b9bcd679d6616caf3dae698133f8508a99835c45c59af5566c44698cb34ee2ec

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
Size

91KB
MD5

6abd70dc8195e9d5bcf544914dc587c0
SHA1

0d18c1227543feb6aa35c34a72eb307df9384e99
SHA256

b9bcd679d6616caf3dae698133f8508a99835c45c59af5566c44698cb34ee2ec
SHA512

8bdc1d93ce569e1e4987a64149c87d0adca237a40c0abc6b4e5b205d938ef538601b8fedb8be4339974e424ea34ca17baffa94ec2d167b0d4c6b34db34cfea7e
SSDEEP

1536:8AwEmBj3EXHn4x+9a4SAwEmBj3EXHn4x+9aBm:8GmF3onW+M4SGmF3onW+MBm

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 14 IoCs

pid	Process
2728	xk.exe
1936	IExplorer.exe
772	WINLOGON.EXE
5584	CSRSS.EXE
5572	SERVICES.EXE
5768	LSASS.EXE
5336	SMSS.EXE
2000	xk.exe
4288	IExplorer.exe
2600	WINLOGON.EXE
5196	CSRSS.EXE
5128	SERVICES.EXE
3596	LSASS.EXE
4968	SMSS.EXE

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File created	C:\desktop.ini	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
File opened for modification	F:\desktop.ini	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
File created	F:\desktop.ini	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
File opened for modification	C:\desktop.ini	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
File opened (read-only)	\??\K:	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
File opened (read-only)	\??\L:	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
File opened (read-only)	\??\S:	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
File opened (read-only)	\??\Y:	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
File opened (read-only)	\??\B:	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
File opened (read-only)	\??\H:	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
File opened (read-only)	\??\J:	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
File opened (read-only)	\??\M:	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
File opened (read-only)	\??\O:	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
File opened (read-only)	\??\U:	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
File opened (read-only)	\??\W:	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
File opened (read-only)	\??\E:	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
File opened (read-only)	\??\G:	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
File opened (read-only)	\??\N:	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
File opened (read-only)	\??\P:	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
File opened (read-only)	\??\V:	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
File opened (read-only)	\??\X:	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
File opened (read-only)	\??\Q:	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
File opened (read-only)	\??\R:	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
File opened (read-only)	\??\T:	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
File opened (read-only)	\??\Z:	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mig2.scr	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\shell.exe	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\xk.exe	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\xk.exe	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2620	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
2620	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2620	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
2728	xk.exe
1936	IExplorer.exe
772	WINLOGON.EXE
5584	CSRSS.EXE
5572	SERVICES.EXE
5768	LSASS.EXE
5336	SMSS.EXE
2000	xk.exe
4288	IExplorer.exe
2600	WINLOGON.EXE
5196	CSRSS.EXE
5128	SERVICES.EXE
3596	LSASS.EXE
4968	SMSS.EXE

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 2728	2620	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe	91
PID 2620 wrote to memory of 2728	2620	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe	91
PID 2620 wrote to memory of 2728	2620	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe	91
PID 2620 wrote to memory of 1936	2620	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe	92
PID 2620 wrote to memory of 1936	2620	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe	92
PID 2620 wrote to memory of 1936	2620	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe	92
PID 2620 wrote to memory of 772	2620	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe	93
PID 2620 wrote to memory of 772	2620	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe	93
PID 2620 wrote to memory of 772	2620	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe	93
PID 2620 wrote to memory of 5584	2620	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe	94
PID 2620 wrote to memory of 5584	2620	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe	94
PID 2620 wrote to memory of 5584	2620	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe	94
PID 2620 wrote to memory of 5572	2620	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe	95
PID 2620 wrote to memory of 5572	2620	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe	95
PID 2620 wrote to memory of 5572	2620	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe	95
PID 2620 wrote to memory of 5768	2620	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe	96
PID 2620 wrote to memory of 5768	2620	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe	96
PID 2620 wrote to memory of 5768	2620	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe	96
PID 2620 wrote to memory of 5336	2620	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe	97
PID 2620 wrote to memory of 5336	2620	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe	97
PID 2620 wrote to memory of 5336	2620	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe	97
PID 2620 wrote to memory of 2000	2620	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe	104
PID 2620 wrote to memory of 2000	2620	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe	104
PID 2620 wrote to memory of 2000	2620	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe	104
PID 2620 wrote to memory of 4288	2620	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe	105
PID 2620 wrote to memory of 4288	2620	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe	105
PID 2620 wrote to memory of 4288	2620	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe	105
PID 2620 wrote to memory of 2600	2620	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe	106
PID 2620 wrote to memory of 2600	2620	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe	106
PID 2620 wrote to memory of 2600	2620	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe	106
PID 2620 wrote to memory of 5196	2620	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe	107
PID 2620 wrote to memory of 5196	2620	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe	107
PID 2620 wrote to memory of 5196	2620	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe	107
PID 2620 wrote to memory of 5128	2620	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe	109
PID 2620 wrote to memory of 5128	2620	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe	109
PID 2620 wrote to memory of 5128	2620	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe	109
PID 2620 wrote to memory of 3596	2620	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe	111
PID 2620 wrote to memory of 3596	2620	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe	111
PID 2620 wrote to memory of 3596	2620	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe	111
PID 2620 wrote to memory of 4968	2620	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe	112
PID 2620 wrote to memory of 4968	2620	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe	112
PID 2620 wrote to memory of 4968	2620	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe	112

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6abd70dc8195e9d5bcf544914dc587c0_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2620
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2728
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1936
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:772
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5584
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5572
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5768
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5336
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2000
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4288
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2600
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5196
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5128
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3596
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3984 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:5276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
acad89de594cfad3c56916c9cc44e870

SHA1
8ac0ce31e8575bc8a9fa44d731695fcb718d59bb

SHA256
d8b2c18cfec421a9222540a347a0849682bd866753e59d8fcab21cf22e955199

SHA512
195370fede70ffcba6d79cfcbd26fae8e0fb8674143824b9d37a6f41ed6cfc9de5bd41342ecd3e11f1acde8f5a02911a3b44dd1815f56f7ebb9642688926f1e4

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
49e261dcea7d350074e52c9fa5a3c3d1

SHA1
0874879af994b861e5ad871c182e46fd3a315302

SHA256
e7c1906d85a2dc275920e78a2660d773f8ed8bb301e21c82ef3fd4f6d9b5bc6d

SHA512
96c4f41aed17d89e5ec2a9c5fa7586e48fcf5bbcb68908aac1fb99e013f7f88e1d59e6cd054b9261b2880f2865c8024900c4a6cfdc4fe75c7d606224cd839737

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
64a36a54795a8b9799080279ad043651

SHA1
beec7f5d944742e9f6cfa2cf840bb2f44c6e710d

SHA256
7de4da8e881821d1337f7346f60585f5be4cecce9dfe363db0eebd22f0d58922

SHA512
479bbe0aeb21047b878cd787135371a686b63fd2294313afe820dbb9be691beb8e3bdd2e721ec4f6e9dc28938d719a669a164ee201c9535923a1ee62b8b736e2

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
b7abead74879d959f5a3931091cb154e

SHA1
a1b69fab002763ff7e2e15eb0ba5cb1f39bf2af8

SHA256
d18eb1e55331791a968e97c75b32b5e227083eecbf8df51e27832d0b93bdc8b5

SHA512
ac052af5585f2f8d3fd17ede47120e943d089343175d56fda95a2f61e3b5cecea11dbed1d88cbcc31e97552f40c3e48430b1d308948493eae97e3ce9a925a6be

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
2a7814234cecea6020830636a43a6d95

SHA1
7ff424839af870ccd986da0d57f707929bdc51e8

SHA256
da0abe11a127270bbb2062fb54afda751985aa1eb09326ac5930cbc4e3f4d048

SHA512
8456ca43d99119ced0516a2089878105ffe30afd37fba35b7666bdaff0a8b23a5ff30d8d1e04c8fc92a8c959bb175a7ddfb2cbc4e3910e3f1e52d4bbb319dc17

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
e47834c9bcb271c3b320f2db0afa4067

SHA1
9264c878e00cb54b864d45aa589a4b1c56ddea9a

SHA256
dead30ca5c71a978abd1bbc3d70b2fc80863af016f3d4fc24a66b62d0a535d3f

SHA512
762719da4bacba3ea01d184fea08ba3c038b1cdffc87e3caa802efe9da3bcec13ebaa8464bc54e667ec523f9f9d89c59b5ce6047976c3b8a87bed420d0de3a14

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
acc27219a405c73730ad42b9bf95300d

SHA1
990b23570e0f44a88bb2d4fcd24afef9bcc9398a

SHA256
a95e6651c9e86cbe9a51126705a538394c2a64fae0cf9df9a18a78be611f1476

SHA512
ca281fb1a8c1227b87bbe7f7db3c0a7bf710c69de3d4dce5638a7b2bdfe57a7b3c54f7a4597ebb7dbe063e18c7f4ff4dfe237864e3aa916420fe490d5f28b101

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
82c8cdfe6095c062ea9cf6343517a903

SHA1
2393b9e021bf1cb3b93a0b70f7de2e78a93a74d4

SHA256
e40e33c7daf38f27176dce43229ab9e040d2660a52a6fca46a2dfd77a6f6d8c5

SHA512
7d2218c2dd4a3a6eb2eea989b56ae46bea2680b4ec633102d593bc713c5bf2651d619ba490a3408d6c6db5aacec99be05703fd884b3effff905a83916e0d64fc

