76886fc56486c6f7d908a29f63bdd1abad67d0ea6b440acd757ef3950fb301b6

Analysis

max time kernel
142s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27/05/2024, 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
Size

204KB
MD5

7c497a15d00cc46f9ca2fd89426e2ce0
SHA1

2a02c3973f728924f0e4bef7a19ace72e0c1b467
SHA256

76886fc56486c6f7d908a29f63bdd1abad67d0ea6b440acd757ef3950fb301b6
SHA512

a275baf488852d54805c664424617e376ac48c34437f24693c59092416378182d7615857efaa17bb53e4a6416ceb4d6b6b786fd5fe84c39dc40a8d62673ee2e0
SSDEEP

3072:m/5F/E7tEf0E+p+tYlpJH7iXQNgggHlxDZiYLK5WpYMGmUXNQDaG0A8+:mhF4c5+wWJH7igNgjdFKsumUXG+i

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 14 IoCs

pid	Process
1048	xk.exe
1900	IExplorer.exe
4080	WINLOGON.EXE
1432	CSRSS.EXE
3896	SERVICES.EXE
2920	LSASS.EXE
4428	SMSS.EXE
1096	xk.exe
3976	IExplorer.exe
4216	WINLOGON.EXE
2632	CSRSS.EXE
2140	SERVICES.EXE
384	LSASS.EXE
1256	SMSS.EXE

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File created	C:\desktop.ini	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
File opened for modification	F:\desktop.ini	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
File created	F:\desktop.ini	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
File opened for modification	C:\desktop.ini	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
File opened (read-only)	\??\J:	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
File opened (read-only)	\??\M:	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
File opened (read-only)	\??\P:	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
File opened (read-only)	\??\V:	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
File opened (read-only)	\??\W:	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
File opened (read-only)	\??\X:	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
File opened (read-only)	\??\Y:	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
File opened (read-only)	\??\Z:	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
File opened (read-only)	\??\K:	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
File opened (read-only)	\??\R:	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
File opened (read-only)	\??\U:	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
File opened (read-only)	\??\E:	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
File opened (read-only)	\??\I:	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
File opened (read-only)	\??\L:	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
File opened (read-only)	\??\O:	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
File opened (read-only)	\??\Q:	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
File opened (read-only)	\??\S:	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
File opened (read-only)	\??\G:	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
File opened (read-only)	\??\H:	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
File opened (read-only)	\??\N:	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
File opened (read-only)	\??\T:	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\shell.exe	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mig2.scr	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
File created	C:\Windows\xk.exe	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
228	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
228	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
228	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
1048	xk.exe
1900	IExplorer.exe
4080	WINLOGON.EXE
1432	CSRSS.EXE
3896	SERVICES.EXE
2920	LSASS.EXE
4428	SMSS.EXE
1096	xk.exe
3976	IExplorer.exe
4216	WINLOGON.EXE
2632	CSRSS.EXE
2140	SERVICES.EXE
384	LSASS.EXE
1256	SMSS.EXE

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 1048	228	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe	90
PID 228 wrote to memory of 1048	228	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe	90
PID 228 wrote to memory of 1048	228	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe	90
PID 228 wrote to memory of 1900	228	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe	91
PID 228 wrote to memory of 1900	228	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe	91
PID 228 wrote to memory of 1900	228	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe	91
PID 228 wrote to memory of 4080	228	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe	92
PID 228 wrote to memory of 4080	228	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe	92
PID 228 wrote to memory of 4080	228	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe	92
PID 228 wrote to memory of 1432	228	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe	93
PID 228 wrote to memory of 1432	228	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe	93
PID 228 wrote to memory of 1432	228	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe	93
PID 228 wrote to memory of 3896	228	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe	94
PID 228 wrote to memory of 3896	228	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe	94
PID 228 wrote to memory of 3896	228	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe	94
PID 228 wrote to memory of 2920	228	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe	95
PID 228 wrote to memory of 2920	228	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe	95
PID 228 wrote to memory of 2920	228	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe	95
PID 228 wrote to memory of 4428	228	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe	96
PID 228 wrote to memory of 4428	228	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe	96
PID 228 wrote to memory of 4428	228	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe	96
PID 228 wrote to memory of 1096	228	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe	102
PID 228 wrote to memory of 1096	228	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe	102
PID 228 wrote to memory of 1096	228	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe	102
PID 228 wrote to memory of 3976	228	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe	103
PID 228 wrote to memory of 3976	228	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe	103
PID 228 wrote to memory of 3976	228	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe	103
PID 228 wrote to memory of 4216	228	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe	104
PID 228 wrote to memory of 4216	228	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe	104
PID 228 wrote to memory of 4216	228	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe	104
PID 228 wrote to memory of 2632	228	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe	105
PID 228 wrote to memory of 2632	228	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe	105
PID 228 wrote to memory of 2632	228	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe	105
PID 228 wrote to memory of 2140	228	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe	106
PID 228 wrote to memory of 2140	228	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe	106
PID 228 wrote to memory of 2140	228	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe	106
PID 228 wrote to memory of 384	228	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe	107
PID 228 wrote to memory of 384	228	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe	107
PID 228 wrote to memory of 384	228	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe	107
PID 228 wrote to memory of 1256	228	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe	108
PID 228 wrote to memory of 1256	228	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe	108
PID 228 wrote to memory of 1256	228	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe	108

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7c497a15d00cc46f9ca2fd89426e2ce0_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:228
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1048
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1900
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4080
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1432
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3896
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2920
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4428
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1096
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3976
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4216
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2632
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2140
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:384
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
204KB

MD5
1db568b1aa44f58809d09f65dc10950d

SHA1
0ce2ae9e5aab71159fc8e19f7e910caca28954b9

SHA256
764c150e358ab42fe9942eb945002e9fe4bc68fb83bd16a461d7c2e0519c59b9

SHA512
afb210fed4dca1571e7da5db30ad944c865f11249bc9c9c7e0a47a66210a21d0eec1efbcf78d4593793b2618aab6d6de1a023e57109ab4e3573f208f73531fc1

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
204KB

MD5
23a33997970ed1e9452333a4edc7cb69

SHA1
5462dd9f07ee461a9a9844c9b18e09f6a8cc7474

SHA256
7e56d3e05004b187e478d093f5647235bc9a72f5dcd130e4bb138df9b6036476

SHA512
6ae7e5710f0489c7a7ddafb91a167484f3c8049af54f041144df8d9dbe0c2c9a4e6ee7e67f7d2727b0d3891f011463c410f53e24d35418d1ce130b718438de34

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
204KB

MD5
aae3f308a6ce6a09cd61c7e3ffa18ce3

SHA1
386b238c46f09e2e5c8bd1d5d83914dd60f7b3a0

SHA256
cd047517bd41c81a8ddbce1ac327da4e855eaeec25915d25fa184a60f2dff738

SHA512
339ff5c6ec178a2a54ce4cc2100bf3a6f16ddedf2abe446b37f47a3af135f9e6479a12313ba13ea1e3ad7a2a7155b7bb52ae422720d6dd89e970ce9b3162c086

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
204KB

MD5
5b692778cf3fc5f163a1d4bbbe020d82

SHA1
02202d48404d7491ad6f98ff4457185ead165d72

SHA256
e15c57f99a8833d949175c52b3b80257d9b16c14f9f4b6fd90e9f83172ae855f

SHA512
c9e6bc7844110fad32f8ac4f7c3b9cdbafb264025bba2fce1dcdf13703292ab4f290c2365c5be092b3dd8f6d4525f8117377820ccf43859dfcf83668d9d96098

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
204KB

MD5
d1640672de97f0f585922d9efbabadc7

SHA1
026e41e13c18619836d7ea913fe7ad07826e542e

SHA256
fdfd79aff8cbd97947a469422ef519b34c06ec91b0efdd6d32f29dc72da51924

SHA512
b9c99726a90cefc9a7b78e3f459fbf5e935d11a6f9e7d70ad7a971b593444c396fe067a5c55324b8dd9ecf52337062d03ff64ab1065d0594973c2bc7a0ef9a43

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
204KB

MD5
7c497a15d00cc46f9ca2fd89426e2ce0

SHA1
2a02c3973f728924f0e4bef7a19ace72e0c1b467

SHA256
76886fc56486c6f7d908a29f63bdd1abad67d0ea6b440acd757ef3950fb301b6

SHA512
a275baf488852d54805c664424617e376ac48c34437f24693c59092416378182d7615857efaa17bb53e4a6416ceb4d6b6b786fd5fe84c39dc40a8d62673ee2e0

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
204KB

MD5
eba5ce669e784052fd4ab1693ae0dbef

SHA1
ebfa9501f9f8a6a18cea102056f3aa99dd766524

SHA256
2439b99c51754b74920f436e122c117011913484d4859a7cc9838ff571d37465

SHA512
2530f3edae1ed5da06d1890787b5107f98fbd917c4140c768f77de7bd6f1cb7a3ad61251d1ec359e965201f7e446cec7be9ba9ff0b6a72ada4e99334779bccf4

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
204KB

MD5
ad222271f2392842848fa01049f62190

SHA1
da3f431d61d4c3cc551dfd7f61b135a03dc4e209

SHA256
0b2fe71e13381a07e734a4a0cf594ec1a59511a1fbe523fff4bd4d8d88466e41

SHA512
eefc2dd33c4ae6940fa05565d35fe7c9eadaa678b2378c3fd0acc050a4f490d1f3a417d581dc30867fa8b69c717770b62efc42d73fb138d67d05da3cd2e5dcc1

Download Submit
C:\Windows\xk.exe

Filesize
204KB

MD5
33bdd92ab73863d7b7194e8de90a1856

SHA1
0d8c4e9236514f6366929afa9315de64e968d371

SHA256
38f9cb3e674215c932b674f4d7b8ffbe1541752c07089bb4a75ab39bcdb1cc2e

SHA512
747926b4173e1630e48d166ebd241c9693f6249a1eb2e23c81ab5a26216569415c1334624cfd9819398ccdc91e7e2e2c6031238af667ec42b301d9173df7665e

Download Submit
C:\XK\Folder.htt

Filesize
640B

MD5
5d142e7978321fde49abd9a068b64d97

SHA1
70020fcf7f3d6dafb6c8cd7a55395196a487bef4

SHA256
fe222b08327bbfb35cbd627c0526ba7b5755b02ce0a95823a4c0bf58e601d061

SHA512
2351284652a9a1b35006baf4727a85199406e464ac33cb4701a6182e1076aaff022c227dbe4ad6e916eba15ebad08b10719a8e86d5a0f89844a163a7d4a7bbf9

Download Submit
C:\desktop.ini

Filesize
217B

MD5
c00d8433fe598abff197e690231531e0

SHA1
4f6b87a4327ff5343e9e87275d505b9f145a7e42

SHA256
52fb776a91b260bf196016ecb195550cdd9084058fe7b4dd3fe2d4fda1b6470e

SHA512
a71523ec2bd711e381a37baabd89517dff6c6530a435f4382b7f4056f98aff5d6014e85ce3b79bd1f02fdd6adc925cd3fc051752c1069e9eb511a465cd9908e1

Download Submit
memory/228-273-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/228-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/228-198-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/384-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/384-241-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1048-134-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1048-126-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1096-217-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1256-252-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1432-147-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1432-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1900-133-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1900-137-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2140-236-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2632-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2632-228-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2920-165-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2920-161-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3896-158-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3896-155-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3976-222-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3976-218-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4080-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4080-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4216-227-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4216-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4428-178-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4428-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download