Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 15-05-2024 05:14

Behavioral task: behavioral1
Sample: 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Resource: win10v2004-20240426-en

General
Target: 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Size: 2.7MB
MD5: 86ef16b6eb613bff73f73a75b7236310
SHA1: 3de6bea5685131148fb7ef9b07c6dcce2d643929
SHA256: ea2c6dc28317191ff3aa2fc75fc9d3fd8a64510c4118b07074e67f1d0c6e1ef9
SHA512: 9fd4a0bcbe5a454ea660d4ca6d7524161c2fe817be60e26d511e3f04093e1c6e0b10a11ba25ee3d709b766b63f9c5344d84ef448f5dc44884506a07b862c8e94
SSDEEP: 49152:iH64y2XDuLlIY14o9/yDzr1xJ8XbRrC9mWvR08Yv7yP3GcY:iHfE5Ad8Xd295UmGc
Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Modifies WinLogon for persistence 2 TTPs 14 IoCs
Processes: 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe, 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\sppsvc.exe\"" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\sppsvc.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\"" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\sppsvc.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Defender\\winlogon.exe\"" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\sppsvc.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Defender\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\audiodg.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Users\\Default\\Local Settings\\dwm.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Program Files\\Windows Sidebar\\spoolsv.exe\"" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\sppsvc.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Defender\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\"" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\sppsvc.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Defender\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\wininit.exe\"" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\sppsvc.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Defender\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\audiodg.exe\", \"C:\\Users\\Default User\\wininit.exe\"" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\sppsvc.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Defender\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\audiodg.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Users\\Default\\Local Settings\\dwm.exe\"" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\sppsvc.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Defender\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\audiodg.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Users\\Default\\Local Settings\\dwm.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\"" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\"" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\sppsvc.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Defender\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\"" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\sppsvc.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Defender\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\audiodg.exe\"" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\sppsvc.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\", \"C:\\Program Files (x86)\\Windows Defender\\winlogon.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\audiodg.exe\", \"C:\\Users\\Default User\\wininit.exe\", \"C:\\Users\\Default\\Local Settings\\dwm.exe\", \"C:\\MSOCache\\All Users\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\System.exe\"" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\", \"C:\\MSOCache\\All Users\\dllhost.exe\"" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (42 instances)
description | pid | pid_target | process
All 42 rows carry the same description, pid_target and process: "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process" | (pid, see list) | 2880 | schtasks.exe
pid values, in report order: 2496, 2444, 2532, 2488, 2516, 1656, 1104, 2976, 1488, 2828, 1848, 2204, 1320, 1664, 2772, 1856, 2824, 2936, 700, 856, 792, 3020, 1904, 1580, 1644, 1452, 2280, 1168, 2136, 2888, 2224, 2920, 2992, 2108, 380, 896, 772, 2084, 1632, 2316, 1876, 2628
Processes: 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe, 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe, wininit.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Processes:
resource | yara_rule
behavioral1/memory/2956-1-0x0000000000BE0000-0x0000000000EA0000-memory.dmp | dcrat
C:\Program Files (x86)\Windows Defender\winlogon.exe | dcrat
behavioral1/memory/2852-135-0x0000000000990000-0x0000000000C50000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes: powershell.exe, powershell.exe
pid | process
1124 | powershell.exe
2472 | powershell.exe
Executes dropped EXE 2 IoCs
Processes: 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe, wininit.exe
pid | process
536 | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
2852 | wininit.exe
Adds Run key to start application 2 TTPs 28 IoCs
Processes: 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe, 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\"" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Default User\\wininit.exe\"" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\wininit.exe\"" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\"" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\MSOCache\\All Users\\dllhost.exe\"" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\sppsvc.exe\"" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Default\\Local Settings\\dwm.exe\"" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\explorer.exe\"" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\System.exe\"" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\"" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Default User\\wininit.exe\"" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\MSOCache\\All Users\\dllhost.exe\"" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\"" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\System.exe\"" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Default\\Local Settings\\dwm.exe\"" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\explorer.exe\"" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\"" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Windows Media Player\\de-DE\\wininit.exe\"" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\explorer.exe\"" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\audiodg.exe\"" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\audiodg.exe\"" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Windows Sidebar\\spoolsv.exe\"" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Public\\Recorded TV\\Sample Media\\wininit.exe\"" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Windows Defender\\winlogon.exe\"" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Windows Defender\\winlogon.exe\"" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Windows Sidebar\\spoolsv.exe\"" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\sppsvc.exe\"" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\Idle.exe\"" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Processes: 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe, 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe, wininit.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wininit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wininit.exe
Drops file in Program Files directory 14 IoCs
Processes: 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe, 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
description | ioc | process
File created | C:\Program Files (x86)\Windows Defender\winlogon.exe | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Filters\RCX142F.tmp | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Windows Defender\RCX18A4.tmp | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
File created | C:\Program Files\Windows Sidebar\spoolsv.exe | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Windows Media Player\de-DE\wininit.exe | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Windows Media Player\de-DE\56085415360792 | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
File created | C:\Program Files\Windows Sidebar\f3b6ecef712a24 | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
File created | C:\Program Files\Common Files\Microsoft Shared\Filters\sppsvc.exe | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Filters\sppsvc.exe | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
File created | C:\Program Files\Common Files\Microsoft Shared\Filters\0a1fd5f707cd16 | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Windows Defender\cc11b995f2a76d | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Windows Defender\winlogon.exe | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Windows Media Player\de-DE\wininit.exe | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Windows Sidebar\spoolsv.exe | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (42 instances)
pid | process
All 42 rows have process schtasks.exe; pid values, in report order: 2772, 1632, 1856, 792, 2888, 2224, 772, 2628, 2496, 2976, 2828, 1320, 2444, 2936, 1580, 2136, 856, 380, 2316, 2532, 2488, 2204, 1664, 1168, 2920, 2992, 2084, 1104, 1848, 3020, 1452, 896, 1876, 2516, 700, 1904, 2108, 2280, 1656, 1488, 2824, 1644
Processes: wininit.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | wininit.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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 | wininit.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe, powershell.exe, 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe, powershell.exe, wininit.exe
pid | process (64 rows in the report; each distinct pid/process pair is listed once below, in order of first appearance, the pairs for 2956, 536 and 2852 being repeated many times in the original)
2956 | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
1124 | powershell.exe
536 | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe
2472 | powershell.exe
2852 | wininit.exe
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
| PID | Process | Token |
|---|---|---|
| 2956 | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | SeDebugPrivilege |
| 536 | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | SeDebugPrivilege |
| 1124 | powershell.exe | SeDebugPrivilege |
| 2472 | powershell.exe | SeDebugPrivilege |
| 2852 | wininit.exe | SeDebugPrivilege |
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
Each of the six parent-to-child writes below appears three times in the original, giving the 18 IoCs:

| Source PID | Source process | Target PID | Target process | Occurrences |
|---|---|---|---|---|
| 2956 | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | 1124 | powershell.exe | 3 |
| 2956 | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | 536 | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | 3 |
| 536 | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | 2472 | powershell.exe | 3 |
| 536 | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe | 2776 | cmd.exe | 3 |
| 2776 | cmd.exe | 2376 | w32tm.exe | 3 |
| 2776 | cmd.exe | 2852 | wininit.exe | 3 |
System policy modification 1 TTPs 9 IoCs
Processes:
All nine IoCs are Set value (int) operations on values under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System:

| Value name | Data | Process |
|---|---|---|
| EnableLUA | "0" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe |
| EnableLUA | "0" | wininit.exe |
| PromptOnSecureDesktop | "0" | wininit.exe |
| ConsentPromptBehaviorAdmin | "0" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe |
| PromptOnSecureDesktop | "0" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe |
| PromptOnSecureDesktop | "0" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe |
| ConsentPromptBehaviorAdmin | "0" | wininit.exe |
| EnableLUA | "0" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe |
| ConsentPromptBehaviorAdmin | "0" | 86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe |
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process tree (indentation shows depth; each entry gives the image path, PID, command line and the signatures it triggered):

C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe (depth 1, PID 2956)
  Command line: "C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe"
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 1124)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe (depth 2, PID 536)
    Command line: "C:\Users\Admin\AppData\Local\Temp\86ef16b6eb613bff73f73a75b7236310_NeikiAnalytics.exe"
    - Modifies WinLogon for persistence
    - UAC bypass
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3, PID 2472)
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\cmd.exe (depth 3, PID 2776)
      Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IFf9IaIrAX.bat"
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\w32tm.exe (depth 4, PID 2376)
        Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

      C:\Users\Default User\wininit.exe (depth 4, PID 2852)
        Command line: "C:\Users\Default User\wininit.exe"
        - UAC bypass
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Modifies system certificate store
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - System policy modification

The following 42 processes are listed at depth 1 of the tree. Each has the image C:\Windows\system32\schtasks.exe and each triggered the same two signatures, "Process spawned unexpected child process" and "Creates scheduled task(s)"; only the PID and command line differ:

- PID 2496: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Recorded TV\Sample Media\wininit.exe'" /f
- PID 2444: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\wininit.exe'" /rl HIGHEST /f
- PID 2532: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Recorded TV\Sample Media\wininit.exe'" /rl HIGHEST /f
- PID 2488: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\dllhost.exe'" /f
- PID 2516: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f
- PID 1656: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f
- PID 1104: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\Microsoft Shared\Filters\sppsvc.exe'" /f
- PID 2976: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\Filters\sppsvc.exe'" /rl HIGHEST /f
- PID 1488: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\Microsoft Shared\Filters\sppsvc.exe'" /rl HIGHEST /f
- PID 2828: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\Idle.exe'" /f
- PID 1848: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\Idle.exe'" /rl HIGHEST /f
- PID 2204: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\Idle.exe'" /rl HIGHEST /f
- PID 1320: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\winlogon.exe'" /f
- PID 1664: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\winlogon.exe'" /rl HIGHEST /f
- PID 2772: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\winlogon.exe'" /rl HIGHEST /f
- PID 1856: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
- PID 2936: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
- PID 2824: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
- PID 700: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\wininit.exe'" /f
- PID 856: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\wininit.exe'" /rl HIGHEST /f
- PID 792: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\wininit.exe'" /rl HIGHEST /f
- PID 3020: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
- PID 1904: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
- PID 1580: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
- PID 1644: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe'" /f
- PID 1452: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe'" /rl HIGHEST /f
- PID 2280: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\audiodg.exe'" /rl HIGHEST /f
- PID 1168: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\wininit.exe'" /f
- PID 2136: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
- PID 2888: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
- PID 2224: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Local Settings\dwm.exe'" /f
- PID 2920: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\dwm.exe'" /rl HIGHEST /f
- PID 2992: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Local Settings\dwm.exe'" /rl HIGHEST /f
- PID 2108: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\explorer.exe'" /f
- PID 380: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
- PID 896: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
- PID 772: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /f
- PID 2084: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
- PID 1632: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
- PID 2316: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\spoolsv.exe'" /f
- PID 1876: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\spoolsv.exe'" /rl HIGHEST /f
- PID 2628: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\spoolsv.exe'" /rl HIGHEST /f
Network
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Downloads