31ddfe29a74d876dce7fd5827b8ffa35df4bc24888cb1ec8972e282587481cf0

Analysis

max time kernel
141s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 23:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
Size

91KB
MD5

5a108210269af0b88ca4eef1dc0fa910
SHA1

92de8c2d188a41254f5fac7be61e9e08339d10f6
SHA256

31ddfe29a74d876dce7fd5827b8ffa35df4bc24888cb1ec8972e282587481cf0
SHA512

1ef5bd036251fc2ca91343f95552f88baf5cf9c10fa0a5075c71b35b8bc75dcc645025c72e29af7692fcbe037ffef668551e896dc9eb10dd9b9a9387019869ad
SSDEEP

1536:QRsjdIZfaif4YrxCjjKnouy8VzTRsjdIZfaif4YrxCjjKnouy8VzK:QOyZy9wCjOouttTOyZy9wCjOouttK

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe

Disables RegEdit via registry modification 2 IoCs

evasion

Processes:

5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 13 IoCs

Processes:

xk.exeIExplorer.exeWINLOGON.EXECSRSS.EXESERVICES.EXELSASS.EXExk.exeIExplorer.exeWINLOGON.EXECSRSS.EXESERVICES.EXELSASS.EXESMSS.EXE

pid	process
2392	xk.exe
1296	IExplorer.exe
464	WINLOGON.EXE
2008	CSRSS.EXE
1032	SERVICES.EXE
2000	LSASS.EXE
3044	xk.exe
2988	IExplorer.exe
2052	WINLOGON.EXE
2092	CSRSS.EXE
768	SERVICES.EXE
1144	LSASS.EXE
2228	SMSS.EXE

Loads dropped DLL 22 IoCs

Processes:

5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe

pid	process
2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe

UPX packed file 34 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2868-0-0x0000000000400000-0x000000000042F000-memory.dmp	upx
C:\Users\Admin\AppData\Local\winlogon.exe	upx
C:\Windows\xk.exe	upx
behavioral1/memory/2392-116-0x0000000000400000-0x000000000042F000-memory.dmp	upx
\Windows\SysWOW64\IExplorer.exe	upx
behavioral1/memory/2868-117-0x00000000004A0000-0x00000000004CF000-memory.dmp	upx
behavioral1/memory/1296-127-0x0000000000400000-0x000000000042F000-memory.dmp	upx
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE	upx
behavioral1/memory/464-137-0x0000000000400000-0x000000000042F000-memory.dmp	upx
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE	upx
behavioral1/memory/464-141-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2008-151-0x0000000000400000-0x000000000042F000-memory.dmp	upx
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE	upx
behavioral1/memory/1032-162-0x0000000000400000-0x000000000042F000-memory.dmp	upx
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE	upx
behavioral1/memory/2868-170-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2000-185-0x0000000000400000-0x000000000042F000-memory.dmp	upx
C:\Windows\xk.exe	upx
behavioral1/memory/3044-232-0x0000000000400000-0x000000000042F000-memory.dmp	upx
\Windows\SysWOW64\IExplorer.exe	upx
behavioral1/memory/3044-238-0x0000000000400000-0x000000000042F000-memory.dmp	upx
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE	upx
behavioral1/memory/2052-256-0x0000000000400000-0x000000000042F000-memory.dmp	upx
C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE	upx
behavioral1/memory/2052-262-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2988-249-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2092-273-0x0000000000400000-0x000000000042F000-memory.dmp	upx
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE	upx
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE	upx
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE	upx
behavioral1/memory/2228-304-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1144-292-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/768-284-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2868-454-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe

Drops desktop.ini file(s) 4 IoCs

Processes:

5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe

description	ioc	process
File opened for modification	C:\desktop.ini	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
File created	C:\desktop.ini	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
File opened for modification	F:\desktop.ini	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
File created	F:\desktop.ini	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe

description	ioc	process
File opened (read-only)	\??\E:	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
File opened (read-only)	\??\G:	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
File opened (read-only)	\??\P:	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
File opened (read-only)	\??\Q:	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
File opened (read-only)	\??\V:	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
File opened (read-only)	\??\Y:	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
File opened (read-only)	\??\Z:	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
File opened (read-only)	\??\B:	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
File opened (read-only)	\??\J:	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
File opened (read-only)	\??\L:	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
File opened (read-only)	\??\M:	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
File opened (read-only)	\??\U:	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
File opened (read-only)	\??\X:	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
File opened (read-only)	\??\H:	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
File opened (read-only)	\??\I:	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
File opened (read-only)	\??\N:	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
File opened (read-only)	\??\O:	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
File opened (read-only)	\??\R:	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
File opened (read-only)	\??\T:	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
File opened (read-only)	\??\K:	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
File opened (read-only)	\??\S:	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
File opened (read-only)	\??\W:	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe

Drops file in System32 directory 20 IoCs

Processes:

OUTLOOK.EXE5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\shell.exe	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\IExplorer.exe	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\shell.exe	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mig2.scr	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe

Drops file in Windows directory 5 IoCs

Processes:

5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exeOUTLOOK.EXE

description	ioc	process
File opened for modification	C:\Windows\xk.exe	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
File created	C:\Windows\xk.exe	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

Processes:

5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

OUTLOOK.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	OUTLOOK.EXE

Modifies registry class 64 IoCs

Processes:

OUTLOOK.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FE-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D5-0000-0000-C000-000000000046}\ = "_PlaySoundRuleAction"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E3-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307A-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309A-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063045-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063043-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D5-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063033-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672D9-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E5-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DF-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F5-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309C-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EB-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063070-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309C-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FF-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DB-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F5-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067356-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CF-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D4-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DF-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063043-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063087-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CC-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300F-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302A-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FC-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A5-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006F025-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E5-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E0-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C4-0000-0000-C000-000000000046}\ = "_Accounts"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D7-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067367-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063022-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063107-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EF-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D0-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DB-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304C-0000-0000-C000-000000000046}\ = "Exceptions"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E3-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C5-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EB-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067356-0000-0000-C000-000000000046}\ = "OlkSenderPhotoEvents"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063024-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063081-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302B-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063105-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C8-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063037-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672D9-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303D-0000-0000-C000-000000000046}\ = "UserProperties"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063042-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E5-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063049-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063072-0000-0000-C000-000000000046}\ = "_OutlookBarGroups"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307C-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300E-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EC-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F9-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063042-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

OUTLOOK.EXE

pid process

2116 OUTLOOK.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe

pid process

2868 5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OUTLOOK.EXE

pid process

2116 OUTLOOK.EXE
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

OUTLOOK.EXE

pid process

2116 OUTLOOK.EXE
2116 OUTLOOK.EXE
2116 OUTLOOK.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

OUTLOOK.EXE

pid process

2116 OUTLOOK.EXE
2116 OUTLOOK.EXE

pid	process
2116	OUTLOOK.EXE

pid	process
2116	OUTLOOK.EXE

pid	process
2116	OUTLOOK.EXE
2116	OUTLOOK.EXE
2116	OUTLOOK.EXE

pid	process
2116	OUTLOOK.EXE
2116	OUTLOOK.EXE

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exexk.exeIExplorer.exeWINLOGON.EXECSRSS.EXESERVICES.EXELSASS.EXExk.exeIExplorer.exeWINLOGON.EXECSRSS.EXESERVICES.EXELSASS.EXESMSS.EXEOUTLOOK.EXE

pid	process
2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
2392	xk.exe
1296	IExplorer.exe
464	WINLOGON.EXE
2008	CSRSS.EXE
1032	SERVICES.EXE
2000	LSASS.EXE
3044	xk.exe
2988	IExplorer.exe
2052	WINLOGON.EXE
2092	CSRSS.EXE
768	SERVICES.EXE
1144	LSASS.EXE
2228	SMSS.EXE
2116	OUTLOOK.EXE

