e7b09d5333180f77fd3306871397cce1541ae3c4afb73f8731f915d718e04ea5

Windows Service

T1543.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\users\admin\appdata\local\temp\6c67fea9c60232a9e9ec02d2c20b0d60_neikianalytics.exe = "c:\\users\\admin\\appdata\\local\\temp\\6c67fea9c60232a9e9ec02d2c20b0d60_neikianalytics.exe:*:Enabled:SMPN"	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wdfmgr = "c:\\windows\\wdfmgr.exe"	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msrpc = "c:\\windows\\msrpc.exe"	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wdfmgr\ImagePath = "c:\\windows\\wdfmgr.exe"	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wdfmgr = "c:\\windows\\wdfmgr.exe"	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\wdfmgr = "c:\\windows\\wdfmgr.exe"	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsassv = "c:\\windows\\lsassv.exe"	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\t:	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe
File opened (read-only)	\??\s:	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe
File opened (read-only)	\??\m:	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe
File opened (read-only)	\??\k:	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe
File opened (read-only)	\??\j:	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe
File opened (read-only)	\??\e:	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe
File opened (read-only)	\??\y:	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe
File opened (read-only)	\??\x:	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe
File opened (read-only)	\??\u:	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe
File opened (read-only)	\??\l:	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe
File opened (read-only)	\??\i:	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe
File opened (read-only)	\??\z:	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe
File opened (read-only)	\??\w:	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe
File opened (read-only)	\??\r:	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe
File opened (read-only)	\??\p:	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe
File opened (read-only)	\??\o:	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe
File opened (read-only)	\??\v:	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe
File opened (read-only)	\??\q:	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe
File opened (read-only)	\??\n:	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe
File opened (read-only)	\??\h:	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe
File opened (read-only)	\??\g:	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\regedit.exe	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\wdfmgr.exe	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\calc.exe	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\mui\rctfd.sys	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe
File created	\??\c:\windows\wdfmgr.exe	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\msrpc.exe	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe
File created	\??\c:\windows\Start Menu\Programs\Startup\AdobeLoader.scr	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe
File created	\??\c:\windows\lsassv.exe	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\lsassv.exe	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe
File created	\??\c:\windows\msrpc.exe	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe
File created	\??\c:\windows\calc.exe	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe
File created	\??\c:\windows\regedit2.exe	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\regedit2.exe	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe
File created	\??\c:\windows\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\AdobeLoader.scr	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\ThisEXE = "c:\\users\\admin\\appdata\\local\\temp\\6c67fea9c60232a9e9ec02d2c20b0d60_neikianalytics.exe"	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\VerProg = "157"	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1964	6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6c67fea9c60232a9e9ec02d2c20b0d60_NeikiAnalytics.exe"
1⤵
- Modifies firewall policy service
- Adds policy Run key to start application
- Sets service image path in registry
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

4

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery