Malware Analysis Report

2024-11-16 13:16

Sample ID 240520-jcas9sad51
Target d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe
SHA256 4911224219921b359aff5e4a17efd0ea02039e501a80461aafbab0fa0d2fc3f4
Tags
sality backdoor evasion persistence trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4911224219921b359aff5e4a17efd0ea02039e501a80461aafbab0fa0d2fc3f4

Threat Level: Known bad

The file d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion persistence trojan upx

Modifies visibility of hidden/system files in Explorer

Windows security bypass

Sality

Modifies visibility of file extensions in Explorer

Modifies firewall policy service

UAC bypass

Deletes itself

Loads dropped DLL

Windows security modification

UPX packed file

Executes dropped EXE

Checks whether UAC is enabled

Enumerates connected drives

Adds Run key to start application

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

System policy modification

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-20 07:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-20 07:30

Reported

2024-05-20 07:33

Platform

win7-20240220-en

Max time kernel

21s

Max time network

119s

Command Line

"C:\Windows\system32\Dwm.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2908 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe C:\Windows\system32\Dwm.exe
PID 2908 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe C:\Windows\system32\taskhost.exe
PID 2908 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 2908 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe
PID 2908 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
PID 2908 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
PID 2908 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
PID 2908 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
PID 2908 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
PID 2908 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
PID 2908 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
PID 2528 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\Dwm.exe
PID 2528 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\taskhost.exe
PID 2528 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A

Processes

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe

Network

N/A

Files

memory/2908-0-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/2908-7-0x0000000002510000-0x000000000359E000-memory.dmp

memory/2908-10-0x0000000002510000-0x000000000359E000-memory.dmp

memory/2908-8-0x0000000002510000-0x000000000359E000-memory.dmp

memory/2908-11-0x0000000002510000-0x000000000359E000-memory.dmp

memory/2908-13-0x0000000002510000-0x000000000359E000-memory.dmp

memory/2908-6-0x0000000002510000-0x000000000359E000-memory.dmp

memory/2908-14-0x0000000002510000-0x000000000359E000-memory.dmp

memory/2908-12-0x0000000002510000-0x000000000359E000-memory.dmp

memory/2908-9-0x0000000002510000-0x000000000359E000-memory.dmp

memory/2908-15-0x0000000002510000-0x000000000359E000-memory.dmp

memory/2908-28-0x00000000003A0000-0x00000000003A1000-memory.dmp

memory/2908-16-0x0000000002510000-0x000000000359E000-memory.dmp

memory/2908-30-0x0000000000390000-0x0000000000392000-memory.dmp

memory/2908-29-0x0000000000390000-0x0000000000392000-memory.dmp

memory/2908-26-0x00000000003A0000-0x00000000003A1000-memory.dmp

memory/2908-25-0x0000000000390000-0x0000000000392000-memory.dmp

memory/1040-17-0x0000000001DA0000-0x0000000001DA2000-memory.dmp

memory/2908-32-0x0000000002510000-0x000000000359E000-memory.dmp

\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe

MD5 d26dc22db6445c1ce36114677a5e7240
SHA1 97a7668972f7fc8c33eef6ea828b597203470085
SHA256 4911224219921b359aff5e4a17efd0ea02039e501a80461aafbab0fa0d2fc3f4
SHA512 b21747d8d0ab194429d03118e824b061bb7619eabd45e5f687cf715b2bdb836de550019d1447cf6ac84d3e7060c5153b8d976317199f45e2280329a4313846a1

memory/2528-57-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/2908-58-0x0000000000400000-0x00000000004C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0F76207C_Rar\rundll32.exe

MD5 2eb5d76180ce7b3241b281fa79ab3483
SHA1 06293dea80e39c7eb7ee2bdb00d60b58d932fa8a
SHA256 e1b9beb4617a720d55afaec364941bb18ea2c456a8b06b30a736f0cbb5c297e8
SHA512 35f553c76fc67afb88a6a090fcbad6af3e2faae154c9c84bd869714194012525a2d42b76dad855805f107a37c351f0de08fd9a03d8ddc1dd400d64640d81b90b

memory/2908-59-0x0000000002510000-0x000000000359E000-memory.dmp

memory/2908-53-0x0000000000390000-0x0000000000392000-memory.dmp

memory/2908-35-0x0000000002510000-0x000000000359E000-memory.dmp

memory/2908-40-0x000000000A810000-0x000000000A8D2000-memory.dmp

memory/2528-70-0x0000000003950000-0x00000000049DE000-memory.dmp

memory/2528-65-0x0000000003950000-0x00000000049DE000-memory.dmp

memory/2528-80-0x0000000003950000-0x00000000049DE000-memory.dmp

memory/2528-82-0x0000000003950000-0x00000000049DE000-memory.dmp

memory/2528-85-0x0000000000220000-0x0000000000222000-memory.dmp

memory/2528-84-0x0000000000220000-0x0000000000222000-memory.dmp

memory/2528-69-0x0000000003950000-0x00000000049DE000-memory.dmp

memory/2528-67-0x0000000003950000-0x00000000049DE000-memory.dmp

memory/2528-79-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2528-83-0x0000000003950000-0x00000000049DE000-memory.dmp