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe

description	pid	process	target process
PID 2868 wrote to memory of 2392	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	xk.exe
PID 2868 wrote to memory of 2392	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	xk.exe
PID 2868 wrote to memory of 2392	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	xk.exe
PID 2868 wrote to memory of 2392	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	xk.exe
PID 2868 wrote to memory of 1296	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	IExplorer.exe
PID 2868 wrote to memory of 1296	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	IExplorer.exe
PID 2868 wrote to memory of 1296	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	IExplorer.exe
PID 2868 wrote to memory of 1296	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	IExplorer.exe
PID 2868 wrote to memory of 464	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	WINLOGON.EXE
PID 2868 wrote to memory of 464	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	WINLOGON.EXE
PID 2868 wrote to memory of 464	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	WINLOGON.EXE
PID 2868 wrote to memory of 464	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	WINLOGON.EXE
PID 2868 wrote to memory of 2008	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	CSRSS.EXE
PID 2868 wrote to memory of 2008	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	CSRSS.EXE
PID 2868 wrote to memory of 2008	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	CSRSS.EXE
PID 2868 wrote to memory of 2008	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	CSRSS.EXE
PID 2868 wrote to memory of 1032	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	SERVICES.EXE
PID 2868 wrote to memory of 1032	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	SERVICES.EXE
PID 2868 wrote to memory of 1032	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	SERVICES.EXE
PID 2868 wrote to memory of 1032	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	SERVICES.EXE
PID 2868 wrote to memory of 2000	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	LSASS.EXE
PID 2868 wrote to memory of 2000	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	LSASS.EXE
PID 2868 wrote to memory of 2000	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	LSASS.EXE
PID 2868 wrote to memory of 2000	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	LSASS.EXE
PID 2868 wrote to memory of 3044	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	xk.exe
PID 2868 wrote to memory of 3044	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	xk.exe
PID 2868 wrote to memory of 3044	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	xk.exe
PID 2868 wrote to memory of 3044	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	xk.exe
PID 2868 wrote to memory of 2988	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	IExplorer.exe
PID 2868 wrote to memory of 2988	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	IExplorer.exe
PID 2868 wrote to memory of 2988	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	IExplorer.exe
PID 2868 wrote to memory of 2988	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	IExplorer.exe
PID 2868 wrote to memory of 2052	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	WINLOGON.EXE
PID 2868 wrote to memory of 2052	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	WINLOGON.EXE
PID 2868 wrote to memory of 2052	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	WINLOGON.EXE
PID 2868 wrote to memory of 2052	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	WINLOGON.EXE
PID 2868 wrote to memory of 2092	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	CSRSS.EXE
PID 2868 wrote to memory of 2092	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	CSRSS.EXE
PID 2868 wrote to memory of 2092	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	CSRSS.EXE
PID 2868 wrote to memory of 2092	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	CSRSS.EXE
PID 2868 wrote to memory of 768	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	SERVICES.EXE
PID 2868 wrote to memory of 768	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	SERVICES.EXE
PID 2868 wrote to memory of 768	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	SERVICES.EXE
PID 2868 wrote to memory of 768	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	SERVICES.EXE
PID 2868 wrote to memory of 1144	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	LSASS.EXE
PID 2868 wrote to memory of 1144	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	LSASS.EXE
PID 2868 wrote to memory of 1144	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	LSASS.EXE
PID 2868 wrote to memory of 1144	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	LSASS.EXE
PID 2868 wrote to memory of 2228	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	SMSS.EXE
PID 2868 wrote to memory of 2228	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	SMSS.EXE
PID 2868 wrote to memory of 2228	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	SMSS.EXE
PID 2868 wrote to memory of 2228	2868	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe	SMSS.EXE

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5a108210269af0b88ca4eef1dc0fa910_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2868

C:\Windows\xk.exe
C:\Windows\xk.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2392

C:\Windows\SysWOW64\IExplorer.exe
C:\Windows\system32\IExplorer.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1296

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:464

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2008

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1032

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2000

C:\Windows\xk.exe
C:\Windows\xk.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3044

C:\Windows\SysWOW64\IExplorer.exe
C:\Windows\system32\IExplorer.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2988

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2052

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2092

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:768

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1144

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2228

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2116

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
Filesize
91KB

MD5
307772b9c12844054c6101ac3c2ad3bf

SHA1
da9dc4e1a4825e8a9dfeb4c1a9f76155ce2a29ed

SHA256
cacec679698917f96a46f1841f61dcfcc3268a6e41158ba128ffa43cb9ef1f04

SHA512
80b2276b12435781e7ceaf54d5e61a1a8ba758f665a9385925b4bd6c69a77769e7a2f199ec1d8e4d45339c2be7174333325740353762be2b973d6dda22433f4d

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
Filesize
91KB

MD5
eeae5e99edf489c7e5d69c51323f11a1

SHA1
f11f485868054f0456b7a2f028e4f6bd14dda3b0

SHA256
5804327c9061ba9bbc80ddeea64d47a117b4c5ea199597dbf37c5d42dbd39dce

SHA512
18f181b592fb23a2a7ffefad64fd3d085da6a5080acee2ca69b85acecdad0f08fd9dd0c6095dc7ffea352ff0de06c7b151531c41db7ef7778deee794cbde5e47

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe
Filesize
91KB

MD5
5a108210269af0b88ca4eef1dc0fa910

SHA1
92de8c2d188a41254f5fac7be61e9e08339d10f6

SHA256
31ddfe29a74d876dce7fd5827b8ffa35df4bc24888cb1ec8972e282587481cf0

SHA512
1ef5bd036251fc2ca91343f95552f88baf5cf9c10fa0a5075c71b35b8bc75dcc645025c72e29af7692fcbe037ffef668551e896dc9eb10dd9b9a9387019869ad

Download Submit
C:\Windows\xk.exe
Filesize
91KB

MD5
b1a94bc82791b50e1c20179f618b30cd

SHA1
0447138682305c533aa4f0c1a49cca9301a4228e

SHA256
e68b1414f5f13143d105f51d26faabf5dac24dd320179679f767639d118e74ef

SHA512
22792a89197009edcbca68168d22e0f3ac60231907fd0efbb7c03e9db09a159fa8df75bb5a14fbedae708de1d58848820ae921daae9076858ab61e5df819dfce

Download Submit
C:\Windows\xk.exe
Filesize
91KB

MD5
4129077edb84220020bf7f5c2e81761b

SHA1
74ff5979228095481b320700d4cb3e285e7de0b3

SHA256
9b63369155235759267ca05d2fbcf317fdd89b7cba01366c31317a0fa4a58150

SHA512
4ff7fe80f6ecf19e596dc138253c0b8c024334b06e46d514a39bfd119bf28fd873006deb17783705c96b4a62ae4fce531731a138f410f9ce8011adab50e415cf

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
Filesize
91KB

MD5
6f0c0f97d5cc78fa6ddd6b2ed9265db0

SHA1
cabaa6de357c1fbdc02d683ba97940de3504f819

SHA256
69fbac70a285d6a43f10326bcb9ce53f0a68b8f91e11a6daa23645ec7824b94a

SHA512
ee2aaa06298ae14d7135054e5cfb92a83a0ceae6db1295195e538409d8b9963a2668e0742b0ca351340ce18fcacf1793fa149f3eec9ecc307a0c78ff2b574e09

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
Filesize
91KB

MD5
f7507a1662c35cbfa588f5bf7ad8ad75

SHA1
717d990092d900dd8fd17b9cf26fda10ac6f71a3

SHA256
145481de639d6dae2497a73ede03999702413a000a041c529845f1b9b4b6b788

SHA512
03a785fd46243f9ebd6d1d7837c7c2eb0020e23a0fcce54ccbfc137422dba2c74ab21f6d7417f4b5684df7c7850d0ca72e317b00bb0f318f95b619381f817c91

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
Filesize
91KB

MD5
71c4c71e2f2905bfcc9eac2bc62cdf18

SHA1
25cd4175bdbdcd457a9cb0d2d9fa9d30178f0ada

SHA256
f81536ee2ba6db3e31cae07788eb2c9f00edf477c922791ad93e95423b6d77fd

SHA512
fef9ca90ee2ef3c8c5788bb1653c6236d7bfc546ea0a26fa5406a20b0545385a6bdc978517102c5ba0c8b4bf32c09dfc8fe32ee07a28511a93d6ba1617af9c1a

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
Filesize
91KB

MD5
4a707ddfedaede1b4a781ccac502a284

SHA1
37ec31d5eb1baebfa55cc73db66ed711de27c56d

SHA256
29d542cdadfc9d360f87d6789dacbb5faa26fffe351dc840f06342c0eb8d19d2

SHA512
c2d6abb4708f5852d78da89992ee0d2e00b28e330671893786666f5775b092e316f81f0acaeb8f79e4d32fdcb497a3f7cca54f9ee8b9e6118a455cea2d1abd11

