134af024bce8aa2d4791fcddc646c36350eacd5dd177b2ed05ac1eba51d06d11

Analysis

max time kernel
93s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Size

91KB
MD5

49202c4c2cf07bce3828022e11c28a30
SHA1

75f5460a5dbe0b68ea7329e25cee3ed55b0576ae
SHA256

134af024bce8aa2d4791fcddc646c36350eacd5dd177b2ed05ac1eba51d06d11
SHA512

caff3c2f6afaa3a34e96d7a92cdc4f969460eeb8d73139f3638f190683aef0a19660de6f2eb1e7573371732d58d494d69bf2015c74f59d08eb40e82c460b4849
SSDEEP

768:E3gRYjXbUeHORIC4ZxBMldNKm8Mxm8I+IxrjPfAQ4o3ImuCg3gRYjXbUeHORIC40:uT3OA3+KQsxfS4kT3OA3+KQsxfS4u

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 14 IoCs

pid	Process
2748	xk.exe
2480	IExplorer.exe
2456	WINLOGON.EXE
2672	CSRSS.EXE
4512	SERVICES.EXE
4156	LSASS.EXE
1264	xk.exe
3384	IExplorer.exe
2944	WINLOGON.EXE
4072	CSRSS.EXE
2092	SERVICES.EXE
3848	LSASS.EXE
4924	SMSS.EXE
4744	SMSS.EXE

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\desktop.ini	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
File created	C:\desktop.ini	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
File opened for modification	F:\desktop.ini	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
File created	F:\desktop.ini	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
File opened (read-only)	\??\Q:	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
File opened (read-only)	\??\Y:	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
File opened (read-only)	\??\J:	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
File opened (read-only)	\??\M:	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
File opened (read-only)	\??\N:	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
File opened (read-only)	\??\S:	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
File opened (read-only)	\??\T:	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
File opened (read-only)	\??\U:	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
File opened (read-only)	\??\W:	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
File opened (read-only)	\??\B:	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
File opened (read-only)	\??\H:	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
File opened (read-only)	\??\R:	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
File opened (read-only)	\??\V:	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
File opened (read-only)	\??\Z:	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
File opened (read-only)	\??\E:	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
File opened (read-only)	\??\G:	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
File opened (read-only)	\??\I:	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
File opened (read-only)	\??\K:	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
File opened (read-only)	\??\L:	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
File opened (read-only)	\??\P:	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
File opened (read-only)	\??\X:	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mig2.scr	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\shell.exe	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
File created	C:\Windows\xk.exe	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3164	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
3164	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
3164	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
2748	xk.exe
2480	IExplorer.exe
2456	WINLOGON.EXE
2672	CSRSS.EXE
4512	SERVICES.EXE
4156	LSASS.EXE
1264	xk.exe
3384	IExplorer.exe
2944	WINLOGON.EXE
4072	CSRSS.EXE
2092	SERVICES.EXE
3848	LSASS.EXE
4924	SMSS.EXE
4744	SMSS.EXE

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3164 wrote to memory of 2748	3164	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	82
PID 3164 wrote to memory of 2748	3164	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	82
PID 3164 wrote to memory of 2748	3164	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	82
PID 3164 wrote to memory of 2480	3164	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	85
PID 3164 wrote to memory of 2480	3164	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	85
PID 3164 wrote to memory of 2480	3164	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	85
PID 3164 wrote to memory of 2456	3164	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	86
PID 3164 wrote to memory of 2456	3164	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	86
PID 3164 wrote to memory of 2456	3164	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	86
PID 3164 wrote to memory of 2672	3164	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	87
PID 3164 wrote to memory of 2672	3164	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	87
PID 3164 wrote to memory of 2672	3164	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	87
PID 3164 wrote to memory of 4512	3164	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	88
PID 3164 wrote to memory of 4512	3164	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	88
PID 3164 wrote to memory of 4512	3164	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	88
PID 3164 wrote to memory of 4156	3164	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	89
PID 3164 wrote to memory of 4156	3164	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	89
PID 3164 wrote to memory of 4156	3164	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	89
PID 3164 wrote to memory of 1264	3164	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	90
PID 3164 wrote to memory of 1264	3164	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	90
PID 3164 wrote to memory of 1264	3164	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	90
PID 3164 wrote to memory of 3384	3164	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	91
PID 3164 wrote to memory of 3384	3164	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	91
PID 3164 wrote to memory of 3384	3164	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	91
PID 3164 wrote to memory of 2944	3164	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	92
PID 3164 wrote to memory of 2944	3164	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	92
PID 3164 wrote to memory of 2944	3164	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	92
PID 3164 wrote to memory of 4072	3164	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	93
PID 3164 wrote to memory of 4072	3164	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	93
PID 3164 wrote to memory of 4072	3164	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	93
PID 3164 wrote to memory of 2092	3164	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	94
PID 3164 wrote to memory of 2092	3164	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	94
PID 3164 wrote to memory of 2092	3164	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	94
PID 3164 wrote to memory of 3848	3164	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	95
PID 3164 wrote to memory of 3848	3164	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	95
PID 3164 wrote to memory of 3848	3164	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	95
PID 3164 wrote to memory of 4924	3164	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	96
PID 3164 wrote to memory of 4924	3164	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	96
PID 3164 wrote to memory of 4924	3164	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	96
PID 3164 wrote to memory of 4744	3164	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	99
PID 3164 wrote to memory of 4744	3164	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	99
PID 3164 wrote to memory of 4744	3164	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe	99

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\49202c4c2cf07bce3828022e11c28a30_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3164
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2748
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2480
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2456
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2672
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4512
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4156
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1264
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3384
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2944
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4072
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2092
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3848
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4924
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
f9ac8bd4385498271f8aadc8ef0f53d3

SHA1
4f84f13fd9b8e9eb0391285815d0df007e811105

SHA256
280cf009f1206e79159fa5e65365b21e3fb895d7bf62e7df90a23835e8ebc2ad

SHA512
cd2eebe23a0ba7a0a96b8eb6b70bef7c83fbbbaf834a4a465b920b152fd048247e82c67b002a5356061e9d10965c20c97237c5cf229dff10dcd6e7aefa82e9de

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
eed1cbad0bd076be630b1b48cec93d74

SHA1
d893def15bf54f22ecc3e1b9df4df8becbea0345

SHA256
274898ada8b9d707b5d824ca38f878de7cc5e7541371612cf33326e386433ff8

SHA512
caccab4b43ae5a5312803ed090d65e097ff64a87b01e0bd8b062282b2a4802cf2c8590eea4e94ad09c585526d5c6a322169e8598fce092d698b158d7077b060e

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
3e8d2dc16b3855b1325d7482952cd0cd

SHA1
e957cb376ae1b605ff462b49466c4a28213cf73a

SHA256
da3d936957d0274102bd6d1fda8ed4c9838b27f51c1fd487f4817d5e717efee4

SHA512
fad8c618e934ba992f084b84e31b8aff3c3b67f971c6fecfc4a07d6e009efa690e3fa43eb7986b29864b9c274a7ccfcac5c17ecf9ec7ef6dc0d4be9572b15a13

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
c70a08b080af419ddd1e4645974ec79c

SHA1
6e9bd9ac39359e9c0570d1beb454b75932c9e282

SHA256
280288d4e8b7eb34844691018c5e32c2c17caebc0b74aaa15ab47bc654c250bc

SHA512
bd9512e870842feea7f82f65fd0375a6d2965fdd8750aed0199164579b471f7c0a34a9d7545ba205a9d52904f28fa86f438b00a3b8ef368946860458b20010ed

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
6d45001ffe42dd62936363bc2ed9e129

SHA1
9ace6ea512adbff8461cf8ec5c0d8849ec46448a

SHA256
ec5502d274176c63e95360f4566b947f31541d0dc3b48b976149c454d0791d3e

SHA512
61c056f7d2b2977e5815bd6baa7e3c77101f401996f783d18172273cc76c57106949fc9488f10cf421dd33f33d0a09d6612c25e2bf4e385b3a707f4cd1df7888

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
1f20e64dc798b7fce5daf00869ca5874

SHA1
de483cc56e6055f561ee38b616e56a13e2b6b6f8

SHA256
1dc62f0744df9fb453eb45c9c45243aecf35be33fdc8ea7b7553a46a54be64ec

SHA512
6a7bf242a1d28d0c05bfd035910742d90d38446bb1f09f11fccff66f85ecf253442d558ce5b7e13a86f0ab2304d479e09ad9d2663e98890dbfb89c307c1235c5

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
010314ea0b9dd5b63d4b687d2cd4184d

SHA1
3636573fd40b56880d3db1f992edcf4547800c95

SHA256
c39a8b82ae7ccb93a49ba3d0186774f323759238957dea55df2295eec6491f04

SHA512
23e171de84545f37af3a3f525a4eb1c9194a0c371233d892f40a715079c830da072672b13298af54bc1109362d962f21148b0c4f5bdf4ec9c754840aabde7131

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
52404cda2ed48325e6c52a3fe8325fad

SHA1
f307da40e259333ac4e8f7bf63ee3071d3fdd2f1

SHA256
16ba09e3968bf2e87bab2bfc61f7232fe0b95b8dd57c0dfdefd3e7d20db090da

SHA512
40385b820b6d3645728fdd43af0cca3a5834ead4d63b87c72755608c464cfed8b456225a53018d6d9d13b76121dfae59cd7c99aab718f4dbe1428062e6c2c473

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
91KB

MD5
49202c4c2cf07bce3828022e11c28a30

SHA1
75f5460a5dbe0b68ea7329e25cee3ed55b0576ae

SHA256
134af024bce8aa2d4791fcddc646c36350eacd5dd177b2ed05ac1eba51d06d11

SHA512
caff3c2f6afaa3a34e96d7a92cdc4f969460eeb8d73139f3638f190683aef0a19660de6f2eb1e7573371732d58d494d69bf2015c74f59d08eb40e82c460b4849

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
3285c4e78aca40165c44455c2efff540

SHA1
530749432e8b54f32040fcc66db8d38e312660ae

SHA256
1fea7086016ef5fc6f93302d2875356ad75c5191f71f8967b43b64aca0d38bb3

SHA512
f7631099842976bb91dcb06a4c43e940eb03f88d491a961c1034ef3610195e5a194f2ccf60697b44d25f4ce560129e3e2681b9f46b3ad70b87fe4344edc964c2

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
a1263c74125c91dfca96ae2cdc7cd8e0

SHA1
5b57a7d7d366204ad990b8d6e2f0de7311cd6d3a

SHA256
9396ab770e0867934e253631f2020d4553ae258545c34d6f205355f90bad9686

SHA512
8bd7a486551c7eb994a37d612f9dd2c29c8f359f482754484dc0533902ac285d844284c8abf6118198d3d1c0684c4cde60eb9e041745a7ca11aa5d5ea02998aa

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
8a0ddd1e360b3785f106795972d6fd6d

SHA1
6d95d1278a86c4579df1f26381ca960a689c7d5a

SHA256
3c7d348580ec42bd55c6844539ae50e43153537bcae0a3826fdb590d315bb70a

SHA512
e91e7e2099d808abeaab8e1bfbc0e0304d3f77ba14dec95617671d007f0263d0bb71e8920c6130c1553604299eeab55738edbf75f62f4b33f7773b5d44ff5092

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
edf34a96acdda331a1d27be6d296db5e

SHA1
3e3e59420ff87e8a60b1ba840cdce8518318b024

SHA256
7e7bc61a95f430c5e3bcf80d68c9b0584508b696ab4ee6e7c6a406ac65e41b1d

SHA512
f5cc603b024eee7e41aa431c9fd669272921071588be881c464f9f7f6b0f0bbc7ef257f8bd7307ec26467943505a29ae5d84edd6ec2f0e7c3c4b8a2de06de4cb

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
f215065ed50fc2b5050d807ea9e2f819

SHA1
3a04721d0c5e2755c98228795572d12a6148c356

SHA256
d64e9d6b5f8c9630309dce2566885548cfc74908fc13577d2203105ad25d61b5

SHA512
538abe4932e7d2d07b42a5e3cd5b7cb687d471ceda13eb17be1eacec2501d3f59328120a3499bff4accc80e04a6c243f0f089f5c6dd8f8718899de282b1602e5

Download Submit
memory/1264-217-0x0000000074FD0000-0x000000007512D000-memory.dmp

Filesize
1.4MB

Download
memory/1264-223-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2092-248-0x0000000074FD0000-0x000000007512D000-memory.dmp

Filesize
1.4MB

Download
memory/2456-134-0x0000000074FD0000-0x000000007512D000-memory.dmp

Filesize
1.4MB

Download
memory/2456-138-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2480-130-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2480-127-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2480-123-0x0000000074FD0000-0x000000007512D000-memory.dmp

Filesize
1.4MB

Download
memory/2480-122-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2672-144-0x0000000074FD0000-0x000000007512D000-memory.dmp

Filesize
1.4MB

Download
memory/2672-148-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2672-149-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2748-112-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2748-114-0x0000000074FD0000-0x000000007512D000-memory.dmp

Filesize
1.4MB

Download
memory/2748-118-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2748-126-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2748-113-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2944-239-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2944-233-0x0000000074FD0000-0x000000007512D000-memory.dmp

Filesize
1.4MB

Download
memory/3164-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3164-305-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3164-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

Filesize
16KB

Download
memory/3164-143-0x0000000000401000-0x0000000000427000-memory.dmp

Filesize
152KB

Download
memory/3164-306-0x0000000000401000-0x0000000000427000-memory.dmp

Filesize
152KB

Download
memory/3164-6-0x0000000000401000-0x0000000000427000-memory.dmp

Filesize
152KB

Download
memory/3164-3-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3164-2-0x0000000074FD0000-0x000000007512D000-memory.dmp

Filesize
1.4MB

Download
memory/3164-296-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3384-230-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3384-225-0x0000000074FD0000-0x000000007512D000-memory.dmp

Filesize
1.4MB

Download
memory/3848-255-0x0000000074FD0000-0x000000007512D000-memory.dmp

Filesize
1.4MB

Download
memory/3848-262-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3848-259-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4072-240-0x0000000074FD0000-0x000000007512D000-memory.dmp

Filesize
1.4MB

Download
memory/4072-245-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4156-178-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4156-163-0x0000000074FD0000-0x000000007512D000-memory.dmp

Filesize
1.4MB

Download
memory/4512-162-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4512-154-0x0000000074FD0000-0x000000007512D000-memory.dmp

Filesize
1.4MB

Download
memory/4512-153-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4744-299-0x0000000074FD0000-0x000000007512D000-memory.dmp

Filesize
1.4MB

Download
memory/4744-304-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4924-265-0x0000000074FD0000-0x000000007512D000-memory.dmp

Filesize
1.4MB

Download
memory/4924-276-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download