memory/2528-63-0x0000000003950000-0x00000000049DE000-memory.dmp

memory/2528-81-0x0000000003950000-0x00000000049DE000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 1f925108cdf22315fefcf03ee4394a6c
SHA1 b3adfc2201507c5f681fca530433e0c159b6c606
SHA256 faf5eb18f5287a948510993c45a3da0853d44ff737317793bec265bab45c3ed2
SHA512 4086ac7050d4289ab2d9d5713bc67605d8fd42dd2e6bbddc8303162886c461c5c5f519984c1040331af4d347892f2db3d89ef979fd1ee866e44fbd67deda85c4

memory/2528-68-0x0000000003950000-0x00000000049DE000-memory.dmp

memory/2528-66-0x0000000003950000-0x00000000049DE000-memory.dmp

memory/2528-88-0x0000000003950000-0x00000000049DE000-memory.dmp

memory/2528-90-0x0000000003950000-0x00000000049DE000-memory.dmp

memory/2528-138-0x0000000003950000-0x00000000049DE000-memory.dmp

memory/2528-150-0x0000000000220000-0x0000000000222000-memory.dmp

memory/2528-193-0x0000000003950000-0x00000000039DD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-20 07:30

Reported

2024-05-20 07:33

Platform

win10v2004-20240508-en

Max time kernel

31s

Max time network

111s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1784 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 1784 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 1784 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe C:\Windows\system32\dwm.exe
PID 1784 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe C:\Windows\system32\sihost.exe
PID 1784 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 1784 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe C:\Windows\system32\taskhostw.exe
PID 1784 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 1784 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 1784 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe
PID 1784 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1784 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 1784 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1784 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 1784 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 1784 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 1784 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1784 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1784 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
PID 2472 wrote to memory of 792 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\fontdrvhost.exe
PID 2472 wrote to memory of 796 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\fontdrvhost.exe
PID 2472 wrote to memory of 64 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\dwm.exe
PID 2472 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\sihost.exe
PID 2472 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\svchost.exe
PID 2472 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\taskhostw.exe
PID 2472 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\Explorer.EXE
PID 2472 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\svchost.exe
PID 2472 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\DllHost.exe
PID 2472 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2472 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\System32\RuntimeBroker.exe
PID 2472 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2472 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\System32\RuntimeBroker.exe
PID 2472 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\System32\RuntimeBroker.exe
PID 2472 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2472 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2472 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\System32\RuntimeBroker.exe
PID 2472 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\System32\RuntimeBroker.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\d26dc22db6445c1ce36114677a5e7240_NeikiAnalytics.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 107.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 75.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp

Files


C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe

MD5 d26dc22db6445c1ce36114677a5e7240
SHA1 97a7668972f7fc8c33eef6ea828b597203470085
SHA256 4911224219921b359aff5e4a17efd0ea02039e501a80461aafbab0fa0d2fc3f4
SHA512 b21747d8d0ab194429d03118e824b061bb7619eabd45e5f687cf715b2bdb836de550019d1447cf6ac84d3e7060c5153b8d976317199f45e2280329a4313846a1

C:\Users\Admin\AppData\Local\Temp\0E575CF5_Rar\rundll32.exe

MD5 2eb5d76180ce7b3241b281fa79ab3483
SHA1 06293dea80e39c7eb7ee2bdb00d60b58d932fa8a
SHA256 e1b9beb4617a720d55afaec364941bb18ea2c456a8b06b30a736f0cbb5c297e8
SHA512 35f553c76fc67afb88a6a090fcbad6af3e2faae154c9c84bd869714194012525a2d42b76dad855805f107a37c351f0de08fd9a03d8ddc1dd400d64640d81b90b

C:\Windows\SYSTEM.INI

MD5 b93583d8c0c4f7dc12411dcb3fed74d2
SHA1 288ab2690cc700f5fbea748babe330cd875915b7
SHA256 279b6c214341b486fa8c3b95cfb8b1cc7dbe78b8c1ffe1037d779deec2794881
SHA512 31b6232f37a57846b2ca10c7d3a0f0dd7b3cbdae593e2565adf26f2fe89cdd62d09dc9b2d35914ab49164aa46ec5f0e98e0f023a0ec2d0eadde0d8a0455bca9c

C:\rgxytq.pif

MD5 17493c3d025be90ea3d12f00c58997b2
SHA1 1cd690eda5b805d5dbc224f510be7bf4e3de5892
SHA256 7b6d701ebac3ae2a50236ce26afa99c714f343cee833f596a8e5e8563c7706f9
SHA512 242f5ac4c110d29442d3970ed698456e5b583b07461d43ba50030ce6097e2969ed8947ca225a49d83c2362c0d31d9bce9413ea39bcad7161d00d8d20c2573191
