Analysis
-
max time kernel
144s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64 arch:x86 image:win7-20240220-en locale:en-us os:windows7-x64 system -
submitted
20-06-2024 01:57
Behavioral task
behavioral1
Sample
26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
-
Size
4.7MB
-
MD5
4b01cd538281d558b44084e00fc8d0f0
-
SHA1
4b56243284609cfc15d1665793afa44427dd7143
-
SHA256
26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38
-
SHA512
0da3753f66754668cf8b345f2fb9106667012b7a9b9acfa7c1c32c1e594eaa8178041073cc9743682dbed57c055aa8b5631ee73e1e7fe6bdeb277ab1e3bbb115
-
SSDEEP
49152:6Hyjtk2MYC5GDXHyjtk2MYC5GDb7inIOY/BoiU2oyNiAbnblJwSinj+BxpEiixfw:6mtk2a2mtk2a5TF0LDjwSkgxeXvRnOn9
Malware Config
Signatures
-
Detect Neshta payload 29 IoCs
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\3582-490\26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe | family_neshta
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe | family_neshta
\Users\Admin\AppData\Local\Temp\._cache_26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe | family_neshta
C:\Windows\svchost.com | family_neshta
behavioral1/memory/2584-60-0x0000000000400000-0x00000000008BA000-memory.dmp | family_neshta
behavioral1/memory/2556-74-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2180-104-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/3000-140-0x0000000000400000-0x00000000008BA000-memory.dmp | family_neshta
behavioral1/memory/532-136-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2480-133-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2468-110-0x0000000000400000-0x00000000008BA000-memory.dmp | family_neshta
behavioral1/memory/2628-90-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE | family_neshta
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe | family_neshta
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe | family_neshta
behavioral1/memory/2964-149-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/884-167-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2992-170-0x0000000000400000-0x00000000008BA000-memory.dmp | family_neshta
behavioral1/memory/2708-244-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2528-250-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/568-251-0x0000000000400000-0x00000000008BA000-memory.dmp | family_neshta
behavioral1/memory/1096-270-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/108-276-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2536-288-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2920-287-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2536-290-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2920-289-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2920-293-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2536-295-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
-
Neshta
Malware from the Neshta family infects other executable files in order to spread and cause damage.
-
Executes dropped EXE 31 IoCs
Processes:
pid | process
2584 | 26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
2536 | ._cache_26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
2556 | svchost.com
2412 | _CACHE~1.EXE
2468 | Synaptics.exe
2628 | ._cache_Synaptics.exe
1892 | ._cache__CACHE~1.EXE
2180 | svchost.com
1612 | _CACHE~2.EXE
852 | ._cache__CACHE~2.EXE
3000 | Synaptics.exe
2480 | ._cache_Synaptics.exe
532 | svchost.com
764 | _CACHE~2.EXE
2728 | ._cache__CACHE~2.EXE
2992 | Synaptics.exe
2964 | ._cache_Synaptics.exe
884 | svchost.com
996 | _CACHE~2.EXE
568 | Synaptics.exe
2816 | ._cache__CACHE~2.EXE
2708 | ._cache_Synaptics.exe
2528 | svchost.com
2404 | _CACHE~2.EXE
2448 | ._cache__CACHE~2.EXE
2424 | Synaptics.exe
1096 | ._cache_Synaptics.exe
108 | svchost.com
2548 | _CACHE~2.EXE
1360 | ._cache__CACHE~2.EXE
476 | Synaptics.exe
-
Loads dropped DLL 64 IoCs
Processes:
pid | process (consecutive identical entries collapsed, count shown as ×N)
2920 | 26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe | ×2
2584 | 26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe | ×3
2556 | svchost.com | ×2
2584 | 26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe | ×2
2468 | Synaptics.exe | ×3
2412 | _CACHE~1.EXE | ×2
2180 | svchost.com | ×2
1612 | _CACHE~2.EXE | ×3
3000 | Synaptics.exe | ×4
532 | svchost.com | ×2
764 | _CACHE~2.EXE | ×4
2992 | Synaptics.exe | ×4
884 | svchost.com | ×2
2920 | 26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe | ×1
996 | _CACHE~2.EXE | ×4
568 | Synaptics.exe | ×1
2920 | 26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe | ×1
2536 | ._cache_26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe | ×2
2920 | 26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe | ×1
568 | Synaptics.exe | ×3
2528 | svchost.com | ×2
2404 | _CACHE~2.EXE | ×5
2424 | Synaptics.exe | ×4
108 | svchost.com | ×2
2548 | _CACHE~2.EXE | ×3
-
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
-
Adds Run key to start application 2 TTPs 6 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | 26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | _CACHE~2.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | _CACHE~2.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | _CACHE~2.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | _CACHE~2.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | _CACHE~2.EXE
-
Drops file in Program Files directory 64 IoCs
Processes:
description | ioc | process
