33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443

Analysis

max time kernel
146s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Size

7.9MB
MD5

efeb18cb3559a77995618c8d419aee70
SHA1

031813582c485460d3a7ff185502f4cfc3842c2f
SHA256

33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443
SHA512

1dac843eaa518cbd988a4e8923aadf317e018b1ac872f528df799a6244afb9abbc4a62f492af78c1842d22e550da36466bdd383f06ff55e3e051fd930728fcca
SSDEEP

98304:CX9lzMRum1nuqyU7XtPCySwo47CctAWUmDrhyM4Znnf6vP/iq0iuWhiw0cEWaOLS:CX9lzMRum1nQUztPClmtPqq0iZinWpM

Score

10^/10

execution persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs
persistence

Winlogon Helper DLL
T1547.004

Modify Registry
T1112

Processes:

powershell.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\eqwqeq.cmd" powershell.exe
Loads dropped DLL 12 IoCs

Processes:

MsiExec.exeMsiExec.exeMsiExec.exe

pid process

4516 MsiExec.exe
4516 MsiExec.exe
4516 MsiExec.exe
4516 MsiExec.exe
2448 MsiExec.exe
2448 MsiExec.exe
2448 MsiExec.exe
2448 MsiExec.exe
2448 MsiExec.exe
2448 MsiExec.exe
2448 MsiExec.exe
3596 MsiExec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\eqwqeq.cmd"	powershell.exe

pid	process
4516	MsiExec.exe
4516	MsiExec.exe
4516	MsiExec.exe
4516	MsiExec.exe
2448	MsiExec.exe
2448	MsiExec.exe
2448	MsiExec.exe
2448	MsiExec.exe
2448	MsiExec.exe
2448	MsiExec.exe
2448	MsiExec.exe
3596	MsiExec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
File opened (read-only)	\??\O:	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
File opened (read-only)	\??\X:	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
File opened (read-only)	\??\Z:	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\U:	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
File opened (read-only)	\??\R:	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
File opened (read-only)	\??\E:	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
File opened (read-only)	\??\N:	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
File opened (read-only)	\??\P:	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
File opened (read-only)	\??\V:	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe

Drops file in Windows directory 21 IoCs

Processes:

msiexec.exeMsiExec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\e577b0c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7C57.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7C96.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\msi7EA6.txt	MsiExec.exe
File opened for modification	C:\Windows\SystemTemp\Pro7EB9.tmp	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSI7C37.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7CA7.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{3C9BA784-41ED-4515-A91B-66DCEF275851}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7D93.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7E02.tmp	msiexec.exe
File created	C:\Windows\Installer\e577b0c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7CE7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e577b10.msi	msiexec.exe
File created	C:\Windows\SystemTemp\scr7EA7.ps1	MsiExec.exe
File created	C:\Windows\SystemTemp\scr7EA8.txt	MsiExec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7B98.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7C07.tmp	msiexec.exe
File opened for modification	C:\Windows\SystemTemp\pss7EB8.ps1	MsiExec.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

3032 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3032	powershell.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000eb40c78f8f3426de0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000eb40c78f0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900eb40c78f000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1deb40c78f000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000eb40c78f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 44 IoCs

Processes:

powershell.exemsiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe

Modifies registry class 20 IoCs

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\487AB9C3DE1451549AB166CDFE728515	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\487AB9C3DE1451549AB166CDFE728515\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\487AB9C3DE1451549AB166CDFE728515\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\487AB9C3DE1451549AB166CDFE728515\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\487AB9C3DE1451549AB166CDFE728515\SourceList\PackageName = "Your Application.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\487AB9C3DE1451549AB166CDFE728515\MainFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\487AB9C3DE1451549AB166CDFE728515\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\487AB9C3DE1451549AB166CDFE728515\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\Your Company\\Your Application 1.0.0\\install\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\487AB9C3DE1451549AB166CDFE728515\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\Your Company\\Your Application 1.0.0\\install\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\487AB9C3DE1451549AB166CDFE728515\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\487AB9C3DE1451549AB166CDFE728515\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\68527174AD2FDB9479262B2574F8646F	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\68527174AD2FDB9479262B2574F8646F\487AB9C3DE1451549AB166CDFE728515	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\487AB9C3DE1451549AB166CDFE728515	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\487AB9C3DE1451549AB166CDFE728515\ProductName = "Your Application"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\487AB9C3DE1451549AB166CDFE728515\PackageCode = "D0EC3C7E5DCE2DB42BDCC6729BAFC06F"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\487AB9C3DE1451549AB166CDFE728515\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\487AB9C3DE1451549AB166CDFE728515\Version = "16777216"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\487AB9C3DE1451549AB166CDFE728515\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\487AB9C3DE1451549AB166CDFE728515\SourceList\Net	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msiexec.exepowershell.exe

pid process

224 msiexec.exe
224 msiexec.exe
3032 powershell.exe
3032 powershell.exe

pid	process
224	msiexec.exe
224	msiexec.exe
3032	powershell.exe
3032	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exe33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe

description	pid	process
Token: SeSecurityPrivilege	224	msiexec.exe
Token: SeCreateTokenPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeAssignPrimaryTokenPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeIncreaseQuotaPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeMachineAccountPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeTcbPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeSecurityPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeTakeOwnershipPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeSystemProfilePrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeSystemtimePrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeProfSingleProcessPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeCreatePagefilePrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeCreatePermanentPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeBackupPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeRestorePrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeShutdownPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeDebugPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeAuditPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeSystemEnvironmentPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeChangeNotifyPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeRemoteShutdownPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeUndockPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeSyncAgentPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeEnableDelegationPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeManageVolumePrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeImpersonatePrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeCreateGlobalPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeCreateTokenPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeAssignPrimaryTokenPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeIncreaseQuotaPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeMachineAccountPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeTcbPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeSecurityPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeTakeOwnershipPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeSystemProfilePrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeSystemtimePrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeProfSingleProcessPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeCreatePagefilePrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeCreatePermanentPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeBackupPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeRestorePrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeShutdownPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeDebugPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeAuditPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeSystemEnvironmentPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeChangeNotifyPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeRemoteShutdownPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeUndockPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeSyncAgentPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeEnableDelegationPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeManageVolumePrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeImpersonatePrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeCreateGlobalPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeCreateTokenPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeAssignPrimaryTokenPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeIncreaseQuotaPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
Token: SeMachineAccountPrivilege	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exemsiexec.exe

pid process

1540 33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
4200 msiexec.exe
4200 msiexec.exe

pid	process
1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
4200	msiexec.exe
4200	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

msiexec.exe33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exeMsiExec.exe

description	pid	process	target process
PID 224 wrote to memory of 4516	224	msiexec.exe	MsiExec.exe
PID 224 wrote to memory of 4516	224	msiexec.exe	MsiExec.exe
PID 224 wrote to memory of 4516	224	msiexec.exe	MsiExec.exe
PID 1540 wrote to memory of 4200	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe	msiexec.exe
PID 1540 wrote to memory of 4200	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe	msiexec.exe
PID 1540 wrote to memory of 4200	1540	33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe	msiexec.exe
PID 224 wrote to memory of 400	224	msiexec.exe	srtasks.exe
PID 224 wrote to memory of 400	224	msiexec.exe	srtasks.exe
PID 224 wrote to memory of 2448	224	msiexec.exe	MsiExec.exe
PID 224 wrote to memory of 2448	224	msiexec.exe	MsiExec.exe
PID 224 wrote to memory of 2448	224	msiexec.exe	MsiExec.exe
PID 224 wrote to memory of 3596	224	msiexec.exe	MsiExec.exe
PID 224 wrote to memory of 3596	224	msiexec.exe	MsiExec.exe
PID 224 wrote to memory of 3596	224	msiexec.exe	MsiExec.exe
PID 3596 wrote to memory of 3032	3596	MsiExec.exe	powershell.exe
PID 3596 wrote to memory of 3032	3596	MsiExec.exe	powershell.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Your Company\Your Application 1.0.0\install\Your Application.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\33270120b823cc225606147457f6d086d97b5864450f16546982626902e46443_NeikiAnalytics.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1719565033 "
2⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:4200

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:224

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 32240A6DF8814B41A85B06AE375E2107 C
2⤵
- Loads dropped DLL
PID:4516

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:400

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 118C87AFAFF0803BA31E75E4228CD6BB
2⤵
- Loads dropped DLL
PID:2448

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C4AA0680BAB67571BDC250F21BE82EC2 E Global\MSI0000
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3596

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Windows\SystemTemp\pss7EB8.ps1" -propFile "C:\Windows\SystemTemp\msi7EA6.txt" -scriptFile "C:\Windows\SystemTemp\scr7EA7.ps1" -scriptArgsFile "C:\Windows\SystemTemp\scr7EA8.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
3⤵
- Modifies WinLogon for persistence
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3032

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:5056

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e577b0f.rbs
Filesize
11KB

MD5
075b3bb092b0cc28e280d42b489c5af3

SHA1
7a8010a93591ab741a48085df039f58569862fd2

SHA256
d05248ee670407793ca6985bd60a2c354bca3cafcdcf0c77c569d2a51df7a1e1

SHA512
d50cc0a3c76e02057b9cd064cbeed54499a3a29d2bd089bb34cf81de7b473649cf52e4a32e790a479a94cbc39e05e4a6c1459d399f0593844c503042b4fc4797

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI5303.tmp
Filesize
819KB

MD5
3604517a3e6e69ba339239cf82fc94a5

SHA1
c4757e31f9c8a90ee5de233792da71c8915050c5

SHA256
bdd1d14c9cb54b19f6a7f37adbc7537ce8fd2f6fa59a74a4a90b08c7979708d2

SHA512
c22ffc410886fae221dfee6ab469e44694f87cecce14d505a059f5fe01c1b4e1ad93c15b78c7623e821a37737491e89c627ddae5d03c407a877835ab6d611619

