191f6053a78bb7af69a99aae5b9d5a9783ffaaf0f843a82c0472e344726ca31b

General

Target

76b7e3f0f938c907c53f48929977c4f0_NeikiAnalytics.exe
Size

120KB
MD5

76b7e3f0f938c907c53f48929977c4f0
SHA1

4e95cfeaabd7cde4d19f36bc4455f04cdee25859
SHA256

191f6053a78bb7af69a99aae5b9d5a9783ffaaf0f843a82c0472e344726ca31b
SHA512

03523e04beb5d616fcbd49166c5b9a72180af2bacd209d39ac99b571523d35386162c76202c93ead05d9f3babf38fd964ea9a887588907ef874f3d4cb097c72e
SSDEEP

1536:tGGoyZeUJ1REmoiHl7gRNq27ddDhJmRjfFp6jhQh8bA0zb69ZeqpZj2jMhuysesJ:tG8l1mmvFKnAjfFQLA0zbPq36jRNEa

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

xcyuk.exe76b7e3f0f938c907c53f48929977c4f0_NeikiAnalytics.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	xcyuk.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	76b7e3f0f938c907c53f48929977c4f0_NeikiAnalytics.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

76b7e3f0f938c907c53f48929977c4f0_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	76b7e3f0f938c907c53f48929977c4f0_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

Processes:

xcyuk.exe

pid process

1948 xcyuk.exe

pid	process
1948	xcyuk.exe

Adds Run key to start application 2 TTPs 53 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

xcyuk.exe76b7e3f0f938c907c53f48929977c4f0_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /X"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /b"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /U"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /u"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /j"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /s"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /T"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /N"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /J"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /K"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /E"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /z"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /p"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /R"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /l"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /h"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /k"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /i"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /f"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /t"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /e"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /W"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /P"	76b7e3f0f938c907c53f48929977c4f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /B"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /M"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /Q"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /P"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /A"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /y"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /G"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /Z"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /D"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /O"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /n"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /C"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /v"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /Y"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /V"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /I"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /a"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /d"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /x"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /S"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /q"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /w"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /c"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /o"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /g"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /r"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /m"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /F"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /L"	xcyuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcyuk = "C:\\Users\\Admin\\xcyuk.exe /H"	xcyuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

76b7e3f0f938c907c53f48929977c4f0_NeikiAnalytics.exexcyuk.exe

pid	process
2704	76b7e3f0f938c907c53f48929977c4f0_NeikiAnalytics.exe
2704	76b7e3f0f938c907c53f48929977c4f0_NeikiAnalytics.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe
1948	xcyuk.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

76b7e3f0f938c907c53f48929977c4f0_NeikiAnalytics.exexcyuk.exe

pid process

2704 76b7e3f0f938c907c53f48929977c4f0_NeikiAnalytics.exe
1948 xcyuk.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

76b7e3f0f938c907c53f48929977c4f0_NeikiAnalytics.exe

description	pid	process	target process
PID 2704 wrote to memory of 1948	2704	76b7e3f0f938c907c53f48929977c4f0_NeikiAnalytics.exe	xcyuk.exe
PID 2704 wrote to memory of 1948	2704	76b7e3f0f938c907c53f48929977c4f0_NeikiAnalytics.exe	xcyuk.exe
PID 2704 wrote to memory of 1948	2704	76b7e3f0f938c907c53f48929977c4f0_NeikiAnalytics.exe	xcyuk.exe

C:\Users\Admin\AppData\Local\Temp\76b7e3f0f938c907c53f48929977c4f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\76b7e3f0f938c907c53f48929977c4f0_NeikiAnalytics.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2704

C:\Users\Admin\xcyuk.exe
"C:\Users\Admin\xcyuk.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4244,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=4156 /prefetch:8
1⤵
PID:3388

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\xcyuk.exe
Filesize
120KB

MD5
dc3b4c6543857ddb1e11efc2d2c207fe

SHA1
e374d864b82cf9c88381728b1247d385fcca7bc0

SHA256
40a59cace17eca63c51abc753f53df4b9880ae856bdaf367a0ca59dee8750f9a

SHA512
f2ad6814b8606bf56f52f02d3ae4deec1515b15fdb27a3b85774c51229808943260e54928c3a9a30c22833503460e31f729fe2ba3a3a8df10a050b2e8e839fab

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads