4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
21/05/2024, 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
Size

91KB
MD5

256f14fa9fe7b9d368cd067ecded2de0
SHA1

ca3d237606bf17de27862dc027e001c92240097e
SHA256

4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748
SHA512

805aaabab98311d9d008ea3d07fc020eae4ae09683db0d785cc50f09c6a61d71023259f8a2b043fcc415c4b0a7385a2a9904ceed1516da76bfc07f06d4db4509
SSDEEP

768:E3gRYjXbUeHORIC4ZxBMldNKm8Mxm8I+IxrjPfAQ4o3ImumB3gRYjXbUeHORIC40:uT3OA3+KQsxfS4nT3OA3+KQsxfS4u

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
2832	xk.exe
1256	IExplorer.exe
832	WINLOGON.EXE
544	CSRSS.EXE
1540	SERVICES.EXE
1048	LSASS.EXE
1676	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
2368	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
2368	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
2368	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
2368	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
2368	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
2368	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
2368	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
2368	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
2368	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
2368	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
2368	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
2368	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\shell.exe	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\shell.exe	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mig2.scr	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
File created	C:\Windows\xk.exe	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2368	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2368	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
2832	xk.exe
1256	IExplorer.exe
832	WINLOGON.EXE
544	CSRSS.EXE
1540	SERVICES.EXE
1048	LSASS.EXE
1676	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2832	2368	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe	28
PID 2368 wrote to memory of 2832	2368	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe	28
PID 2368 wrote to memory of 2832	2368	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe	28
PID 2368 wrote to memory of 2832	2368	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe	28
PID 2368 wrote to memory of 1256	2368	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe	29
PID 2368 wrote to memory of 1256	2368	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe	29
PID 2368 wrote to memory of 1256	2368	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe	29
PID 2368 wrote to memory of 1256	2368	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe	29
PID 2368 wrote to memory of 832	2368	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe	30
PID 2368 wrote to memory of 832	2368	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe	30
PID 2368 wrote to memory of 832	2368	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe	30
PID 2368 wrote to memory of 832	2368	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe	30
PID 2368 wrote to memory of 544	2368	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe	31
PID 2368 wrote to memory of 544	2368	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe	31
PID 2368 wrote to memory of 544	2368	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe	31
PID 2368 wrote to memory of 544	2368	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe	31
PID 2368 wrote to memory of 1540	2368	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe	32
PID 2368 wrote to memory of 1540	2368	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe	32
PID 2368 wrote to memory of 1540	2368	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe	32
PID 2368 wrote to memory of 1540	2368	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe	32
PID 2368 wrote to memory of 1048	2368	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe	33
PID 2368 wrote to memory of 1048	2368	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe	33
PID 2368 wrote to memory of 1048	2368	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe	33
PID 2368 wrote to memory of 1048	2368	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe	33
PID 2368 wrote to memory of 1676	2368	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe	34
PID 2368 wrote to memory of 1676	2368	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe	34
PID 2368 wrote to memory of 1676	2368	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe	34
PID 2368 wrote to memory of 1676	2368	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe	34

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2368
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2832
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1256
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:832
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:544
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1540
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1048
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
c3e106d202e3e73ad408fb96a2ad9ce0

SHA1
1baaa0de53f9de8ea7bfbb51fae4c23a0973fcc3

SHA256
6c507b79cafeb71158fc43fa22e9665ca2e5b3a44cfcb4f1cc4f6ab65843f16b

SHA512
c2e2082bfdfcd3c0a5432560479672fd44bea56e335fffabffdfc29da6e74fa341da04e1110d4cfff2d96b7aa0a182f2d3450c20b54d0d0a25648551dd4b0aec

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
91KB

MD5
256f14fa9fe7b9d368cd067ecded2de0

SHA1
ca3d237606bf17de27862dc027e001c92240097e

SHA256
4cb3ba825b1fd0b88d02af7ecb1a7cd6e367c6684baffa5d3c98f037d2e5f748

SHA512
805aaabab98311d9d008ea3d07fc020eae4ae09683db0d785cc50f09c6a61d71023259f8a2b043fcc415c4b0a7385a2a9904ceed1516da76bfc07f06d4db4509

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
743e430252b7b1aa6686b1d68fef5666

