4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f

Analysis

max time kernel
150s
max time network
138s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/06/2024, 09:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
Size

5.8MB
MD5

8b77da2070882098b43dc48252f0d950
SHA1

8894c2c3d96988fc4fd0ce13bae4b3fcb12a59e7
SHA256

4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f
SHA512

c926b9cfcad89fc7c595d6b372fa8709956c88762b7237718d93f624fa37229bfdc8ecb7351d627b721ae6b3f0def17fcdee817bacaa1c866d8a57214ed4f9fb
SSDEEP

49152:n8YBA4/kLYjAFjYtalkMyXh/ZMlqFxp73ooGBHI+ruP3A5GhOoT8NXadkMG1hdAl:8IA+pMqnhIHVruP3Ld81hCHC/zZzo

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2972	analys32microsoft.exe
1660	systemmsadcor.exe
756	infopathoffice.exe
1816	toolsmicrosoft9.0.30729.4130.exe

Loads dropped DLL 4 IoCs

pid	Process
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WindowsSystem = "c:\\program files (x86)\\common files\\system\\ado\\msado15system.exe"	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EngineOffice = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe"	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\EngineSource = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe"	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\msadcorSystem = "c:\\program files (x86)\\common files\\system\\msadc\\de-de\\systemmsadcor.exe"	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BCSSync = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\BCSSync.exe\" /DelayServices"	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicrosoftMicrosoft = "c:\\program files (x86)\\microsoft office\\office14\\infopathom\\infopathoffice.exe"	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\ANALYS32Microsoft = "c:\\program files (x86)\\microsoft office\\office14\\library\\analysis\\analys32microsoft.exe"	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OSPPREARMosppc = "c:\\program files (x86)\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppcextosppcext.exe"	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStudioTools9.0.30729.4130 = "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\appinfodocument\\microsoft.visualstudio.tools.office.appinfodocument\\toolsmicrosoft9.0.30729.4130.exe"	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ntdll.dll.dll	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\ntdll.dll.dll	analys32microsoft.exe
File created	C:\Windows\SysWOW64\ntdll.dll.dll	systemmsadcor.exe
File created	C:\Windows\SysWOW64\ntdll.dll.dll	infopathoffice.exe
File created	C:\Windows\SysWOW64\ntdll.dll.dll	toolsmicrosoft9.0.30729.4130.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\de-DE\RCX3958.tmp	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\System\ado\msado15System.exe	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\ToolsMicrosoft9.0.30729.4130.exe	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\RCX521A.tmp	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\RCX52B7.tmp	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\de-DE\Systemmsadcor.exe	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\de-DE\Systemmsadcor.exe	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Library\Analysis\ANALYS32Microsoft.exe	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Library\Analysis\RCX3AB2.tmp	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\RCX3A82.tmp	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\RCX51DB.tmp	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\osppcextosppcext.exe	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOffice.exe	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe

Checks processor information in registry 2 TTPs 15 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	systemmsadcor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	infopathoffice.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	toolsmicrosoft9.0.30729.4130.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	analys32microsoft.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	analys32microsoft.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	analys32microsoft.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	infopathoffice.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	systemmsadcor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	infopathoffice.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	toolsmicrosoft9.0.30729.4130.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	systemmsadcor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	toolsmicrosoft9.0.30729.4130.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2972	analys32microsoft.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
1660	systemmsadcor.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
756	infopathoffice.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
1816	toolsmicrosoft9.0.30729.4130.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2972	2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe	30
PID 2904 wrote to memory of 2972	2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe	30
PID 2904 wrote to memory of 2972	2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe	30
PID 2904 wrote to memory of 2972	2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe	30
PID 2904 wrote to memory of 1660	2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe	32
PID 2904 wrote to memory of 1660	2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe	32
PID 2904 wrote to memory of 1660	2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe	32
PID 2904 wrote to memory of 1660	2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe	32
PID 2904 wrote to memory of 756	2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe	34
PID 2904 wrote to memory of 756	2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe	34
PID 2904 wrote to memory of 756	2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe	34
PID 2904 wrote to memory of 756	2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe	34
PID 2904 wrote to memory of 1816	2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe	35
PID 2904 wrote to memory of 1816	2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe	35
PID 2904 wrote to memory of 1816	2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe	35
PID 2904 wrote to memory of 1816	2904	4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe	35

C:\Users\Admin\AppData\Local\Temp\4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2904
- \??\c:\program files (x86)\microsoft office\office14\library\analysis\analys32microsoft.exe
  "c:\program files (x86)\microsoft office\office14\library\analysis\analys32microsoft.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2972
- \??\c:\program files (x86)\common files\system\msadc\de-de\systemmsadcor.exe
  "c:\program files (x86)\common files\system\msadc\de-de\systemmsadcor.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1660
- \??\c:\program files (x86)\microsoft office\office14\infopathom\infopathoffice.exe
  "c:\program files (x86)\microsoft office\office14\infopathom\infopathoffice.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:756
- \??\c:\program files (x86)\common files\microsoft shared\vsta\appinfodocument\microsoft.visualstudio.tools.office.appinfodocument\toolsmicrosoft9.0.30729.4130.exe
  "c:\program files (x86)\common files\microsoft shared\vsta\appinfodocument\microsoft.visualstudio.tools.office.appinfodocument\toolsmicrosoft9.0.30729.4130.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\System\msadc\de-DE\Systemmsadcor.exe

Filesize
5.8MB

MD5
8b77da2070882098b43dc48252f0d950

SHA1
8894c2c3d96988fc4fd0ce13bae4b3fcb12a59e7

SHA256
4f68b6c252cb52afa6dcb184edb81739be2130ac7753d4997bc49aeb3cd7747f

SHA512
c926b9cfcad89fc7c595d6b372fa8709956c88762b7237718d93f624fa37229bfdc8ecb7351d627b721ae6b3f0def17fcdee817bacaa1c866d8a57214ed4f9fb

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\RCX521A.tmp

Filesize
5.8MB

MD5
8f6114754d6bd196938352f3c41260ae

SHA1
c88c4faf68ce360358ec5d8135ee05d3f9cfdf37

SHA256
d8862c88428be4b28dfefa58a15b741258669660299cf7d2d703d80aeffc3081

SHA512
fbb2d2f11b4f53ee512c4b16088a431f0d2004089f1255af2afbfa1ecc24e65c32c245dcaa02f483f13772f24fc8668c3b9bbcb7c9f7ebef5a45970863ff0875

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Library\Analysis\RCX3AB2.tmp

Filesize
5.8MB

MD5
6a9710c9eb1bd2eb7988a2cbfa4dc68b

SHA1
53bc89bc198fa4cee40c5cc61aa23fc9dbf5b3fb

SHA256
b913c4f11ddb1c9741d77ddb26758de6c80b78424a7b58760e4164815f371dd8

SHA512
712b734b6a1cae37fb050a2e3fcea8c0ee47ee2842fb48f265988a96e255a460cf5064dd380e57cd028fe85245e5def4369c230d7b07db16923dc983f5cfbecd

Download Submit
\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOffice.exe

Filesize
5.8MB

MD5
c4cbf2fc507a50ffd397b178ac4712c1

SHA1
65aabc979ba0409e5a3238f8526cde084cf7d870

SHA256
f97c7873cdec8bcc6e1307a7e5918730b977d4ad11e05c393b7e7e24ca180878

SHA512
42999aca568cc70c7b96254b9a0a0124d619498869eddea8239f984c0f9829383e46b8b5e784bd42d4d4664b98e13beb5cd1f6b1c45c43603ebecb172a054ce1

Download Submit