Analysis
max time kernel: 18s
max time network: 118s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 27/05/2024, 12:52
Static task: static1
Behavioral task: behavioral1
Sample: 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Resource: win7-20240221-en
General
Target: 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Size: 292KB
MD5: 013fa06d9f9a9034dd6fdacf49802060
SHA1: c581bd0c0d661a2bf468598b31363dadd93066a3
SHA256: e9f2e9ba0c5c8958e550481e1f2f850204d7882f04bd7414c254775c26271877
SHA512: ae2fffc218c202052aff5bc7643fd92bd6dfac14c71169d05eefa82121d262ef854bf5aab5d7b87d21c58371f13bb0ac248ade75a67baada6767c08628c63ae1
SSDEEP: 6144:FvEI2U+T6i5LirrllHy4HUcMQY6s5oG7vdzYbXe:lEIN+T5xYrllrU7QY6a9zYq
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies firewall policy service 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | explorer.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | explorer.exe
Modifies Installed Components in the registry 2 TTPs 5 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Deletes itself 2 IoCs
pid | Process
2804 | explorer.exe
2804 | explorer.exe
Executes dropped EXE 8 IoCs
pid | Process
2804 | explorer.exe
2772 | spoolsv.exe
2444 | svchost.exe
1420 | spoolsv.exe
2804 | explorer.exe
2772 | spoolsv.exe
2444 | svchost.exe
1420 | spoolsv.exe
Loads dropped DLL 16 IoCs
pid | Process
2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
2804 | explorer.exe
2804 | explorer.exe
2772 | spoolsv.exe
2772 | spoolsv.exe
2444 | svchost.exe
2444 | svchost.exe
2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
2804 | explorer.exe
2804 | explorer.exe
2772 | spoolsv.exe
2772 | spoolsv.exe
2444 | svchost.exe
2444 | svchost.exe
resource | yara_rule
behavioral1/memory/2368-3-0x0000000002570000-0x00000000035FE000-memory.dmp | upx
behavioral1/memory/2368-6-0x0000000002570000-0x00000000035FE000-memory.dmp | upx
behavioral1/memory/2368-4-0x0000000002570000-0x00000000035FE000-memory.dmp | upx
behavioral1/memory/2368-11-0x0000000002570000-0x00000000035FE000-memory.dmp | upx
behavioral1/memory/2368-7-0x0000000002570000-0x00000000035FE000-memory.dmp | upx
behavioral1/memory/2368-12-0x0000000002570000-0x00000000035FE000-memory.dmp | upx
behavioral1/memory/2368-13-0x0000000002570000-0x00000000035FE000-memory.dmp | upx
behavioral1/memory/2368-5-0x0000000002570000-0x00000000035FE000-memory.dmp | upx
behavioral1/memory/2368-1-0x0000000002570000-0x00000000035FE000-memory.dmp | upx
behavioral1/memory/2368-27-0x0000000002570000-0x00000000035FE000-memory.dmp | upx
behavioral1/memory/2368-28-0x0000000002570000-0x00000000035FE000-memory.dmp | upx
behavioral1/memory/2368-80-0x0000000002570000-0x00000000035FE000-memory.dmp | upx
behavioral1/memory/2804-104-0x0000000003400000-0x000000000448E000-memory.dmp | upx
behavioral1/memory/2804-106-0x0000000003400000-0x000000000448E000-memory.dmp | upx
behavioral1/memory/2804-105-0x0000000003400000-0x000000000448E000-memory.dmp | upx
behavioral1/memory/2804-107-0x0000000003400000-0x000000000448E000-memory.dmp | upx
behavioral1/memory/2804-102-0x0000000003400000-0x000000000448E000-memory.dmp | upx
behavioral1/memory/2804-108-0x0000000003400000-0x000000000448E000-memory.dmp | upx
behavioral1/memory/2804-110-0x0000000003400000-0x000000000448E000-memory.dmp | upx
behavioral1/memory/2368-3-0x0000000002570000-0x00000000035FE000-memory.dmp | upx
behavioral1/memory/2368-6-0x0000000002570000-0x00000000035FE000-memory.dmp | upx
behavioral1/memory/2368-4-0x0000000002570000-0x00000000035FE000-memory.dmp | upx
behavioral1/memory/2368-11-0x0000000002570000-0x00000000035FE000-memory.dmp | upx
behavioral1/memory/2368-7-0x0000000002570000-0x00000000035FE000-memory.dmp | upx
behavioral1/memory/2368-12-0x0000000002570000-0x00000000035FE000-memory.dmp | upx
behavioral1/memory/2368-13-0x0000000002570000-0x00000000035FE000-memory.dmp | upx
behavioral1/memory/2368-5-0x0000000002570000-0x00000000035FE000-memory.dmp | upx
behavioral1/memory/2368-1-0x0000000002570000-0x00000000035FE000-memory.dmp | upx
behavioral1/memory/2368-27-0x0000000002570000-0x00000000035FE000-memory.dmp | upx
behavioral1/memory/2368-28-0x0000000002570000-0x00000000035FE000-memory.dmp | upx
behavioral1/memory/2368-80-0x0000000002570000-0x00000000035FE000-memory.dmp | upx