SHA1
bfe2568568ff02b8b8403511d68341dd3b31b1be

SHA256
2d42bc1ddf1a3c4e01aa524f69a27e253096af6314d83f967c5591f8b827c0aa

SHA512
18873ea7cd47f72364244f4160f4c6725702e249cad399f659cbfaf2fb17f01d8e3e03aa977f881dfbe907e063104791eaaa01262b056ab47d5a956ad0e4c521

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
1731da94d0fbff173257e12c638f3474

SHA1
a585501d33813a522818e9d33005ade01ae3287a

SHA256
3008a1d157429b5ccf57357c97e6114a97cd8dc37eb9fe35c7f084df641de437

SHA512
6f094e6deaad8bdf9321c059db3117fd72417596065e828236c5e5ed3b95106edd437d74077479c5f86bfab175d62dd5ad6a31cecf9bdd91f7e461b9278bc781

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
1efce74331a90a1bcc4452ba12d30587

SHA1
29c3d5822099cc7b52b4f4c6a0ee6d083b55210f

SHA256
66bd656ee4cd582bbefacec26a00e2702173bb65e4e948ec0c01cae7cf3e82bc

SHA512
db66c4118e9aa2e50684972db02469120c4ead51ecfb324e39ce0351b87369a3609db039bd4bed2750f498e37cc0ba1d4311f3f5595daf1eefac65353cc83200

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
be112b7b624190c753b77240ad404f15

SHA1
02441d911121abf361b20c7011915567ff4b20a1

SHA256
2c92fe3276145e27f80695fd2f45b8befcfb67738c3821a957ec5eaee7096f90

SHA512
bcbea3dd870d9490056d47be3ec1c6d8ca3519fd0395847ef15cbdc9617fa857e67660b21aac064e5aef700e77ee4e8e25649cb3cee724bb5db891a74d65554c

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
a416548b8ec0a8a0ebe58f80b2cf2c23

SHA1
9308e84b0702c2b542fb3e263dd985c2cec078cb

SHA256
a946c01b87ec7fcd0e5beb7287a13bbc4eb2610ae552bf977af6494a9a10d2ce

SHA512
df7fa165a1f94de9947afe457feafee07e09cbb4b5d47c99d1488f7c61fc1f1407ea26d907e47a7ed5f901e2dd47c658800805b3bdf1cddab32f86818cff301d

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
e671e5c3a6ddca84a4a684affa0b640a

SHA1
f5bf044622d0f518023a5996eef9f4d029ab7ed1

SHA256
b93461c52896a414230a04dd9b9e521f27e23f80566a34b90dc735611da74119

SHA512
068115b2b78f0160c5db13a29ba8167dea4053746de4cce6ad1b92fda636803862696dd339e0166ee7a3a7539e77e992d30a0ed0a725e0fe5d911fa34f6c6f4c

Download Submit
memory/544-163-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/544-169-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/544-167-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/832-155-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/832-147-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/832-151-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1048-195-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1048-189-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1048-197-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1256-132-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1256-144-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1540-181-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1540-177-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1540-199-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1676-212-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1676-207-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2368-194-0x0000000002340000-0x000000000236C000-memory.dmp

Filesize
176KB

Download
memory/2368-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2368-134-0x0000000002340000-0x000000000236C000-memory.dmp

Filesize
176KB

Download
memory/2368-214-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2368-113-0x0000000002340000-0x000000000236C000-memory.dmp

Filesize
176KB

Download
memory/2368-115-0x0000000002340000-0x000000000236C000-memory.dmp

Filesize
176KB

Download
memory/2368-215-0x0000000000401000-0x0000000000427000-memory.dmp

Filesize
152KB

Download
memory/2368-4-0x0000000000401000-0x0000000000427000-memory.dmp

Filesize
152KB

Download
memory/2368-146-0x0000000002340000-0x000000000236C000-memory.dmp

Filesize
176KB

Download
memory/2368-1-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2368-161-0x0000000000401000-0x0000000000427000-memory.dmp

Filesize
152KB

Download
memory/2368-193-0x0000000002340000-0x000000000236C000-memory.dmp

Filesize
176KB

Download
memory/2368-2-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2368-3-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2368-162-0x0000000002340000-0x000000000236C000-memory.dmp

Filesize
176KB

Download
memory/2832-120-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2832-125-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2832-116-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2832-117-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2832-118-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download