Analysis
max time kernel: 31s
max time network: 111s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-05-2024 07:30
Static task: static1
Behavioral task: behavioral1
Sample: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe
Resource: win7-20240220-en
General
Target: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe
Size: 744KB
MD5: d26dc22db6445c1ce36114677a5e7240
SHA1: 97a7668972f7fc8c33eef6ea828b597203470085
SHA256: 4911224219921b359aff5e4a17efd0ea02039e501a80461aafbab0fa0d2fc3f4
SHA512: b21747d8d0ab194429d03118e824b061bb7619eabd45e5f687cf715b2bdb836de550019d1447cf6ac84d3e7060c5153b8d976317199f45e2280329a4313846a1
SSDEEP: 12288:kTyjXW+48qWywrU4kGFezOAVuJ5PIQww7F5DO3HYffXXjYBw:SIXW/8yw1ez54lImF5SXYHn8y
Malware Config
Extracted
Family: sality
Signatures
Modifies firewall policy service 2 TTPs 6 IoCs
Processes: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe, rundll32.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (process: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (process: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (process: rundll32.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (process: rundll32.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (process: rundll32.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (process: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe)
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (process: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe)
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
Processes: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe, rundll32.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: rundll32.exe)
UAC bypass
Processes: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe, rundll32.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: rundll32.exe)
Windows security bypass
Processes: rundll32.exe, d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (process: rundll32.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: rundll32.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (process: rundll32.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (process: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (process: rundll32.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (process: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: rundll32.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (process: rundll32.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (process: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (process: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe)
Deletes itself 1 IoCs
Processes: rundll32.exe
- PID 2472 rundll32.exe
Executes dropped EXE 1 IoCs
Processes: rundll32.exe
- PID 2472 rundll32.exe
Windows security modification
Processes: rundll32.exe, d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (process: rundll32.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc (process: rundll32.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (process: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (process: rundll32.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc (process: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (process: rundll32.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: rundll32.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (process: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (process: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (process: rundll32.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (process: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: rundll32.exe)
Adds Run key to start application 2 TTPs 1 IoCs
Processes: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\rundll32.exe" (process: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe)
Checks whether UAC is enabled
Processes: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe, rundll32.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: rundll32.exe)
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: rundll32.exe
- File opened (read-only) by rundll32.exe: \??\G:, \??\I:, \??\L:, \??\N:, \??\P:, \??\T:, \??\A:, \??\E:, \??\V:, \??\W:, \??\O:, \??\Q:, \??\R:, \??\B:, \??\H:, \??\M:, \??\S:, \??\U:, \??\X:, \??\Y:, \??\Z:, \??\J:, \??\K:
Drops file in Program Files directory 3 IoCs
Processes: rundll32.exe
- File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe (process: rundll32.exe)
- File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe (process: rundll32.exe)
- File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe (process: rundll32.exe)
Drops file in Windows directory 1 IoCs
Processes: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe
- File opened for modification C:\Windows\SYSTEM.INI (process: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe, rundll32.exe
- PID 1784 d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe (4 entries)
- PID 2472 rundll32.exe (4 entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe
- Token: SeDebugPrivilege, PID 1784 d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe (64 identical entries)
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe, rundll32.exe
- PID 1784 d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe
- PID 2472 rundll32.exe
Suspicious use of WriteProcessMemory 56 IoCs
Processes: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe, rundll32.exe