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe | 26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmlaunch.exe | 26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe | ._cache_26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE | ._cache_26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE | 26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | 26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe | ._cache_26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | ._cache_26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | 26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\OIS.EXE | ._cache_26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\WMPDMC.exe | 26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE | 26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE | ._cache_26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmpshare.exe | ._cache_26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE | ._cache_26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmplayer.exe | 26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\misc.exe | ._cache_26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE | ._cache_26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE | ._cache_26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmprph.exe | 26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | ._cache_26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE | 26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE | 26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE | 26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE | ._cache_26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | 26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE | 26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | 26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe | ._cache_26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE | ._cache_26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE | 26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE | ._cache_26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE | ._cache_26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | 26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\misc.exe | 26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE | 26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmprph.exe | ._cache_26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | 26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE | ._cache_26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE | 26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | 26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE | ._cache_26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE | ._cache_26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | 26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\WINDOW~1\wabmig.exe | 26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\ImagingDevices.exe | ._cache_26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe | 26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE | 26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE | ._cache_26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | ._cache_26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe | 26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE | 26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE | ._cache_26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE | ._cache_26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe | ._cache_26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\WINDOW~1\wab.exe | 26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE | 26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe | ._cache_26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE | 26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe | ._cache_26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE | ._cache_26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE | 26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE | ._cache_26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE | ._cache_26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
-
Drops file in Windows directory 24 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | ._cache_Synaptics.exe
File opened for modification | C:\Windows\directx.sys | ._cache_Synaptics.exe
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | ._cache_Synaptics.exe
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | ._cache_Synaptics.exe
File opened for modification | C:\Windows\svchost.com | 26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | ._cache_Synaptics.exe
File opened for modification | C:\Windows\directx.sys | ._cache_Synaptics.exe
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | ._cache_26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
File opened for modification | C:\Windows\directx.sys | ._cache_Synaptics.exe
File opened for modification | C:\Windows\svchost.com | ._cache_Synaptics.exe
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | ._cache_Synaptics.exe
File opened for modification | C:\Windows\svchost.com | ._cache_Synaptics.exe
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
1612 | _CACHE~2.EXE (64 identical entries)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeSystemProfilePrivilege | 1612 | _CACHE~2.EXE (64 identical entries)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process (each row recorded 4 times consecutively)
PID 2920 wrote to memory of 2584 | 2920 | 26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe | 26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
PID 2584 wrote to memory of 2536 | 2584 | 26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe | ._cache_26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
PID 2536 wrote to memory of 2556 | 2536 | ._cache_26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe | svchost.com
PID 2556 wrote to memory of 2412 | 2556 | svchost.com | _CACHE~1.EXE
PID 2584 wrote to memory of 2468 | 2584 | 26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe | Synaptics.exe
PID 2468 wrote to memory of 2628 | 2468 | Synaptics.exe | ._cache_Synaptics.exe
PID 2412 wrote to memory of 1892 | 2412 | _CACHE~1.EXE | ._cache__CACHE~1.EXE
PID 2628 wrote to memory of 2180 | 2628 | ._cache_Synaptics.exe | svchost.com
PID 2180 wrote to memory of 1612 | 2180 | svchost.com | _CACHE~2.EXE
PID 1612 wrote to memory of 852 | 1612 | _CACHE~2.EXE | ._cache__CACHE~2.EXE
PID 1612 wrote to memory of 3000 | 1612 | _CACHE~2.EXE | Synaptics.exe
PID 3000 wrote to memory of 2480 | 3000 | Synaptics.exe | ._cache_Synaptics.exe
PID 2480 wrote to memory of 532 | 2480 | ._cache_Synaptics.exe | svchost.com
PID 532 wrote to memory of 764 | 532 | svchost.com | _CACHE~2.EXE
PID 764 wrote to memory of 2728 | 764 | _CACHE~2.EXE | ._cache__CACHE~2.EXE
PID 764 wrote to memory of 2992 | 764 | _CACHE~2.EXE | Synaptics.exe
Processes
-
Process (level 1): C:\Users\Admin\AppData\Local\Temp\26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe"
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
Process (level 2): C:\Users\Admin\AppData\Local\Temp\3582-490\26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe"
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
Process (level 3): C:\Users\Admin\AppData\Local\Temp\._cache_26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
Process (level 4): C:\Windows\svchost.com
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
Process (level 5): C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
Process (level 6): C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
Command line: "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
- Executes dropped EXE
-
Process (level 3): C:\ProgramData\Synaptics\Synaptics.exe
Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
Process (level 4): C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
Process (level 5): C:\Windows\svchost.com
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
Process (level 6): C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Process (level 7): C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
Command line: "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
- Executes dropped EXE
-
Process (level 7): C:\ProgramData\Synaptics\Synaptics.exe
Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
Process (level 8): C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
Process (level 9): C:\Windows\svchost.com
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
Process (level 10): C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
Process (level 11): C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
Command line: "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
- Executes dropped EXE
-
Process (level 11): C:\ProgramData\Synaptics\Synaptics.exe
Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
- Executes dropped EXE
- Loads dropped DLL
-
Process (level 12): C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
- Executes dropped EXE
- Drops file in Windows directory
-
Process (level 13): C:\Windows\svchost.com
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
-
Process (level 14): C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
Process (level 15): C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
Command line: "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
- Executes dropped EXE
-
Process (level 15): C:\ProgramData\Synaptics\Synaptics.exe
Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
- Executes dropped EXE
- Loads dropped DLL
-
Process (level 16): C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
- Executes dropped EXE
- Drops file in Windows directory
-
Process (level 17): C:\Windows\svchost.com
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
-
Process (level 18): C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
Process (level 19): C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
Command line: "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
- Executes dropped EXE
-
Process (level 19): C:\ProgramData\Synaptics\Synaptics.exe
Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
- Executes dropped EXE
- Loads dropped DLL
-
Process (level 20): C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
- Executes dropped EXE
- Drops file in Windows directory
-
Process (level 21): C:\Windows\svchost.com
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
-
Process (level 22): C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
Process (level 23): C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
Command line: "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
- Executes dropped EXE
-
Process (level 23): C:\ProgramData\Synaptics\Synaptics.exe
Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
- Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Event Triggered Execution (1): Change Default File Association (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
-
C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE
Filesize 859KB
MD5 02ee6a3424782531461fb2f10713d3c1
SHA1 b581a2c365d93ebb629e8363fd9f69afc673123f
SHA256 ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc
SHA512 6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec
-
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe
Filesize 547KB
MD5 cf6c595d3e5e9667667af096762fd9c4
SHA1 9bb44da8d7f6457099cb56e4f7d1026963dce7ce
SHA256 593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d
SHA512 ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80
-
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe
Filesize 186KB
MD5 58b58875a50a0d8b5e7be7d6ac685164
SHA1 1e0b89c1b2585c76e758e9141b846ed4477b0662
SHA256 2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae
SHA512 d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b
-
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe
Filesize 1.1MB
MD5 566ed4f62fdc96f175afedd811fa0370
SHA1 d4b47adc40e0d5a9391d3f6f2942d1889dd2a451
SHA256 e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460
SHA512 cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7
-
C:\ProgramData\Synaptics\RCX451B.tmp
Filesize 1.1MB
MD5 571276888422ac851dcca297232ad8c9
SHA1 73f5418c8e5ceb2aee6a7757eaca9553c4d1eb4a
SHA256 a847847a4cb7906241e58832e544b66bdfa0adae2f2c5d50ce52c2f3c47a946f
SHA512 5e5760071728cea1954b118b70772542d52c79866a6819175dd93b6d6c4d978125cd6d993b5023e4c39430df8b9700cd85abd932ac2f7b0c2768bf2a0177c6f2
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
Filesize 2.5MB
MD5 3168a31552404661098af0156860f0c0
SHA1 9c10beb703314d0c8843ba7a3c988f793d55e422
SHA256 2a0546c07c3831073b3b1b83866c63150d56638358e20d8a5247417de1efa4ff
SHA512 3a3c93f4ccf441c7b86d2aae33ba636c975fb38ce14c62653f2c4606312a1259aba21d11a44ad5164d36fbc6ad136e12f9158971c26866568582111b95a98f6c
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
Filesize 3.6MB
MD5 d3d55a4e2c3a6576b369cf9830501d58
SHA1 904ab1d3b592970762939ca44959ba19ac867f8a
SHA256 3ab5a17ac7f98dfe6cd0eadf0f30539fac1c42748f84cfdb40aa01b284869dd0
SHA512 a9d39b7020a5c4f97315dcb8e92c53b49782bf95817e5307ac1826e80ff4960537a1f176d7351468fab83bf43a9b6b72d047f361a3900d7095eb9b9341c30ea6
-
C:\Windows\directx.sys
Filesize 57B
MD5 6b3bfceb3942a9508a2148acbee89007
SHA1 3622ac7466cc40f50515eb6fcdc15d1f34ad3be3
SHA256 e0a7bae2a9ac263cff5d725922e40272d8854278d901233a93a5267859c00a3c
SHA512 fa222bfcade636824af32124b45450c92b1abec7a33e6e647a9248eef5371c127d22ccb7cc5a096b4d5d52e2457f3841293a1b34304e8e5523549856ac02f224
-
C:\Windows\svchost.com
Filesize 40KB
MD5 2ff724ca136d4a831421dfd891e167c6
SHA1 5416f8de17ae4a8d9ea2e2d4570c5dd9ba7e5eb8
SHA256 ff787f8231bb6f6a30eb61f46d56920e742ae22dd047622f8fbe6266d8bb864d
SHA512 5ad202eb3222b9a95695ee1ffcebdaa3cd7235dbc8a1bf845e560736f514d9d7c92bc509c7089f53ff391bcd1d053050ccf0d889102a2b53b373d211dfbd9dc0
-
\??\PIPE\srvsvc
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Local\Temp\._cache_26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
Filesize 3.6MB
MD5 d9d56796c0b48436ac49221c071eee3d
SHA1 672b3d260717645fce52c960d29f13e7576d162f
SHA256 9ac4e811d439ed123fdf97c4cfae4b3fd2f26d71443f499e3bab35869f6d1cba
SHA512 b8f0d838904d819a9571c54a7a01ad3f4a44d2395bf7539a2ce3b04c572e108b147c2c871fde3f7794e86b6dcb595dee95957843932281003ee9f64f379eabdc
-
\Users\Admin\AppData\Local\Temp\3582-490\26657dbd84cc9ce2da1c39064ecefde4a417a5e7fe53e32173fdd2bbf2edcc38_NeikiAnalytics.exe
Filesize 4.7MB
MD5 7155b4d6b0d32bc4d8ad1493e4095786
SHA1 88968227197f2d9bd0e629c8d3b95cd5bb8fc3f9
SHA256 449b020b762a435f758a2c7f9abce5abf9c2ccce055134820badcd509599b797
SHA512 b9bae19c305812ab3aabb63efef6140fd647c6bac51a8b96e43ddececd67067a787bf22a1d8eb7befc13c24e7c4825b0dfbc4499d8b9f0f5a82e529da0450a51
-
memory/108-276-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/476-329-0x0000000000400000-0x000000000051D000-memory.dmp
Filesize 1.1MB
-
memory/476-291-0x0000000000400000-0x000000000051D000-memory.dmp
Filesize 1.1MB
-
memory/532-136-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/568-251-0x0000000000400000-0x00000000008BA000-memory.dmp
Filesize 4.7MB
-
memory/764-145-0x0000000000400000-0x0000000000799000-memory.dmp
Filesize 3.6MB
-
memory/884-167-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/996-171-0x0000000000400000-0x0000000000799000-memory.dmp
Filesize 3.6MB
-
memory/1096-270-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/1612-114-0x0000000000400000-0x0000000000799000-memory.dmp
Filesize 3.6MB
-
memory/1892-146-0x00000000044F0000-0x000000000453C000-memory.dmp
Filesize 304KB
-
memory/1892-142-0x0000000000880000-0x0000000000B04000-memory.dmp
Filesize 2.5MB
-
memory/2180-104-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/2404-266-0x0000000000400000-0x0000000000799000-memory.dmp
Filesize 3.6MB
-
memory/2412-83-0x0000000000400000-0x0000000000799000-memory.dmp
Filesize 3.6MB
-
memory/2424-277-0x0000000000400000-0x0000000000799000-memory.dmp
Filesize 3.6MB
-
memory/2468-110-0x0000000000400000-0x00000000008BA000-memory.dmp
Filesize 4.7MB
-
memory/2480-133-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/2528-250-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/2536-290-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/2536-295-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/2536-288-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/2548-286-0x0000000000400000-0x0000000000799000-memory.dmp
Filesize 3.6MB
-
memory/2556-74-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/2584-60-0x0000000000400000-0x00000000008BA000-memory.dmp
Filesize 4.7MB
-
memory/2584-12-0x0000000000220000-0x0000000000221000-memory.dmp
Filesize 4KB
-
memory/2628-90-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/2708-244-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/2728-143-0x0000000000560000-0x0000000000566000-memory.dmp
Filesize 24KB
-
memory/2728-141-0x0000000000E60000-0x00000000010E4000-memory.dmp
Filesize 2.5MB
-
memory/2920-289-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/2920-287-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/2920-293-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/2964-149-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/2992-170-0x0000000000400000-0x00000000008BA000-memory.dmp
Filesize 4.7MB
-
memory/3000-140-0x0000000000400000-0x00000000008BA000-memory.dmp
Filesize 4.7MB