Malware Analysis Report

2024-11-13 16:30

Sample ID 240510-h154msda89
Target 9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics
SHA256 105661772dbcadfa0e07c1d790efb26adce0e54d33ecb6bee0e42ae201eecef1
Tags
zgrat persistence rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

105661772dbcadfa0e07c1d790efb26adce0e54d33ecb6bee0e42ae201eecef1

Threat Level: Known bad

The file 9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

zgrat persistence rat spyware stealer

ZGRat

Modifies WinLogon for persistence

Zgrat family

Process spawned unexpected child process

Detect ZGRat V1

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Runs ping.exe

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-10 07:13

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Zgrat family

zgrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 07:13

Reported

2024-05-10 07:15

Platform

win7-20240220-en

Max time kernel

126s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, written six times by C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe (Target N/A); the six recorded values form one chain, each write appending one more path:
  1. explorer.exe, "C:\Users\Default\Downloads\sppsvc.exe"
  2. + "C:\Users\Default\Recent\audiodg.exe"
  3. + "C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\spoolsv.exe"
  4. + "C:\Windows\Downloaded Program Files\csrss.exe"
  5. + "C:\Program Files (x86)\Windows Photo Viewer\it-IT\Idle.exe"
  6. + "C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe"
Final value: explorer.exe, "C:\Users\Default\Downloads\sppsvc.exe", "C:\Users\Default\Recent\audiodg.exe", "C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\spoolsv.exe", "C:\Windows\Downloaded Program Files\csrss.exe", "C:\Program Files (x86)\Windows Photo Viewer\it-IT\Idle.exe", "C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe"
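The Shell value is a comma-separated list and Winlogon starts every program in it, not only the first, so each path appended here is launched at logon alongside explorer.exe. The Python below is an added example, not part of this report or of the sandbox's tooling: it splits a Shell value the way Winlogon does and classifies each entry beyond the stock shell, using the final value recorded above as input. The list of system process names, the set of odd locations and the finding texts are this example's own assumptions; the same path classifier applies to the Run key values and scheduled-task actions listed further down.

```python
# Added example (not part of the sandbox report): split a Winlogon Shell value
# the way Winlogon does and classify every entry beyond the stock shell.
import csv
import ntpath

# Final Shell value written by the sample in the behavioral1 run, verbatim.
SAMPLE_SHELL_VALUE = (
    'explorer.exe, "C:\\Users\\Default\\Downloads\\sppsvc.exe", '
    '"C:\\Users\\Default\\Recent\\audiodg.exe", '
    '"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\spoolsv.exe", '
    '"C:\\Windows\\Downloaded Program Files\\csrss.exe", '
    '"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\Idle.exe", '
    '"C:\\Users\\Admin\\AppData\\Local\\Temp\\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe"'
)

# Assumptions of this example, not taken from the report: names of Windows
# processes worth treating as masquerading when found outside System32, and
# directories a legitimate autostart entry has no reason to point at.
SYSTEM_PROCESS_NAMES = {"csrss.exe", "spoolsv.exe", "sppsvc.exe", "audiodg.exe",
                        "dllhost.exe", "runtimebroker.exe", "svchost.exe", "lsass.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
ODD_LOCATIONS = ("c:\\users\\default", "c:\\recovery\\",
                 "c:\\windows\\downloaded program files", "\\appdata\\local\\temp\\")
STOCK_SHELL = ("explorer.exe", "c:\\windows\\explorer.exe")


def split_shell_value(value):
    """Split a Winlogon Shell value into its entries.

    Winlogon starts every comma-separated program in the value, not only the
    first. Paths with spaces are double-quoted, so a csv reader is used rather
    than value.split(","), which would break on a comma inside quotes.
    """
    row = next(csv.reader([value], skipinitialspace=True))
    return [entry.strip() for entry in row if entry.strip()]


def classify_autostart_path(path):
    """Return why the path looks wrong, or None.

    Works for Run key values and scheduled-task actions as well as Shell entries.
    """
    p = path.strip().strip('"').lower()
    name, parent = ntpath.basename(p), ntpath.dirname(p)
    if name in SYSTEM_PROCESS_NAMES and not parent.startswith(SYSTEM_DIRS):
        return "system process name outside System32"
    if any(loc in p for loc in ODD_LOCATIONS):
        return "unusual or user-writable location"
    return None


def audit_shell_value(value):
    """Return [(entry, reason)] for every entry that is not the stock shell."""
    findings = []
    for entry in split_shell_value(value):
        if entry.strip('"').lower() in STOCK_SHELL:
            continue
        findings.append((entry, classify_autostart_path(entry) or "extra shell entry"))
    return findings


if __name__ == "__main__":
    for entry, reason in audit_shell_value(SAMPLE_SHELL_VALUE):
        print(f"{reason:40} {entry}")
```

Run against the value above, all six appended paths are reported: four as system process names living outside System32 (sppsvc, audiodg, spoolsv, csrss), the Temp copy of the sample as a user-writable location, and Idle.exe under Program Files only as an extra shell entry, which is why the check must treat anything beyond explorer.exe as a finding regardless of where it lives.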

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (18 occurrences; the process list below records 18 schtasks.exe /create invocations, three per dropped copy)
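A schtasks.exe whose parent is WmiPrvSE.exe rather than the sample means the task was created by asking WMI to start the process (the usual cause is a call to the Win32_Process class), which keeps the scheduler writes out of the sample's own process tree. Two other parent/child pairs in this run are worth rules of their own: csc.exe invoked with /noconfig /fullpaths @...cmdline on behalf of a binary in %TEMP% is the .NET CodeDOM compile pattern (the source tmkw0gqi.0.cs and the System32 output are listed under Files), and w32tm /stripchart /computer:localhost /samples:2 inside the dropped batch file does nothing useful except wait a few seconds before Idle.exe is started. The Python below is an added example, not part of the report: it runs those rules over process-creation events modelled on the behavioral1 process list. PIDs 2836, 2580, 2024, 2452, 2616, 272 and 2144 and their command lines are the report's; the parent of 2836, the WmiPrvSE and schtasks PIDs (700, 900, 3001) and the finding texts are constructed for the example.

```python
# Added example (not part of the sandbox report): parent/child rules over
# process-creation events modelled on the behavioral1 run.
import ntpath

# (pid, ppid, image, cmdline). PIDs 2836/2580/2024/2452/2616/272/2144 and the
# command lines are from the report; the parent of 2836 and the WmiPrvSE and
# schtasks PIDs (700, 900, 3001) are constructed for the example.
EVENTS = [
    (2836, 1000, r"C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe"'),
    (2580, 2836, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tmkw0gqi\tmkw0gqi.cmdline"'),
    (2024, 2580, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
     r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2FB8.tmp" "c:\Windows\System32\CSC42E97CB6EBA840E98D1EF51BA7FC9ABE.TMP"'),
    (2452, 2836, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cy8ISVXXgP.bat"'),
    (2616, 2452, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    (272, 2452, r"C:\Windows\system32\w32tm.exe",
     "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    (2144, 2452, r"C:\Program Files (x86)\Windows Photo Viewer\it-IT\Idle.exe",
     r'"C:\Program Files (x86)\Windows Photo Viewer\it-IT\Idle.exe"'),
    (900, 700, r"C:\Windows\system32\wbem\wmiprvse.exe", r"C:\Windows\system32\wbem\wmiprvse.exe"),
    (3001, 900, r"C:\Windows\system32\schtasks.exe",
     r'''schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Downloads\sppsvc.exe'" /rl HIGHEST /f'''),
]

TEMP_MARKER = "\\appdata\\local\\temp\\"


def _name(path):
    return ntpath.basename(path).lower()


def detect(events):
    """Return [(pid, finding)] for every event matching one of the rules."""
    by_pid = {e[0]: e for e in events}
    hits = []
    for pid, ppid, image, cmdline in events:
        parent = by_pid.get(ppid)
        p_image = parent[2] if parent else ""
        p_cmd = parent[3] if parent else ""
        child, par = _name(image), _name(p_image)
        # 1. Task creation routed through WMI: the sample is not the parent of schtasks.exe.
        if child == "schtasks.exe" and par == "wmiprvse.exe":
            hits.append((pid, "schtasks.exe launched via WmiPrvSE.exe, real parent hidden"))
        # 2. The .NET compiler working for a binary that lives in %TEMP% (runtime code generation).
        if child == "csc.exe" and TEMP_MARKER in p_image.lower():
            hits.append((pid, "csc.exe invoked by a binary in %TEMP%"))
        # 3. w32tm /stripchart against localhost only burns a few seconds: a sleep substitute.
        if child == "w32tm.exe" and "/stripchart" in cmdline.lower() and par == "cmd.exe":
            hits.append((pid, "w32tm /stripchart used as a delay"))
        # 4. A batch file in %TEMP% starting an executable that is not part of Windows.
        if (par == "cmd.exe" and TEMP_MARKER in p_cmd.lower() and ".bat" in p_cmd.lower()
                and not image.lower().startswith("c:\\windows\\")):
            hits.append((pid, "executable started by a batch file from %TEMP%"))
    return hits


def lineage(events, pid):
    """Image names from pid up to the first ancestor not present in the events."""
    by_pid = {e[0]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(_name(by_pid[pid][2]))
        pid = by_pid[pid][1]
    return chain


if __name__ == "__main__":
    for pid, finding in detect(EVENTS):
        print(pid, " <- ".join(lineage(EVENTS, pid)), ":", finding)
```

Rule 1 fires on the constructed schtasks event, rules 2 and 3 on csc.exe (2580) and w32tm.exe (272), and rule 4 on Idle.exe (2144) but not on chcp.com or w32tm.exe, which live under C:\Windows. The lineage helper is what ties a hit back to the sample: for Idle.exe it yields idle.exe <- cmd.exe <- the sample, while for the WMI-spawned schtasks.exe the chain stops at wmiprvse.exe, which is exactly the gap the technique creates.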

ZGRat

rat zgrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Windows Photo Viewer\it-IT\Idle.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str), each written by C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe (Target N/A) under both \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run and \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (12 writes in total):
  Idle = "C:\Program Files (x86)\Windows Photo Viewer\it-IT\Idle.exe"
  sppsvc = "C:\Users\Default\Downloads\sppsvc.exe"
  audiodg = "C:\Users\Default\Recent\audiodg.exe"
  spoolsv = "C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\spoolsv.exe"
  csrss = "C:\Windows\Downloaded Program Files\csrss.exe"
  9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics = "C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe"

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\Windows\System32\CSC42E97CB6EBA840E98D1EF51BA7FC9ABE.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Windows\System32\u7e72d.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\it-IT\Idle.exe C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\it-IT\6ccacd8608530f C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\it-IT\Idle.exe C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Downloaded Program Files\csrss.exe C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe N/A
File created C:\Windows\Downloaded Program Files\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe N/A (63 occurrences)
N/A N/A C:\Program Files (x86)\Windows Photo Viewer\it-IT\Idle.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Windows Photo Viewer\it-IT\Idle.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Photo Viewer\it-IT\Idle.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2836 wrote to memory of 2580 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2580 wrote to memory of 2024 (3 writes) N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2836 wrote to memory of 2452 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 2452 wrote to memory of 2616 (3 writes) N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2452 wrote to memory of 272 (3 writes) N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2452 wrote to memory of 2144 (3 writes) N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Windows Photo Viewer\it-IT\Idle.exe
Every pair above is a parent writing into a child it has just started (compare the process list below), so these rows describe the process tree rather than injection into an unrelated process.

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Downloads\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Downloads\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Downloads\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tmkw0gqi\tmkw0gqi.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2FB8.tmp" "c:\Windows\System32\CSC42E97CB6EBA840E98D1EF51BA7FC9ABE.TMP"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Recent\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default\Recent\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Recent\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics9" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics9" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cy8ISVXXgP.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Photo Viewer\it-IT\Idle.exe

"C:\Program Files (x86)\Windows Photo Viewer\it-IT\Idle.exe"
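The eighteen schtasks.exe invocations above follow one pattern per dropped copy: a MINUTE task without /rl, an ONLOGON task with /rl HIGHEST, then a second MINUTE task that reuses the first task's name and adds /rl HIGHEST. Because /f replaces an existing task of the same name, two tasks per payload survive: one that relaunches the binary every few minutes with the highest privileges available to the account, and one that starts it at logon. The Python below is an added example, not part of the report: it parses the /create options from these command lines and summarises the resulting persistence per target, using six of the eighteen lines (the sppsvc and Idle triplets) copied verbatim from the process list; the summary field names are this example's own.

```python
# Added example (not part of the sandbox report): parse schtasks.exe /create
# command lines and summarise the persistence they leave per target binary.
import re
from collections import defaultdict

# Six of the eighteen command lines from the behavioral1 process list, verbatim
# (the sppsvc and Idle triplets); the other four payloads follow the same shape.
SCHTASKS_CMDLINES = [
    r'''schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Downloads\sppsvc.exe'" /f''',
    r'''schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Downloads\sppsvc.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Downloads\sppsvc.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\Idle.exe'" /f''',
    r'''schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\Idle.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\Idle.exe'" /rl HIGHEST /f''',
]

_TOKEN = re.compile(r'"[^"]*"|\S+')          # keep double-quoted arguments whole
_VALUE_FLAGS = {"/tn": "name", "/sc": "schedule", "/mo": "modifier",
                "/tr": "target", "/rl": "run_level"}


def parse_schtasks(cmdline):
    """Return the /create options of one schtasks command line as a dict.

    schtasks runs a task as LIMITED unless /rl HIGHEST is given, so that is the
    default here. The sample wraps the /tr path in '...' inside "...", so both
    quote styles are stripped from the target.
    """
    tokens = _TOKEN.findall(cmdline)
    opts = {"create": False, "force": False, "name": None, "schedule": None,
            "modifier": None, "target": None, "run_level": "LIMITED"}
    i = 1                                      # tokens[0] is the image name
    while i < len(tokens):
        flag = tokens[i].lower()
        if flag == "/create":
            opts["create"] = True
        elif flag == "/f":
            opts["force"] = True
        elif flag in _VALUE_FLAGS and i + 1 < len(tokens):
            value = tokens[i + 1].strip('"')
            if flag == "/tr":
                value = value.strip("'")
            elif flag in ("/sc", "/rl"):
                value = value.upper()
            opts[_VALUE_FLAGS[flag]] = value
            i += 1
        i += 1
    return opts


def summarize_persistence(cmdlines):
    """Group created tasks by target and report what survives.

    Command lines are taken in the order they were run: /create with /f
    replaces an existing task of the same name, so when "sppsvcs" is created
    twice only the second definition (MINUTE /mo 13, HIGHEST) remains.
    """
    by_target = defaultdict(dict)              # target -> {task name: opts}
    for line in cmdlines:
        opts = parse_schtasks(line)
        if opts["create"] and opts["target"] and opts["name"]:
            by_target[opts["target"]][opts["name"]] = opts
    summary = {}
    for target, tasks in by_target.items():
        minutes = [int(t["modifier"]) for t in tasks.values()
                   if t["schedule"] == "MINUTE" and t["modifier"]]
        summary[target] = {
            "tasks": sorted(tasks),
            "on_logon": any(t["schedule"] == "ONLOGON" for t in tasks.values()),
            "relaunch_every_min": min(minutes) if minutes else None,
            "highest": any(t["run_level"] == "HIGHEST" for t in tasks.values()),
        }
    return summary


if __name__ == "__main__":
    for target, info in summarize_persistence(SCHTASKS_CMDLINES).items():
        print(target, info)
```

For the sppsvc copy the summary is two surviving tasks (sppsvc, sppsvcs), relaunch every 13 minutes, an ONLOGON trigger and HIGHEST run level; the /mo 5 definition is gone because the third command overwrote it. When sweeping a host, feeding the same parser the output of schtasks /query /fo LIST /v and keying on the Task To Run path gives the same per-target view without relying on the task names, which the sample varies.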

Network

Country Destination Domain Proto
US 8.8.8.8:53 bundlepro.top udp
US 172.67.208.218:80 bundlepro.top tcp
US 172.67.208.218:80 bundlepro.top tcp

Files

memory/2836-0-0x000007FEF5AF3000-0x000007FEF5AF4000-memory.dmp

memory/2836-1-0x0000000000FD0000-0x00000000011AA000-memory.dmp

memory/2836-2-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

memory/2836-3-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

memory/2836-4-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

memory/2836-6-0x0000000000270000-0x000000000027E000-memory.dmp

memory/2836-8-0x0000000000430000-0x000000000044C000-memory.dmp

memory/2836-9-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

memory/2836-11-0x0000000000450000-0x0000000000468000-memory.dmp

memory/2836-13-0x0000000000410000-0x000000000041C000-memory.dmp

memory/2836-14-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

C:\Users\Default\Downloads\sppsvc.exe (same MD5 and SHA256 as the submitted sample: the dropper copies itself to this persistence path)

MD5 9c9cfb46f054ba152005a24e4bc13cd0
SHA1 894e8cce959ed8d0fccfefa585891f5fd85c6aeb
SHA256 105661772dbcadfa0e07c1d790efb26adce0e54d33ecb6bee0e42ae201eecef1
SHA512 3923648a5708f884150318bb5ee9f4df2713bd826b85861bbf2cf1026487ab8b1d5668e361081493ab4cd8b3ede7b7cf9bd173dc7b72eaf95c4082b20aad98a4

memory/2836-26-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

memory/2836-27-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

memory/2836-28-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\tmkw0gqi\tmkw0gqi.cmdline

MD5 9eb425b515c1ac1bbd8ab191a628a73d
SHA1 a3bfe3c5b71d756c08dd6aea3aa9ab6aa1e5ddab
SHA256 37b8425ca82440b74fdd022f6ee673e041c34d67779eb346fd937a910f5988cc
SHA512 cacc2ddba84f7689e76c088c3bbf494824f904533d1142f38fe710a1231d745fa4fbabf20c5abfd0547734c8c6cdbf860349fdc721f7474758e27af466bb7035

\??\c:\Users\Admin\AppData\Local\Temp\tmkw0gqi\tmkw0gqi.0.cs

MD5 e8eb652a53aa4ca8b5fa2c826aededeb
SHA1 c57b622e1435b3e25e872416c78fa3c4421ee012
SHA256 e26c92c65129475b22cc9bc3dab758a3f5a87cd8893e8907278ed122252f78fb
SHA512 9fad7bf8270feb9776e009682907d459d6884749c168ec5b5d7b441bdc5a00718f030c078a26bc050f358927c2c31d2aa60e31aa69c7cacb975b47011efad6af

\??\c:\Windows\System32\CSC42E97CB6EBA840E98D1EF51BA7FC9ABE.TMP

MD5 984924caf6574026769de34f35c2358e
SHA1 6dd41e492235d812252231912aa025f47fa7a9e7
SHA256 2bf5f65c8161575847113a1b4194625204c6ddce042f9b3432011c31348bb986
SHA512 5918fdc8d27ff5421dea1455df93c6cf85738e94c5079701ba7fded59b01bda482b70e2a500ba2c2aebedb6d2b0815d094d9bb271133de738f9e630167f6be46

C:\Users\Admin\AppData\Local\Temp\RES2FB8.tmp

MD5 9f9c25531140b51433e397aa78516839
SHA1 a3b95b2ddf33f797c7072f40c3bd7475ed541822
SHA256 eebbf1835b4f5d41ad5037835164630ad0da323ecd714059e0b987e27709b93e
SHA512 e2fb885f80abf2230f52fbd64dd67f082c4cb1362ac8ebc25c96d637a2407b84ad4c3e312742bb6409968ef40d99935b2793803b3f8c943624327f6c4e096d93

C:\Users\Admin\AppData\Local\Temp\cy8ISVXXgP.bat

MD5 997e755e20d49d06d4c16d4f69e10784
SHA1 a149db9f5cb73b14f9bd60b080a78fc279616b28
SHA256 d49a2de3f6c70181c42898201a9c6fc427d8e3e75b45e70fc08ac1724b3d4f7d
SHA512 eb477dd236877fc79da5f826117b11a17322abc29d5f5d3552c5c624af5d6025bf54ba8f51d7f73cd59086ed105c323866de6a7929115254b8f0c7dfef905111

memory/2836-46-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

memory/2144-49-0x0000000000EA0000-0x000000000107A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 07:13

Reported

2024-05-10 07:15

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, written six times by C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe (Target N/A); the six recorded values form one chain, each write appending one more path:
  1. explorer.exe, "C:\Users\Default User\sppsvc.exe"
  2. + "C:\Windows\Provisioning\Autopilot\csrss.exe"
  3. + "C:\Users\Default User\OfficeClickToRun.exe"
  4. + "C:\Recovery\WindowsRE\dllhost.exe"
  5. + "C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"
  6. + "C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe"
Final value: explorer.exe, "C:\Users\Default User\sppsvc.exe", "C:\Windows\Provisioning\Autopilot\csrss.exe", "C:\Users\Default User\OfficeClickToRun.exe", "C:\Recovery\WindowsRE\dllhost.exe", "C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe", "C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe"

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (18 occurrences, the same three-tasks-per-copy pattern as in behavioral1)

ZGRat

rat zgrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Default User\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Users\\Default User\\OfficeClickToRun.exe\"" C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Microsoft Office 15\\ClientX64\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Default User\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Provisioning\\Autopilot\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Users\\Default User\\OfficeClickToRun.exe\"" C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Microsoft Office 15\\ClientX64\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe\"" C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe\"" C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Provisioning\\Autopilot\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\Windows\System32\iehhk_.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Windows\System32\CSC4675A77895C348E6B02ECABC90B5CD34.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe N/A
File created C:\Program Files\Microsoft Office 15\ClientX64\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe N/A
File created C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Provisioning\Autopilot\csrss.exe C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe N/A
File created C:\Windows\Provisioning\Autopilot\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe N/A
(identical row reported 64 times during the detonation)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4912 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4912 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2176 wrote to memory of 2268 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2176 wrote to memory of 2268 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4912 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 4912 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe C:\Windows\System32\cmd.exe
PID 4608 wrote to memory of 1560 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4608 wrote to memory of 1560 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4608 wrote to memory of 4684 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 4608 wrote to memory of 4684 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 4608 wrote to memory of 2972 N/A C:\Windows\System32\cmd.exe C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe
PID 4608 wrote to memory of 2972 N/A C:\Windows\System32\cmd.exe C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe
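
Each pair in the table above matches a parent and the child it launched in the Processes list (the sample starts csc.exe and cmd.exe, csc.exe starts cvtres.exe, cmd.exe starts chcp.com, PING.EXE and the dropped RuntimeBroker.exe), so the rows describe the process tree rather than injection into an unrelated process; the sandbox also reports every write twice. The script below is an added example, not part of the report: it parses rows in this table's format, collapses the duplicates and prints the tree. SAMPLE_ROWS copies the rows above with one duplicate left in to show the de-duplication; the assumption that the parent and child paths are separated at the first " C:\" boundary holds for these rows because only the child path (Program Files) contains a space.

```python
"""Rebuild the process tree from "PID A wrote to memory of B" rows (added example)."""
import re
from collections import defaultdict

# Rows copied from the WriteProcessMemory table of this report. The sandbox
# lists each write twice; one duplicate is kept here so the collapse is visible.
SAMPLE_ROWS = [
    r"PID 4912 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
    r"PID 4912 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
    r"PID 2176 wrote to memory of 2268 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
    r"PID 4912 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe C:\Windows\System32\cmd.exe",
    r"PID 4608 wrote to memory of 1560 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com",
    r"PID 4608 wrote to memory of 4684 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE",
    r"PID 4608 wrote to memory of 2972 N/A C:\Windows\System32\cmd.exe C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe",
]

# Assumption: the parent and child image paths are split at the first " C:\"
# boundary. That is safe for the rows above, where only the child path has a space.
_ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) (C:\\.+)$")


def parse_rows(rows):
    """Return (image_by_pid, children) with duplicate rows collapsed."""
    image_by_pid = {}
    children = defaultdict(set)
    for row in rows:
        match = _ROW_RE.match(row.strip())
        if not match:
            continue  # skip rows that are not in the "wrote to memory of" format
        parent, child, parent_img, child_img = match.groups()
        parent, child = int(parent), int(child)
        image_by_pid.setdefault(parent, parent_img)
        image_by_pid.setdefault(child, child_img)
        children[parent].add(child)  # a set, so the repeated row is absorbed
    return image_by_pid, children


def roots(children):
    """PIDs that never appear as a child: the starting points of the tree."""
    all_children = {c for kids in children.values() for c in kids}
    return sorted(p for p in children if p not in all_children)


def render_tree(rows):
    """One indented line per process, depth-first, children in PID order."""
    image_by_pid, children = parse_rows(rows)
    lines = []

    def walk(pid, depth):
        lines.append(f"{'  ' * depth}{pid} {image_by_pid[pid]}")
        for kid in sorted(children.get(pid, ())):
            walk(kid, depth + 1)

    for root in roots(children):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(SAMPLE_ROWS)))
```

The rendered tree makes the staging visible at a glance: the sample compiles something with csc.exe (the response file and CSC*.TMP are listed under Files), then hands off to a batch file whose chcp and ping steps precede the launch of the dropped RuntimeBroker.exe.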

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\d52yz0tu\d52yz0tu.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES89D1.tmp" "c:\Windows\System32\CSC4675A77895C348E6B02ECABC90B5CD34.TMP"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Provisioning\Autopilot\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Provisioning\Autopilot\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Provisioning\Autopilot\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics9" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics9" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cya3h2BZSK.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe

"C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"
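
The 18 schtasks.exe invocations above follow one template per dropped binary: a MINUTE-interval task, an ONLOGON task with /rl HIGHEST, and then the MINUTE task re-created under the same /tn with /f and /rl HIGHEST, so the last definition wins. The parent of every schtasks.exe is wmiprvse.exe (see "Process spawned unexpected child process"), which is a useful hunting pivot on its own. The triage script below is an added example, not part of the report: it parses schtasks /create command lines, extracts /tn, /sc, /mo, /tr and /rl, flags short relaunch intervals, HIGHEST run level and targets in user-writable locations, and reports which task names were created more than once. SAMPLE_CMDLINES copies the 18 command lines above; the FREQUENT_MINUTES threshold, the USER_WRITABLE_PREFIXES tuple and the reason strings are this example's own choices. Note also that the dropped copies carry the original sample's hashes (C:\Users\Default\sppsvc.exe under Files has MD5 9c9cfb46f054ba152005a24e4bc13cd0 and the same SHA256 as the submitted file), so a hash block on the sample covers the task targets as well.

```python
"""Triage schtasks.exe /create command lines for persistence abuse (added example)."""
import re
from collections import Counter

# Command lines copied from the Processes list of this report (18 invocations).
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\sppsvc.exe'" /f''',
    r'''schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Provisioning\Autopilot\csrss.exe'" /f''',
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Provisioning\Autopilot\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Provisioning\Autopilot\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /f''',
    r'''schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f''',
    r'''schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /f''',
    r'''schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics9" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe'" /f''',
    r'''schtasks.exe /create /tn "9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics9" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe'" /rl HIGHEST /f''',
]

# Thresholds and path classes are this example's own assumptions, not the report's.
FREQUENT_MINUTES = 15
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\recovery\\")
REASON_FREQUENT = "relaunches every {n} min"
REASON_HIGHEST = "requests highest run level"
REASON_WRITABLE = "target lives in a user-writable location"

_TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # a quoted argument stays one token


def parse_schtasks_create(cmdline):
    """Return the /flag values of a `schtasks /create` line as a dict.

    Value-less flags such as /create and /f map to True. The /tr value has the
    inner single quotes used by this sample stripped so it is a plain path.
    """
    tokens = [t.strip('"') for t in _TOKEN_RE.findall(cmdline)]
    opts = {}
    i = 1  # skip the program name
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            name = tok[1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[name] = tokens[i + 1]
                i += 2
                continue
            opts[name] = True
        i += 1
    if isinstance(opts.get("tr"), str):
        opts["tr"] = opts["tr"].strip("'")
    return opts


def triage_task(opts):
    """Reasons a parsed /create command looks like persistence abuse (may be empty)."""
    reasons = []
    schedule = str(opts.get("sc", "")).upper()
    if schedule == "MINUTE":
        try:
            every = int(opts.get("mo", "1"))  # schtasks defaults /mo to 1
        except ValueError:
            every = 1
        if every <= FREQUENT_MINUTES:
            reasons.append(REASON_FREQUENT.format(n=every))
    if str(opts.get("rl", "")).upper() == "HIGHEST":
        reasons.append(REASON_HIGHEST)
    if str(opts.get("tr", "")).lower().startswith(USER_WRITABLE_PREFIXES):
        reasons.append(REASON_WRITABLE)
    return reasons


def triage_tasks(cmdlines):
    """Parse every command line and summarise the persistence picture."""
    parsed = [parse_schtasks_create(c) for c in cmdlines]
    names = Counter(p.get("tn") for p in parsed)
    return {
        "tasks": [dict(p, reasons=triage_task(p)) for p in parsed],
        "recreated": sorted(n for n, c in names.items() if c > 1),
        "targets": sorted({p["tr"] for p in parsed if "tr" in p}),
        "flagged": sum(1 for p in parsed if triage_task(p)),
    }


if __name__ == "__main__":
    summary = triage_tasks(SAMPLE_CMDLINES)
    for t in summary["tasks"]:
        print(f'{t["tn"]:<50} {t["sc"]:<8} {t.get("mo", "-"):>3}  {"; ".join(t["reasons"])}')
    print("recreated with /f:", summary["recreated"])
    print("distinct targets:", len(summary["targets"]), "flagged:", summary["flagged"])
```

The same parser can be run over Sysmon event ID 1 or Security 4688 command lines; on this sample every one of the 18 invocations is flagged, six task names are created twice, and the six targets correspond exactly to the paths written into Winlogon\Shell and the Run keys, so clean-up has to remove the tasks, the registry entries and the files together or the survivors will re-create the rest within minutes.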

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 99.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 bundlepro.top udp
US 172.67.208.218:80 bundlepro.top tcp
US 172.67.208.218:80 bundlepro.top tcp
US 8.8.8.8:53 218.208.67.172.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 31.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/4912-0-0x00007FFA71593000-0x00007FFA71595000-memory.dmp

memory/4912-1-0x00000000007F0000-0x00000000009CA000-memory.dmp

memory/4912-2-0x00007FFA71590000-0x00007FFA72051000-memory.dmp

memory/4912-3-0x00007FFA71590000-0x00007FFA72051000-memory.dmp

memory/4912-4-0x00007FFA71590000-0x00007FFA72051000-memory.dmp

memory/4912-5-0x00007FFA71590000-0x00007FFA72051000-memory.dmp

memory/4912-7-0x0000000002A90000-0x0000000002A9E000-memory.dmp

memory/4912-9-0x0000000002C10000-0x0000000002C2C000-memory.dmp

memory/4912-10-0x000000001B9D0000-0x000000001BA20000-memory.dmp

memory/4912-11-0x00007FFA71590000-0x00007FFA72051000-memory.dmp

memory/4912-13-0x0000000002C30000-0x0000000002C48000-memory.dmp

memory/4912-15-0x0000000002AA0000-0x0000000002AAC000-memory.dmp

memory/4912-16-0x00007FFA71590000-0x00007FFA72051000-memory.dmp

memory/4912-17-0x00007FFA71590000-0x00007FFA72051000-memory.dmp

C:\Users\Default\sppsvc.exe

MD5 9c9cfb46f054ba152005a24e4bc13cd0
SHA1 894e8cce959ed8d0fccfefa585891f5fd85c6aeb
SHA256 105661772dbcadfa0e07c1d790efb26adce0e54d33ecb6bee0e42ae201eecef1
SHA512 3923648a5708f884150318bb5ee9f4df2713bd826b85861bbf2cf1026487ab8b1d5668e361081493ab4cd8b3ede7b7cf9bd173dc7b72eaf95c4082b20aad98a4

memory/4912-29-0x00007FFA71590000-0x00007FFA72051000-memory.dmp

memory/4912-30-0x00007FFA71590000-0x00007FFA72051000-memory.dmp

memory/4912-31-0x00007FFA71590000-0x00007FFA72051000-memory.dmp

memory/4912-32-0x00007FFA71590000-0x00007FFA72051000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\d52yz0tu\d52yz0tu.cmdline

MD5 2dd34cdb1193d89666a9350260e73ea9
SHA1 9e98ebc1879ec1289b513b42885a19cdbe1eb231
SHA256 5b9d789a552c4bb809784c273c198cd6d6b58febf18567bf061a210870ea26b2
SHA512 0385dfcad2ba278a5b307112fb8b5594438fdf578a193344f32a91d950fee3a77195895f9b87dd85a8e3eab0be0d5ae43e6507b20370ef015da975ad979242f5

\??\c:\Users\Admin\AppData\Local\Temp\d52yz0tu\d52yz0tu.0.cs

MD5 2b89f60385e4a7f08bc7d93fa670a32d
SHA1 396e5caa48629eb94642b32566b711e1cff7d861
SHA256 5d56c2bf57820c71c81d45c4ff3807b26fe96a544e22b15552513410ebfaa9a6
SHA512 1f11e75d910df0f74374e1e1ecd0d1b2ad93aad2aa86507d4273a8b7dfebc4340d26cc9a189d0347c5f32c2a5608c96f0e3625b9c7477307493ee6ff0399062d

\??\c:\Windows\System32\CSC4675A77895C348E6B02ECABC90B5CD34.TMP

MD5 6c8d705f12e071558058fc19e815fe28
SHA1 25c4f0b2bfaff4f8264f6cc36185e4b148c0e0b7
SHA256 9e6e446a2e264c8af311438fc1e8b4456c3b56aa4836ff9448f4385e6b77ca5d
SHA512 9195980872a010dc9c6d7012cd8b6f195dda94b50b19aa2024295e13651af6c9e89e0778d2f2e337ba84bafeb7d6cb5a2fc5ac0e4a94eee1d924ddb177e3e955

C:\Users\Admin\AppData\Local\Temp\RES89D1.tmp

MD5 1cbbe310f1151aae2d3ab8cd98c8316f
SHA1 1c05e1908d34658e0bce0b7f7b44fd83fc03d87f
SHA256 33340add363e33dc38aa8b8412cad082c67660b08a1d88d69a4b00be53a5f135
SHA512 1329a70727c278651c3afd3807d870496b5ee667b4e1157720616849033908770412a4280ab0cb127cde59ace9a11550c647f7bbbc6fb229922d3cb5045c901e

memory/4912-50-0x00007FFA71590000-0x00007FFA72051000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cya3h2BZSK.bat

MD5 7406adf112133dad8452e6d58085edff
SHA1 745c0f162b7baef6ad243371120a8c5cb15f1bbe
SHA256 e5c185ddbdc5544ed43011958821956c771ebef422d3c20870dbce614dc0691d
SHA512 991865af7a172b10020c947026cf1c4cc7e9037934131f867af16cd21ae00c1db7b23a412e2d865a7ce87d3df6aba51e7d94f563321b26d555b8aae7ed5b7d38

memory/2972-59-0x000000001AF60000-0x000000001AF68000-memory.dmp