2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c

Analysis

max time kernel
48s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 02:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
Size

8.1MB
MD5

61323bec06295e7e27904f77250c0b50
SHA1

16de40a2047a23ef7731aa5196e808f75bdade92
SHA256

2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c
SHA512

8ba5a2f6f3258e07d1b02f4f2a3df0f6348a6a258e7206fa8828263d759c7e108766b4b0b5be369f91a107cef60d25fb9bfb92867bcfdeb9b0d60efc1d074f67
SSDEEP

49152:r8YaEeGymVQsYgakQBAY4x9vu8T+wwJbeuR/oSHPwolWhHHeH0WKDAI2LF7AL/1z:I3BovupF73XqyLfPeex81h+RHs2y

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OneDriveSetupOneDrive = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe"	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\MicrosoftOneDriveSetup26962 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe"	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops file in System32 directory 1 IoCs

Processes:

2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe

description ioc process

File created C:\Windows\SysWOW64\ntdll.dll.dll 2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ntdll.dll.dll	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe

Drops file in Program Files directory 29 IoCs

Processes:

2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe

description	ioc	process
File created	C:\Program Files (x86)\Google\Update\GoogleUpdate.exe	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\RCXD43A.tmp	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\WindowsWAB32.exe	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\RCXE7F6.tmp	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\BrowserAcroPDFImpl.exe	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\AdobeHunspellPluginAdobeHunspellPlugin.exe	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodAcrobat.exe	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\RCXF277.tmp	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\ContentLink10.0.15063.468.exe	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\ContentLink10.0.15063.468.exe	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RCXF382.tmp	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodAiod.exe	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\Windowsoperativo.exe	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\RCXD30F.tmp	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\RCXDD53.tmp	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcrobatAdobe.exe	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\GoogleUpdate.exe	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\SystemOperating.exe	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\System\it-IT\operativooperativo.exe	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\RCXE910.tmp	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\MicrosoftDAO360.exe	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\RCXDDB2.tmp	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RCXD3DB.tmp	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\it-IT\RCXDE30.tmp	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCXE739.tmp	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\Windowsoperativo.exe	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\System\WindowsWAB32.exe	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\AcrobatAdobe.exe	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCXF42F.tmp	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe

pid	process
3076	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
3076	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
3076	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
3076	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
3076	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
3076	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
3076	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
3076	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
3076	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
3076	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
3076	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
3076	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
3076	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
3076	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
3076	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
3076	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
3076	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
3076	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
3076	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
3076	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
3076	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
3076	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
3076	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
3076	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
3076	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
3076	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
3076	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
3076	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
3076	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
3076	2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3076

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\RCXDDB2.tmp
Filesize
8.1MB

MD5
e1c172ba360192bfcf1249cd3005bf26

SHA1
8d93eeb1a87ca9e54f94f161dbc245c8836e6f94

SHA256
32ac4c95ec207e5c4d543b25187131d002d0d0f44c5dc7c452a800638c4e1729

SHA512
08be72559cc9eb239981e0a7356815ea0a7a3b414cc5bf477c9185cc21cebdb181789d74b0ec3816a4342933fb98c634bbdfb3b2fee7b3e88d21fc1375b64e6b

Download Submit
C:\Program Files (x86)\Common Files\System\it-IT\operativooperativo.exe
Filesize
8.1MB

MD5
a2b3cbad210f8f84c1acff733ef0ab17

SHA1
3293ebfca9adaff76247abbf5fa07c1bbd8d6582

SHA256
496077a1a0e1138fac358f5c6fbb293cdad6f00dd5cc3dd9fe4788d8b177f6b3

SHA512
8aede3a38c05316b687aa460e7be6297c45b9a678032fde520645d25f1e047f572055b81b43f7eec70fc58db396f0b431af14dade404bf85eabfab8daf6cc0b2

Download Submit
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Filesize
8.0MB

MD5
43c3a838f1b7c2d6c9ffb4b6323a5dab

SHA1
79c4b002c485fc1aaa8855a5e043265cd6207145

SHA256
f1e2599e1eb1dc8c58971429d57bef4ef40e62e3d2d4a432f45f21c0d9a6c57a

SHA512
01907592c7eb93376ca7c1cf8a1be648169e584df2d40072efd87be547f01713e222761ce00a4bb6e5fdaaf477cd3ad8e52c98ded2a23fac7fef0ad44f835c10

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\it-IT\Windowsoperativo.exe
Filesize
8.1MB

MD5
61323bec06295e7e27904f77250c0b50

SHA1
16de40a2047a23ef7731aa5196e808f75bdade92

SHA256
2e23d4b9080083dcdbb9e8ce7feb5cc9246be6dccf33cf8fe6de41f367ed402c

SHA512
8ba5a2f6f3258e07d1b02f4f2a3df0f6348a6a258e7206fa8828263d759c7e108766b4b0b5be369f91a107cef60d25fb9bfb92867bcfdeb9b0d60efc1d074f67

Download Submit