behavioral1/memory/2804-104-0x0000000003400000-0x000000000448E000-memory.dmp | upx
behavioral1/memory/2804-106-0x0000000003400000-0x000000000448E000-memory.dmp | upx
behavioral1/memory/2804-105-0x0000000003400000-0x000000000448E000-memory.dmp | upx
behavioral1/memory/2804-107-0x0000000003400000-0x000000000448E000-memory.dmp | upx
behavioral1/memory/2804-102-0x0000000003400000-0x000000000448E000-memory.dmp | upx
behavioral1/memory/2804-108-0x0000000003400000-0x000000000448E000-memory.dmp | upx
behavioral1/memory/2804-110-0x0000000003400000-0x000000000448E000-memory.dmp | upx
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | explorer.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Enumerates connected drives 3 TTPs 3 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | explorer.exe
File opened (read-only) | \??\G: | explorer.exe
File opened (read-only) | \??\H: | explorer.exe
Drops file in Windows directory 6 IoCs
description | ioc | Process
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\SYSTEM.INI | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
File opened for modification | \??\c:\windows\system\explorer.exe | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
2804 | explorer.exe
2804 | explorer.exe
2804 | explorer.exe
2804 | explorer.exe
2444 | svchost.exe
2444 | svchost.exe
2804 | explorer.exe
2444 | svchost.exe
2804 | explorer.exe
2444 | svchost.exe
2804 | explorer.exe
2444 | svchost.exe
2804 | explorer.exe
2444 | svchost.exe
2804 | explorer.exe
2444 | svchost.exe
2804 | explorer.exe
2444 | svchost.exe
2804 | explorer.exe
2444 | svchost.exe
2804 | explorer.exe
2444 | svchost.exe
2804 | explorer.exe
2444 | svchost.exe
2804 | explorer.exe
2444 | svchost.exe
2804 | explorer.exe
2444 | svchost.exe
2804 | explorer.exe
2444 | svchost.exe
2804 | explorer.exe
2444 | svchost.exe
2804 | explorer.exe
2444 | svchost.exe
2804 | explorer.exe
2444 | svchost.exe
2804 | explorer.exe
2444 | svchost.exe
2804 | explorer.exe
2444 | svchost.exe
2804 | explorer.exe
2444 | svchost.exe
2804 | explorer.exe
2444 | svchost.exe
2804 | explorer.exe
2444 | svchost.exe
2804 | explorer.exe
2444 | svchost.exe
2804 | explorer.exe
2444 | svchost.exe
2804 | explorer.exe
2444 | svchost.exe
2804 | explorer.exe
2444 | svchost.exe
2804 | explorer.exe
2444 | svchost.exe
2804 | explorer.exe
2444 | svchost.exe
2804 | explorer.exe
2444 | svchost.exe
2804 | explorer.exe
2444 | svchost.exe
Suspicious behavior: GetForegroundWindowSpam 4 IoCs
pid | Process
2804 | explorer.exe
2444 | svchost.exe
2804 | explorer.exe
2444 | svchost.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2804 | explorer.exe
Token: SeDebugPrivilege | 2804 | explorer.exe
Token: SeDebugPrivilege | 2804 | explorer.exe
Token: SeDebugPrivilege | 2804 | explorer.exe
Token: SeDebugPrivilege | 2804 | explorer.exe
Token: SeDebugPrivilege | 2804 | explorer.exe
Token: SeDebugPrivilege | 2804 | explorer.exe
Token: SeDebugPrivilege | 2804 | explorer.exe
Token: SeDebugPrivilege | 2804 | explorer.exe
Token: SeDebugPrivilege | 2804 | explorer.exe
Token: SeDebugPrivilege | 2804 | explorer.exe
Token: SeDebugPrivilege | 2804 | explorer.exe
Token: SeDebugPrivilege | 2804 | explorer.exe
Token: SeDebugPrivilege | 2804 | explorer.exe
Token: SeDebugPrivilege | 2804 | explorer.exe
Token: SeDebugPrivilege | 2804 | explorer.exe
Token: SeDebugPrivilege | 2804 | explorer.exe
Token: SeDebugPrivilege | 2804 | explorer.exe
Token: SeDebugPrivilege | 2804 | explorer.exe
Token: SeDebugPrivilege | 2804 | explorer.exe
Token: SeDebugPrivilege | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2804 | explorer.exe
Token: SeDebugPrivilege | 2804 | explorer.exe
Token: SeDebugPrivilege | 2804 | explorer.exe
Token: SeDebugPrivilege | 2804 | explorer.exe
Suspicious use of SetWindowsHookEx 24 IoCs
pid | Process
2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
2804 | explorer.exe
2804 | explorer.exe
2772 | spoolsv.exe
2772 | spoolsv.exe
2444 | svchost.exe
2444 | svchost.exe
1420 | spoolsv.exe
1420 | spoolsv.exe
2804 | explorer.exe
2804 | explorer.exe
2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
2804 | explorer.exe
2804 | explorer.exe
2772 | spoolsv.exe
2772 | spoolsv.exe
2444 | svchost.exe
2444 | svchost.exe
1420 | spoolsv.exe
1420 | spoolsv.exe
2804 | explorer.exe
2804 | explorer.exe
Suspicious use of WriteProcessMemory 58 IoCs
description | pid | Process | procid_target
PID 2368 wrote to memory of 1108 | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe | 19
PID 2368 wrote to memory of 1160 | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe | 20
PID 2368 wrote to memory of 1256 | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe | 21
PID 2368 wrote to memory of 1600 | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe | 23
PID 2368 wrote to memory of 2804 | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe | 28
PID 2368 wrote to memory of 2804 | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe | 28
PID 2368 wrote to memory of 2804 | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe | 28
PID 2368 wrote to memory of 2804 | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe | 28
PID 2804 wrote to memory of 2772 | 2804 | explorer.exe | 29
PID 2804 wrote to memory of 2772 | 2804 | explorer.exe | 29
PID 2804 wrote to memory of 2772 | 2804 | explorer.exe | 29
PID 2804 wrote to memory of 2772 | 2804 | explorer.exe | 29
PID 2772 wrote to memory of 2444 | 2772 | spoolsv.exe | 30
PID 2772 wrote to memory of 2444 | 2772 | spoolsv.exe | 30
PID 2772 wrote to memory of 2444 | 2772 | spoolsv.exe | 30
PID 2772 wrote to memory of 2444 | 2772 | spoolsv.exe | 30
PID 2444 wrote to memory of 1420 | 2444 | svchost.exe | 31
PID 2444 wrote to memory of 1420 | 2444 | svchost.exe | 31
PID 2444 wrote to memory of 1420 | 2444 | svchost.exe | 31
PID 2444 wrote to memory of 1420 | 2444 | svchost.exe | 31
PID 2444 wrote to memory of 2620 | 2444 | svchost.exe | 32
PID 2444 wrote to memory of 2620 | 2444 | svchost.exe | 32
PID 2444 wrote to memory of 2620 | 2444 | svchost.exe | 32
PID 2444 wrote to memory of 2620 | 2444 | svchost.exe | 32
PID 2804 wrote to memory of 1108 | 2804 | explorer.exe | 19
PID 2804 wrote to memory of 1160 | 2804 | explorer.exe | 20
PID 2804 wrote to memory of 1256 | 2804 | explorer.exe | 21
PID 2804 wrote to memory of 2444 | 2804 | explorer.exe | 30
PID 2804 wrote to memory of 2444 | 2804 | explorer.exe | 30
PID 2368 wrote to memory of 1108 | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe | 19
PID 2368 wrote to memory of 1160 | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe | 20
PID 2368 wrote to memory of 1256 | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe | 21
PID 2368 wrote to memory of 1600 | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe | 23
PID 2368 wrote to memory of 2804 | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe | 28
PID 2368 wrote to memory of 2804 | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe | 28
PID 2368 wrote to memory of 2804 | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe | 28
PID 2368 wrote to memory of 2804 | 2368 | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe | 28
PID 2804 wrote to memory of 2772 | 2804 | explorer.exe | 29
PID 2804 wrote to memory of 2772 | 2804 | explorer.exe | 29
PID 2804 wrote to memory of 2772 | 2804 | explorer.exe | 29
PID 2804 wrote to memory of 2772 | 2804 | explorer.exe | 29
PID 2772 wrote to memory of 2444 | 2772 | spoolsv.exe | 30
PID 2772 wrote to memory of 2444 | 2772 | spoolsv.exe | 30
PID 2772 wrote to memory of 2444 | 2772 | spoolsv.exe | 30
PID 2772 wrote to memory of 2444 | 2772 | spoolsv.exe | 30
PID 2444 wrote to memory of 1420 | 2444 | svchost.exe | 31
PID 2444 wrote to memory of 1420 | 2444 | svchost.exe | 31
PID 2444 wrote to memory of 1420 | 2444 | svchost.exe | 31
PID 2444 wrote to memory of 1420 | 2444 | svchost.exe | 31
PID 2444 wrote to memory of 2620 | 2444 | svchost.exe | 32
PID 2444 wrote to memory of 2620 | 2444 | svchost.exe | 32
PID 2444 wrote to memory of 2620 | 2444 | svchost.exe | 32
PID 2444 wrote to memory of 2620 | 2444 | svchost.exe | 32
PID 2804 wrote to memory of 1108 | 2804 | explorer.exe | 19
PID 2804 wrote to memory of 1160 | 2804 | explorer.exe | 20
PID 2804 wrote to memory of 1256 | 2804 | explorer.exe | 21
PID 2804 wrote to memory of 2444 | 2804 | explorer.exe | 30
PID 2804 wrote to memory of 2444 | 2804 | explorer.exe | 30
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | explorer.exe
Processes
(path | command line | PID; indentation shows the parent/child relationship)