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
e134684c392355996e92d9b65759a6e1

SHA1
98259e312b841d9741cb7674b711bc05d05f6ac6

SHA256
083ece23eae8db19465b1db9976245b451fb86afee4378fe315b043c3f1ec1fd

SHA512
27395a966116d29423780cab70e2092bd7bffd9e3a8b2091386ea68dcabb7a66b60e57c238573034db9640fac384c2adc69448a3115b2bbae5507a387dc66577

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
88255fb13e37248e4a9933829fa71040

SHA1
ce4cb7da1a41cf91e03f84cfc5e7133c025d00ab

SHA256
2f189af19ab25416b46d3b7a7457859cf7d3c20bfaf7b97e16159e10c91263a5

SHA512
7b02607b3f201fec2f962a5191245e90a8bd19dc0241c4f63a6f554ea709206f419a83c14e9a5c26fa783be5ab71628eb719a1aacd5b278e9adabbfed938de59

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
234d3d565efb0668a9cc11c766712576

SHA1
588985839893a473cfb2b2e416bcff1dafbe154b

SHA256
e05129c78beee39349afe9c02ce9fb71e2dbf9f6c44f3a584266074d63f83e6f

SHA512
c61d665cddd03f3b4811a29a459a3da50129eff0bccff95710f63d2b9b9ef0cb4a1410c4c3f0bdc5a3ddba3e5e44b29bb8fbc3b8264511ee8dda38bf3ed8be26

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
55f5de24c3249ae560a1eb9e15b075c6

SHA1
5a578e711dce932095afc3e115c9f001689b7dfe

SHA256
9d22b8c7d75039a12174c37e8e282f6f2c69a76b243d98b085e651a2d2252305

SHA512
aea7c9931949f1172250f558386dbb7b75f6ed355e4d538c01243cd7e3d63f64b84e8dd8bbe5ff31e78923a435f3c1fdcba93afa5ea7c923e26210c078af289b

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
6abd70dc8195e9d5bcf544914dc587c0

SHA1
0d18c1227543feb6aa35c34a72eb307df9384e99

SHA256
b9bcd679d6616caf3dae698133f8508a99835c45c59af5566c44698cb34ee2ec

SHA512
8bdc1d93ce569e1e4987a64149c87d0adca237a40c0abc6b4e5b205d938ef538601b8fedb8be4339974e424ea34ca17baffa94ec2d167b0d4c6b34db34cfea7e

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
ce3267933145e7251c0f82172d6969e6

SHA1
3ba6773c270f33fc30b31b99e4fa6c656318463b

SHA256
2620458a46ace9a27d41fbd27e6b3620edc8a7751b47eb1780604efce20ed9fb

SHA512
4bca9f13b8b4b2de9e1f9117d3806cdc33b9af1a6369be87216d02291aae992ab4d0ab88e83d101a85bfb2d46aef092f2fba13249f9665de35de4a2d60f1c692

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
31dd75b2fecf73314228422772ccfa41

SHA1
9be0f88307672dfe2078d43aa74a786f35d6bef7

SHA256
a0c1be4885d5672d383edbff8afebc2126bb43b067f502c0d8831afdbffa9a84

SHA512
d7b3b3749ca9eaeba6b88bc20c8334857e5690172aef54e724432ee8c7aca32e2cc71a77cc5e91fd8df8229279fee782e36a38c359c60b6a677516c5f483b655

Download Submit
C:\XK\Folder.htt

Filesize
640B

MD5
5d142e7978321fde49abd9a068b64d97

SHA1
70020fcf7f3d6dafb6c8cd7a55395196a487bef4

SHA256
fe222b08327bbfb35cbd627c0526ba7b5755b02ce0a95823a4c0bf58e601d061

SHA512
2351284652a9a1b35006baf4727a85199406e464ac33cb4701a6182e1076aaff022c227dbe4ad6e916eba15ebad08b10719a8e86d5a0f89844a163a7d4a7bbf9

Download Submit
C:\desktop.ini

Filesize
217B

MD5
c00d8433fe598abff197e690231531e0

SHA1
4f6b87a4327ff5343e9e87275d505b9f145a7e42

SHA256
52fb776a91b260bf196016ecb195550cdd9084058fe7b4dd3fe2d4fda1b6470e

SHA512
a71523ec2bd711e381a37baabd89517dff6c6530a435f4382b7f4056f98aff5d6014e85ce3b79bd1f02fdd6adc925cd3fc051752c1069e9eb511a465cd9908e1

Download Submit
memory/772-67-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1936-59-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2000-231-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2600-244-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2620-282-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2620-296-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2620-117-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2620-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2728-49-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2728-56-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3596-292-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4288-232-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4288-237-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4968-295-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5128-260-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5196-249-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5572-79-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5584-72-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5768-85-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download