b38b1d374004cf53cfe474064496194d8bdf06e41ec1a24c239d925d7e4a4ee3

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
25/05/2024, 06:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
Size

352KB
MD5

bb7baf2071fe8a67a85388ba47d3b200
SHA1

00e3aa64bf85cb8ad285b4f9f5913e00254bea3d
SHA256

b38b1d374004cf53cfe474064496194d8bdf06e41ec1a24c239d925d7e4a4ee3
SHA512

6ab6cc3d4c219ab00ff45fb7ac89da4e21b1bb5c82dc667763cae652d53a9320355095b1f41e3561d559b02ee96550a2587eccf1186598eb871770321a1e78e3
SSDEEP

6144:vIGEnprZkRs38t54c6rzNdfsIGEnprZkRs38t54c6rzNdf/:vxEnAR934YxEnAR934L

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Shell.exe"	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Shell.exe\""	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Shell.exe"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Shell.exe\""	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Shell.exe\""	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Shell.exe\""	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Shell.exe"	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Shell.exe\""	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Shell.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Shell.exe\""	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Shell.exe"	SMSS.EXE

Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WlNLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Shell.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SMSS.EXE

Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WlNLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Shell.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	CSRSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SMSS.EXE

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe

Executes dropped EXE 5 IoCs

pid	Process
2268	WlNLOGON.EXE
2620	Shell.exe
2732	CSRSS.EXE
1484	SERVICES.EXE
328	SMSS.EXE

Loads dropped DLL 8 IoCs

pid	Process
1720	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
1720	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
1720	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
1720	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
1720	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
1720	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
1720	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
1720	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe

Modifies system executable filetype association 2 TTPs 62 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WlNLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WlNLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WlNLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WlNLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WlNLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1720-2-0x0000000000400000-0x00000000004AA000-memory.dmp	upx
behavioral1/files/0x0007000000016d21-12.dat	upx
behavioral1/memory/1720-94-0x0000000003650000-0x00000000036FA000-memory.dmp	upx
behavioral1/memory/2268-95-0x0000000000400000-0x00000000004AA000-memory.dmp	upx
behavioral1/memory/2620-109-0x0000000000400000-0x00000000004AA000-memory.dmp	upx
behavioral1/files/0x000600000001737b-123.dat	upx
behavioral1/files/0x000600000001737e-136.dat	upx
behavioral1/memory/328-162-0x0000000000400000-0x00000000004AA000-memory.dmp	upx
behavioral1/memory/1484-160-0x0000000000400000-0x00000000004AA000-memory.dmp	upx
behavioral1/memory/1720-159-0x0000000000400000-0x00000000004AA000-memory.dmp	upx
behavioral1/memory/2732-158-0x0000000000400000-0x00000000004AA000-memory.dmp	upx
behavioral1/memory/328-156-0x0000000000400000-0x00000000004AA000-memory.dmp	upx
behavioral1/memory/2620-154-0x0000000000400000-0x00000000004AA000-memory.dmp	upx
behavioral1/memory/2268-151-0x0000000000400000-0x00000000004AA000-memory.dmp	upx
behavioral1/memory/2732-120-0x0000000000400000-0x00000000004AA000-memory.dmp	upx
behavioral1/files/0x0006000000016f7e-116.dat	upx
behavioral1/files/0x0006000000016d85-105.dat	upx
behavioral1/files/0x0006000000016d31-92.dat	upx

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Depkominfo = "C:\\Windows\\WlNLOGON.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SMSS.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SMSS.EXE"	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Depkominfo = "C:\\Windows\\WlNLOGON.EXE"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SMSS.EXE"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	WlNLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Depkominfo = "C:\\Windows\\WlNLOGON.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SMSS.EXE"	WlNLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Depkominfo = "C:\\Windows\\WlNLOGON.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SMSS.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SMSS.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Depkominfo = "C:\\Windows\\WlNLOGON.EXE"	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Depkominfo = "C:\\Windows\\WlNLOGON.EXE"	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	WlNLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	Shell.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Desktop.ini	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
File created	C:\Windows\Desktop.ini	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	SERVICES.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	SMSS.EXE
File created	C:\Windows\SysWOW64\shell.exe	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Telematika.scr	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\OEMINFO.ini	SMSS.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	WlNLOGON.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	CSRSS.EXE
File opened for modification	C:\Windows\SysWOW64\OEMLOGO.BMP	SMSS.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\OEMINFO.ini	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Telematika.scr	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\OEMLOGO.BMP	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
File created	C:\Windows\msvbvm60.dll	WlNLOGON.EXE
File opened for modification	C:\Windows\msvbvm60.dll	SERVICES.EXE
File created	C:\Windows\msvbvm60.dll	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
File opened for modification	C:\Windows\msvbvm60.dll	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
File opened for modification	C:\Windows\WlNLOGON.EXE	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
File created	C:\Windows\WlNLOGON.EXE	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
File created	C:\Windows\120.0.0.1.htm	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
File opened for modification	C:\Windows\msvbvm60.dll	CSRSS.EXE
File created	C:\Windows\msvbvm60.dll	SERVICES.EXE
File opened for modification	C:\Windows\msvbvm60.dll	SMSS.EXE
File opened for modification	C:\Windows\msvbvm60.dll	WlNLOGON.EXE
File created	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	CSRSS.EXE
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	SMSS.EXE
File opened for modification	C:\Windows\Desktop.ini	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
File created	C:\Windows\Desktop.ini	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
File opened for modification	C:\Windows\120.0.0.1.htm	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 42 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International\s1159 = "Awan"	WlNLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\TELEMA~1.SCR"	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	WlNLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International	WlNLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\TELEMA~1.SCR"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	WlNLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International\s1159 = "Awan"	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\TELEMA~1.SCR"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International\s2359 = "Bengi"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International\s1159 = "Awan"	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International\s2359 = "Bengi"	WlNLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International\s2359 = "Bengi"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	CSRSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International\s2359 = "Bengi"	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International\s1159 = "Awan"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International\s1159 = "Awan"	CSRSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\TELEMA~1.SCR"	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\	WlNLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International\s2359 = "Bengi"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\TELEMA~1.SCR"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International\s1159 = "Awan"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International\s2359 = "Bengi"	SMSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\TELEMA~1.SCR"	WlNLOGON.EXE

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	WlNLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	Shell.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	CSRSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	SMSS.EXE

Modifies Internet Explorer start page 1 TTPs 6 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\start page = "C:\\Windows\\\\120.0.0.1.htm"	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\start page = "C:\\Windows\\\\120.0.0.1.htm"	WlNLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\start page = "C:\\Windows\\\\120.0.0.1.htm"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\start page = "C:\\Windows\\\\120.0.0.1.htm"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\start page = "C:\\Windows\\\\120.0.0.1.htm"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\start page = "C:\\Windows\\\\120.0.0.1.htm"	SMSS.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WlNLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WlNLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WlNLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	WlNLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WlNLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WlNLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WlNLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WlNLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WlNLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Shell.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1720	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
328	SMSS.EXE
328	SMSS.EXE
328	SMSS.EXE
328	SMSS.EXE
328	SMSS.EXE
328	SMSS.EXE
328	SMSS.EXE
328	SMSS.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1720	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
2268	WlNLOGON.EXE
2620	Shell.exe
2732	CSRSS.EXE
1484	SERVICES.EXE
328	SMSS.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2268	1720	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe	28
PID 1720 wrote to memory of 2268	1720	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe	28
PID 1720 wrote to memory of 2268	1720	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe	28
PID 1720 wrote to memory of 2268	1720	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe	28
PID 1720 wrote to memory of 2620	1720	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe	29
PID 1720 wrote to memory of 2620	1720	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe	29
PID 1720 wrote to memory of 2620	1720	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe	29
PID 1720 wrote to memory of 2620	1720	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe	29
PID 1720 wrote to memory of 2732	1720	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe	30
PID 1720 wrote to memory of 2732	1720	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe	30
PID 1720 wrote to memory of 2732	1720	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe	30
PID 1720 wrote to memory of 2732	1720	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe	30
PID 1720 wrote to memory of 1484	1720	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe	31
PID 1720 wrote to memory of 1484	1720	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe	31
PID 1720 wrote to memory of 1484	1720	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe	31
PID 1720 wrote to memory of 1484	1720	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe	31
PID 1720 wrote to memory of 328	1720	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe	32
PID 1720 wrote to memory of 328	1720	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe	32
PID 1720 wrote to memory of 328	1720	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe	32
PID 1720 wrote to memory of 328	1720	bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe	32

C:\Users\Admin\AppData\Local\Temp\bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\bb7baf2071fe8a67a85388ba47d3b200_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Drops file in Drivers directory
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\WlNLOGON.EXE
  C:\Windows\WlNLOGON.EXE
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2268
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2620
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2732
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1484
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
352KB

MD5
3904da3472e1f156de2a1cd2fb269e89

SHA1
1edb32c9d22207aa6e3026a86edda4faf5e96f71

SHA256
89d847d1ddcca70510fe844be9177416d9e60e195d4e765f59400591fab1fc29

SHA512
cdd391d203aa9a7b470994389d934e098ed142b4db2bfb6c75db8e1e988c19f1e35201c7f982cc02f50a2a5346d102e05c26b1b2cef5bc7c69e056adfe0d9de9

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
352KB

MD5
24bd1dcaaf53e8720a7f91af5eb8022b

SHA1
b31c9f4b8c1d36e30e2057c83c954d4eee448063

SHA256
471bfd905043463a4cedbc6eb43ed610b1717f869455f27d07bbadb0dc454098

SHA512
3f3a1e268165a2e3dacaf1e873ac0d598b277fb4a18fcb21aff380fb0075f680a754f88be0b37d5707de441f39dca5ee8fa635aa8308ec890d5119127981a9e4