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI5373.tmp
Filesize
1.1MB

MD5
cc048c7aadc4adf3a29d429f1f5eead0

SHA1
6b4d89df901427fe955be2d58ad91a6de30be9d6

SHA256
d23c6ac751423ff6961694437e67d7b608102bd351e3e0cd10d34d026a1a08ca

SHA512
0e67c0a4db70e19ead49f6c0fd41045f3fd9ee688d75a6da2916e347b70783843fa0e3d6cfc2b0bcd5e16a6045ba27707dff655556ebc725c126082e45cee2fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qqtviaqy.nli.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Your Company\Your Application 1.0.0\install\Your Application.msi
Filesize
4.1MB

MD5
c6f2c182d1946aa7c29ec6861fbf168f

SHA1
f1f8b2e65d8581f966b577c5ff22a3af081d3994

SHA256
6688cc74e524b2b68fae49e66d0e2c718e7d01e591883530bbe32e00d6d93392

SHA512
eca4e43c79812578787f68ac912ca863356e0e3a16580d967b3eeaacfef32c53832b05acb57d0da61b55f75f241fe172faad4cc28a75b51383ffff7ca6a214f8

Download Submit
C:\Windows\Installer\MSI7CE7.tmp
Filesize
877KB

MD5
899a6d5f1c9e00ec2f43e732c6b7548f

SHA1
a795646d8c878a21beb51120a8c709dc83b87960

SHA256
0ca4e5eb5a7bac56a3ee31df50110a4e89ab4781ecb1da43bb5cab66ff799491

SHA512
8467de1ede139dbf6f6d2225c58f379d140972101f2770e59ef50d98d6793bacfc62a4abe80644d7ab587ee20c8da02839efb95ae3f0689dfa837c4495c1a172

Download Submit
C:\Windows\Installer\MSI7E02.tmp
Filesize
758KB

MD5
419cea1c6064e430860508e269f0cd2f

SHA1
921841797df087a1adc93877467e30e00c7d1d7e

SHA256
10575139bca9cb43ea44a9883308fdd83cebe6df59f68036337ab72530f0a8f4

SHA512
c6597fff8febdc6aa26dc91147532af6892a49e789903fcfed57fe8131a43bbfaa59b93035a4b2bbfd580fcf098ddd478e2110890381269556f387c689fb3c35

Download Submit
C:\Windows\SystemTemp\pss7EB8.ps1
Filesize
6KB

MD5
30c30ef2cb47e35101d13402b5661179

SHA1
25696b2aab86a9233f19017539e2dd83b2f75d4e

SHA256
53094df6fa4e57a3265ff04bc1e970c10bcdb3d4094ad6dd610c05b7a8b79e0f

SHA512
882be2768138bb75ff7dde7d5ca4c2e024699398baacd0ce1d4619902402e054297e4f464d8cb3c22b2f35d3dabc408122c207facad64ec8014f2c54834cf458

Download Submit
C:\Windows\SystemTemp\scr7EA7.ps1
Filesize
528B

MD5
2fbae52477ff679cee8e0755a5b286e2

SHA1
c7318cd2a317e0092e5adfc8e8cd90081e3a102e

SHA256
c0c4317a1c6dbef47e86a3b67b40c3c98836138dfb42e223abcb94450d2edd1d

SHA512
adfbe6943401df15f012889d07bd13004581058ba9377e9570cf6e80f0faaa468636a8b03797e4d6921a4d566af45f7b9cdfeff8eeca1ba038dbd8a4bcac21ad

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
23.7MB

MD5
99ba5818e4cf70fb2286fd1a8840dcf0

SHA1
7e7580ece21ac6fca0251ea180338fdd4e09f1f5

SHA256
a814fa410015e232abbdfa4a26762831d81fd6e8be9f45198ec2819a806f32b1

SHA512
c7da0b70a2d9beee8b12a32d62427221849638aea67d8c83fde9ede8fd1d4d5678286b00c03b2939cc387d9b365d23f4aea8559a92a89831f55edf2ff3053bd9

Download Submit
\??\Volume{8fc740eb-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{5e57cf92-c3b5-4a4d-9260-b37d53badefc}_OnDiskSnapshotProp
Filesize
6KB

MD5
c7cd574b40d7f9327d0f319997f9dabd

SHA1
cc2354314be9b28bd0e60a981a3111afc196cce2

SHA256
347900776f4109431466c8f2d7903f39820a264bdfd10fa53da3c37cb5fa84e6

SHA512
65660a7b981c2cbb83573f9020c3434153ec9b5e09c890188ab64fa21d77115ee77696cc8123ce0347c8515142d0b87e360c6b282f38e50f6904b7397be25935

Download Submit
memory/3032-82-0x0000021AE65B0000-0x0000021AE65D2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads