361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21/05/2024, 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
Size

90KB
MD5

a65b1aee813f395675a5ded1b9812290
SHA1

6c9016b365a87067190712376799a03ad01fa306
SHA256

361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c
SHA512

0356caa138ebefb2611693852ad8db54308cb1cf5ce656aed1396942c6da1cc2433c0adcae84d4e937018335a52da2794bccf44d63b1630bc869969f2782fc64
SSDEEP

1536:ERsjdf1aM67v32Z9x5nouy8VTkRsjdf1aM67v32Z9x5nouy8VT:EOaHv3YpoutNkOaHv3YpoutN

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
3000	xk.exe
2812	IExplorer.exe
2944	WINLOGON.EXE
1016	CSRSS.EXE
760	SERVICES.EXE
2480	LSASS.EXE
2780	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
1504	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
1504	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
1504	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
1504	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
1504	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
1504	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
1504	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
1504	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
1504	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
1504	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
1504	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
1504	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1504-0-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x00070000000144e4-9.dat	upx
behavioral1/files/0x000900000001459f-107.dat	upx
behavioral1/memory/3000-111-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000015659-114.dat	upx
behavioral1/memory/3000-116-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1504-117-0x0000000002580000-0x00000000025AF000-memory.dmp	upx
behavioral1/files/0x000600000001566b-126.dat	upx
behavioral1/memory/2812-129-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2944-140-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1504-135-0x0000000002580000-0x00000000025AF000-memory.dmp	upx
behavioral1/files/0x000600000001567f-141.dat	upx
behavioral1/memory/1016-154-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x000600000001568c-152.dat	upx
behavioral1/memory/760-163-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000015be6-164.dat	upx
behavioral1/memory/1504-170-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2480-178-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000015ca6-175.dat	upx
behavioral1/memory/2780-184-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2780-188-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1504-190-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mig2.scr	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\shell.exe	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
File created	C:\Windows\xk.exe	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1504	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1504	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
3000	xk.exe
2812	IExplorer.exe
2944	WINLOGON.EXE
1016	CSRSS.EXE
760	SERVICES.EXE
2480	LSASS.EXE
2780	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 3000	1504	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe	28
PID 1504 wrote to memory of 3000	1504	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe	28
PID 1504 wrote to memory of 3000	1504	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe	28
PID 1504 wrote to memory of 3000	1504	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe	28
PID 1504 wrote to memory of 2812	1504	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe	29
PID 1504 wrote to memory of 2812	1504	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe	29
PID 1504 wrote to memory of 2812	1504	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe	29
PID 1504 wrote to memory of 2812	1504	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe	29
PID 1504 wrote to memory of 2944	1504	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe	30
PID 1504 wrote to memory of 2944	1504	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe	30
PID 1504 wrote to memory of 2944	1504	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe	30
PID 1504 wrote to memory of 2944	1504	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe	30
PID 1504 wrote to memory of 1016	1504	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe	31
PID 1504 wrote to memory of 1016	1504	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe	31
PID 1504 wrote to memory of 1016	1504	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe	31
PID 1504 wrote to memory of 1016	1504	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe	31
PID 1504 wrote to memory of 760	1504	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe	32
PID 1504 wrote to memory of 760	1504	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe	32
PID 1504 wrote to memory of 760	1504	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe	32
PID 1504 wrote to memory of 760	1504	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe	32
PID 1504 wrote to memory of 2480	1504	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe	33
PID 1504 wrote to memory of 2480	1504	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe	33
PID 1504 wrote to memory of 2480	1504	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe	33
PID 1504 wrote to memory of 2480	1504	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe	33
PID 1504 wrote to memory of 2780	1504	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe	34
PID 1504 wrote to memory of 2780	1504	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe	34
PID 1504 wrote to memory of 2780	1504	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe	34
PID 1504 wrote to memory of 2780	1504	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe	34

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1504
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3000
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2812
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2944
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1016
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:760
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2480
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\lsass.exe

Filesize
90KB

MD5
a65b1aee813f395675a5ded1b9812290

SHA1
6c9016b365a87067190712376799a03ad01fa306

SHA256
361af8baa3cf738bbe35a5ef1585beb0b6243928449dc3b5c619e0a05292f99c

SHA512
0356caa138ebefb2611693852ad8db54308cb1cf5ce656aed1396942c6da1cc2433c0adcae84d4e937018335a52da2794bccf44d63b1630bc869969f2782fc64

