Malware Analysis Report

2024-11-15 05:49

Sample ID 240514-egrv5ahh2s
Target 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics
SHA256 f3227b8dbb23c0388c1c761da0751316e0963dac4e15ed1a62c92a8a2d0a4601
Tags
rat dcrat evasion execution infostealer persistence trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

Dcrat family

Process spawned unexpected child process

DCRat payload

Modifies WinLogon for persistence

UAC bypass

DcRat

DCRat payload

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks computer location settings

Checks whether UAC is enabled

Adds Run key to start application

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Uses Task Scheduler COM API

Modifies registry class

Suspicious use of WriteProcessMemory

System policy modification

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2024-05-14 03:55

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-14 03:55

Reported

2024-05-14 03:57

Platform

win7-20240419-en

Max time kernel

118s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Users\\Public\\Downloads\\audiodg.exe\", \"C:\\Program Files\\Mozilla Firefox\\browser\\features\\services.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe\", \"C:\\Users\\Admin\\AppData\\audiodg.exe\", \"C:\\Windows\\Fonts\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Users\\Public\\Downloads\\audiodg.exe\", \"C:\\Program Files\\Mozilla Firefox\\browser\\features\\services.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe\", \"C:\\Users\\Admin\\AppData\\audiodg.exe\", \"C:\\Windows\\Fonts\\System.exe\", \"C:\\Program Files\\Windows Sidebar\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Users\\Public\\Downloads\\audiodg.exe\", \"C:\\Program Files\\Mozilla Firefox\\browser\\features\\services.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe\", \"C:\\Users\\Admin\\AppData\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Users\\Public\\Downloads\\audiodg.exe\", \"C:\\Program Files\\Mozilla Firefox\\browser\\features\\services.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe\", \"C:\\Users\\Admin\\AppData\\audiodg.exe\", \"C:\\Windows\\Fonts\\System.exe\", \"C:\\Program Files\\Windows Sidebar\\dllhost.exe\", \"C:\\Users\\Public\\Music\\Sample Music\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Users\\Public\\Downloads\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Users\\Public\\Downloads\\audiodg.exe\", \"C:\\Program Files\\Mozilla Firefox\\browser\\features\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Users\\Public\\Downloads\\audiodg.exe\", \"C:\\Program Files\\Mozilla Firefox\\browser\\features\\services.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Music\Sample Music\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Music\Sample Music\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Music\Sample Music\explorer.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Public\Music\Sample Music\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\Public\\Downloads\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\Public\\Downloads\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics = "\"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\Admin\\AppData\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows Sidebar\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics = "\"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\Admin\\AppData\\audiodg.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\Fonts\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows Sidebar\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Public\\Music\\Sample Music\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Mozilla Firefox\\browser\\features\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Mozilla Firefox\\browser\\features\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\Fonts\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Public\\Music\\Sample Music\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Music\Sample Music\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Music\Sample Music\explorer.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Mozilla Firefox\browser\features\services.exe C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\c5b4cb5e9653cc C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Sidebar\dllhost.exe C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Sidebar\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\RCX1CC8.tmp C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\services.exe C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\RCX2544.tmp C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\dllhost.exe C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Fonts\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Fonts\RCX22D3.tmp C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Fonts\System.exe C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
File created C:\Windows\Fonts\System.exe C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Public\Music\Sample Music\explorer.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (certificate blob omitted) C:\Users\Public\Music\Sample Music\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Public\Music\Sample Music\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Music\Sample Music\explorer.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Music\Sample Music\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Music\Sample Music\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Music\Sample Music\explorer.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Downloads\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Public\Downloads\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Downloads\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\browser\features\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\features\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\browser\features\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics6" /sc MINUTE /mo 11 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics6" /sc MINUTE /mo 12 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\AppData\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\Fonts\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Fonts\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\Fonts\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Music\Sample Music\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\Sample Music\explorer.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\'

C:\Users\Public\Music\Sample Music\explorer.exe

"C:\Users\Public\Music\Sample Music\explorer.exe"
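
The scheduled-task command lines above repeat one pattern per dropped binary: an ONLOGON task at /rl HIGHEST, plus two MINUTE tasks whose name is the binary name with one letter appended, all pointing at a copy of the payload in a directory where that binary does not belong, followed by a Defender exclusion for the whole of C:\. The script below is an added example, not part of the sandbox report or of the sample: it parses `schtasks /create` arguments and applies rules for exactly that pattern, plus a rule for `Add-MpPreference` exclusions. The expected-location table, the odd-directory list and the 15-minute threshold are assumptions; the sample command lines are copied from the report.

```python
"""Added example (not part of the sandbox report): triage of the schtasks.exe and
powershell.exe command lines listed above. Thresholds and the expected-location
table are assumptions; sample command lines are copied from the report."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Where a genuine copy of each binary lives (assumption, default Windows layout).
EXPECTED_DIR = {
    "explorer.exe": {r"c:\windows"},
    "dllhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "audiodg.exe": {r"c:\windows\system32"},
}
# Directory fragments malware commonly drops into (assumption).
ODD_DIRS = ("\\recovery\\", "\\appdata\\", "\\users\\public\\",
            "\\windows\\fonts\\", "\\windows sidebar\\")
SHORT_INTERVAL_MIN = 15  # assumption: MINUTE triggers at or under this look like beaconing

# One schtasks switch and its optional value; a value never starts with '/'.
_ARG = re.compile(r'/(?P<flag>[a-z]+)(?:\s+(?P<val>"[^"]*"|(?!/)\S+))?', re.I)
_MP_EXCL = re.compile(
    r"add-mppreference\b.*?-exclusion(path|process|extension)\s+['\"]?([^'\"\s]+)", re.I)


@dataclass
class Task:
    name: str
    schedule: Optional[str] = None
    modifier: Optional[int] = None
    target: Optional[str] = None
    run_level: Optional[str] = None
    flags: list = field(default_factory=list)


def parse_schtasks(cmd: str) -> Optional[Task]:
    """Parse a `schtasks /create` command line into a Task, or return None."""
    if not re.match(r'^\s*"?schtasks(\.exe)?"?\s+/create\b', cmd, re.I):
        return None
    args = {m.group("flag").lower(): (m.group("val") or "").strip('"').strip("'")
            for m in _ARG.finditer(cmd)}
    if "tn" not in args:
        return None
    mo = int(args["mo"]) if args.get("mo", "").isdigit() else None
    return Task(args["tn"], args.get("sc", "").upper() or None, mo,
                args.get("tr") or None, args.get("rl", "").upper() or None)


def assess_task(task: Task) -> list[str]:
    """Apply the persistence heuristics to one task and record the flags raised."""
    flags = []
    if (task.schedule == "MINUTE" and task.modifier is not None
            and task.modifier <= SHORT_INTERVAL_MIN):
        flags.append(f"short-interval:{task.modifier}m")
    if task.run_level == "HIGHEST":
        flags.append("run-level-highest")
    if task.target:
        directory, _, binary = task.target.lower().rpartition("\\")
        expected = EXPECTED_DIR.get(binary)
        if expected and directory not in expected:
            flags.append(f"masquerade:{binary}")
        if any(odd in directory + "\\" for odd in ODD_DIRS):
            flags.append("odd-drop-dir")
        # The sample names each task after the binary it launches, sometimes plus one letter.
        stem = binary.rsplit(".", 1)[0]
        if task.name.lower().startswith(stem) and len(task.name) - len(stem) <= 1:
            flags.append("task-named-after-binary")
    task.flags = flags
    return flags


def assess_powershell(cmd: str) -> list[str]:
    """Flag Defender exclusions; a whole-drive exclusion is the worst case."""
    flags = []
    m = _MP_EXCL.search(cmd)
    if m:
        kind, value = m.group(1).lower(), m.group(2)
        flags.append(f"defender-exclusion-{kind}:{value}")
        if kind == "path" and re.fullmatch(r"[a-z]:\\?", value, re.I):
            flags.append("exclusion-covers-whole-drive")
    return flags


def triage(cmd: str) -> list[str]:
    """Route one captured command line to the matching rule set."""
    task = parse_schtasks(cmd)
    if task:
        return assess_task(task)
    if re.search(r"\bpowershell\b", cmd, re.I):
        return assess_powershell(cmd)
    return []


# Command lines copied from the report above.
SAMPLE = [
    r"""schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\audiodg.exe'" /f""",
    r"""schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\AppData\audiodg.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Music\Sample Music\explorer.exe'" /f""",
    r"""schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\dllhost.exe'" /rl HIGHEST /f""",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\'",
]

if __name__ == "__main__":
    for cmd in SAMPLE:
        print(", ".join(triage(cmd)) or "clean", "<-", cmd)
```

Each flag on its own is weak (legitimate software also uses HIGHEST tasks and short intervals); the combination of a masquerading name, a user-writable or unusual directory and a task named after the binary is what separates these rows from noise, and the whole-drive Defender exclusion should be treated as a confirmed-malicious indicator regardless.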

Network

Country  Destination          Domain          Proto
RU       94.250.255.250:80    94.250.255.250  tcp
RU       94.250.255.250:443   N/A             tcp
RU       94.250.255.250:443   N/A             tcp

Files

memory/2188-0-0x000007FEF5D13000-0x000007FEF5D14000-memory.dmp

memory/2188-1-0x00000000009A0000-0x0000000000C60000-memory.dmp

memory/2188-2-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

memory/2188-3-0x00000000004C0000-0x00000000004C8000-memory.dmp

memory/2188-4-0x00000000004D0000-0x00000000004EC000-memory.dmp

memory/2188-5-0x0000000000500000-0x0000000000508000-memory.dmp

memory/2188-6-0x0000000000510000-0x0000000000520000-memory.dmp

memory/2188-7-0x00000000005A0000-0x00000000005B6000-memory.dmp

memory/2188-8-0x00000000005C0000-0x00000000005C8000-memory.dmp

memory/2188-9-0x00000000005D0000-0x00000000005D8000-memory.dmp

memory/2188-10-0x0000000000900000-0x0000000000910000-memory.dmp

memory/2188-11-0x00000000005E0000-0x00000000005EA000-memory.dmp

memory/2188-12-0x0000000000910000-0x0000000000966000-memory.dmp

memory/2188-13-0x0000000000960000-0x0000000000968000-memory.dmp

memory/2188-14-0x0000000000970000-0x0000000000978000-memory.dmp

memory/2188-15-0x0000000000980000-0x000000000098C000-memory.dmp

memory/2188-16-0x0000000000990000-0x0000000000998000-memory.dmp

memory/2188-17-0x0000000002400000-0x000000000240C000-memory.dmp

memory/2188-18-0x0000000002410000-0x000000000241C000-memory.dmp

memory/2188-19-0x0000000002450000-0x0000000002458000-memory.dmp

memory/2188-20-0x0000000002420000-0x0000000002428000-memory.dmp

memory/2188-21-0x0000000002430000-0x000000000243C000-memory.dmp

memory/2188-22-0x0000000002440000-0x000000000244C000-memory.dmp

memory/2188-23-0x0000000002460000-0x0000000002468000-memory.dmp

memory/2188-24-0x0000000002470000-0x000000000247A000-memory.dmp

memory/2188-26-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

memory/2188-25-0x0000000002480000-0x000000000248C000-memory.dmp

C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe

MD5 6fa32b421f0866b58f05526f85b6d590
SHA1 fb2463e84c81171c07f1cd6f4b661231cc6e01c2
SHA256 f3227b8dbb23c0388c1c761da0751316e0963dac4e15ed1a62c92a8a2d0a4601
SHA512 e74839e7e6b7e7c3c78e658878f86813c1470d881110c0b2ee96e859dd9f9dccb89561d83aafbafdbf682eafbb40e92cc129aa489f067dc94861113109d7dd45

memory/3064-119-0x0000000001370000-0x0000000001630000-memory.dmp

memory/836-122-0x00000000026E0000-0x00000000026E8000-memory.dmp

memory/836-121-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

memory/2188-120-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-14 03:55

Reported

2024-05-14 03:57

Platform

win10v2004-20240508-en

Max time kernel

91s

Max time network

99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Security\\StartMenuExperienceHost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Security\\StartMenuExperienceHost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\uk-UA\\taskhostw.exe\", \"C:\\Program Files\\Uninstall Information\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Security\\StartMenuExperienceHost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\uk-UA\\taskhostw.exe\", \"C:\\Program Files\\Uninstall Information\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\SaslPrep\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Security\\StartMenuExperienceHost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\uk-UA\\taskhostw.exe\", \"C:\\Program Files\\Uninstall Information\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\SaslPrep\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Security\\StartMenuExperienceHost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\uk-UA\\taskhostw.exe\", \"C:\\Program Files\\Uninstall Information\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\SaslPrep\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\lsass.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Users\\Default User\\unsecapp.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Security\\StartMenuExperienceHost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\uk-UA\\taskhostw.exe\", \"C:\\Program Files\\Uninstall Information\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\SaslPrep\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\lsass.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Program Files\\Java\\jre8\\lib\\upfc.exe\", \"C:\\Program Files\\Common Files\\DESIGNER\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Security\\StartMenuExperienceHost.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Security\\StartMenuExperienceHost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\uk-UA\\taskhostw.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Security\\StartMenuExperienceHost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\uk-UA\\taskhostw.exe\", \"C:\\Program Files\\Uninstall Information\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\SaslPrep\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\lsass.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Security\\StartMenuExperienceHost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\uk-UA\\taskhostw.exe\", \"C:\\Program Files\\Uninstall Information\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\SaslPrep\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\lsass.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Security\\StartMenuExperienceHost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\uk-UA\\taskhostw.exe\", \"C:\\Program Files\\Uninstall Information\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\SaslPrep\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Defender\\es-ES\\lsass.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\spoolsv.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Program Files\\Java\\jre8\\lib\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\unsecapp.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Default User\unsecapp.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files\\Java\\jre8\\lib\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\Windows Security\\StartMenuExperienceHost.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\Windows Security\\StartMenuExperienceHost.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files\\Uninstall Information\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Windows NT\\Accessories\\en-US\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files\\Uninstall Information\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\SaslPrep\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\Default User\\unsecapp.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\BitLockerDiscoveryVolumeContents\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files (x86)\\Windows Media Player\\uk-UA\\taskhostw.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files (x86)\\Windows Media Player\\uk-UA\\taskhostw.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Windows Defender\\es-ES\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Windows NT\\Accessories\\en-US\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Common Files\\DESIGNER\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\BitLockerDiscoveryVolumeContents\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Resource\\SaslPrep\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Windows Defender\\es-ES\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\Default User\\unsecapp.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files\\Java\\jre8\\lib\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Common Files\\DESIGNER\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Default User\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\unsecapp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
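
The registry rows in the Winlogon, UAC bypass, Run key and UAC check tables above share one format and three detection points: a Winlogon\Shell value that is anything other than a lone explorer.exe, the three Policies\System values set to 0, and Run entries whose file names belong to Windows binaries (lsass.exe, RuntimeBroker.exe, spoolsv.exe) but whose paths do not. The script below is an added example, not part of the sandbox report or of the sample: it parses those "Set value" rows, undoes the report's backslash escaping, and applies those three rules. The list of system binary names and the directories a genuine copy may live under are assumptions; the sample rows are copied from the report.

```python
"""Added example (not part of the sandbox report): parses the 'Set value' rows in
the registry tables above and flags the Winlogon Shell hijack, the UAC policy
changes and Run keys pointing at masquerading copies of system binaries.
The system-binary table is an assumption; sample rows are copied from the report."""
import re
from dataclasses import dataclass
from typing import Optional

# Names reused by this sample that belong to real Windows binaries, and the
# directories a genuine copy may live under (assumption, abbreviated list).
SYSTEM_NAMES = {"runtimebroker.exe", "startmenuexperiencehost.exe", "taskhostw.exe",
                "sppextcomobj.exe", "lsass.exe", "spoolsv.exe", "officeclicktorun.exe",
                "unsecapp.exe", "upfc.exe", "fontdrvhost.exe", "dllhost.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\systemapps",
               r"c:\program files\common files\microsoft shared\clicktorun")
UAC_POLICY = {"enablelua": "uac-disabled",
              "consentpromptbehavioradmin": "elevate-without-prompt",
              "promptonsecuredesktop": "no-secure-desktop"}

# Row layout used by the report: Set value (type) <key> = "<escaped value>" <process> <target>
_EVENT = re.compile(r'^Set value \((?P<kind>\w+)\) (?P<key>\\REGISTRY\\.+?) = '
                    r'"(?P<val>(?:[^"\\]|\\.)*)" (?P<proc>.+?) (?P<target>\S+)$')


@dataclass
class RegEvent:
    kind: str
    key: str
    value: str
    process: str


def parse_event(line: str) -> Optional[RegEvent]:
    """Parse one table row and undo the backslash escapes in the value."""
    m = _EVENT.match(line.strip())
    if not m:
        return None
    value = re.sub(r"\\(.)", r"\1", m.group("val"))
    return RegEvent(m.group("kind"), m.group("key"), value, m.group("proc"))


def _masquerade(path: str) -> Optional[str]:
    """A system-binary name outside the directories it ships in."""
    directory, _, name = path.lower().rpartition("\\")
    if name in SYSTEM_NAMES and not directory.startswith(SYSTEM_DIRS):
        return f"masquerade:{name}@{directory}"
    return None


def assess(ev: RegEvent) -> list[str]:
    """Apply the rules for the three key families this sample touches."""
    flags: list[str] = []
    key = ev.key.lower()
    if key.endswith("\\winlogon\\shell"):
        entries = [e.strip().strip('"') for e in ev.value.split(",")]
        extras = [e for e in entries if e.lower() != "explorer.exe"]
        if extras:  # a clean Shell value is exactly "explorer.exe"
            flags.append(f"winlogon-shell-hijack:{len(extras)}")
            flags += filter(None, (_masquerade(e) for e in extras))
    elif "\\policies\\system\\" in key:
        leaf = key.rsplit("\\", 1)[1]
        if leaf in UAC_POLICY and ev.value == "0":
            flags.append(UAC_POLICY[leaf])
    elif "\\currentversion\\run\\" in key:
        hive = "hklm" if key.startswith("\\registry\\machine") else "hkcu"
        flags.append(f"run-key:{hive}")
        hit = _masquerade(ev.value.strip('"'))
        if hit:
            flags.append(hit)
    return flags


def triage(lines) -> list[tuple[str, list[str]]]:
    """(key leaf, flags) for every row that parsed and raised at least one flag."""
    out = []
    for line in lines:
        ev = parse_event(line)
        if ev and (flags := assess(ev)):
            out.append((ev.key.rsplit("\\", 1)[1], flags))
    return out


# Rows copied from the report above (plus the table header, which must be ignored).
SAMPLE = [
    "Description Indicator Process Target",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\unsecapp.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Windows Defender\\es-ES\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A',
]

if __name__ == "__main__":
    for leaf, flags in triage(SAMPLE):
        print(f"{leaf:<30} {', '.join(flags)}")
```

The Winlogon rule is deliberately strict: Shell is a machine-wide value that Windows itself only ever sets to explorer.exe, so any additional entry is a persistence hit without needing a path check, and the path check merely names which dropped binaries ride along. The UAC rule matches the exact three values this sample writes; on a live host the same keys should be compared against the domain policy baseline rather than against 0 alone.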

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Uninstall Information\RCX6026.tmp C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows NT\Accessories\en-US\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jre8\lib\upfc.exe C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Media Player\uk-UA\ea9f0e6c9e2dcd C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Defender\es-ES\6203df4a6bafc7 C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\uk-UA\taskhostw.exe C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Defender\es-ES\lsass.exe C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Security\StartMenuExperienceHost.exe C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\DESIGNER\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\es-ES\RCX64AC.tmp C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Media Player\uk-UA\taskhostw.exe C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
File created C:\Program Files\Java\jre8\lib\upfc.exe C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Security\RCX5A18.tmp C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jre8\lib\RCX6D4C.tmp C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\DESIGNER\RCX6FEC.tmp C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\6ccacd8608530f C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Uninstall Information\SppExtComObj.exe C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\es-ES\lsass.exe C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\Idle.exe C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
File created C:\Program Files\Uninstall Information\e1ef82546f0b02 C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows NT\Accessories\en-US\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\uk-UA\RCX5E22.tmp C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
File created C:\Program Files\Common Files\DESIGNER\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\RCX622B.tmp C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Security\StartMenuExperienceHost.exe C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\Idle.exe C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
File created C:\Program Files\Java\jre8\lib\ea1d8f6d871115 C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows NT\Accessories\en-US\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows NT\Accessories\en-US\RCX66C1.tmp C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Security\55b276f4edf653 C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
File created C:\Program Files\Uninstall Information\SppExtComObj.exe C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
File created C:\Program Files\Common Files\DESIGNER\5b884080fd4f94 C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\BitLockerDiscoveryVolumeContents\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
File created C:\Windows\BitLockerDiscoveryVolumeContents\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\RCX5C1D.tmp C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A (40 identical rows)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (2 identical rows)
N/A N/A C:\Users\Default User\unsecapp.exe N/A (8 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\unsecapp.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default User\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default User\unsecapp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default User\unsecapp.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\uk-UA\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\uk-UA\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\uk-UA\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\Accessories\en-US\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\en-US\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jre8\lib\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Java\jre8\lib\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jre8\lib\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\DESIGNER\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\DESIGNER\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bHlpqKHqcm.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\unsecapp.exe

"C:\Users\Default User\unsecapp.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
RU 94.250.255.250:80 94.250.255.250 tcp
RU 94.250.255.250:443 tcp
RU 94.250.255.250:443 tcp
US 8.8.8.8:53 250.255.250.94.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

C:\Program Files\Uninstall Information\SppExtComObj.exe

MD5 6fa32b421f0866b58f05526f85b6d590
SHA1 fb2463e84c81171c07f1cd6f4b661231cc6e01c2
SHA256 f3227b8dbb23c0388c1c761da0751316e0963dac4e15ed1a62c92a8a2d0a4601
SHA512 e74839e7e6b7e7c3c78e658878f86813c1470d881110c0b2ee96e859dd9f9dccb89561d83aafbafdbf682eafbb40e92cc129aa489f067dc94861113109d7dd45

C:\Program Files\Java\jre8\lib\upfc.exe

MD5 101244fe43bfd248259c66f11280293b
SHA1 639be789566d70cab68376d70bc8a5aa058e7f0b
SHA256 24a1ed8397d97d35d02ee9f37a53ef201ea51d2504e40578c2659cbf8c57cd85
SHA512 de2208eafe48b23060a36bf154b29440b7c0848ee03ccddb720857f22959181d985aa2faad5de34c26e974d023531a59a85ed1cf8869031e4b65e55e531ea912

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fbbw3fw1.53c.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\bHlpqKHqcm.bat

MD5 aa1f28488ded42ac143e765c6790a539
SHA1 4e8764a2c5f9396243201654837982a38b1e6371
SHA256 d4e67fb656ec1ed1ab87e748fcb7305837f581fd2a139e51a9e83373faf4e714
SHA512 549dbceef2c89be04f903861cb27f2d58703c6c7ccc85724397553b4a5d35eb61a42461da6d5dd34a566eca07e6393bea3761bd445e03f393fbf9eca9aecc047