f7c5a1342c48ba63b7a5a75c84d18845bfe12eb6c3c28a94c454d98aa43baa73

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\users\admin\appdata\local\temp\a0eeab4f971b5c5ccb237efa58fa3010_neikianalytics.exe = "c:\\users\\admin\\appdata\\local\\temp\\a0eeab4f971b5c5ccb237efa58fa3010_neikianalytics.exe:*:Enabled:SMPN"	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wdfmgr = "c:\\windows\\wdfmgr.exe"	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msrpc = "c:\\windows\\msrpc.exe"	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wdfmgr\ImagePath = "c:\\windows\\wdfmgr.exe"	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wdfmgr = "c:\\windows\\wdfmgr.exe"	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\wdfmgr = "c:\\windows\\wdfmgr.exe"	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsassv = "c:\\windows\\lsassv.exe"	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\q:	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe
File opened (read-only)	\??\p:	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe
File opened (read-only)	\??\n:	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe
File opened (read-only)	\??\m:	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe
File opened (read-only)	\??\j:	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe
File opened (read-only)	\??\i:	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe
File opened (read-only)	\??\s:	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe
File opened (read-only)	\??\w:	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe
File opened (read-only)	\??\u:	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe
File opened (read-only)	\??\t:	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe
File opened (read-only)	\??\r:	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe
File opened (read-only)	\??\o:	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe
File opened (read-only)	\??\l:	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe
File opened (read-only)	\??\k:	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe
File opened (read-only)	\??\x:	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe
File opened (read-only)	\??\y:	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe
File opened (read-only)	\??\v:	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe
File opened (read-only)	\??\z:	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe
File opened (read-only)	\??\h:	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe
File opened (read-only)	\??\g:	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe
File opened (read-only)	\??\e:	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\regedit.exe	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\mui\rctfd.sys	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\wdfmgr.exe	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe
File created	\??\c:\windows\regedit2.exe	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\regedit2.exe	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe
File created	\??\c:\windows\msrpc.exe	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\msrpc.exe	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe
File created	\??\c:\windows\wdfmgr.exe	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\lsassv.exe	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe
File created	\??\c:\windows\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\AdobeLoader.scr	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe
File created	\??\c:\windows\Start Menu\Programs\Startup\AdobeLoader.scr	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe
File created	\??\c:\windows\lsassv.exe	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe
File created	\??\c:\windows\calc.exe	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\calc.exe	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\ThisEXE = "c:\\users\\admin\\appdata\\local\\temp\\a0eeab4f971b5c5ccb237efa58fa3010_neikianalytics.exe"	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\VerProg = "157"	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4512	a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a0eeab4f971b5c5ccb237efa58fa3010_NeikiAnalytics.exe"
1⤵
- Modifies firewall policy service
- Adds policy Run key to start application
- Sets service image path in registry
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

4

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery