Analysis
  max time kernel: 147s
  max time network: 133s
  platform: windows10-2004_x64
  resource: win10v2004-20240508-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 17/05/2024, 06:44
Static task: static1
Behavioral task: behavioral1
  Sample: c4a503e521841de9d02ad5e62cfe8d90_NeikiAnalytics.exe
  Resource: win7-20231129-en
General
  Target: c4a503e521841de9d02ad5e62cfe8d90_NeikiAnalytics.exe
  Size: 65KB
  MD5: c4a503e521841de9d02ad5e62cfe8d90
  SHA1: 8ec0ed429b58c8b0ea313669e4da8cef0d564a86
  SHA256: a8584b9bc4a3b5cf55b58910a844e2d468b091c5be7ed150d58884217234355f
  SHA512: 432ccb2a68b669c38622350ae8a167f934dd8f0a96524c24824074df7ccaf2c9aca4fba338b139d56948ac7fb39213097e4185044826f84fb7ebc06bc0f2a7c4
  SSDEEP: 1536:tDHGQt34Efq77FlNayvHvk+NYFqx1rIEJQ4cjxwyIYGpxFK:tDH1t3dq7JzvvZjRIEJeNwdK
Malware Config
Extracted
  Family: sality
  URLs:
    http://89.119.67.154/testo5/
    http://kukutrustnet777.info/home.gif
    http://kukutrustnet888.info/home.gif
    http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service (2 TTPs, 3 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | c4a503e521841de9d02ad5e62cfe8d90_NeikiAnalytics.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | c4a503e521841de9d02ad5e62cfe8d90_NeikiAnalytics.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | c4a503e521841de9d02ad5e62cfe8d90_NeikiAnalytics.exe
UAC bypass
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | c4a503e521841de9d02ad5e62cfe8d90_NeikiAnalytics.exe
Windows security bypass
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | c4a503e521841de9d02ad5e62cfe8d90_NeikiAnalytics.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | c4a503e521841de9d02ad5e62cfe8d90_NeikiAnalytics.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | c4a503e521841de9d02ad5e62cfe8d90_NeikiAnalytics.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | c4a503e521841de9d02ad5e62cfe8d90_NeikiAnalytics.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | c4a503e521841de9d02ad5e62cfe8d90_NeikiAnalytics.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | c4a503e521841de9d02ad5e62cfe8d90_NeikiAnalytics.exe
Windows security modification
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | c4a503e521841de9d02ad5e62cfe8d90_NeikiAnalytics.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | c4a503e521841de9d02ad5e62cfe8d90_NeikiAnalytics.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | c4a503e521841de9d02ad5e62cfe8d90_NeikiAnalytics.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | c4a503e521841de9d02ad5e62cfe8d90_NeikiAnalytics.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | c4a503e521841de9d02ad5e62cfe8d90_NeikiAnalytics.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | c4a503e521841de9d02ad5e62cfe8d90_NeikiAnalytics.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | c4a503e521841de9d02ad5e62cfe8d90_NeikiAnalytics.exe
Checks whether UAC is enabled
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | c4a503e521841de9d02ad5e62cfe8d90_NeikiAnalytics.exe
Enumerates connected drives (3 TTPs, 10 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\M: | c4a503e521841de9d02ad5e62cfe8d90_NeikiAnalytics.exe
  File opened (read-only) | \??\N: | c4a503e521841de9d02ad5e62cfe8d90_NeikiAnalytics.exe
  File opened (read-only) | \??\E: | c4a503e521841de9d02ad5e62cfe8d90_NeikiAnalytics.exe
  File opened (read-only) | \??\G: | c4a503e521841de9d02ad5e62cfe8d90_NeikiAnalytics.exe
  File opened (read-only) | \??\I: | c4a503e521841de9d02ad5e62cfe8d90_NeikiAnalytics.exe
  File opened (read-only) | \??\K: | c4a503e521841de9d02ad5e62cfe8d90_NeikiAnalytics.exe
  File opened (read-only) | \??\H: | c4a503e521841de9d02ad5e62cfe8d90_NeikiAnalytics.exe
  File opened (read-only) | \??\J: | c4a503e521841de9d02ad5e62cfe8d90_NeikiAnalytics.exe
  File opened (read-only) | \??\L: | c4a503e521841de9d02ad5e62cfe8d90_NeikiAnalytics.exe
  File opened (read-only) | \??\O: | c4a503e521841de9d02ad5e62cfe8d90_NeikiAnalytics.exe
Drops file in Program Files directory (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files\7-Zip\7z.exe | c4a503e521841de9d02ad5e62cfe8d90_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\7-Zip\7zFM.exe | c4a503e521841de9d02ad5e62cfe8d90_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\7-Zip\7zG.exe | c4a503e521841de9d02ad5e62cfe8d90_NeikiAnalytics.exe
Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\e57d0bd | c4a503e521841de9d02ad5e62cfe8d90_NeikiAnalytics.exe
  File opened for modification | C:\Windows\SYSTEM.INI | c4a503e521841de9d02ad5e62cfe8d90_NeikiAnalytics.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  3688 | c4a503e521841de9d02ad5e62cfe8d90_NeikiAnalytics.exe
  3688 | c4a503e521841de9d02ad5e62cfe8d90_NeikiAnalytics.exe
  3688 | c4a503e521841de9d02ad5e62cfe8d90_NeikiAnalytics.exe
  3688 | c4a503e521841de9d02ad5e62cfe8d90_NeikiAnalytics.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (49 IoCs)
System policy modification (1 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | c4a503e521841de9d02ad5e62cfe8d90_NeikiAnalytics.exe
Processes (indentation shows parent/child depth)
  PID 772 | C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe"
  PID 780 | C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe"
  PID 68 | C:\Windows\system32\dwm.exe | "dwm.exe"
  PID 2556 | C:\Windows\system32\sihost.exe | sihost.exe
  PID 2572 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID 2968 | C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID 3436 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
    PID 3688 | C:\Users\Admin\AppData\Local\Temp\c4a503e521841de9d02ad5e62cfe8d90_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\c4a503e521841de9d02ad5e62cfe8d90_NeikiAnalytics.exe"
      Signatures:
        Modifies firewall policy service
        UAC bypass
        Windows security bypass
        Windows security modification
        Checks whether UAC is enabled
        Enumerates connected drives
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
  PID 3564 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID 3752 | C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID 3848 | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID 3912 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID 3992 | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID 4156 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID 3944 | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID 4216 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID 3088 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
    PID 3972 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x238,0x23c,0x240,0x234,0x24c,0x7ffc370eceb8,0x7ffc370ecec4,0x7ffc370eced0
    PID 3596 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2316,i,14648456027158448592,4956305794400220180,262144 --variations-seed-version --mojo-platform-channel-handle=2312 /prefetch:2
    PID 3544 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1992,i,14648456027158448592,4956305794400220180,262144 --variations-seed-version --mojo-platform-channel-handle=3308 /prefetch:3
    PID 5008 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2360,i,14648456027158448592,4956305794400220180,262144 --variations-seed-version --mojo-platform-channel-handle=3324 /prefetch:8
    PID 2928 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3864,i,14648456027158448592,4956305794400220180,262144 --variations-seed-version --mojo-platform-channel-handle=4360 /prefetch:8
  PID 3704 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID 2408 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID 4260 | C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
  PID 3592 | C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  PID 3880 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID 4736 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
  Privilege Escalation
    Abuse Elevation Control Mechanism (1)
      Bypass User Account Control (1)
    Create or Modify System Process (1)
      Windows Service (1)
  Defense Evasion
    Abuse Elevation Control Mechanism (1)
      Bypass User Account Control (1)
    Impair Defenses (3)
      Disable or Modify Tools (3)
    Modify Registry (5)