Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 17-05-2024 05:55
Static task: static1
Behavioral task: behavioral1
Sample: b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe
Resource: win7-20240221-en
General
Target: b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe
Size: 65KB
MD5: b9d40ccd1c8f9ea40fde1a87e53d4060
SHA1: b83c499ecf51a81d58ec27c662536b8f4439a0f6
SHA256: 4b24ecf3367de6694027039009e22a6a84184f08a060c2709d7273342021e801
SHA512: 9955863989cf09e7f9d4250ec3d0d6394185ea908295ba5c70534d06837810dad4b8df2bf9403885a6eb11ad68967e5d76974ca7310d2de0e49d44452272566d
SSDEEP: 1536:6IdmyCJct5d3Ow/SJp/mxl2GfxzG0uRUUshIW:6IpoczX/Sr/mxl2GJGPUUK
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 2 TTPs 3 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe
Enumerates connected drives 3 TTPs 10 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\H: | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe
File opened (read-only) | \??\I: | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe
File opened (read-only) | \??\K: | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe
File opened (read-only) | \??\N: | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe
File opened (read-only) | \??\E: | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe
File opened (read-only) | \??\J: | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe
File opened (read-only) | \??\L: | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe
File opened (read-only) | \??\M: | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe
File opened (read-only) | \??\O: | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe
File opened (read-only) | \??\G: | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe
Drops file in Program Files directory 3 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe
Drops file in Windows directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Windows\e576ed7 | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe
File opened for modification | C:\Windows\SYSTEM.INI | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid | process
4860 | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4860 | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe
Suspicious use of WriteProcessMemory 35 IoCs
Processes:
description | pid | process | target process
PID 4860 wrote to memory of 796 | 4860 | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe | fontdrvhost.exe
PID 4860 wrote to memory of 804 | 4860 | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe | fontdrvhost.exe
PID 4860 wrote to memory of 392 | 4860 | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe | dwm.exe
PID 4860 wrote to memory of 2536 | 4860 | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe | svchost.exe
PID 4860 wrote to memory of 2548 | 4860 | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe | sihost.exe
PID 4860 wrote to memory of 2800 | 4860 | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe | taskhostw.exe
PID 4860 wrote to memory of 3544 | 4860 | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe | Explorer.EXE
PID 4860 wrote to memory of 3696 | 4860 | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe | svchost.exe
PID 4860 wrote to memory of 3896 | 4860 | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe | DllHost.exe
PID 4860 wrote to memory of 3980 | 4860 | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe | StartMenuExperienceHost.exe
PID 4860 wrote to memory of 4072 | 4860 | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe | RuntimeBroker.exe
PID 4860 wrote to memory of 2784 | 4860 | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe | SearchApp.exe
PID 4860 wrote to memory of 4052 | 4860 | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe | RuntimeBroker.exe
PID 4860 wrote to memory of 4540 | 4860 | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe | RuntimeBroker.exe
PID 4860 wrote to memory of 2636 | 4860 | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe | TextInputHost.exe
PID 4860 wrote to memory of 4292 | 4860 | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe | backgroundTaskHost.exe
PID 4860 wrote to memory of 4484 | 4860 | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe | backgroundTaskHost.exe
PID 4860 wrote to memory of 3372 | 4860 | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe | RuntimeBroker.exe
PID 4860 wrote to memory of 4908 | 4860 | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe | RuntimeBroker.exe
System policy modification 1 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe
Processes
image | command line | pid (child processes indented under their parent)
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:796
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:804
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:392
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2536
C:\Windows\system32\sihost.exe | sihost.exe | PID:2548
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2800
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3544
  C:\Users\Admin\AppData\Local\Temp\b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\b9d40ccd1c8f9ea40fde1a87e53d4060_NeikiAnalytics.exe" | PID:4860
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3696
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3896
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3980
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4072
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:2784
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4052
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4540
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:2636
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca | PID:4292
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:4484
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3372
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4908
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Create or Modify System Process (1): Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Impair Defenses (3): Disable or Modify Tools (3)
  Modify Registry (5)