C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID:1108

C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID:1160

C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:1256
    C:\Users\Admin\AppData\Local\Temp\013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\013fa06d9f9a9034dd6fdacf49802060_NeikiAnalytics.exe" | PID:2368
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Loads dropped DLL
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification
        \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe | PID:2804
            - Modifies WinLogon for persistence
            - Modifies firewall policy service
            - Modifies visibility of hidden/system files in Explorer
            - UAC bypass
            - Windows security bypass
            - Modifies Installed Components in the registry
            - Deletes itself
            - Executes dropped EXE
            - Loads dropped DLL
            - Windows security modification
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Enumerates connected drives
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            - System policy modification
            \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE | PID:2772
                - Executes dropped EXE
                - Loads dropped DLL
                - Drops file in Windows directory
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory
                \??\c:\windows\system\svchost.exe | c:\windows\system\svchost.exe | PID:2444
                    - Modifies WinLogon for persistence
                    - Modifies visibility of hidden/system files in Explorer
                    - Modifies Installed Components in the registry
                    - Executes dropped EXE
                    - Loads dropped DLL
                    - Adds Run key to start application
                    - Drops file in Windows directory
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious behavior: GetForegroundWindowSpam
                    - Suspicious use of SetWindowsHookEx
                    - Suspicious use of WriteProcessMemory
                    \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe PR | PID:1420
                        - Executes dropped EXE
                        - Suspicious use of SetWindowsHookEx
                    C:\Windows\SysWOW64\at.exe | at 12:54 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe | PID:2620

C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:1600
Network
MITRE ATT&CK Enterprise v15
Persistence
    Boot or Logon Autostart Execution (3)
        Registry Run Keys / Startup Folder (2)
        Winlogon Helper DLL (1)
    Create or Modify System Process (1)
        Windows Service (1)
Privilege Escalation
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Boot or Logon Autostart Execution (3)
        Registry Run Keys / Startup Folder (2)
        Winlogon Helper DLL (1)
    Create or Modify System Process (1)
        Windows Service (1)
Defense Evasion
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Hide Artifacts (1)
        Hidden Files and Directories (1)
    Impair Defenses (3)
        Disable or Modify Tools (3)
    Modify Registry (9)
Downloads

Filesize: 292KB
MD5: fb2c81b164697503eee3bd2dfe448f2c
SHA1: d1dbd1ca55f5b959d428cb0817ac824a47fceb55
SHA256: 225f73556241cace89ec05fffc5ca25199ae3eb01618ca323f1aab548d4bc122
SHA512: 6d5b7a445cdf0699d0e799aeda6b45e67d5bcd195f6c654bf670db6c25650e207469ba7b1a9d709e6973fb0e762bb6ec8bb0bf6cba14f361678def9c72a09022

Filesize: 257B
MD5: 6d41c835c4a578084d21e7a3899568d7
SHA1: 87f0d5ae59ecc5ddd5b1c463510869f6720713a8
SHA256: c546fe4de620c68d5f83d34b839daa5047edec432bc7059d261ea985471e8b48
SHA512: 7656b53fc25032e5913a0ec2f7ac1cd0f46393be4c5134c6c3e20dca91fc84751ce9b6185dd62c51c7ff25be0508366ba38942cecb4cea3cae4b88f07a49d294

Filesize: 292KB
MD5: 51c0d60890a1f749e58f2f9ce861ded2
SHA1: d8fdb1982091d71d5ac616e29bfeb749bacffa67
SHA256: 9bad790df72827834f7c51eae4e135eb02bb8e554183fd1b6a8acf4997dd2048
SHA512: 8c66cad59e706d0989c14229ac4e252acaf584b3aa08e018a32c55d46b958a5edfe81750ca5c2c822b037d31900e8cb4f14784580a2acd5cf9ac00fdf2d24ae2

Filesize: 292KB
MD5: 868c8f0a092d41de60e455111d69e0ee
SHA1: 4d25e9fa5f6d4ba2f640f46b047e6ade53c986c9
SHA256: 66aa3a0d1d19da29f90106cbb69c661779cc9ef22ce9373e827f79eccb2786ff
SHA512: 21c988de0c5d3a43edabba8580f9246f910f43bdfa011d199f503dfc192417ddacaa67edda5af7602fa673c064ed9e6bce0e2c5884b1c86da74d34f7de023735

Filesize: 292KB
MD5: 324b67bbc6ade921d6d8b3efd3b21e48
SHA1: 9a55d856a2364b9a3a76c6eed886a1226497f61a
SHA256: 49d09ee1baa7a91969c827e2be10dfd930080ad4b99ab7dff49bcf822caf0685
SHA512: e2c48639b763d151341b96b649f9634482ec7a3857f5b4f2ccaea17c5c29b2cd042b9ed64b416f3a8687057ed37ce9a52f2185564626adf6f9be25081a528e61