip\7z.cab C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.cab C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File created C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\RCX1463.tmp C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File created C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\7-Zip\RCX1306.tmp C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\7-Zip\RCX1319.tmp C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\RCX13C0.tmp C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File created C:\Program Files\readme.1xt C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\RCX13AB.tmp C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.cab C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\RCX1465.tmp C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.cab C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File created C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\RCX13BE.tmp C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.cab C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File created C:\Program Files\DVD Maker\DVDMaker.exe C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\RCX13AA.tmp C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\mip.cab C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\DVD Maker\DVDMaker.cab C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\RCX1399.tmp C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\RCX13BF.tmp C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\windows\readme.1xt C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File created C:\windows\WallPapers.jpg C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Desktop\General C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Desktop\General\WallpaperSource = "C:\\windows\\WallPapers.jpg" C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 348 -s 960

Network

N/A

Files

memory/348-0-0x0000000000400000-0x0000000000481000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg

C:\Program Files\7-Zip\7z.cab

C:\Program Files\7-Zip\7z.exe

C:\Program Files\7-Zip\7zFM.cab

C:\Program Files\Common Files\Microsoft Shared\OFFICE14\RCX1368.tmp

C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.cab

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.cab

C:\Program Files\Google\Chrome\Application\chrome_proxy.cab

C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.cab

memory/348-221-0x0000000000400000-0x0000000000481000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 02:42

Reported

2024-06-13 02:45

Platform

win10v2004-20240611-en

Max time kernel

92s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe"

Signatures

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\Desktop\Wallpaper = "C:\\windows\\WallPapers.jpg" C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.cab C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File created C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\7-Zip\RCX3FBC.tmp C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\7-Zip\RCX3F9C.tmp C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\7-Zip\RCX3FBD.tmp C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\7-Zip\RCX3F6A.tmp C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\7-Zip\RCX3F9B.tmp C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.cab C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File created C:\Program Files\readme.1xt C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File created C:\Program Files\7-Zip\7z.cab C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\7-Zip\RCX3F7B.tmp C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.cab C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.cab C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\RCX3FFD.tmp C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\RCX400D.tmp C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File created C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File created C:\Program Files\7-Zip\7zFM.cab C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\windows\readme.1xt C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
File created C:\windows\WallPapers.jpg C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\WallpaperSource = "C:\\windows\\WallPapers.jpg" C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Internet Explorer\Desktop\General C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\57f68279ca6180f35866c1a81d66f450_NeikiAnalytics.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1832 -ip 1832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 720

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/1832-0-0x0000000000400000-0x0000000000481000-memory.dmp

C:\Program Files\7-Zip\7z.cab

C:\Program Files\7-Zip\7z.exe

C:\Program Files\7-Zip\7zFM.exe

C:\Program Files\7-Zip\7zFM.cab

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.cab

memory/1832-67-0x0000000000400000-0x0000000000481000-memory.dmp