Download Submit
C:\Windows\xk.exe

Filesize
90KB

MD5
c8af050c745b1cea6704415aa72aeaea

SHA1
58f7913cca21fd60b8f2bdceb4365033cbbc1561

SHA256
54bb9f8522209d802008626360b564893177440483c065d938f41ed1e5b5c3ee

SHA512
8b1e025ee0f10d428e68f171af8bb7f5f15b8aa94edd8d07037ffb1b5b89740cf5f263f8859bfc914cdc68f9637dcbaf5c6c16cce72f32991438df45e09aa4ed

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
90KB

MD5
63162e9676e92cf3c9f29ef0126d8885

SHA1
e391fa18fe46629e46e29ae04e5efb4d2c56fdb6

SHA256
521731300480e7230801b3502235aa72012a7d75c95ba14fdde7d8f77c063a9a

SHA512
5608a0d70870c8c7547e61ddf6bdcad83ce646acd29fbe6878407440f73a3785559c612ab9488d0cb6ca78a1516be27e761ef85e264a7cbaf5be00baea1e4024

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
90KB

MD5
1084327c2aa87fe970afbc5f33ca6370

SHA1
4fd20401e9ef9e63dbd59db5726347ff75c2ce43

SHA256
0d8eabd139e31f2d189678ee20096d7aff2f656b37f0529c871ad52b51905a49

SHA512
3220ca479a1fa3785288acc18f0c71f8478360886bb4830c11e52141df2da08944bdf5ad0bf2a77bc985b07d79fd671e77a406951702f23ed4082b519d4817ce

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
90KB

MD5
d43bb51a6d947232651e7d01de9b8bf6

SHA1
41556bbb2c66150a4c1a9a7c2a418b50a127739c

SHA256
a082115d8c80a2ae3dc910389abf5165b1c116c335490c4a315eb39818db01a7

SHA512
b064a7385d594431e5e3b6457ddecb1d47b675c3f786b72bf667b5b0642e8969f35c4aadd6dcab2ed28ecb180839b8c54d06af748aa45019644ba87a327bf30a

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
90KB

MD5
8675e8c2defc0052da822d11468e3401

SHA1
407f307d2ddd3b55ebf56874e98b9ff3b2302967

SHA256
76e3cbb70fd6b8c0b00448a815244586979b3a705df977d6807bc20643f8dfd6

SHA512
67183a3c52d2ba05f202f9983ba44e3a68d50237c0aa42b3668773f6f0c23dda90d2cc1ecaac9b327d02e3df644e1ec3d2ec52e7ea948dc7a0ee7a2e61d56354

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
90KB

MD5
de4fa374eb1fa9d36c275c724edd598a

SHA1
31eedc4798526f7e3208a7e24f9456b3622e56ef

SHA256
d00e0493f8b35973b62efa6e7a49e065435272dd768d5268762f77e620e3cbe7

SHA512
babd86707cbd6e746eae93725375c639b4c4aeaadaa5609fe78223a323f19329d40e139ed41bbf6a2df8a2a62017bcf6fd3995f778a5b566ec20a3c14c506978

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
90KB

MD5
9884eb288f864d9f9d6518fa801e7106

SHA1
b78a9868704e619a7bd27bf400305a12b6825ec6

SHA256
4d31d38fe5be59ecc6ac72dd6cb4379636f1cc47ae00e032e6164ff93a9cf441

SHA512
7b7652cfc418c1434ccc05bf94def5da4b8539e8423fbb85a840c00ce8d4231df99d1cc820090c44c5075bb37cb5859c06bd907f4c8f4394cfd019dc2dbd6bac

Download Submit
memory/760-163-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1016-154-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1504-110-0x0000000002580000-0x00000000025AF000-memory.dmp

Filesize
188KB

Download
memory/1504-109-0x0000000002580000-0x00000000025AF000-memory.dmp

Filesize
188KB

Download
memory/1504-136-0x0000000002580000-0x00000000025AF000-memory.dmp

Filesize
188KB

Download
memory/1504-135-0x0000000002580000-0x00000000025AF000-memory.dmp

Filesize
188KB

Download
memory/1504-190-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1504-148-0x0000000002580000-0x00000000025AF000-memory.dmp

Filesize
188KB

Download
memory/1504-172-0x0000000002580000-0x00000000025AF000-memory.dmp

Filesize
188KB

Download
memory/1504-117-0x0000000002580000-0x00000000025AF000-memory.dmp

Filesize
188KB

Download
memory/1504-170-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1504-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2480-178-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2780-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2780-188-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2812-129-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2944-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3000-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3000-116-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download