Analysis
max time kernel: 122s
max time network: 120s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 01-07-2024 03:46
Static task: static1
Behavioral task: behavioral1
  Sample: 33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Size: 7.9MB
MD5: efeb18cb3559a77995618c8d419aee70
SHA1: 031813582c485460d3a7ff185502f4cfc3842c2f
SHA256: 33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443
SHA512: 1dac843eaa518cbd988a4e8923aadf317e018b1ac872f528df799a6244afb9abbc4a62f492af78c1842d22e550da36466bdd383f06ff55e3e051fd930728fcca
SSDEEP: 98304:CX9lzMRum1nuqyU7XtPCySwo47CctAWUmDrhyM4Znnf6vP/iq0iuWhiw0cEWaOLS:CX9lzMRum1nQUztPClmtPqq0iZinWpM
Malware Config
Signatures

Loads dropped DLL (2 IoCs)
Processes (pid / process):
  2692  MsiExec.exe
  2692  MsiExec.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes (description / ioc / process):
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\W:  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\B:  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\L:  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\X:  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\H:  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\J:  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  File opened (read-only)  \??\M:  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  File opened (read-only)  \??\Q:  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  File opened (read-only)  \??\V:  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\I:  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\Y:  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\E:  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  File opened (read-only)  \??\G:  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  File opened (read-only)  \??\Z:  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\A:  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\K:  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  File opened (read-only)  \??\O:  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  File opened (read-only)  \??\U:  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  File opened (read-only)  \??\N:  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  File opened (read-only)  \??\T:  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\S:  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\R:  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  File opened (read-only)  \??\M:  msiexec.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (description / pid / process):
  Token: SeRestorePrivilege  2760  msiexec.exe
  Token: SeTakeOwnershipPrivilege  2760  msiexec.exe
  Token: SeSecurityPrivilege  2760  msiexec.exe
  Token: SeCreateTokenPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeAssignPrimaryTokenPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeLockMemoryPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeIncreaseQuotaPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeMachineAccountPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeTcbPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeSecurityPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeTakeOwnershipPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeLoadDriverPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeSystemProfilePrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeSystemtimePrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeProfSingleProcessPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeIncBasePriorityPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeCreatePagefilePrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeCreatePermanentPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeBackupPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeRestorePrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeShutdownPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeDebugPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeAuditPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeSystemEnvironmentPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeChangeNotifyPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeRemoteShutdownPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeUndockPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeSyncAgentPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeEnableDelegationPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeManageVolumePrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeImpersonatePrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeCreateGlobalPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeCreateTokenPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeAssignPrimaryTokenPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeLockMemoryPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeIncreaseQuotaPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeMachineAccountPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeTcbPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeSecurityPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeTakeOwnershipPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeLoadDriverPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeSystemProfilePrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeSystemtimePrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeProfSingleProcessPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeIncBasePriorityPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeCreatePagefilePrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeCreatePermanentPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeBackupPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeRestorePrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeShutdownPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeDebugPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeAuditPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeSystemEnvironmentPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeChangeNotifyPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeRemoteShutdownPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeUndockPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeSyncAgentPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeEnableDelegationPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeManageVolumePrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeImpersonatePrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeCreateGlobalPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeCreateTokenPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeAssignPrimaryTokenPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Token: SeLockMemoryPrivilege  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Suspicious use of FindShellTrayWindow (3 IoCs)
Processes (pid / process):
  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  3016  msiexec.exe
  3016  msiexec.exe
Suspicious use of WriteProcessMemory (17 IoCs)
Processes (description / pid / process / target process):
  PID 2760 wrote to memory of 2692  2760  msiexec.exe  MsiExec.exe
  PID 2760 wrote to memory of 2692  2760  msiexec.exe  MsiExec.exe
  PID 2760 wrote to memory of 2692  2760  msiexec.exe  MsiExec.exe
  PID 2760 wrote to memory of 2692  2760  msiexec.exe  MsiExec.exe
  PID 2760 wrote to memory of 2692  2760  msiexec.exe  MsiExec.exe
  PID 2760 wrote to memory of 2692  2760  msiexec.exe  MsiExec.exe
  PID 2760 wrote to memory of 2692  2760  msiexec.exe  MsiExec.exe
  PID 2488 wrote to memory of 3016  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe  msiexec.exe
  PID 2488 wrote to memory of 3016  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe  msiexec.exe
  PID 2488 wrote to memory of 3016  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe  msiexec.exe
  PID 2488 wrote to memory of 3016  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe  msiexec.exe
  PID 2488 wrote to memory of 3016  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe  msiexec.exe
  PID 2488 wrote to memory of 3016  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe  msiexec.exe
  PID 2488 wrote to memory of 3016  2488  33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe  msiexec.exe
  PID 2760 wrote to memory of 3044  2760  msiexec.exe  WerFault.exe
  PID 2760 wrote to memory of 3044  2760  msiexec.exe  WerFault.exe
  PID 2760 wrote to memory of 3044  2760  msiexec.exe  WerFault.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (process tree; nested entries are child processes of the entry above them)
- C:\Users\Admin\AppData\Local\Temp\33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe"
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\msiexec.exe
    Command line: "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Your Company\Your Application 1.0.0\install\Your Application.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1719546219 "
    - Enumerates connected drives
    - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding B6C9334699919FD420047603C14DF4F1 C
    - Loads dropped DLL
  - C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 2760 -s 876
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\MSIB95.tmp
  Filesize: 819KB
  MD5: 3604517a3e6e69ba339239cf82fc94a5
  SHA1: c4757e31f9c8a90ee5de233792da71c8915050c5
  SHA256: bdd1d14c9cb54b19f6a7f37adbc7537ce8fd2f6fa59a74a4a90b08c7979708d2
  SHA512: c22ffc410886fae221dfee6ab469e44694f87cecce14d505a059f5fe01c1b4e1ad93c15b78c7623e821a37737491e89c627ddae5d03c407a877835ab6d611619

C:\Users\Admin\AppData\Local\Temp\MSICFD.tmp
  Filesize: 1.1MB
  MD5: cc048c7aadc4adf3a29d429f1f5eead0
  SHA1: 6b4d89df901427fe955be2d58ad91a6de30be9d6
  SHA256: d23c6ac751423ff6961694437e67d7b608102bd351e3e0cd10d34d026a1a08ca
  SHA512: 0e67c0a4db70e19ead49f6c0fd41045f3fd9ee688d75a6da2916e347b70783843fa0e3d6cfc2b0bcd5e16a6045ba27707dff655556ebc725c126082e45cee2fa

C:\Users\Admin\AppData\Roaming\Your Company\Your Application 1.0.0\install\Your Application.msi
  Filesize: 4.1MB
  MD5: c6f2c182d1946aa7c29ec6861fbf168f
  SHA1: f1f8b2e65d8581f966b577c5ff22a3af081d3994
  SHA256: 6688cc74e524b2b68fae49e66d0e2c718e7d01e591883530bbe32e00d6d93392
  SHA512: eca4e43c79812578787f68ac912ca863356e0e3a16580d967b3eeaacfef32c53832b05acb57d0da61b55f75f241fe172faad4cc28a75b51383ffff7ca6a214f8

memory/2488-0-0x00000000001C0000-0x00000000001C1000-memory.dmp
  Filesize: 4KB