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
Filesize
91KB

MD5
1a6fb603c3d9d93cda1e4492ea30a7cd

SHA1
70538a358bf4fa0ce76bf09c7ec54664135bd27c

SHA256
bdc72d5dae1162859d5163f3b7227518c7610c55ffdf2bc9d51ac1c69c86dba3

SHA512
0ba0ad8a7a744707db22ab11884168872dde5997cb4c8bf17a0be274c2400f4ccb13fd19db5aa3455ace4812b2f895c8a89a67aaa5b1581bee87a94dadc63791

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
Filesize
91KB

MD5
72373122fc8dad132e04278357127855

SHA1
3e950759a1e56a41ce0e2af97f2e6798df2158ab

SHA256
2219b2ce0ea546e1b9a1b5c3d31a5a76e1e1ba44f7a72f5e92b1ad1bd6892543

SHA512
b303060316f17f9aadb648715718c855634c530e5cfbeb90322804313dbb9454dd62e1f60200b517556189620b25abf4e4bd79e16cbe53c906859634abbcc3f8

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
Filesize
91KB

MD5
d6c263e31a1f64522527675ed5e0b112

SHA1
080eea87b17178082f5f81411ae120e0474aa193

SHA256
71269e2b0c797e8bbf6e28b93532c4057f2747472a2d7e13218cd4e91d88da24

SHA512
60eb8c2bc5ca4272e45a6a28de1c3d146c417772509673911b1ab2221a8fa8d40a245a4d2310b8defdca1987b3f95f8783693a4ed8ac9de03358f03e620d0338

Download Submit
\Windows\SysWOW64\IExplorer.exe
Filesize
91KB

MD5
c5411e0bff11edc954b03af16a44849e

SHA1
e69bef81823408daf1f79e3fd7a9a7aa30bdaef1

SHA256
40d38294c27b7bede7e0963e575b4b7949eaeb7ded2c321c382c1deeeab17984

SHA512
e0ce634c2f50603aa4cbaacb7f6ae408ce0b3bf823c337e21d8f9f9aff9f7117dbefc8ad2bc5241f8755b7bf5cf8a4ba1a7b49fdb6f92c973cd8edd12451b4b5

Download Submit
\Windows\SysWOW64\IExplorer.exe
Filesize
91KB

MD5
97e1a255c928b9b7eb7226ed2004ac11

SHA1
6a3bc28faaf7463f22587fc6e8b70663faf61b34

SHA256
be38f965a10f724f3e5fd8e85ded34eaa9cbcd1ad0516a6f6733907084cc8caa

SHA512
2e9bc8ac80084961d09a38e811fa422f0f082a846da586be17c4a5526410fe2842419146a329bd730c484fc6af51d1a63c31a671efefcbe366a83fed7764c1f7

Download Submit
memory/464-137-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/464-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/768-284-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1032-162-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1144-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1296-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2000-185-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2008-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2052-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2052-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2092-273-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2116-329-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2228-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2392-116-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2868-255-0x00000000004A0000-0x00000000004CF000-memory.dmp

Filesize
188KB

Download
memory/2868-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2868-117-0x00000000004A0000-0x00000000004CF000-memory.dmp

Filesize
188KB

Download
memory/2868-130-0x00000000004A0000-0x00000000004CF000-memory.dmp

Filesize
188KB

Download
memory/2868-456-0x00000000004A0000-0x00000000004CF000-memory.dmp

Filesize
188KB

Download
memory/2868-231-0x00000000004A0000-0x00000000004CF000-memory.dmp

Filesize
188KB

Download
memory/2868-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2868-110-0x00000000004A0000-0x00000000004CF000-memory.dmp

Filesize
188KB

Download
memory/2868-111-0x00000000004A0000-0x00000000004CF000-memory.dmp

Filesize
188KB

Download
memory/2868-300-0x00000000004A0000-0x00000000004CF000-memory.dmp

Filesize
188KB

Download
memory/2868-159-0x00000000004A0000-0x00000000004CF000-memory.dmp

Filesize
188KB

Download
memory/2868-170-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2868-136-0x00000000004A0000-0x00000000004CF000-memory.dmp

Filesize
188KB

Download
memory/2988-249-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3044-238-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3044-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads