5d0d725eeaa03c38a446d0f85708f26a1a8a21729750b9a904c4b3e36f7fc90b

Analysis

max time kernel
148s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/06/2024, 22:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
Size

91KB
MD5

061ec50b6c9df17cd4d29c29d6150a90
SHA1

bc4d07c4d4c812b68f5c5045a798ada02176d7ce
SHA256

5d0d725eeaa03c38a446d0f85708f26a1a8a21729750b9a904c4b3e36f7fc90b
SHA512

5ec412b0164510006f69cc88a79b1f9274a1060c6c7896fa2e8efbcf3c16c69df5559cbfeebdb3c33ea2587586101886d66c0a796d8f1a411c86126bdaa447b0
SSDEEP

1536:8AwEmBj3EXHn4x+9ayAwEmBj3EXHn4x+9a6:8GmF3onW+MyGmF3onW+M6

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 14 IoCs

pid	Process
1900	xk.exe
4404	IExplorer.exe
5080	WINLOGON.EXE
4144	CSRSS.EXE
5000	SERVICES.EXE
4792	LSASS.EXE
2580	SMSS.EXE
2160	xk.exe
4812	IExplorer.exe
1580	WINLOGON.EXE
1180	CSRSS.EXE
4452	SERVICES.EXE
3752	LSASS.EXE
3796	SMSS.EXE

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\desktop.ini	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
File created	C:\desktop.ini	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
File opened for modification	F:\desktop.ini	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
File created	F:\desktop.ini	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
File opened (read-only)	\??\R:	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
File opened (read-only)	\??\T:	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
File opened (read-only)	\??\Z:	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
File opened (read-only)	\??\G:	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
File opened (read-only)	\??\K:	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
File opened (read-only)	\??\M:	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
File opened (read-only)	\??\P:	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
File opened (read-only)	\??\L:	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
File opened (read-only)	\??\O:	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
File opened (read-only)	\??\V:	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
File opened (read-only)	\??\W:	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
File opened (read-only)	\??\X:	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
File opened (read-only)	\??\B:	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
File opened (read-only)	\??\E:	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
File opened (read-only)	\??\H:	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
File opened (read-only)	\??\Y:	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
File opened (read-only)	\??\S:	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
File opened (read-only)	\??\U:	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
File opened (read-only)	\??\I:	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
File opened (read-only)	\??\J:	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
File opened (read-only)	\??\N:	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mig2.scr	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\shell.exe	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
File created	C:\Windows\xk.exe	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5040	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
5040	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
5040	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
1900	xk.exe
4404	IExplorer.exe
5080	WINLOGON.EXE
4144	CSRSS.EXE
5000	SERVICES.EXE
4792	LSASS.EXE
2580	SMSS.EXE
2160	xk.exe
4812	IExplorer.exe
1580	WINLOGON.EXE
1180	CSRSS.EXE
4452	SERVICES.EXE
3752	LSASS.EXE
3796	SMSS.EXE

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 1900	5040	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe	83
PID 5040 wrote to memory of 1900	5040	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe	83
PID 5040 wrote to memory of 1900	5040	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe	83
PID 5040 wrote to memory of 4404	5040	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe	84
PID 5040 wrote to memory of 4404	5040	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe	84
PID 5040 wrote to memory of 4404	5040	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe	84
PID 5040 wrote to memory of 5080	5040	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe	85
PID 5040 wrote to memory of 5080	5040	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe	85
PID 5040 wrote to memory of 5080	5040	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe	85
PID 5040 wrote to memory of 4144	5040	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe	86
PID 5040 wrote to memory of 4144	5040	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe	86
PID 5040 wrote to memory of 4144	5040	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe	86
PID 5040 wrote to memory of 5000	5040	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe	87
PID 5040 wrote to memory of 5000	5040	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe	87
PID 5040 wrote to memory of 5000	5040	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe	87
PID 5040 wrote to memory of 4792	5040	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe	88
PID 5040 wrote to memory of 4792	5040	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe	88
PID 5040 wrote to memory of 4792	5040	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe	88
PID 5040 wrote to memory of 2580	5040	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe	89
PID 5040 wrote to memory of 2580	5040	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe	89
PID 5040 wrote to memory of 2580	5040	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe	89
PID 5040 wrote to memory of 2160	5040	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe	90
PID 5040 wrote to memory of 2160	5040	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe	90
PID 5040 wrote to memory of 2160	5040	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe	90
PID 5040 wrote to memory of 4812	5040	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe	91
PID 5040 wrote to memory of 4812	5040	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe	91
PID 5040 wrote to memory of 4812	5040	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe	91
PID 5040 wrote to memory of 1580	5040	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe	92
PID 5040 wrote to memory of 1580	5040	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe	92
PID 5040 wrote to memory of 1580	5040	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe	92
PID 5040 wrote to memory of 1180	5040	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe	93
PID 5040 wrote to memory of 1180	5040	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe	93
PID 5040 wrote to memory of 1180	5040	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe	93
PID 5040 wrote to memory of 4452	5040	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe	94
PID 5040 wrote to memory of 4452	5040	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe	94
PID 5040 wrote to memory of 4452	5040	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe	94
PID 5040 wrote to memory of 3752	5040	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe	95
PID 5040 wrote to memory of 3752	5040	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe	95
PID 5040 wrote to memory of 3752	5040	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe	95
PID 5040 wrote to memory of 3796	5040	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe	96
PID 5040 wrote to memory of 3796	5040	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe	96
PID 5040 wrote to memory of 3796	5040	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe	96

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\061ec50b6c9df17cd4d29c29d6150a90_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5040
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1900
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4404
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5080
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4144
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5000
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4792
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2580
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2160
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4812
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1580
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1180
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4452
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3752
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
a35f42d13b9ad9f9625a37357343218a

SHA1
93b745e4d5f4ed2acc0faa9688b2684cfea5a0e3

SHA256
31743994279a181a6037104d29ce147a37ebe8f667ce05b4d2a34d5538274e9b

SHA512
fd3a0083410c2282d7dc028326041dbd2d551627c93dfcddf45990a3898ff5a1867d44c6f3144f39cc0ec76ac4c83aa0f862c4ffa4703caf1238f4a49f94f3a3

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
173e2f5e69da151aa945743b13b84ffc

SHA1
7efdc808fc06b7ff9515cd44b3d60d3dcbb8ca3c

SHA256
da0c2351417dc4cae1cd6bceacf88061121bd0236bf330a07a91f1d8356d03e4

SHA512
24f4727656ba8beeb79441c005413272e0bc8e6ef0515636084c2e4fd5877202b1198063a9d1613983261b8b83b8cb33fd98ebb9eacdffb91140410fce7cbfd7

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
264ebef98d343c9ca7c31982d361d35d

SHA1
151131a297977d85e3812e2e09c4112a55edc764

SHA256
833a525623784521f6ec99389d94897aeec42338b5f9e9c7be84c3c6be85ed81

SHA512
e93e1b517bda56f48e6b516126ebcffbe20e84125b8a5d54dc11a580706010a67ad3489fcfddb1ff3786bd4b9644df59d907dd35a17824deca97ac9e65a14a36

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
f4e36987bbb9daefda6623abcf18accb

SHA1
c67b52909b03a0b6d917e05599b5671442f6b060

SHA256
11458fc8c466cc7e24610fdde0b702b5e08846db8b46c1a769b31c2a07dfc0a5

SHA512
53987fb5513ca4f339f291c4ec52a228ab1e0b5350d2b5d7578ece6d79a1d8f4317319d88a0f47c9ab4d4b5f86ecf1026015b8176054ef68585841a5776a4d8a

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
0dac12959bfa701da7a059bd4b7a29c2

SHA1
50191b8292dabf8aaf2ee304526efd1c7c3104ed

SHA256
4fa5f6233d695602a0b33d2b69c39ba05b33b7c986aa9f2cd9b9f6878e6ed9fb

SHA512
2a1881018d482b8ad6b8bc4e3bf42f0c533a8560d403b3be066d45dc5a69af621bd66b3f14ba6511c790264eb4dadae5838460b984bfd3f02cc2988395962688

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
6b01cd1d189117d4f705a672d8011524

SHA1
3926849c435a1a366efcc223d9a98560f86bce53

SHA256
200a5b738800ef27407eff92e0b1f27ba318c85aca107896a637bdf5922c6cb1

SHA512
343e22bad2ea58b4749f70ed9c4792f40d58f983e9524a43dbb6e2121a1ca01ec76da444f4c2176edc1c4d52c0011ca282d75822216cdad113bf37e3f74eac8b

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
d86ce5dabd4aa9e360c50bd2c0ab0c0d

SHA1
973d2b15afd125a0755e7bd5e7f50d5edfff1188

SHA256
33666092db490e6960c61772fd697429ab816e526b829ee04dfed96be6e9d669

SHA512
1d2febb6971cce904f5b723977f07b309e822f4390d08ca81d8a4ebe0524c97ad6b0bb40362cd7da9b5f38a79064c6c0c8b1d6abe34a41c09a2a7dd31c3bfefa

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
846df8d3b05ffcd5aec4f3acf778f14b

SHA1
ab01a48f1aabdf253e27efba86a8165680d30c29

SHA256
1c0a70f44b4cf9fccffda3a77c190fa06c89d2cab18f6e4ddbfb53ed79854a01

SHA512
127ce7efa843268579ea69510f678385ab7da8d8bec924f3d1432de51ce773b4065652ea8373c43f711e031f6609ed0c57dd85630beffdc397fa609a09060fd3

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
91KB

MD5
061ec50b6c9df17cd4d29c29d6150a90

SHA1
bc4d07c4d4c812b68f5c5045a798ada02176d7ce

SHA256
5d0d725eeaa03c38a446d0f85708f26a1a8a21729750b9a904c4b3e36f7fc90b

SHA512
5ec412b0164510006f69cc88a79b1f9274a1060c6c7896fa2e8efbcf3c16c69df5559cbfeebdb3c33ea2587586101886d66c0a796d8f1a411c86126bdaa447b0

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
32161fb71e510926c3409b626c862778

SHA1
6ac27b12a5e3900acfbea213196b28f158e76be0

SHA256
2d94e97c9eeab9161eff6b41ae2f0bdf6428412ae1ec00dcfc84e50606370a37

SHA512
6795b847f16363789673c58fcd90734ce1e807efe8d1e37cb4c3f5f749b86b08b2a0c7f89fe1177b11116a0e9a32d7067fe2d7570d934eb07a6c792e2c194fe2

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
533aa7ab802e819d8d7a36ccd1c6a691

SHA1
f836aa26863bcb053925f759d57829febc21b673

SHA256
01028aaffe34d3341bb4627db4ef2edd719abc272714e3c2ab0fe78e0901d64e

SHA512
8552358b0e8dee2a77774bd590b3850cbad694e662bdf593426897f873339906071c4b8dcb6ad6341cefa0a3fe7a67693038a2304f910fb23ca491e53ff4f40d

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
f74e4c2ee907a7f3703db84f7fb71dfd

SHA1
4b8dcec61ccda549bb7bad6729b20aaa83f3b2a4

SHA256
95c7ff86c3c79f562a695d6db51bb698f6433eb59f03b96d8be86b91f107fad4

SHA512
030268cf3bc0bdb206aa1b88fa9deff18aa5c90af03ee241b0a0c10c2c1fb18010f6e420e0cd5d2a6a762914598bc7bbc15f4f39c6c3e47ecac332301bd97252

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
9ecb32d630a7219fdaac348ffb95c2ad

SHA1
2ac2476bf959a06186b3a0752c91c758b8f45288

SHA256
fa2ebab34a0e8e93ac84aae2d46f7ba128350d044fe97cce3feaa1c393bd4f4e

SHA512
fe87473627ac710cfa5fc872f67b8ccd5b7d4f59865cc3b700b766837141c97270dde861f2b225cfacde59d7103f8f73df5f31f3f9f0c716a72adc85396ed6c2

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
1ccbde9a39ed065c77ef817e5eebbe09

SHA1
233385fecd1f9b1cdf615a597776358dbc133a76

SHA256
5a056597cde5c9949d822b06059542edd4507a514b4d698db7a37bc9ac89b720

SHA512
1f30bebdf0b6be8822f6952a6cb4049760603975f3ec9dbaf73f2193e30c41eda8f0797f122dc3802eebce7608b44060e8f771a5bc5c82bfd1309f72dc0d114a

Download Submit
memory/1180-223-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1580-216-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1900-110-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2160-205-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2580-152-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3752-237-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3752-231-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3796-248-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3796-238-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4144-131-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4404-123-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4452-230-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4792-146-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4812-209-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5000-138-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5040-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5040-212-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5040-268-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5040-270-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5080-121-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5080-128-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download