Analysis
max time kernel: 150s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/05/2024, 23:23
Static task: static1
Behavioral task: behavioral1
  Sample: 420f9d09781da5efa88c07bc6464c350_NeikiAnalytics.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 420f9d09781da5efa88c07bc6464c350_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 420f9d09781da5efa88c07bc6464c350_NeikiAnalytics.exe
Size: 170KB
MD5: 420f9d09781da5efa88c07bc6464c350
SHA1: e484e30648fd498b28128ed8145e5164c80a1b8f
SHA256: 7e14114a882e13f10fc3dba19d4f70f4c804f34584fcd816e92ff54764b44fee
SHA512: ed1dcced5a5db08e0037570fd27482685c3e832383cf07a5bf80bd0bd703d0a82c4f5a60198324d477a7eb0445b9f474493b074fcbbfce9dd83d27aede6c37a9
SSDEEP: 3072:s/JpOm5axh63laEo+pXX1pQD2UCohD8mxLCj+5cmeDye42L712xrpdJ8xLeb7Ux:sBAm5oh63laEo+pXX1pkF8mxeq5+4m7D
Malware Config
Signatures
Executes dropped EXE 6 IoCs
pid   Process
388   ntuser.exe
2436  ntuser.exe
3152  ntuser.exe
1256  ntuser.exe
1392  ntuser.exe
1612  ntuser.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
1     icanhazip.com
Maps connected drives based on registry 3 TTPs 14 IoCs
Disk information is often read in order to detect sandboxing environments.
Drops file in System32 directory 5 IoCs
description                   ioc                                                                                            Process
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE              ntuser.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies              ntuser.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5      ntuser.exe
File created                  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\2I9NBRB6.txt ntuser.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5     ntuser.exe
Modifies data under HKEY_USERS 15 IoCs
Modifies registry class 62 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 5 IoCs
description                        pid   Process
Token: SeIncBasePriorityPrivilege  3484  420f9d09781da5efa88c07bc6464c350_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege  3484  420f9d09781da5efa88c07bc6464c350_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege  388   ntuser.exe
Token: SeIncBasePriorityPrivilege  2436  ntuser.exe
Token: SeIncBasePriorityPrivilege  1392  ntuser.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid   Process
3152  ntuser.exe
Suspicious use of WriteProcessMemory 15 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\420f9d09781da5efa88c07bc6464c350_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\420f9d09781da5efa88c07bc6464c350_NeikiAnalytics.exe"
  PID: 3484
  - Enumerates connected drives
  - Maps connected drives based on registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\ProgramData\SysEXT\ntuser.exe
      Command line: "C:\ProgramData\SysEXT\ntuser.exe" 1
      PID: 388
      - Executes dropped EXE
      - Enumerates connected drives
      - Maps connected drives based on registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\SysEXT\ntuser.exe
          Command line: "C:\Users\Admin\AppData\Roaming\SysEXT\ntuser.exe" 1
          PID: 3152
          - Executes dropped EXE
          - Enumerates connected drives
          - Maps connected drives based on registry
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
    C:\ProgramData\SysEXT\ntuser.exe
      Command line: "C:\ProgramData\SysEXT\ntuser.exe"
      PID: 2436
      - Executes dropped EXE
      - Enumerates connected drives
      - Maps connected drives based on registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\ProgramData\SysEXT\ntuser.exe
          Command line: "C:\ProgramData\SysEXT\ntuser.exe" 1
          PID: 1256
          - Executes dropped EXE
          - Enumerates connected drives
          - Maps connected drives based on registry
          - Suspicious behavior: EnumeratesProcesses

C:\ProgramData\SysEXT\ntuser.exe
  Command line: C:\ProgramData\SysEXT\ntuser.exe
  PID: 1392
  - Executes dropped EXE
  - Enumerates connected drives
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\ProgramData\SysEXT0\ntuser.exe
      Command line: "C:\ProgramData\SysEXT0\ntuser.exe"
      PID: 1612
      - Executes dropped EXE
      - Enumerates connected drives
      - Maps connected drives based on registry
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 5KB
MD5: c158f8faa00ea866b9fcde4280cf36e2
SHA1: 572653f2eed2ca2cccfbb92349710b2fa6032114
SHA256: 7fe7f772f5748a72cbfbde60f51429d6977ea7e07160a36c4c7fbb891d192011
SHA512: d9045c4ead52f19023ec18cd11d9601afef4a18b4f15efb3068ed6c34447cb9f2d5e2027fcf98adf05ca34b62a96468011c27ab973a7202f4ca51b233ade563c

Filesize: 170KB
MD5: 60eef945d13c8f560f9ec2c9e7d4a09b
SHA1: cef1d95980515b88d220d4126ed1f651973b06db
SHA256: 457b198c831e45bdbff044e60b2e1dcb139547d88e006dd491c5582557f667fb
SHA512: b88368116569d61063318b55c130d34d006cc83360314e6e376c733bfc86407e52648a38a43291f57ab40ab93b41435fb5085b50d3a615593ab11bbddcf1296d

Filesize: 170KB
MD5: 72ea59074c570d6c257cc89db2fecee8
SHA1: 12265244ae0cc18699b3ce997cf38fa594329645
SHA256: fb831b7b2c641d208390f285f35f6229006ee946492ed967759a92fb01f09714
SHA512: 1aed2d509d83af9873b15a29042f4dbb817b0ed0896e65c76727b898f53ce91dafbd3798109bcbb2fed8f58dbc9ce8b1dd26bf10d0702b4ce8ac5c45cd4f6638