99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 18:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
Size

587KB
MD5

cf31c96249df4f9d0b8fb251bf0a4200
SHA1

93ab8260cfed1d465a4ade310d8744d822414a8e
SHA256

99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5
SHA512

446f28011ebb00d38527f258febbda33272931d49a8f50459c90019dfe6e69106c1209381f1f3c7c8d7072657906fa0a28d39e1025244a389985ef0aaa1fc668
SSDEEP

6144:vwynAtMrOVRkidy9yIGWlUiPx4O8b8ITDnlznZhJQ5boeDtnx4bYE:vwKfOVRo9yRYX4O8b8ITDnlTO5bohsE

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OneDriveSetupOneDrive = "C:\\Users\\Admin\\AppData\\Local\\Temp\\99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe"	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\MicrosoftOneDriveSetup26962 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe"	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\RCX418C.tmp	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\ntdll.dll.dll	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\MicrosoftSystem.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\MicrosoftSystem.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe

Drops file in Program Files directory 41 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\TabTip32Sistema.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prcrplugin19.8.20071.303822.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\RCX87D9.tmp	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\AcrobatAdobe19.10.20064.310990.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX92BA.tmp	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodAdobe.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WindowsVulkan.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{28C8484C-303E-4CB2-A704-E3FF47E10F7C}\Installerminiinstaller.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\RCX7296.tmp	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\RCX7D78.tmp	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\RCX6081.tmp	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\RCX7362.tmp	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\MicrosoftMicrosoft.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Runtimeccmeecc.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\RCX7CAB.tmp	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\OperatingMicrosoft10.0.19041.746.160101.0800.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UnicodeComponents.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\RCX697C.tmp	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfoSystem.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\InkObjDummy.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\RCX73F0.tmp	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCX8913.tmp	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\RCX8A3D.tmp	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AdobeAcrobat.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{28C8484C-303E-4CB2-A704-E3FF47E10F7C}\RCX5FE4.tmp	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\System\es-ES\WAB32resWindows.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\AcrobatAdobe.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Runtimeccmeecc.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\RCX69CB.tmp	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AdobeAdobe.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfoSystem.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WindowsVulkan.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Google\Update\Install\{28C8484C-303E-4CB2-A704-E3FF47E10F7C}\Installerminiinstaller.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\VisualTools.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\WindowsWindows.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCX9328.tmp	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX9B95.tmp	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\RCX5E9B.tmp	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\es-ES\RCX693C.tmp	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\RCX7D39.tmp	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UnicodeComponents.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..xthandler.resources_31bf3856ad364e35_10.0.19041.1_it-it_8cb23c6df4808b9b\operativoMicrosoft.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ckactions.resources_31bf3856ad364e35_10.0.19041.1_en-us_d0614ff964b434a8\MicrosoftSettingsHandlersQuickActions.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-syncsettings.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_5358e27702980c8d\SyncSettingsdexploitation.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\msil_microsoft.web.administration.resources_31bf3856ad364e35_10.0.19041.1_de-de_4d68a7cb2e65e735\resourcesMicrosoft.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-security-spp-installer_31bf3856ad364e35_10.0.19041.1_none_771c89027bfa68bd\WindowsMicrosoft.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_netfx35linq-microsoft.visualc.stlclr.ref_31bf3856ad364e35_10.0.19041.1_none_b5ec7e71b7fc6ae2\STLCLRVisualC9.00.30729.9625.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationBuildTasks.resources\v4.0_4.0.0.0_fr_31bf3856ad364e35\RCX8C06.tmp	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\IME\es-ES\operativoSpTip.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..optimization-cmdlet_31bf3856ad364e35_10.0.19041.1_none_684f47a118cf9499\MicrosoftWindows.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\fr\resourcesresources.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AXSLEfiles.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AXSLEfiles.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-mccs-syncres.resources_31bf3856ad364e35_10.0.19041.1_cs-cz_a0e6b272a7600631\Operacnsystm.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\msil_microsoft.virtualiz...settings.resources_31bf3856ad364e35_10.0.19041.1_es-es_b72d917b572e9b54\WindowsWindows.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..s-display.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_eaebdd74b822d4d8\MicrosoftSettingsHandlersDisplay.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..rk-msimtf.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_c4f853372cba12cd\WindowsWindows10.0.19041.1.160101.0800.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-desktopdispbroker_31bf3856ad364e35_10.0.19041.1266_none_718957bf95170700\DispBrokerOperating10.0.19041.1266.160101.0800.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-cdosys.resources_31bf3856ad364e35_10.0.19041.1_fi-fi_b5223a00568e734e\WindowsWindows6.6.19041.1.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..l-keyboard-00000843_31bf3856ad364e35_10.0.19041.1_none_9e19e633030014f3\MicrosoftOperating.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-compact_31bf3856ad364e35_10.0.19041.1_none_ba3af2a08950d1cb\MicrosoftWindows.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.AppV.AppVClientWmi.Resources\v4.0_10.0.0.0_ja_31bf3856ad364e35\RCX8B97.tmp	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\RCXD804.tmp	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-acledit_31bf3856ad364e35_10.0.19041.1_none_2827381e30503ebc\acleditMicrosoft.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..t-lookup-powershell_31bf3856ad364e35_10.0.19041.1_none_2b90387e98ff6682\WindowsMicrosoft.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..omerfeedbackmanager_31bf3856ad364e35_10.0.19041.844_none_c47fb20821633815\imecfmuiimecfmps.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d2d_31bf3856ad364e35_10.0.19041.1_none_67e29e9a2faf41a8\Systemd2d110.0.19041.1.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..cy-gptext.resources_31bf3856ad364e35_10.0.19041.1_de-de_d9e35635662e64cc\WindowsBetriebssystem.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..changjieds-binaries_31bf3856ad364e35_10.0.19041.746_none_22f5e946b6a0c359\OperatingMicrosoft.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Transactions.Bridge.Resources\3.0.0.0_it_b03f5f7f11d50a3a\RCX390F.tmp	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-windowsuiimmersive_31bf3856ad364e35_10.0.19041.264_none_0fb1740332ea9706\WINDOWSWindows.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..providers.resources_31bf3856ad364e35_10.0.19041.1_de-de_dd46d950d4425cf9\BetriebssystemMicrosoft.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sysdm.resources_31bf3856ad364e35_10.0.19041.1_es-es_ebf67393850788fb\operativoSistema.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationBuildTasks.resources\v4.0_4.0.0.0_fr_31bf3856ad364e35\resourcesPresentationBuildTasks.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\fr\RCX2781.tmp	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-i..on-server2003compat_31bf3856ad364e35_10.0.19041.1_none_236fea524cf00d42\OperatingWindows.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\WPF\en-US\PresentationHostDllMicrosoft.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..datautils.resources_31bf3856ad364e35_10.0.19041.1_it-it_de36483a392a7ae3\Sistemaoperativo.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\v4.0_10.0.0.0_de_31bf3856ad364e35\RCXD825.tmp	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Transactions.Bridge.Resources\3.0.0.0_it_b03f5f7f11d50a3a\Microsoftmicrosoft.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_10.0.19041.1_none_5d7644a9644fd29d\CTFMONMicrosoft.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..put-expressiveinput_31bf3856ad364e35_10.0.19041.746_none_4f6b86020d6fa14d\LibraryMicrosoft.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-r..sisengine.resources_31bf3856ad364e35_10.0.19041.1_es-es_0b568f65155ee721\RacEngnSistema.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-tpm-tasks.resources_31bf3856ad364e35_10.0.19041.1_it-it_40e1be5bf82a3b75\operativoWindows.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-e..orerframe.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_abec90e984f932ef\dexploitationdexploitation.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.153_none_c8fbed52dad932cb\systemresetMicrosoft.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..gon-tools.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_f5a6cd2c5f2cdd9c\WLRMNDRWindows.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands.Resources\v4.0_10.0.0.0_ja_31bf3856ad364e35\StartLayoutWindows.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_system.data.linq.resources_b77a5c561934e089_4.0.15805.0_de-de_358610dd33f6a276\LinqMicrosoft.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_system.data.common_b03f5f7f11d50a3a_4.0.15805.0_none_29e574b14c65ef0d\SystemMicrosoft.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\it-IT\MicrosoftFramework.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-quiethours.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_4a34f322069f98ee\MicrosoftWindows.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..t-service.resources_31bf3856ad364e35_10.0.19041.1_it-it_9ae043ce1c0bc05c\operativoWalletService.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-tasklist.resources_31bf3856ad364e35_10.0.19041.1_en-us_767dfbb1d31bba7f\tasklistOperating.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.DeveloperLicense.Commands.Resources\v4.0_10.0.0.0_en_31bf3856ad364e35\RCXD893.tmp	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\it\RCX26C5.tmp	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\it-IT\RCX6D26.tmp	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..server-provider-rll_31bf3856ad364e35_10.0.19041.1_none_1ae9045d25582451\Microsoftsqloledb.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-bcrypt-primitives-dll_31bf3856ad364e35_10.0.19041.1202_none_914650a100a16672\SystemMicrosoft.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-security-tokenbinding_31bf3856ad364e35_10.0.19041.546_none_656dc154fd482fff\WindowsMicrosoft.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\diagnostics\system\Printer\ja-JP\OperatingWindows10.0.19041.1.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-netbt.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_313b250ac8de0ade\Microsoftnetbtugc.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..onservice.resources_31bf3856ad364e35_10.0.19041.1_de-de_a4a7c3a916cf902b\BetriebssystemWindows.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-vssservice.resources_31bf3856ad364e35_10.0.19041.1_es-es_82f9286f0a72a5d0\operativoSistema.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
File created	C:\Windows\Boot\PCAT\zh-TW\bootmgrWindows.exe	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
3776	99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX92BA.tmp

Filesize
589KB

MD5
9c1a956335cae42acf727be8682367ae

SHA1
1b82cd9f4d0466d7278bff044aaa00dfb8a02fcc

SHA256
2145bddf193eebe4d8063f75692643bbde28d293c7830af020e714b61ce82049

SHA512
3b37afe50ee0f1cd3ed9f427c4a09db049bc0e462af6bdc3ba3021c9482a898d9331a5fc5d0481258768aeadfb0f282cd0f53d3bd5e1d7c7b1bfca40b8609cc9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Runtimeccmeecc.exe

Filesize
1.2MB

MD5
a98f8ef2909357fbfabea3e3bd74c864

SHA1
1d264714fd44ef6aecdfc1df185416230e8e1323

SHA256
3b7dc023caf96d66461f0c25a556a72ab60223d269c94c673bf401abe1217c3e

SHA512
fd8c9da788e131a61f5ad5887112ad100bc43bd5697bf542b1c1193680cfaf9c8fa76f7cc21820b17e4de46150591f1baefd4c08810c3e09a0261acf1a1fa378

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UnicodeComponents.exe

Filesize
589KB

MD5
d92db150914d2ff58f3dea8b152bbf49

SHA1
c229d4d2e266e26b2f8696366e997448718b442f

SHA256
0b39296d5476cb18e71177c237263a1ccf15e72c76c40628d9e12915bb4800e4

SHA512
14295f28ae4576b3e533645a8249543b016ee276174864edd663087b480010b3fb81067c50450ece3bec5b495df8288dc781f57ffb8becca44b3ed15461217bc

Download Submit
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\VisualTools.exe

Filesize
589KB

MD5
bbc32c2f1af4c413eefc7c8e911567b0

SHA1
067c26f996b12e0c008aaeaa9c5ee25130abe06b

SHA256
8fbe36575a832074ad8bf2111d791ebd5da697b83fb856ee42313aa29ae24843

SHA512
e2395e369701c73405747f39d8d911e11369d5a0de60cb60e1232c96d62aaf223b27fc8a362a4a05deb93f35f494fd81bc0c5e7c102170ab1b78d2711014044d

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WindowsVulkan.exe

Filesize
587KB

MD5
cf31c96249df4f9d0b8fb251bf0a4200

SHA1
93ab8260cfed1d465a4ade310d8744d822414a8e

SHA256
99a47999c39cae04170bd139caab90fe229292e4810e637018e1f1afd7a4d3b5

SHA512
446f28011ebb00d38527f258febbda33272931d49a8f50459c90019dfe6e69106c1209381f1f3c7c8d7072657906fa0a28d39e1025244a389985ef0aaa1fc668

Download Submit