9bd5ab93699abc16600005f25db02a401418d543939b2068042d2f3f7b7c6046

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 01:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
Size

91KB
MD5

3fe2822b1b7fa2aef1cbe21bc11f87d0
SHA1

630ffb82189c542249007064d7f0bb97633a5a64
SHA256

9bd5ab93699abc16600005f25db02a401418d543939b2068042d2f3f7b7c6046
SHA512

240b00e3ea0f9dd42ddbb22daf18246bdcfedc34d3570e7b0bf7f0f5705b09acb8b0626a73247a707d287e43bfa07c9b6129a4efa157ef192fb7ac211dd58408
SSDEEP

1536:XJRtlEnBHHIgabuYotV/JbJCX5SBiZJRtlEnBHHIgabuYotV/JbJCX5SBiE:XvtYxOuYotvYQIZvtYxOuYotvYQIE

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
3024	xk.exe
1940	IExplorer.exe
1896	WINLOGON.EXE
2168	CSRSS.EXE
2460	SERVICES.EXE
2152	LSASS.EXE
1436	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
1712	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
1712	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
1712	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
1712	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
1712	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
1712	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
1712	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
1712	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
1712	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
1712	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
1712	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
1712	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1712-0-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0007000000014a9a-8.dat	upx
behavioral1/files/0x0008000000015ccd-109.dat	upx
behavioral1/files/0x0006000000015d20-123.dat	upx
behavioral1/memory/1896-138-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000015d56-144.dat	upx
behavioral1/memory/2168-150-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2460-163-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1712-189-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1436-188-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1712-182-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000015d7f-181.dat	upx
behavioral1/memory/2152-174-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000015d6b-171.dat	upx
behavioral1/memory/2460-164-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000015d5f-160.dat	upx
behavioral1/memory/2168-155-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1896-141-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000015d4e-135.dat	upx
behavioral1/memory/1940-128-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1940-127-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1712-118-0x0000000001EB0000-0x0000000001EDF000-memory.dmp	upx
behavioral1/memory/3024-115-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/3024-114-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\shell.exe	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mig2.scr	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
File created	C:\Windows\xk.exe	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1712	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1712	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
3024	xk.exe
1940	IExplorer.exe
1896	WINLOGON.EXE
2168	CSRSS.EXE
2460	SERVICES.EXE
2152	LSASS.EXE
1436	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 3024	1712	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe	28
PID 1712 wrote to memory of 3024	1712	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe	28
PID 1712 wrote to memory of 3024	1712	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe	28
PID 1712 wrote to memory of 3024	1712	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe	28
PID 1712 wrote to memory of 1940	1712	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe	29
PID 1712 wrote to memory of 1940	1712	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe	29
PID 1712 wrote to memory of 1940	1712	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe	29
PID 1712 wrote to memory of 1940	1712	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe	29
PID 1712 wrote to memory of 1896	1712	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe	30
PID 1712 wrote to memory of 1896	1712	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe	30
PID 1712 wrote to memory of 1896	1712	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe	30
PID 1712 wrote to memory of 1896	1712	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe	30
PID 1712 wrote to memory of 2168	1712	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe	31
PID 1712 wrote to memory of 2168	1712	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe	31
PID 1712 wrote to memory of 2168	1712	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe	31
PID 1712 wrote to memory of 2168	1712	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe	31
PID 1712 wrote to memory of 2460	1712	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe	32
PID 1712 wrote to memory of 2460	1712	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe	32
PID 1712 wrote to memory of 2460	1712	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe	32
PID 1712 wrote to memory of 2460	1712	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe	32
PID 1712 wrote to memory of 2152	1712	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe	33
PID 1712 wrote to memory of 2152	1712	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe	33
PID 1712 wrote to memory of 2152	1712	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe	33
PID 1712 wrote to memory of 2152	1712	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe	33
PID 1712 wrote to memory of 1436	1712	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe	34
PID 1712 wrote to memory of 1436	1712	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe	34
PID 1712 wrote to memory of 1436	1712	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe	34
PID 1712 wrote to memory of 1436	1712	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe	34

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3fe2822b1b7fa2aef1cbe21bc11f87d0_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1712
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3024
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1940
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1896
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2168
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2460
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2152
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
e95f16a1cbf86edc4215d4b1750754f5

SHA1
53751f07fe0a7d3dfc91ae6b3dd103b47eb1543b

SHA256
fdaed3a43192545d50b35a3b01d40d6fec30890e66edcbe99a12ea934b9a44f6

SHA512
10173735c33c3ff55cd8185e21c6339159c86c622451a942a5a5e31ead68e9e5f2f1749beeeaa39a28f89b81f4412f0e22cfaf9f59a61b72025293f7acdbcea4

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
4844711a012ce69dd9bf5c9e71edc764

SHA1
024ab7585fecde5b13f28aeb11c20cf2369aa1e9

SHA256
9df031404f09b60238584517ba332390440134e15ad9fdac34028884c22dbf64

SHA512
d2919856ad987664b8194fdef34087fbd56113132039598ead4eb4b82dd8dbeb01fdd1a04c7015d7dce3eefda5f1f52051d8cd452116416af963f583d7027d6b

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
049257bdc9525fcde111d779bcf1e734

SHA1
9e43fa6314420b2afbd6816fdd94b460bed188d6

SHA256
dcc499fe4eda52f5d1108e6d0bc8fde59c368dfebf0cef989563ae451174a8d3

SHA512
8610447b908d69d76c79afcbc2dffe88fc77cc5956665319f95dd32f79119adaab29509fee11cc5768f93f2325b04aa8f04263387d4bc55a81ae1633947e837e

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
264f0be15af4456520912e7299f38d89

SHA1
935fdc968820db30dc91006e4047d2a8e72bd7fc

SHA256
7d78b9a4cb4401c364a63a298af5d2455e3c4962dfa27bd125d733c23a8c1627

SHA512
0387ab56e71dd4e1025564487b89cdf078310dc3f5c8bb5c8928bceb3754d236bac0f4fa0c7e0ec294afd1a2f22034edf11e44f8e2cdc16194e36125b6e1bf1f

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
91KB

MD5
3fe2822b1b7fa2aef1cbe21bc11f87d0

SHA1
630ffb82189c542249007064d7f0bb97633a5a64

SHA256
9bd5ab93699abc16600005f25db02a401418d543939b2068042d2f3f7b7c6046

SHA512
240b00e3ea0f9dd42ddbb22daf18246bdcfedc34d3570e7b0bf7f0f5705b09acb8b0626a73247a707d287e43bfa07c9b6129a4efa157ef192fb7ac211dd58408

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
67b25ac6b1ff600b8b41c00ffa04c004

SHA1
b6a4a1f47940ff61c380db9a5a0968d383fa37fe

SHA256
555c694ab6e30beb665565a1ce12fa856ed843131daa4b915b2e6edc1f309637

SHA512
7d76018f40d5d4cb1044f5af21ee7f2fdea28590d35ba3db0c01b62f013b4da496411f0f20fe385aa383b368b8df14f6fa7e805ecb83dea4882279fb8bc1b63a

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
e82752a087617d1aa2c9e7a856fc356c

SHA1
add22ac84bd5bc915bce746f972cb25394250739

SHA256
50fc704d883d50920c412377dfd5125da7cf8ce5d656433757bec21bc71fd1b0

SHA512
9927c10ee387f70aa787fdcfef20841a8272d162cea1a5875e0dd991ebd4730ac29db00ed68d935bad5be32f8e96772aeef7787b3359f4ad659cf248fd567ed8

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
a4c68c01d47d923dcbd3e73ffe716da4

SHA1
1028dda44cd345f8b6cbb490b2f84548314decd8

SHA256
3068a79eec2f5a17f7e74bfa90342287c03061a2518812e1360db31df103a82f

SHA512
c1b9e3d05657a6c48762ddef665c16878b9713742aced6c51dbf1c406c7834d52c754335510e0c14072f4ae79de23b62d590a104639163c7cd09830c9650a241

Download Submit
memory/1436-188-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1712-182-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1712-126-0x0000000001EB0000-0x0000000001EDF000-memory.dmp

Filesize
188KB

Download
memory/1712-184-0x0000000001EB0000-0x0000000001EDF000-memory.dmp

Filesize
188KB

Download
memory/1712-189-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1712-149-0x0000000001EB0000-0x0000000001EDF000-memory.dmp

Filesize
188KB

Download
memory/1712-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1712-112-0x0000000001EB0000-0x0000000001EDF000-memory.dmp

Filesize
188KB

Download
memory/1712-113-0x0000000001EB0000-0x0000000001EDF000-memory.dmp

Filesize
188KB

Download
memory/1712-136-0x0000000001EB0000-0x0000000001EDF000-memory.dmp

Filesize
188KB

Download
memory/1712-118-0x0000000001EB0000-0x0000000001EDF000-memory.dmp

Filesize
188KB

Download
memory/1712-137-0x0000000001EB0000-0x0000000001EDF000-memory.dmp

Filesize
188KB

Download
memory/1896-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1896-138-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1940-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1940-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2152-174-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2168-150-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2168-155-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2460-164-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2460-163-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3024-115-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3024-114-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download