PID 1784 d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe wrote to memory of:
- PID 792 fontdrvhost.exe
- PID 796 fontdrvhost.exe
- PID 64 dwm.exe
- PID 2636 sihost.exe
- PID 2648 svchost.exe
- PID 2984 taskhostw.exe
- PID 3448 Explorer.EXE
- PID 3588 svchost.exe
- PID 3796 DllHost.exe
- PID 3884 StartMenuExperienceHost.exe
- PID 3952 RuntimeBroker.exe
- PID 4052 SearchApp.exe
- PID 3996 RuntimeBroker.exe
- PID 4544 RuntimeBroker.exe
- PID 3760 TextInputHost.exe
- PID 4684 backgroundTaskHost.exe
- PID 464 backgroundTaskHost.exe
- PID 2472 rundll32.exe (3 entries)
PID 2472 rundll32.exe wrote to memory of (each target recorded twice):
- PID 792 fontdrvhost.exe
- PID 796 fontdrvhost.exe
- PID 64 dwm.exe
- PID 2636 sihost.exe
- PID 2648 svchost.exe
- PID 2984 taskhostw.exe
- PID 3448 Explorer.EXE
- PID 3588 svchost.exe
- PID 3796 DllHost.exe
- PID 3884 StartMenuExperienceHost.exe
- PID 3952 RuntimeBroker.exe
- PID 4052 SearchApp.exe
- PID 3996 RuntimeBroker.exe
- PID 4544 RuntimeBroker.exe
- PID 3760 TextInputHost.exe
- PID 4684 backgroundTaskHost.exe
- PID 1208 RuntimeBroker.exe
- PID 2136 RuntimeBroker.exe
System policy modification 1 TTPs 2 IoCs
Processes: rundll32.exe, d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: rundll32.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe)
Processes
- C:\Windows\system32\fontdrvhost.exe (command line: "fontdrvhost.exe")
- C:\Windows\system32\fontdrvhost.exe (command line: "fontdrvhost.exe")
- C:\Windows\system32\dwm.exe (command line: "dwm.exe")
- C:\Windows\system32\sihost.exe (command line: sihost.exe)
- C:\Windows\system32\svchost.exe (command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc)
- C:\Windows\system32\taskhostw.exe (command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E})
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE)
  - C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe (command line: "C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe")
    - Modifies firewall policy service
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe (command line: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe)
      - Modifies firewall policy service
      - Modifies visibility of hidden/system files in Explorer
      - UAC bypass
      - Windows security bypass
      - Deletes itself
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
- C:\Windows\system32\svchost.exe (command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc)
- C:\Windows\system32\DllHost.exe (command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683})
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca)
- C:\Windows\System32\RuntimeBroker.exe (command line: C:\Windows\System32\RuntimeBroker.exe -Embedding)
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca)
- C:\Windows\System32\RuntimeBroker.exe (command line: C:\Windows\System32\RuntimeBroker.exe -Embedding)
- C:\Windows\System32\RuntimeBroker.exe (command line: C:\Windows\System32\RuntimeBroker.exe -Embedding)
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe (command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca)
- C:\Windows\system32\backgroundTaskHost.exe (command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca)
- C:\Windows\system32\backgroundTaskHost.exe (command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca)
- C:\Windows\System32\RuntimeBroker.exe (command line: C:\Windows\System32\RuntimeBroker.exe -Embedding)
- C:\Windows\System32\RuntimeBroker.exe (command line: C:\Windows\System32\RuntimeBroker.exe -Embedding)
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
- Create or Modify System Process (1)
  - Windows Service (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Create or Modify System Process (1)
  - Windows Service (1)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Modify Registry (8)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (3)
  - Disable or Modify Tools (3)
Downloads
- C:\Users\Admin\AppData\Local\Temp\0E575CF5_Rar\rundll32.exe
  Filesize: 664KB
  MD5: 2eb5d76180ce7b3241b281fa79ab3483
  SHA1: 06293dea80e39c7eb7ee2bdb00d60b58d932fa8a
  SHA256: e1b9beb4617a720d55afaec364941bb18ea2c456a8b06b30a736f0cbb5c297e8
  SHA512: 35f553c76fc67afb88a6a090fcbad6af3e2faae154c9c84bd869714194012525a2d42b76dad855805f107a37c351f0de08fd9a03d8ddc1dd400d64640d81b90b
- C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
  Filesize: 744KB
  MD5: d26dc22db6445c1ce36114677a5e7240
  SHA1: 97a7668972f7fc8c33eef6ea828b597203470085
  SHA256: 4911224219921b359aff5e4a17efd0ea02039e501a80461aafbab0fa0d2fc3f4
  SHA512: b21747d8d0ab194429d03118e824b061bb7619eabd45e5f687cf715b2bdb836de550019d1447cf6ac84d3e7060c5153b8d976317199f45e2280329a4313846a1
- C:\Windows\SYSTEM.INI
  Filesize: 257B
  MD5: b93583d8c0c4f7dc12411dcb3fed74d2
  SHA1: 288ab2690cc700f5fbea748babe330cd875915b7
  SHA256: 279b6c214341b486fa8c3b95cfb8b1cc7dbe78b8c1ffe1037d779deec2794881
  SHA512: 31b6232f37a57846b2ca10c7d3a0f0dd7b3cbdae593e2565adf26f2fe89cdd62d09dc9b2d35914ab49164aa46ec5f0e98e0f023a0ec2d0eadde0d8a0455bca9c
- C:\rgxytq.pif
  Filesize: 100KB
  MD5: 17493c3d025be90ea3d12f00c58997b2
  SHA1: 1cd690eda5b805d5dbc224f510be7bf4e3de5892
  SHA256: 7b6d701ebac3ae2a50236ce26afa99c714f343cee833f596a8e5e8563c7706f9
  SHA512: 242f5ac4c110d29442d3970ed698456e5b583b07461d43ba50030ce6097e2969ed8947ca225a49d83c2362c0d31d9bce9413ea39bcad7161d00d8d20c2573191