Analysis
max time kernel: 142s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-05-2024 00:02
Static task: static1
Behavioral task: behavioral1
  Sample: 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
  Resource: win10v2004-20240226-en
General
Target: 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Size: 205KB
MD5: 28357c37e444030d84a1b4516ddc32d0
SHA1: 5467b9cd50846d306ac8206b51e6b9841386db14
SHA256: cf5b0b153fa2e108c83665ea9c13a5d0f44e73e97d59190fef243b2bdc85cdab
SHA512: 39203541af816de57577387bc36463fd5dcc1c5bac3020d3bc6c0d733503f910d3b7e3adc33d5562b1becfeb5d236a309662905c1beebd6ecab1bbf80a3e64ed
SSDEEP: 3072:E/5F/E7tEf0i+p+tYlpJH7iXQNgggHlxDZiYLK5WpY9vSGmF3onW+MBm:EhF4cH+wWJH7igNgjdFKsAvHmF3onW+x
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe

Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe

Disables RegEdit via registry modification (2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe

Disables use of System Restore points (1 TTPs)
Executes dropped EXE (14 IoCs)
pid | Process
3232 | xk.exe
2388 | IExplorer.exe
456 | WINLOGON.EXE
3596 | CSRSS.EXE
4552 | SERVICES.EXE
4200 | LSASS.EXE
4340 | SMSS.EXE
4300 | xk.exe
1280 | IExplorer.exe
1988 | WINLOGON.EXE
3416 | CSRSS.EXE
2488 | SERVICES.EXE
636 | LSASS.EXE
3428 | SMSS.EXE

Modifies system executable filetype association (2 TTPs, 13 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe

Adds Run key to start application (2 TTPs, 5 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe

Drops desktop.ini file(s) (4 IoCs)
description | ioc | Process
File opened for modification | C:\desktop.ini | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File created | C:\desktop.ini | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File opened for modification | F:\desktop.ini | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File created | F:\desktop.ini | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\I: | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File opened (read-only) | \??\J: | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File opened (read-only) | \??\O: | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File opened (read-only) | \??\P: | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File opened (read-only) | \??\Q: | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File opened (read-only) | \??\S: | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File opened (read-only) | \??\T: | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File opened (read-only) | \??\Z: | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File opened (read-only) | \??\K: | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File opened (read-only) | \??\L: | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File opened (read-only) | \??\V: | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File opened (read-only) | \??\W: | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File opened (read-only) | \??\E: | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File opened (read-only) | \??\G: | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File opened (read-only) | \??\H: | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File opened (read-only) | \??\M: | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File opened (read-only) | \??\N: | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File opened (read-only) | \??\R: | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File opened (read-only) | \??\U: | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File opened (read-only) | \??\B: | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File opened (read-only) | \??\X: | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File opened (read-only) | \??\Y: | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe

Drops file in System32 directory (6 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\shell.exe | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File created | C:\Windows\SysWOW64\shell.exe | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File created | C:\Windows\SysWOW64\Mig2.scr | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\Mig2.scr | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe

Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\xk.exe | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
File created | C:\Windows\xk.exe | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe

Modifies Control Panel (4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Modifies registry class (15 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4836 | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
4836 | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx (15 IoCs)
pid | Process
4836 | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
3232 | xk.exe
2388 | IExplorer.exe
456 | WINLOGON.EXE
3596 | CSRSS.EXE
4552 | SERVICES.EXE
4200 | LSASS.EXE
4340 | SMSS.EXE
4300 | xk.exe
1280 | IExplorer.exe
1988 | WINLOGON.EXE
3416 | CSRSS.EXE
2488 | SERVICES.EXE
636 | LSASS.EXE
3428 | SMSS.EXE

Suspicious use of WriteProcessMemory (42 IoCs)
description | pid | Process | procid_target
PID 4836 wrote to memory of 3232 | 4836 | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe | 90
PID 4836 wrote to memory of 3232 | 4836 | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe | 90
PID 4836 wrote to memory of 3232 | 4836 | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe | 90
PID 4836 wrote to memory of 2388 | 4836 | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe | 91
PID 4836 wrote to memory of 2388 | 4836 | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe | 91
PID 4836 wrote to memory of 2388 | 4836 | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe | 91
PID 4836 wrote to memory of 456 | 4836 | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe | 92
PID 4836 wrote to memory of 456 | 4836 | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe | 92
PID 4836 wrote to memory of 456 | 4836 | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe | 92
PID 4836 wrote to memory of 3596 | 4836 | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe | 93
PID 4836 wrote to memory of 3596 | 4836 | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe | 93
PID 4836 wrote to memory of 3596 | 4836 | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe | 93
PID 4836 wrote to memory of 4552 | 4836 | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe | 94
PID 4836 wrote to memory of 4552 | 4836 | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe | 94
PID 4836 wrote to memory of 4552 | 4836 | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe | 94
PID 4836 wrote to memory of 4200 | 4836 | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe | 95
PID 4836 wrote to memory of 4200 | 4836 | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe | 95
PID 4836 wrote to memory of 4200 | 4836 | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe | 95
PID 4836 wrote to memory of 4340 | 4836 | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe | 96
PID 4836 wrote to memory of 4340 | 4836 | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe | 96
PID 4836 wrote to memory of 4340 | 4836 | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe | 96
PID 4836 wrote to memory of 4300 | 4836 | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe | 97
PID 4836 wrote to memory of 4300 | 4836 | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe | 97
PID 4836 wrote to memory of 4300 | 4836 | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe | 97
PID 4836 wrote to memory of 1280 | 4836 | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe | 98
PID 4836 wrote to memory of 1280 | 4836 | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe | 98
PID 4836 wrote to memory of 1280 | 4836 | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe | 98
PID 4836 wrote to memory of 1988 | 4836 | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe | 105
PID 4836 wrote to memory of 1988 | 4836 | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe | 105
PID 4836 wrote to memory of 1988 | 4836 | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe | 105
PID 4836 wrote to memory of 3416 | 4836 | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe | 106
PID 4836 wrote to memory of 3416 | 4836 | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe | 106
PID 4836 wrote to memory of 3416 | 4836 | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe | 106
PID 4836 wrote to memory of 2488 | 4836 | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe | 107
PID 4836 wrote to memory of 2488 | 4836 | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe | 107
PID 4836 wrote to memory of 2488 | 4836 | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe | 107
PID 4836 wrote to memory of 636 | 4836 | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe | 108
PID 4836 wrote to memory of 636 | 4836 | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe | 108
PID 4836 wrote to memory of 636 | 4836 | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe | 108
PID 4836 wrote to memory of 3428 | 4836 | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe | 109
PID 4836 wrote to memory of 3428 | 4836 | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe | 109
PID 4836 wrote to memory of 3428 | 4836 | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe | 109

System policy modification (1 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
Processes
Process tree (indentation shows parent/child relationship; the fourteen child processes below were all spawned by PID 4836):

PID 4836: C:\Users\Admin\AppData\Local\Temp\28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\28357c37e444030d84a1b4516ddc32d0_NeikiAnalytics.exe"
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification

  PID 3232: C:\Windows\xk.exe
    Command line: C:\Windows\xk.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

  PID 2388: C:\Windows\SysWOW64\IExplorer.exe
    Command line: C:\Windows\system32\IExplorer.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

  PID 456: C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

  PID 3596: C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

  PID 4552: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

  PID 4200: C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

  PID 4340: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

  PID 4300: C:\Windows\xk.exe
    Command line: C:\Windows\xk.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

  PID 1280: C:\Windows\SysWOW64\IExplorer.exe
    Command line: C:\Windows\system32\IExplorer.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

  PID 1988: C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

  PID 3416: C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

  PID 2488: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

  PID 636: C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

  PID 3428: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

PID 740: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (separate top-level process, no signatures)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Event Triggered Execution (1)
    Change Default File Association (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Event Triggered Execution (1)
    Change Default File Association (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Modify Registry (6)
Downloads