neshta | 35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578

General

Target

35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
Size

160KB
MD5

23b8a501e32a71fa0fd3b293a33f4c80
SHA1

bd84241c2533e409ad516852417cba67a288969d
SHA256

35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578
SHA512

150b81f0359141da4265c0eac1496968ea830f4c949528cde9105a910b19ee3544439c82660cd87b929e348caee73f36b6b188a1dcb871d5cf0f5ed328228e2b
SSDEEP

3072:sr85CgmTlEpFNQ48BOLhO/DMZJxwpDQ48BOLhO/DMZJxwp6:k9gmGpFNQ7wLhOAZJ2Q7wLhOAZJP

Score

10^/10

neshta phorphiex evasion loader persistence spyware stealer trojan worm

Malware Config

Extracted

Family

phorphiex

C2

http://185.215.113.66/

http://77.91.77.92/

http://91.202.233.141/

Wallets

0xAa3ea4838e8E3F6a1922c6B67E3cD6efD1ff175b

THRUoPK7oYqF7YyKZJvPYwTH35JsPZVPto

1Hw9tx4KyTq4oRoLVhPb4hjDJcLhEa4Tn6

qr89hag2967ef604ud3lw4pq8hmn69n46czwdnx3ut

XtxFdsKkRN3oVDXtN2ipcHeNi87basT2sL

LXMNcn9D8FQKzGNLjdSyR9dEM8Rsh9NzyX

rwn7tb5KQjXEjH42GgdHWHec5PPhVgqhSH

ARML6g7zynrwUHJbFJCCzMPiysUFXYBGgQ

48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg

3PL7YCa4akNYzuScqQwiSbtTP9q9E9PLreC

3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3

D9AJWrbYsidS9rAU146ifLRu1fzX9oQYSH

t1gvVWHnjbGTsoWXEyoTFojc2GqEzBgvbEn

bnb1cgttf7t5hu7ud3c436ufhcmy59qnkd09adqczd

bc1q0fusmmgycnhsd5cadsuz2hk8d4maausjfjypqg

bitcoincash:qr89hag2967ef604ud3lw4pq8hmn69n46czwdnx3ut

GAUCC7ZBSU2KJMHXOZD6AP5LOBGKNDPCDNRYP2CO2ACR63YCSUBNT5QE

0xAa3ea4838e8E3F6a1922c6B67E3cD6efD1ff175b

THRUoPK7oYqF7YyKZJvPYwTH35JsPZVPto

1Hw9tx4KyTq4oRoLVhPb4hjDJcLhEa4Tn6

Attributes

mutex
x99x998x7x
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36

Signatures

Detect Neshta payload 4 IoCs

Processes:

resource	yara_rule
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	family_neshta
behavioral2/memory/4704-106-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4704-119-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4704-128-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

sysmablsvr.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" sysmablsvr.exe
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	sysmablsvr.exe

Phorphiex payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3582-490\35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe	family_phorphiex
C:\Users\Admin\WINXSD~1.EXE	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\1051725183.exe	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exesysmablsvr.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe

Executes dropped EXE 4 IoCs

Processes:

35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe1051725183.exesysmablsvr.exe333172204.exe

pid process

976 35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
684 1051725183.exe
4028 sysmablsvr.exe
4384 333172204.exe

pid	process
976	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
684	1051725183.exe
4028	sysmablsvr.exe
4384	333172204.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sysmablsvr.exe35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe1051725183.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\winxsdrvcsa.exe"	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysmablsvr.exe"	1051725183.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\winxsdrvcsa.exe"	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

Processes:

35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MI391D~1.EXE	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13187~1.41\MICROS~1.EXE	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MIA062~1.EXE	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~2.EXE	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe

Drops file in Windows directory 5 IoCs

Processes:

35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe1051725183.exe35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\winxsdrvcsa.exe	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File opened for modification	C:\Windows\winxsdrvcsa.exe	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
File created	C:\Windows\sysmablsvr.exe	1051725183.exe
File opened for modification	C:\Windows\sysmablsvr.exe	1051725183.exe
File opened for modification	C:\Windows\svchost.com	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

sysmablsvr.exe

pid process

4028 sysmablsvr.exe

pid	process
4028	sysmablsvr.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe1051725183.exesysmablsvr.exe

description	pid	process	target process
PID 4704 wrote to memory of 976	4704	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
PID 4704 wrote to memory of 976	4704	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
PID 4704 wrote to memory of 976	4704	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
PID 976 wrote to memory of 684	976	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe	1051725183.exe
PID 976 wrote to memory of 684	976	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe	1051725183.exe
PID 976 wrote to memory of 684	976	35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe	1051725183.exe
PID 684 wrote to memory of 4028	684	1051725183.exe	sysmablsvr.exe
PID 684 wrote to memory of 4028	684	1051725183.exe	sysmablsvr.exe
PID 684 wrote to memory of 4028	684	1051725183.exe	sysmablsvr.exe
PID 4028 wrote to memory of 4384	4028	sysmablsvr.exe	333172204.exe
PID 4028 wrote to memory of 4384	4028	sysmablsvr.exe	333172204.exe
PID 4028 wrote to memory of 4384	4028	sysmablsvr.exe	333172204.exe

C:\Users\Admin\AppData\Local\Temp\35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4704
- C:\Users\Admin\AppData\Local\Temp\3582-490\35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe"
  2⤵
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:976
- - C:\Users\Admin\AppData\Local\Temp\1051725183.exe
    C:\Users\Admin\AppData\Local\Temp\1051725183.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:684
  - - C:\Windows\sysmablsvr.exe
      C:\Windows\sysmablsvr.exe
      4⤵
      Modifies security service
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: SetClipboardViewer
      Suspicious use of WriteProcessMemory
      PID:4028
    - - C:\Users\Admin\AppData\Local\Temp\333172204.exe
        
        C:\Users\Admin\AppData\Local\Temp\333172204.exe
        5⤵
        Executes dropped EXE
        
        PID:4384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

Filesize
86KB

MD5
3b73078a714bf61d1c19ebc3afc0e454

SHA1
9abeabd74613a2f533e2244c9ee6f967188e4e7e

SHA256
ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

SHA512
75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1051725183.exe

Filesize
88KB

MD5
ababca6d12d96e8dd2f1d7114b406fae

SHA1
dcd9798e83ec688aacb3de8911492a232cb41a32

SHA256
a992920e64a64763f3dd8c2a431a0f5e56e5b3782a1496de92bc80ee71cca5ba

SHA512
b7fc70c176bdc74cf68b14e694f3e53142e64d39bd6d3e0f2e3a74ce3178ea606f92f760d21db69d72ae6677545a47c7bf390fb65cd5247a48e239f6ae8f7b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\251932052.exe

Filesize
86KB

MD5
fe1e93f12cca3f7c0c897ef2084e1778

SHA1
fb588491ddad8b24ea555a6a2727e76cec1fade3

SHA256
2ebc4a92f4fdc27d4ab56e57058575a8b18adb076cbd30feea2ecdc8b7fcd41f

SHA512
36e0524c465187ae9ad207c724aee45bcd61cfd3fa66a79f9434d24fcbadc0a743834d5e808e6041f3bd88e75deb5afd34193574f005ed97e4b17c6b0388cb93

Download Submit
C:\Users\Admin\AppData\Local\Temp\333172204.exe

Filesize
88KB

MD5
cf68718b0d7b63adceae3480c7e525f5

SHA1
acd48e3e03bbf71f254eb9387b0646c8e438881c

SHA256
c2515acb1648a8707d7ce693c41bac24eba62ff268f44da59eb0f7ee61728685

SHA512
ec616e40cc35a7a9f740cda0390d55ee3cf852c759f0b1fcc483ecb79860d4d269735fffe93b665fdb2ba6ad5438b9d909d1802f357ae0b6501a77a119a5699f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\35967cb42a74583690cf3dde02d74b96aa148d7109561359eb4038c3f6d9d578_NeikiAnalytics.exe

Filesize
120KB

MD5
03536cb1d6d54c079b663719ed9880a8

SHA1
d1e7a067aaf1f4ec9d9d6695b138c58e9b8054d6

SHA256
5086a3ba38e6be64bda6d35562860927f465352b835568fa0ec3cddde4ba8c32

SHA512
e6ddcd9e72fc64b9d174dca04e6d5de57f18edb688c54bc323956fa8eea68d08dba2a82300ed4e47b3636c6717fe6b9478be3424822070760479b0f0fb2b7ac1

Download Submit
C:\Users\Admin\WINXSD~1.EXE

Filesize
160KB

MD5
b0ad34995ef4ffa1457732a882962d0f

SHA1
c1bef6f0cb04bb1e027bba18b1cd657e2ac5dd5e

SHA256
fca97d762dabb754532c86390575b6d37142d3899224a74cd6b1df71681e4e07

SHA512
fbbc702c1ce9c07728b5ebb257b5d779b5e75a69cda50460573429ec4ee9cc31757669e32e780323a6de5f214165ee9f43fccb598371337b6ad99828187cd14e

Download Submit
memory/4704-106-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4704-119-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4704-128-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads