Analysis
- max time kernel: 149s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-05-2024 04:09

Tasks
- Static task: static1
- Behavioral task: behavioral1
- Sample: a3c64e52e7d5a52602a9af68a7d6a630_NeikiAnalytics.exe
- Resource: win7-20240508-en
General
- Target: a3c64e52e7d5a52602a9af68a7d6a630_NeikiAnalytics.exe
- Size: 1015KB
- MD5: a3c64e52e7d5a52602a9af68a7d6a630
- SHA1: 94e5e8a8befc15b8fc30fe429628391aa0465884
- SHA256: a76cfe68e2df2450412ea3bd95d8e1df0bed4c01b375d0c5afee7e142e05f64d
- SHA512: c5cb25f47443adecd9d8ec70dc5dec32bc2e17c98e53501445f3fe36a44b083b2fb45d08c6de559c2f7a5e0bc765b42ee1dae806c428284d4fdec5df5614d73d
- SSDEEP: 24576:H7z7G7ws7X71Fkx7I7+Kt47l7ZsZGC757q7g7O7hGLb47hGdb0Gd6zam8:H7z7G7ws7X71Fkx7I7+R7l7xC757qU77
Malware Config
Extracted family: sality
C2 URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service (2 TTPs, 3 IoCs)
Process: a3c64e52e7d5a52602a9af68a7d6a630_NeikiAnalytics.exe
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
UAC bypass
Process: a3c64e52e7d5a52602a9af68a7d6a630_NeikiAnalytics.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Windows security bypass
Process: a3c64e52e7d5a52602a9af68a7d6a630_NeikiAnalytics.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
Executes dropped EXE (3 IoCs)
Processes (pid, image):
- 1904 Logo1_.exe
- 1368 a3c64e52e7d5a52602a9af68a7d6a630_NeikiAnalytics.exe
- 432 a3c64e52e7d5a52602a9af68a7d6a630_NeikiAnalytics.exe
UPX-packed memory regions (yara rule: upx)
Resources matched:
- behavioral2/memory/1368-26-0x00000000007C0000-0x000000000184E000-memory.dmp
- behavioral2/memory/1368-28-0x00000000007C0000-0x000000000184E000-memory.dmp
- behavioral2/memory/1368-29-0x00000000007C0000-0x000000000184E000-memory.dmp
- behavioral2/memory/1368-31-0x00000000007C0000-0x000000000184E000-memory.dmp
Windows security modification
Process: a3c64e52e7d5a52602a9af68a7d6a630_NeikiAnalytics.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
Checks whether UAC is enabled
Process: a3c64e52e7d5a52602a9af68a7d6a630_NeikiAnalytics.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process: Logo1_.exe
- File opened (read-only): \??\H: \??\W: \??\T: \??\R: \??\L: \??\J: \??\I: \??\U: \??\S: \??\E: \??\G: \??\Y: \??\X: \??\V: \??\Q: \??\N: \??\K: \??\Z: \??\P: \??\O: \??\M:
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (7 IoCs)
- File created: C:\Windows\Logo1_.exe (a3c64e52e7d5a52602a9af68a7d6a630_NeikiAnalytics.exe)
- File opened for modification: C:\Windows\SYSTEM.INI (a3c64e52e7d5a52602a9af68a7d6a630_NeikiAnalytics.exe)
- File created: C:\Windows\vDll.dll (Logo1_.exe)
- File created: C:\Windows\rundl132.exe (a3c64e52e7d5a52602a9af68a7d6a630_NeikiAnalytics.exe)
- File created: C:\Windows\Logo1_.exe (a3c64e52e7d5a52602a9af68a7d6a630_NeikiAnalytics.exe)
- File opened for modification: C:\Windows\rundl132.exe (Logo1_.exe)
- File opened for modification: C:\Windows\rundl132.exe (a3c64e52e7d5a52602a9af68a7d6a630_NeikiAnalytics.exe)
Runs net.exe
Suspicious behavior: EnumeratesProcesses (20 IoCs)
Process (pid, image): 1904 Logo1_.exe, recorded 20 times
Suspicious use of WriteProcessMemory (23 IoCs)
Writes to another process's memory (source pid and image, target pid and image, number of records):
- PID 116 (a3c64e52e7d5a52602a9af68a7d6a630_NeikiAnalytics.exe) wrote to memory of PID 1336 (cmd.exe): 3
- PID 116 (a3c64e52e7d5a52602a9af68a7d6a630_NeikiAnalytics.exe) wrote to memory of PID 1904 (Logo1_.exe): 3
- PID 1904 (Logo1_.exe) wrote to memory of PID 4708 (net.exe): 3
- PID 4708 (net.exe) wrote to memory of PID 3268 (net1.exe): 3
- PID 1336 (cmd.exe) wrote to memory of PID 1368 (a3c64e52e7d5a52602a9af68a7d6a630_NeikiAnalytics.exe): 3
- PID 1368 (a3c64e52e7d5a52602a9af68a7d6a630_NeikiAnalytics.exe) wrote to memory of PID 4928 (cmd.exe): 3
- PID 1904 (Logo1_.exe) wrote to memory of PID 3504 (Explorer.EXE): 2
- PID 4928 (cmd.exe) wrote to memory of PID 432 (a3c64e52e7d5a52602a9af68a7d6a630_NeikiAnalytics.exe): 3
System policy modification (1 TTPs, 1 IoCs)
Process: a3c64e52e7d5a52602a9af68a7d6a630_NeikiAnalytics.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes
Process tree (indentation shows parent/child depth; each entry gives image path, command line, and the signatures triggered by that process):

1. C:\Windows\Explorer.EXE
   command line: C:\Windows\Explorer.EXE
   2. C:\Users\Admin\AppData\Local\Temp\a3c64e52e7d5a52602a9af68a7d6a630_NeikiAnalytics.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\a3c64e52e7d5a52602a9af68a7d6a630_NeikiAnalytics.exe"
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4BCE.bat
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\a3c64e52e7d5a52602a9af68a7d6a630_NeikiAnalytics.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\a3c64e52e7d5a52602a9af68a7d6a630_NeikiAnalytics.exe"
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Drops file in Windows directory
            - Suspicious use of WriteProcessMemory
            - System policy modification
            5. C:\Windows\SysWOW64\cmd.exe
               command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4DB2.bat
               - Suspicious use of WriteProcessMemory
               6. C:\Users\Admin\AppData\Local\Temp\a3c64e52e7d5a52602a9af68a7d6a630_NeikiAnalytics.exe
                  command line: "C:\Users\Admin\AppData\Local\Temp\a3c64e52e7d5a52602a9af68a7d6a630_NeikiAnalytics.exe"
                  - Executes dropped EXE
      3. C:\Windows\Logo1_.exe
         command line: C:\Windows\Logo1_.exe
         - Executes dropped EXE
         - Enumerates connected drives
         - Drops file in Program Files directory
         - Drops file in Windows directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\net.exe
            command line: net stop "Kingsoft AntiVirus Service"
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\net1.exe
               command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Counts in parentheses are the number of matching signatures.

Privilege Escalation:
- Create or Modify System Process (1): Windows Service (1)
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)

Defense Evasion:
- Modify Registry (5)
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (3): Disable or Modify Tools (3)
Downloads