sality | 5fbdf8ec2016bd1182896f1dda346d12af71fb3fbfdca4ae7f9d0266151dbd2e

Windows Service

T1543.003

Processes:

0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 1 IoCs

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe

Windows security bypass 2 TTPs 6 IoCs

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe

Executes dropped EXE 3 IoCs

Processes:

Fun.exeSVIQ.EXEdc.exe

pid process

2584 Fun.exe
2428 SVIQ.EXE
3044 dc.exe
Loads dropped DLL 2 IoCs

Processes:

0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe

pid process

1284 0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
1284 0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe

pid	process
2584	Fun.exe
2428	SVIQ.EXE
3044	dc.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1284-1-0x00000000027C0000-0x000000000384E000-memory.dmp	upx
behavioral1/memory/1284-4-0x00000000027C0000-0x000000000384E000-memory.dmp	upx
behavioral1/memory/1284-6-0x00000000027C0000-0x000000000384E000-memory.dmp	upx
behavioral1/memory/1284-10-0x00000000027C0000-0x000000000384E000-memory.dmp	upx
behavioral1/memory/1284-8-0x00000000027C0000-0x000000000384E000-memory.dmp	upx
behavioral1/memory/1284-31-0x00000000027C0000-0x000000000384E000-memory.dmp	upx
behavioral1/memory/1284-29-0x00000000027C0000-0x000000000384E000-memory.dmp	upx
behavioral1/memory/1284-7-0x00000000027C0000-0x000000000384E000-memory.dmp	upx
behavioral1/memory/1284-30-0x00000000027C0000-0x000000000384E000-memory.dmp	upx
behavioral1/memory/1284-9-0x00000000027C0000-0x000000000384E000-memory.dmp	upx
behavioral1/memory/1284-48-0x00000000027C0000-0x000000000384E000-memory.dmp	upx
behavioral1/memory/1284-50-0x00000000027C0000-0x000000000384E000-memory.dmp	upx
behavioral1/memory/1284-75-0x00000000027C0000-0x000000000384E000-memory.dmp	upx
behavioral1/memory/1284-83-0x00000000027C0000-0x000000000384E000-memory.dmp	upx
behavioral1/memory/1284-82-0x00000000027C0000-0x000000000384E000-memory.dmp	upx
behavioral1/memory/1284-85-0x00000000027C0000-0x000000000384E000-memory.dmp	upx
behavioral1/memory/1284-86-0x00000000027C0000-0x000000000384E000-memory.dmp	upx
behavioral1/memory/1284-88-0x00000000027C0000-0x000000000384E000-memory.dmp	upx
behavioral1/memory/1284-89-0x00000000027C0000-0x000000000384E000-memory.dmp	upx
behavioral1/memory/1284-92-0x00000000027C0000-0x000000000384E000-memory.dmp	upx
behavioral1/memory/1284-119-0x00000000027C0000-0x000000000384E000-memory.dmp	upx
behavioral1/memory/1284-118-0x00000000027C0000-0x000000000384E000-memory.dmp	upx
behavioral1/memory/1284-122-0x00000000027C0000-0x000000000384E000-memory.dmp	upx
behavioral1/memory/1284-124-0x00000000027C0000-0x000000000384E000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

dc.exe0e8acf4f2931765ede72461518632120_NeikiAnalytics.exeSVIQ.EXEFun.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\WINDOWS\\SVIQ.EXE"	dc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc = "C:\\WINDOWS\\dc.exe"	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fun = "C:\\WINDOWS\\system\\Fun.exe"	SVIQ.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\WINDOWS\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\WINDOWS\\SVIQ.EXE"	SVIQ.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fun = "C:\\WINDOWS\\system\\Fun.exe"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc = "C:\\WINDOWS\\dc.exe"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc = "C:\\WINDOWS\\dc.exe"	SVIQ.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fun = "C:\\WINDOWS\\system\\Fun.exe"	dc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc = "C:\\WINDOWS\\dc.exe"	dc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\WINDOWS\\SVIQ.EXE"	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fun = "C:\\WINDOWS\\system\\Fun.exe"	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

System Information Discovery

T1082

Processes:

0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe

description	ioc	process
File opened (read-only)	\??\I:	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
File opened (read-only)	\??\W:	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
File opened (read-only)	\??\G:	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
File opened (read-only)	\??\N:	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
File opened (read-only)	\??\U:	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
File opened (read-only)	\??\Y:	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
File opened (read-only)	\??\J:	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
File opened (read-only)	\??\K:	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
File opened (read-only)	\??\M:	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
File opened (read-only)	\??\O:	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
File opened (read-only)	\??\R:	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
File opened (read-only)	\??\X:	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
File opened (read-only)	\??\E:	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
File opened (read-only)	\??\H:	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
File opened (read-only)	\??\L:	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
File opened (read-only)	\??\P:	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
File opened (read-only)	\??\Q:	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
File opened (read-only)	\??\S:	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
File opened (read-only)	\??\T:	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
File opened (read-only)	\??\V:	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
File opened (read-only)	\??\Z:	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe

description	ioc	process
File opened for modification	C:\autorun.inf	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
File opened for modification	F:\autorun.inf	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe

Drops file in Program Files directory 5 IoCs

Processes:

0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7z.exe	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zFM.exe	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zG.exe	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\Uninstall.exe	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe

Drops file in Windows directory 21 IoCs

Processes:

0e8acf4f2931765ede72461518632120_NeikiAnalytics.exeFun.exeSVIQ.EXEdc.exe

description	ioc	process
File opened for modification	C:\Windows\SYSTEM.INI	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
File created	C:\WINDOWS\SVIQ.EXE	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
File opened for modification	C:\WINDOWS\dc.exe	Fun.exe
File created	C:\WINDOWS\system\Fun.exe	SVIQ.EXE
File created	C:\WINDOWS\SVIQ.EXE	SVIQ.EXE
File opened for modification	C:\WINDOWS\dc.exe	dc.exe
File created	C:\WINDOWS\dc.exe	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
File opened for modification	C:\WINDOWS\SVIQ.EXE	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
File opened for modification	C:\WINDOWS\SVIQ.EXE	Fun.exe
File created	C:\WINDOWS\dc.exe	dc.exe
File created	C:\WINDOWS\SVIQ.EXE	dc.exe
File created	C:\WINDOWS\system\Fun.exe	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
File opened for modification	C:\WINDOWS\system\Fun.exe	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
File opened for modification	C:\WINDOWS\dc.exe	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
File created	C:\WINDOWS\system\Fun.exe	Fun.exe
File opened for modification	C:\WINDOWS\dc.exe	SVIQ.EXE
File opened for modification	C:\WINDOWS\system\Fun.exe	Fun.exe
File opened for modification	C:\WINDOWS\system\Fun.exe	SVIQ.EXE
File opened for modification	C:\WINDOWS\SVIQ.exe	SVIQ.EXE
File opened for modification	C:\WINDOWS\system\Fun.exe	dc.exe
File created	C:\WINDOWS\system\Fun.exe	dc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0e8acf4f2931765ede72461518632120_NeikiAnalytics.exeFun.exeSVIQ.EXEdc.exe

pid	process
1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
2584	Fun.exe
2428	SVIQ.EXE
3044	dc.exe
1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
2584	Fun.exe
2428	SVIQ.EXE
3044	dc.exe
1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
2584	Fun.exe
2428	SVIQ.EXE
3044	dc.exe
1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
2584	Fun.exe
2428	SVIQ.EXE
3044	dc.exe
1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
2584	Fun.exe
1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
2428	SVIQ.EXE
3044	dc.exe
2584	Fun.exe
1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
2428	SVIQ.EXE
3044	dc.exe
1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
2584	Fun.exe
2428	SVIQ.EXE
3044	dc.exe
1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
2584	Fun.exe
2428	SVIQ.EXE
3044	dc.exe
2584	Fun.exe
1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
2428	SVIQ.EXE
3044	dc.exe
1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
2584	Fun.exe
1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
2428	SVIQ.EXE
3044	dc.exe
2584	Fun.exe
1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
2428	SVIQ.EXE
3044	dc.exe
2584	Fun.exe
1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
2428	SVIQ.EXE
3044	dc.exe
2584	Fun.exe
1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
2428	SVIQ.EXE
3044	dc.exe
2584	Fun.exe
1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
2428	SVIQ.EXE
3044	dc.exe
1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
2584	Fun.exe
1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
2428	SVIQ.EXE
3044	dc.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
Token: SeDebugPrivilege	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
Token: SeDebugPrivilege	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
Token: SeDebugPrivilege	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
Token: SeDebugPrivilege	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
Token: SeDebugPrivilege	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
Token: SeDebugPrivilege	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
Token: SeDebugPrivilege	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
Token: SeDebugPrivilege	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
Token: SeDebugPrivilege	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
Token: SeDebugPrivilege	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
Token: SeDebugPrivilege	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
Token: SeDebugPrivilege	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
Token: SeDebugPrivilege	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
Token: SeDebugPrivilege	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
Token: SeDebugPrivilege	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
Token: SeDebugPrivilege	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
Token: SeDebugPrivilege	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
Token: SeDebugPrivilege	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
Token: SeDebugPrivilege	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
Token: SeDebugPrivilege	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
Token: SeDebugPrivilege	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
Token: SeDebugPrivilege	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
Token: SeDebugPrivilege	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
Token: SeDebugPrivilege	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
Token: SeDebugPrivilege	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
Token: SeDebugPrivilege	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
Token: SeDebugPrivilege	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
Token: SeDebugPrivilege	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
Token: SeDebugPrivilege	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

0e8acf4f2931765ede72461518632120_NeikiAnalytics.exeFun.exeSVIQ.EXEdc.exe

pid	process
1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
2584	Fun.exe
2584	Fun.exe
2428	SVIQ.EXE
2428	SVIQ.EXE
3044	dc.exe
3044	dc.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

0e8acf4f2931765ede72461518632120_NeikiAnalytics.exeFun.exe

description	pid	process	target process
PID 1284 wrote to memory of 1088	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	taskhost.exe
PID 1284 wrote to memory of 1168	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	Dwm.exe
PID 1284 wrote to memory of 1200	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	Explorer.EXE
PID 1284 wrote to memory of 792	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	DllHost.exe
PID 1284 wrote to memory of 2584	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	Fun.exe
PID 1284 wrote to memory of 2584	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	Fun.exe
PID 1284 wrote to memory of 2584	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	Fun.exe
PID 1284 wrote to memory of 2584	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	Fun.exe
PID 2584 wrote to memory of 2428	2584	Fun.exe	SVIQ.EXE
PID 2584 wrote to memory of 2428	2584	Fun.exe	SVIQ.EXE
PID 2584 wrote to memory of 2428	2584	Fun.exe	SVIQ.EXE
PID 2584 wrote to memory of 2428	2584	Fun.exe	SVIQ.EXE
PID 1284 wrote to memory of 3044	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	dc.exe
PID 1284 wrote to memory of 3044	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	dc.exe
PID 1284 wrote to memory of 3044	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	dc.exe
PID 1284 wrote to memory of 3044	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	dc.exe
PID 1284 wrote to memory of 1088	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	taskhost.exe
PID 1284 wrote to memory of 1168	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	Dwm.exe
PID 1284 wrote to memory of 1200	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	Explorer.EXE
PID 1284 wrote to memory of 2584	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	Fun.exe
PID 1284 wrote to memory of 2584	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	Fun.exe
PID 1284 wrote to memory of 2428	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	SVIQ.EXE
PID 1284 wrote to memory of 2428	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	SVIQ.EXE
PID 1284 wrote to memory of 3044	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	dc.exe
PID 1284 wrote to memory of 3044	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	dc.exe
PID 1284 wrote to memory of 1088	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	taskhost.exe
PID 1284 wrote to memory of 1168	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	Dwm.exe
PID 1284 wrote to memory of 1200	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	Explorer.EXE
PID 1284 wrote to memory of 1088	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	taskhost.exe
PID 1284 wrote to memory of 1168	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	Dwm.exe
PID 1284 wrote to memory of 1200	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	Explorer.EXE
PID 1284 wrote to memory of 1088	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	taskhost.exe
PID 1284 wrote to memory of 1168	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	Dwm.exe
PID 1284 wrote to memory of 1200	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	Explorer.EXE
PID 1284 wrote to memory of 1088	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	taskhost.exe
PID 1284 wrote to memory of 1168	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	Dwm.exe
PID 1284 wrote to memory of 1200	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	Explorer.EXE
PID 1284 wrote to memory of 1088	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	taskhost.exe
PID 1284 wrote to memory of 1168	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	Dwm.exe
PID 1284 wrote to memory of 1200	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	Explorer.EXE
PID 1284 wrote to memory of 1088	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	taskhost.exe
PID 1284 wrote to memory of 1168	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	Dwm.exe
PID 1284 wrote to memory of 1200	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	Explorer.EXE
PID 1284 wrote to memory of 1088	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	taskhost.exe
PID 1284 wrote to memory of 1168	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	Dwm.exe
PID 1284 wrote to memory of 1200	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	Explorer.EXE
PID 1284 wrote to memory of 1088	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	taskhost.exe
PID 1284 wrote to memory of 1168	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	Dwm.exe
PID 1284 wrote to memory of 1200	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	Explorer.EXE
PID 1284 wrote to memory of 1088	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	taskhost.exe
PID 1284 wrote to memory of 1168	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	Dwm.exe
PID 1284 wrote to memory of 1200	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	Explorer.EXE
PID 1284 wrote to memory of 1088	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	taskhost.exe
PID 1284 wrote to memory of 1168	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	Dwm.exe
PID 1284 wrote to memory of 1200	1284	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe	Explorer.EXE

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

Processes:

0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1088

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0e8acf4f2931765ede72461518632120_NeikiAnalytics.exe"
2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1284

C:\WINDOWS\system\Fun.exe
C:\WINDOWS\system\Fun.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2584

C:\WINDOWS\SVIQ.EXE
C:\WINDOWS\SVIQ.EXE
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2428

C:\WINDOWS\dc.exe
C:\WINDOWS\dc.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3044

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:792

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

3

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Replication Through Removable Media