Download Submit
C:\Users\Admin\AppData\Local\services.exe

Filesize
352KB

MD5
bb7baf2071fe8a67a85388ba47d3b200

SHA1
00e3aa64bf85cb8ad285b4f9f5913e00254bea3d

SHA256
b38b1d374004cf53cfe474064496194d8bdf06e41ec1a24c239d925d7e4a4ee3

SHA512
6ab6cc3d4c219ab00ff45fb7ac89da4e21b1bb5c82dc667763cae652d53a9320355095b1f41e3561d559b02ee96550a2587eccf1186598eb871770321a1e78e3

Download Submit
C:\Windows\Desktop.ini

Filesize
65B

MD5
990a0bd866566534e37192439277e040

SHA1
90abfe04350a375df3beddd411256143e606461b

SHA256
ee3aaf1bcc2539bdddb6f25f4d0902cd023d83d902196d1bf2fcd37a73469038

SHA512
e598c68ae8f1a62cbc870fb7cf2c634ba24d1f1bfa62428a23aac7c914b3a775fa06564b6e084eaf9215086da433a80e49f2cbe81ca990414df3e57716dea4b7

Download Submit
C:\Windows\MSVBVM60.DLL

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\OEMINFO.ini

Filesize
462B

MD5
45d327d7d806625d696945dea064d7a2

SHA1
81a36b2a66c8dcce870a82409c6f772cc06addf0

SHA256
e022ef7261dfe3e79b78e4bff605ae3f0480cd54d80b7c3358bd9091a0f0f04a

SHA512
8b78bb4fa2c05d509cf171525b0ba7bf735a8890854f0ef16b29c9456ff547ccd86423068f61c21b8f35a0797ee44f9a8697861c34f133c6c26dfcf99e8f849c

Download Submit
C:\Windows\SysWOW64\OEMLOGO.BMP

Filesize
40KB

MD5
4de286f5923036648db750d58ba496e8

SHA1
0252d5d6c7a3b7dfa71fca4b30a53522fd7c6f67

SHA256
eb79555170611879e79b4cdba59bdf679e63df9d7927d01354e5cf859274c58c

SHA512
069daaa01a04add11a9e5fc0988b5d42e6ad50011fa148df41ffb3a905ffc170ab65ba66f4ad921306503d8792dd192c173c532232fc7ef146c09aa76ddf548f

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
352KB

MD5
ac6abf1a878c13c9bcba7f557f319b5d

SHA1
e9c79963b6beb7ac55f96db42feff58b0f399a80

SHA256
cd3c13e3b571829dfcd05cfb27f029b672f60603fd6e0bf40abe5433f72eede5

SHA512
0bafde7f1c61f11a0ee02412ee020933033605f7110ac29bee28d5478f13a27d523af3ec21b74a2eca1b42735deba463784068db76a61fd98628177779dc6fac

Download Submit
C:\Windows\WlNLOGON.EXE

Filesize
352KB

MD5
dde5681ac3510e41c8e118d20f4dd861

SHA1
46defadc26339747c4733c81a822912355ff4de8

SHA256
f1cfbd591a0172ed42937907696277a0e06dfc07183807553bcba901d8e482ba

SHA512
ec11d14d33b3f58a3c50bc19d7d5a4ad5c0122cd4ecd03b95213c439f21b78073a5ee8667ecbaed016ff65e341e2d20ecc3ca85465ef53320544fcb9dc2e2d81

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
352KB

MD5
c0dc1777a397024fff3455d16fdb6665

SHA1
d38a2341a3c2f6cd8a0a5f3188680d46c5a4fa6a

SHA256
db6245a8a84ffd2c404c3427941c4031ad1cc4c48c6cd2d7d4cee5735351da12

SHA512
f3977f6d507c959c10797a6c3705bc68d02528f01b2cdcff083e603429dca9e74d81b2ae17c8877503c1ea2cfe5971ef2625dd317b77f90e58fa2d81edea6c9d

Download Submit
memory/328-156-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/328-162-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/1484-160-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/1720-106-0x0000000003650000-0x00000000036FA000-memory.dmp

Filesize
680KB

Download
memory/1720-159-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/1720-94-0x0000000003650000-0x00000000036FA000-memory.dmp

Filesize
680KB

Download
memory/1720-98-0x0000000003650000-0x00000000036FA000-memory.dmp

Filesize
680KB

Download
memory/1720-2-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/1720-119-0x0000000003650000-0x00000000036FA000-memory.dmp

Filesize
680KB

Download
memory/1720-128-0x0000000003650000-0x00000000036FA000-memory.dmp

Filesize
680KB

Download
memory/1720-140-0x0000000003650000-0x00000000036FA000-memory.dmp

Filesize
680KB

Download
memory/2268-150-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2268-95-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2268-151-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2620-109-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2620-154-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2732-120-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2732-158-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download