Malware Analysis Report

2025-01-06 10:32

Sample ID 240601-dxw94sgb51
Target 8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe
SHA256 0a1a2517d5253902840ae21d0e5c77e72fa4138590e84a8e966561a9475f9253
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0a1a2517d5253902840ae21d0e5c77e72fa4138590e84a8e966561a9475f9253

Threat Level: Known bad

The file 8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Modifies WinLogon for persistence

Disables RegEdit via registry modification

Disables use of System Restore points

Modifies system executable filetype association

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

System policy modification

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies Control Panel

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 03:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 03:23

Reported

2024-06-01 03:26

Platform

win10v2004-20240508-en

Max time kernel

134s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3364 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Windows\xk.exe
PID 3364 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Windows\xk.exe
PID 3364 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Windows\xk.exe
PID 3364 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3364 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3364 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3364 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 3364 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 3364 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 3364 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 3364 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 3364 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 3364 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 3364 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 3364 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 3364 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 3364 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 3364 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 3364 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 3364 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 3364 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
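The registry writes in the Signatures tables above are the sample's whole persistence and evasion footprint: Winlogon Shell/Userinit, Run keys, the exefile/batfile/comfile/piffile/lnkfile open handlers, Explorer and policy values, and a screensaver entry. The script below is an added example for hunting those settings on a live host; it is not part of the sandbox report. It assumes a 64-bit, elevated PowerShell (so both the native registry view and the WOW6432Node view the 32-bit sample wrote to are readable) and checks every loaded user hive instead of the sandbox's S-1-5-21-... SID. Two of the values, HideFileExt = 1 and ShowSuperHidden = 0, are also the Windows defaults, so the script labels them as weak corroboration only.

```powershell
# Added example (not part of the sandbox report): read-only hunt for the
# registry persistence and evasion settings listed in the Signatures tables.
# Assumptions: run from a 64-bit, elevated PowerShell so that both the native
# and the WOW6432Node registry views are readable; the sandbox SID is replaced
# by whatever user hives are loaded on the host being examined.

$findings = New-Object 'System.Collections.Generic.List[string]'

# Regex for the file names this sample drops and registers for autostart.
$dropPattern = '\\WINDOWS\\(WINLOGON|CSRSS|SERVICES|LSASS|SMSS)\.EXE|\\xk\.exe|\\IExplorer\.exe'

function Test-RegValue {
    # Record a finding when the named value (use '' for the key default)
    # matches the regex in $Bad. -match is case-insensitive by default.
    param([string]$Path, [string]$Name, [string]$Bad, [string]$Label)
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return }
    $value = $key.GetValue($Name)
    if ($null -ne $value -and "$value" -match $Bad) {
        $findings.Add("[$Label] $Path : '$Name' = $value")
    }
}

function Test-RunKey {
    # Record every Run value whose data points at one of the dropped files.
    param([string]$Path)
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return }
    foreach ($name in $key.GetValueNames()) {
        $data = $key.GetValue($name)
        if ("$data" -match $dropPattern) {
            $findings.Add("[Run key] $Path : '$name' = $data")
        }
    }
}

# 1. Winlogon Shell / Userinit and the machine-wide Run key. The sandbox logged
#    these writes under WOW6432Node, the view a 32-bit process sees; the
#    native view is what the 64-bit winlogon.exe reads, so inspect both.
foreach ($view in 'SOFTWARE', 'SOFTWARE\WOW6432Node') {
    $wl = "HKLM:\$view\Microsoft\Windows NT\CurrentVersion\Winlogon"
    Test-RegValue $wl 'Shell'    '^(?!explorer\.exe$)' 'Winlogon Shell is not exactly explorer.exe'
    Test-RegValue $wl 'Userinit' 'userinit\.exe,\S'    'Winlogon Userinit launches an extra program'
    Test-RunKey "HKLM:\$view\Microsoft\Windows\CurrentVersion\Run"
}

# 2. Hijacked file-type handlers: with these in place every .exe/.bat/.com/
#    .pif/.lnk launch is routed through the dropped shell.exe first.
foreach ($cls in 'exefile', 'batfile', 'comfile', 'piffile', 'lnkfile') {
    Test-RegValue "HKLM:\SOFTWARE\Classes\$cls\shell\open\command" '' 'shell\.exe' "$cls open command hijacked"
}
Test-RegValue 'HKLM:\SOFTWARE\Classes\exefile' '' '^File Folder$' 'exefile type name changed to "File Folder"'

# 3. Machine-wide policy values.
Test-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'   'DisableRegistryTools' '^1$' 'Regedit disabled (machine)'
Test-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoFolderOptions'      '^1$' 'Folder Options hidden (machine)'

# 4. Per-user values. HideFileExt=1 and ShowSuperHidden=0 are also the Windows
#    defaults, so on their own they prove nothing; they are reported as weak.
function Test-UserHive {
    param([string]$Root)   # e.g. HKU:\S-1-5-21-...-1001
    $adv = "$Root\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
    Test-RegValue "$Root\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" 'DisableRegistryTools' '^1$' 'Regedit disabled (user)'
    Test-RegValue $adv 'HideFileExt'     '^1$' 'weak: extensions hidden'
    Test-RegValue $adv 'ShowSuperHidden' '^0$' 'weak: protected OS files hidden'
    Test-RegValue "$Root\Control Panel\Desktop" 'SCRNSAVE.EXE'        'Mig.*\.scr' 'Screensaver points at dropped .scr'
    Test-RegValue "$Root\Control Panel\Desktop" 'ScreenSaverIsSecure' '^0$'        'weak: screensaver does not lock'
    Test-RunKey   "$Root\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
}

if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
Get-ChildItem -Path 'HKU:\' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object { Test-UserHive "HKU:\$($_.PSChildName)" }

if ($findings.Count -eq 0) { 'No registry indicators from this report were found.' }
else { $findings }
```

The script only reads; once the exefile handler has been hijacked, restore it before launching any cleanup tool, because every .exe started through the shell would otherwise pass through the dropped shell.exe first. Only hives that are currently loaded appear under HKEY_USERS, so profiles of users who are not logged on need their NTUSER.DAT loaded with reg.exe load before the per-user checks can see them.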

Processes

C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4168,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=3824 /prefetch:8
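The process list shows the sample's main trick for blending in: copies named WINLOGON.EXE, CSRSS.EXE, SERVICES.EXE, LSASS.EXE and SMSS.EXE running from a user profile directory, plus xk.exe, IExplorer.exe and shell.exe, all started by PID 3364 after it wrote into their memory. The script below is an added example, not part of the report, that flags running processes whose name belongs to a core Windows binary but whose image is not under System32, and any process using the other dropped names. It assumes an elevated shell: without elevation Win32_Process returns no ExecutablePath for protected system processes and those rows are skipped rather than judged.

```powershell
# Added example (not part of the sandbox report): flag running processes that
# carry a core Windows process name from outside System32, as the dropped
# WINLOGON.EXE, CSRSS.EXE, SERVICES.EXE, LSASS.EXE and SMSS.EXE copies do, and
# any process using the other dropped names. Assumes an elevated shell; without
# it Win32_Process returns no ExecutablePath for protected system processes.

$systemNames = 'winlogon.exe', 'csrss.exe', 'services.exe', 'lsass.exe', 'smss.exe'
$dropNames   = 'xk.exe', 'iexplorer.exe', 'shell.exe'
$systemDir   = Join-Path $env:SystemRoot 'System32'

function Get-MasqueradingProcess {
    $procs = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in $procs) {
        $name   = $p.Name.ToLowerInvariant()
        $path   = $p.ExecutablePath
        $reason = $null
        if ($systemNames -contains $name) {
            # Genuine copies live only in System32; -notlike is case-insensitive.
            # A null path means a protected process we could not inspect.
            if ($path -and $path -notlike "$systemDir\*") {
                $reason = 'core Windows process name outside System32'
            }
        } elseif ($dropNames -contains $name) {
            $reason = 'file name used by this sample'
        }
        if (-not $reason) { continue }

        $parent = $byPid[[int]$p.ParentProcessId]
        [pscustomobject]@{
            PID         = $p.ProcessId
            Name        = $p.Name
            Path        = $path
            Parent      = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { '(exited)' }
            CommandLine = $p.CommandLine
            Reason      = $reason
        }
    }
}

Get-MasqueradingProcess | Format-Table -AutoSize -Wrap
```

The parent column matters because the dropper exits or restarts: in the report every copy was spawned by the sample itself, so a lsass.exe whose parent is something other than wininit.exe, or whose parent has already exited, is the pattern to look for. For retrospective hunting, Sysmon process-creation events (Event ID 1) carry the same Image/ParentImage pair, and the memory writes listed under "Suspicious use of WriteProcessMemory" surface as ProcessAccess events (Event ID 10) from the dropper to each child.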

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp

Files

memory/3364-0-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\winlogon.exe

MD5 8bac2c0dcd2fd87ef8d9170fe4effe70
SHA1 4d098d2fdc60db19967630aaf09515204845da0d
SHA256 0a1a2517d5253902840ae21d0e5c77e72fa4138590e84a8e966561a9475f9253
SHA512 044545507c87c6aea0c95a041d339b44e07f9585b8ef7acc2be00d4ff83d06cbf8a5151a3b015ec66945c57003b2344225922ced760f5cbd184ac365f9075bc0

C:\Windows\xk.exe

MD5 a4b61e12d8eaaa0dc79aad9a5c5d0504
SHA1 dc1b004b7ec2dddf51c3f0bd1fe44a3fbc687967
SHA256 4246740ad6db95ca684c22862bfc3025be5b3c20e757e95b81ec0ef77d334f3b
SHA512 6df1207b9254b891842309ac91fd362d7182a16414dc9193ce3e5b143a6fffe1bdf09dad0581a6662900403e4064ab19f7096faae7033f9d848b1bf07eaecbf8

C:\Windows\SysWOW64\IExplorer.exe

MD5 67efda232f165ae6805486405bf5a2c7
SHA1 b7ae66c6d7cdb6599156f8862a6749f8ddbe0a8f
SHA256 4a9421bd8eb84cfd7219f909878b47033d9f39a4bffa4c9045293e1d851b0ff0
SHA512 47a225db769e73b6f0fd87fc4000691bcba50b4349e0e165e2cfb4be43d9e705f5bd3f5042344595a4d5283f024b77b048a0e991c1a02d46341ff4fbc537368f

memory/2572-110-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3788-116-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 3a21b1d27361db3d9b97d95fd468c2b5
SHA1 3387aefaef302faf5889220a8fdcd97c78c8d28a
SHA256 520d2ba063d872d2f5e84466ebaab221ca61e05b88a96dcf129db401af4f2f72
SHA512 cd30e24d194a8fa06fa650dcd1713a1b0bab1f1b19761a9308df7bb1955543e878e45e230ab0764c1b742ca9df6986779044553cc4fe9bee1c4b67ccfb28b127

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 0b5378171b2a225add0d702d3aadaab2
SHA1 970da2aa746de2a2fd0bac1bf480f9ca7b23ca19
SHA256 b325f30a5b1b08f694209db99510704354386bd9124f710eb34ea324ce17a731
SHA512 c4616e892885623cd1b71110fa46079bef059927f3e87da62edba396eda846417ead11efb105eebecf021f9d046219ae34f374a0ac3f23c66f719d2482817701

memory/4572-122-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 79e2536f9dc1232353f251295143ddb8
SHA1 42abd897a93412c3d5ecdea39c298147b2d48a64
SHA256 5b7b8c57e79ed02da036a4dee79e88dc08a46be26fc2849f207d0f3e2f60a0ce
SHA512 d8dcc1663c1bc85ee296439cdc8f7fc36fb9a1ceadcfa95e62868b16aaa78e78d438859ae538ee4bdecd090b82b65a719d02c2a60e6bedaa99e65eb879e7d1e9

memory/4608-129-0x0000000000400000-0x000000000042E000-memory.dmp

memory/4584-133-0x0000000000400000-0x000000000042E000-memory.dmp

memory/4584-136-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 44583a0560a8c7d539dc1049f1a130c2
SHA1 8560852907f057ffa9bebf27cfe54bfc3b7ba681
SHA256 66843d8a6cbd1f8bf8678ab3fc689e14fc09eadfa7155f8befd4905e2c017f93
SHA512 27ba132a0f6cb75ac0e52d23f9826acd462d97dca2b2ba89a6db689702effd28415c25d01d93b6753b52772e6a780deeade76a5f3b76bf7a1f65199080f73255

memory/1108-140-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1108-144-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 91a872fafc75900161d07e587b6f60b0
SHA1 66b37d0dfb78718355f933fb32e994a9c4b1f926
SHA256 9d7ca36502faab4ee942134470bf8a64ec78c4fde168f0e5121117e53f8e1811
SHA512 b3b790bb872bf612e17ee6c49306e127872c11aef39666e4bc397845b3dafea69c5b1249c5587b58189116a7ff9ad309a38bdc75dc334461a60fbfc359eccb21

memory/3592-148-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3592-152-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3364-154-0x0000000000400000-0x000000000042E000-memory.dmp
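The Files section gives the on-disk artifacts and their hashes. Two details from it drive the sweep below: every dropped copy carries a different SHA256 even though the report maps each one at the same 0x400000-0x42E000 range, so a path hit must be reported even when the hash is not in the table; and shell.exe and Mig2.scr are listed by path only, with no hashes. The script is an added example, not part of the report. It assumes profiles live under the system drive's Users directory, and it checks both the SysWOW64 paths the 32-bit sample was redirected to and the native System32 paths. "Local Settings\Application Data", as used in the Run keys, is the compatibility junction for AppData\Local, so both spellings in the report name the same files.

```powershell
# Added example (not part of the sandbox report): sweep a host for the dropped
# files listed in the Files section, by path and by SHA256. The hash table is
# copied from the report; shell.exe and Mig2.scr have no hashes there, so for
# them only the path can be checked. Assumption: profiles are under
# $env:SystemDrive\Users.

$knownHashes = @{
    '0a1a2517d5253902840ae21d0e5c77e72fa4138590e84a8e966561a9475f9253' = 'original sample / AppData\Local\winlogon.exe'
    '4246740ad6db95ca684c22862bfc3025be5b3c20e757e95b81ec0ef77d334f3b' = 'C:\Windows\xk.exe'
    '4a9421bd8eb84cfd7219f909878b47033d9f39a4bffa4c9045293e1d851b0ff0' = 'SysWOW64\IExplorer.exe'
    '520d2ba063d872d2f5e84466ebaab221ca61e05b88a96dcf129db401af4f2f72' = 'WINDOWS\WINLOGON.EXE'
    'b325f30a5b1b08f694209db99510704354386bd9124f710eb34ea324ce17a731' = 'WINDOWS\CSRSS.EXE'
    '5b7b8c57e79ed02da036a4dee79e88dc08a46be26fc2849f207d0f3e2f60a0ce' = 'WINDOWS\SERVICES.EXE'
    '66843d8a6cbd1f8bf8678ab3fc689e14fc09eadfa7155f8befd4905e2c017f93' = 'WINDOWS\LSASS.EXE'
    '9d7ca36502faab4ee942134470bf8a64ec78c4fde168f0e5121117e53f8e1811' = 'WINDOWS\SMSS.EXE'
}

function Get-DroppedFileCandidates {
    # Machine-wide locations. The 32-bit sample's System32 writes were redirected
    # to SysWOW64; the native directory is checked too in case of a 64-bit build.
    foreach ($dir in 'SysWOW64', 'System32') {
        foreach ($f in 'IExplorer.exe', 'shell.exe', 'Mig2.scr') {
            Join-Path $env:SystemRoot "$dir\$f"
        }
    }
    Join-Path $env:SystemRoot 'xk.exe'

    # Per-profile locations ("Local Settings\Application Data" resolves here).
    $users = Join-Path $env:SystemDrive 'Users'
    foreach ($prof in Get-ChildItem -LiteralPath $users -Directory -Force -ErrorAction SilentlyContinue) {
        Join-Path $prof.FullName 'AppData\Local\winlogon.exe'
        foreach ($f in 'WINLOGON.EXE', 'CSRSS.EXE', 'SERVICES.EXE', 'LSASS.EXE', 'SMSS.EXE') {
            Join-Path $prof.FullName "AppData\Local\WINDOWS\$f"
        }
    }
}

function Find-DroppedFiles {
    foreach ($path in Get-DroppedFileCandidates) {
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }
        $sha = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLowerInvariant()
        [pscustomobject]@{
            Path   = $path
            SHA256 = $sha
            # Each dropped copy in the report has its own hash, so a file at one
            # of these paths matters even when the hash is not in the table.
            Match  = if ($knownHashes.ContainsKey($sha)) { $knownHashes[$sha] } else { 'path only (hash not in report)' }
        }
    }
}

Find-DroppedFiles | Format-Table -AutoSize -Wrap
```

Test-Path and Get-FileHash read hidden files, which matters here because the sample also turns off display of protected system files in Explorer. Any hit should be collected before removal: the per-copy hashes suggest each host may yield a set of hashes not yet in the report.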

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 03:23

Reported

2024-06-01 03:26

Platform

win7-20240508-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2020 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Windows\xk.exe
PID 2020 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Windows\xk.exe
PID 2020 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Windows\xk.exe
PID 2020 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Windows\xk.exe
PID 2020 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2020 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2020 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2020 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2020 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2020 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2020 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2020 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2020 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2020 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2020 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2020 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2020 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2020 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2020 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2020 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2020 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2020 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2020 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2020 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2020 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2020 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2020 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2020 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8bac2c0dcd2fd87ef8d9170fe4effe70_NeikiAnalytics.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Network

N/A

Files

memory/2020-0-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\winlogon.exe

MD5 8bac2c0dcd2fd87ef8d9170fe4effe70
SHA1 4d098d2fdc60db19967630aaf09515204845da0d
SHA256 0a1a2517d5253902840ae21d0e5c77e72fa4138590e84a8e966561a9475f9253
SHA512 044545507c87c6aea0c95a041d339b44e07f9585b8ef7acc2be00d4ff83d06cbf8a5151a3b015ec66945c57003b2344225922ced760f5cbd184ac365f9075bc0

memory/1580-112-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Windows\xk.exe

MD5 e6d87e6e393893554c605a1c3128e27a
SHA1 7fae97bd865615e18578ed677abfbc2d8d6ac67e
SHA256 331c51ce4f7590efcd9dd6d4cf0278442c1181407b7d07ef328cad5f4bb0eaf8
SHA512 825f499bed3ab2102cea9d636bf8e8c38490058eb8e33d350662d9c3bb0f983b7f1b013cc21a61942c1fbcdf0a676077b48b851f7cfc8217d7dbcf818634041b

memory/2020-110-0x0000000002490000-0x00000000024BE000-memory.dmp

memory/2020-109-0x0000000002490000-0x00000000024BE000-memory.dmp

\Windows\SysWOW64\IExplorer.exe

MD5 39943e41a41778f5026c6e03020c3251
SHA1 f4a754012f33e7582b661b058a5d219723974af4
SHA256 3746029aff2168b55dab669964f4430cd1a4afd2d4cec5fdca715b1d11ac67c4
SHA512 ddb087b06c01f520c8ca383b2e38edf653750e2f7b29896c4d18fa7fa61f929ed50e70163b0a692f6393a803906c1c46775ab7e8c672a5aa569e6d2775db17ba

memory/1580-116-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1636-127-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2020-135-0x0000000002490000-0x00000000024BE000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 8ada7857a8b4c9b6874116ad85d5df94
SHA1 906b6812575133a27027a05def739b3ad1e5e391
SHA256 e292ddd37a401590ed31aecbab096d32df32afd789fb7d01cb08ac7e89089eaf
SHA512 d1339af778e4312a41945df427870b4572725226c36696ff619dc0269c476609491e30c1099ec0cec04b8939b890c12209ddddc83c1323d01c87c8a0a6395c80

memory/2712-138-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 b399c5baee9dbc860e1a220adaec4af0
SHA1 d774cd85ad67e9ce541285fa118ab353a4856a54
SHA256 d98102c6daf27273a254a8999bb7767f7844dcff4378d6281aa94480b88e6c4e
SHA512 468cde9529785232519e723f52e34dd52ce050aea91c653bb230f144813823740340174d09f5b7efdb1bbadbc51085ef1f3d03f964534070053d752b1b45c68c

memory/2020-149-0x0000000002490000-0x00000000024BE000-memory.dmp

memory/2196-148-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2196-151-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 1870e054ec63f30aea779145c3c1ceb8
SHA1 0e169bd3282f79adff211753d67e88f746dd6bf4
SHA256 a5d459194bda60e2847cb8e444cd14562e04bde61085606f8b2e743099b131f6
SHA512 c2ec943ec2fc2998bc86397412df1915da7463e2f335ce9d3c8bbb1ae786503e25af68719a314e5809d72b8772bbd904311285d8b80d9229cd388b9fa5475c6a

memory/2020-159-0x0000000002490000-0x00000000024BE000-memory.dmp

memory/316-162-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 1baf6e0cd6c4ce6c7dbf222347c93073
SHA1 96a1ac4279eb92335712847c4c0326d647f0906c
SHA256 b7ea2b8e45b109a69cc9ce442a31f930f21e73b19518b14b2e4621523562af55
SHA512 6fa608643acc22d1b2256526bc094f07c472c655ccfbe00ef692d4c6b452a41a8cc97b7b1166847d1368ba172203b380c895ca024587036e37f967fdda7f3fd5

memory/1992-172-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 7dfdd6bce7a1ea76f07379a82d065cb7
SHA1 3f48c6bf2e8790a2103d344bbacb2bb8a8e62ecb
SHA256 039b2efed0186917f48aff704c850d95023e515891b76bc286671b1174e4f846
SHA512 4f4af4f4f7a53d45837b494117f2b202231ba38ff6b30e162f280394a9304fd53e89aec08b9d72e3427113d2c37a5543e31c7e8001bb2b0dfccaf711947f4e8a

memory/2020-175-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1680-184-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2020-186-0x0000000000400000-0x000000000042E000-memory.dmp