dafbfc898ee0edd426c32e480b4c931474af04d15b29fec44dc07c3dcff5b234

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
Size

416KB
MD5

7ca0c037794d176ac91c690bab22787b
SHA1

1572f8c284cd27a9ed2d28640d7dddbc3fe1537a
SHA256

dafbfc898ee0edd426c32e480b4c931474af04d15b29fec44dc07c3dcff5b234
SHA512

de09ebdbdcea493332afec7cda07beb2488dab7458ca7aaefda34817eda01ab731bb037eaff26dcddea0e3a8a2a74939d9a5c860b53d842012812bfde6bb6097
SSDEEP

6144:tyH7xOc6H5c6HcT66vlm+jjIYb1lftjtNSx59xq84rDbRXB/UAn8CQxenvyLa:taPb1ptfKn4vb1BMANce6+

Score

10^/10

evasion

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe:*:enabled:@shell32.dll,-1"	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe

Executes dropped EXE 3 IoCs

pid	Process
3528	svchost.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
4004	svchost.exe

Drops file in Program Files directory 51 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	svchost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	svchost.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	svchost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	svchost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 3528	2868	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	83
PID 2868 wrote to memory of 3528	2868	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	83
PID 2868 wrote to memory of 3528	2868	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	83
PID 3528 wrote to memory of 624	3528	svchost.exe	84
PID 3528 wrote to memory of 624	3528	svchost.exe	84
PID 3528 wrote to memory of 624	3528	svchost.exe	84
PID 624 wrote to memory of 616	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	5
PID 624 wrote to memory of 616	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	5
PID 624 wrote to memory of 616	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	5
PID 624 wrote to memory of 616	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	5
PID 624 wrote to memory of 616	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	5
PID 624 wrote to memory of 616	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	5
PID 624 wrote to memory of 672	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	7
PID 624 wrote to memory of 672	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	7
PID 624 wrote to memory of 672	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	7
PID 624 wrote to memory of 672	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	7
PID 624 wrote to memory of 672	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	7
PID 624 wrote to memory of 672	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	7
PID 624 wrote to memory of 780	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	8
PID 624 wrote to memory of 780	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	8
PID 624 wrote to memory of 780	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	8
PID 624 wrote to memory of 780	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	8
PID 624 wrote to memory of 780	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	8
PID 624 wrote to memory of 780	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	8
PID 624 wrote to memory of 788	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	9
PID 624 wrote to memory of 788	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	9
PID 624 wrote to memory of 788	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	9
PID 624 wrote to memory of 788	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	9
PID 624 wrote to memory of 788	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	9
PID 624 wrote to memory of 788	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	9
PID 624 wrote to memory of 796	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	10
PID 624 wrote to memory of 796	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	10
PID 624 wrote to memory of 796	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	10
PID 624 wrote to memory of 796	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	10
PID 624 wrote to memory of 796	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	10
PID 624 wrote to memory of 796	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	10
PID 624 wrote to memory of 904	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	11
PID 624 wrote to memory of 904	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	11
PID 624 wrote to memory of 904	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	11
PID 624 wrote to memory of 904	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	11
PID 624 wrote to memory of 904	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	11
PID 624 wrote to memory of 904	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	11
PID 624 wrote to memory of 952	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	12
PID 624 wrote to memory of 952	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	12
PID 624 wrote to memory of 952	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	12
PID 624 wrote to memory of 952	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	12
PID 624 wrote to memory of 952	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	12
PID 624 wrote to memory of 952	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	12
PID 624 wrote to memory of 316	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	13
PID 624 wrote to memory of 316	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	13
PID 624 wrote to memory of 316	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	13
PID 624 wrote to memory of 316	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	13
PID 624 wrote to memory of 316	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	13
PID 624 wrote to memory of 316	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	13
PID 624 wrote to memory of 392	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	14
PID 624 wrote to memory of 392	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	14
PID 624 wrote to memory of 392	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	14
PID 624 wrote to memory of 392	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	14
PID 624 wrote to memory of 392	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	14
PID 624 wrote to memory of 392	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	14
PID 624 wrote to memory of 920	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	15
PID 624 wrote to memory of 920	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	15
PID 624 wrote to memory of 920	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	15
PID 624 wrote to memory of 920	624	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	15

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:788
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:316

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:796
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  PID:3120
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3864
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3960
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4020
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:3128
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4168
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:4240
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:668
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  PID:812
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:2912
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
  2⤵
  PID:2896
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:2192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:920

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1120

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1204
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2764
- C:\Windows\system32\MusNotification.exe
  C:\Windows\system32\MusNotification.exe
  2⤵
  PID:1704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1484
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1560

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1568

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1820

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1984

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:1432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1780

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2148

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2172

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2736

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3452

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3556
- C:\Users\Admin\AppData\Local\Temp\7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\svchost.exe
    "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3528
  - - C:\Users\Admin\AppData\Local\Temp\7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
      "C:\Users\Admin\AppData\Local\Temp\7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe"
      4⤵
      Modifies firewall policy service
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:5064

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:3468

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2792

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:380

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe

Filesize
381KB

MD5
e31dbc427ca414308d39a84a4883d987

SHA1
57997f63e96843c07e53a72f7836680f19a878e5

SHA256
d006702a028664bb619fe191d1358acd44976a85c36b6dea9cfe824be45793b8

SHA512
841bb09c207d1de53f837faa1cec75919bb34fccf39ec7a52fa20b5832d4ab4b40a7c62bee5202e08076eec4535d931b57d06e4677175ac9685b9d6f575fb521

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
ff948cfa9e42bc40cd308ecef233f087

SHA1
c3272caf5613c96dc56a306e84fba4062a2d928e

SHA256
3638dc9b5a971f313387af6c212d07afa764dd8bdcec72e58b758e6954dc0847

SHA512
12e47a2c575de7ae6b0db827944ba3bb68fcbbbe59d9bc33f13e7d84a08f18f84ac98ee50d531ef1ec82e25eeb15f55bbb941f8ce4f61f24105037319c83d4df

Download Submit
memory/624-19-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/624-9-0x0000000001000000-0x0000000001063000-memory.dmp

Filesize
396KB

Download
memory/624-14-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/624-15-0x0000000076F92000-0x0000000076F93000-memory.dmp

Filesize
4KB

Download
memory/624-16-0x0000000076F93000-0x0000000076F94000-memory.dmp

Filesize
4KB

Download
memory/624-17-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/624-21-0x0000000001000000-0x0000000001063000-memory.dmp

Filesize
396KB

Download
memory/2868-3-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3528-11-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4004-18-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/4004-22-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4004-28-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4004-31-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download