Malware Analysis Report

2025-01-06 10:33

Sample ID 240601-eed69aha3v
Target 8c60f460950b78393884830f30990350_NeikiAnalytics.exe
SHA256 baeb79c0e0111a0ea27f4dfe6e387ef4e5816d14c6f30cded0b027d7504bcc48
Tags
upx evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

baeb79c0e0111a0ea27f4dfe6e387ef4e5816d14c6f30cded0b027d7504bcc48

Threat Level: Known bad

The file 8c60f460950b78393884830f30990350_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

upx evasion persistence

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Disables RegEdit via registry modification

Disables use of System Restore points

Modifies system executable filetype association

UPX packed file

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Modifies Control Panel

Modifies registry class

Suspicious use of WriteProcessMemory

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 03:50

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 03:50

Reported

2024-06-01 03:53

Platform

win7-20240220-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2868 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe C:\Windows\xk.exe
PID 2868 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2868 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2868 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2868 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2868 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2868 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Network

N/A

Files

memory/2868-0-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\services.exe

MD5 8c60f460950b78393884830f30990350
SHA1 fb34db6b9fcf426c49bc3e4abbd699a161f00632
SHA256 baeb79c0e0111a0ea27f4dfe6e387ef4e5816d14c6f30cded0b027d7504bcc48
SHA512 ea935bb7383d430ecdaff3383c41c3b2c11e57808b745477978fdec211cfc3e31f2672d2dd5b384850ab4c499643caf8633fb7be59d96f4963e65d2efa03c097

memory/2868-105-0x00000000024C0000-0x00000000024EF000-memory.dmp

C:\Windows\xk.exe

MD5 ac08b2fbd621709d2b6b78cf346cb177
SHA1 9b30d5b7ed58deaaefea0d0bb158108ab040fa7e
SHA256 e6af55149b52eaf89a5b430e15caabe4aaf04a43971d438d63854361525895e5
SHA512 2d6a60042e182934400bff9c75818e88989c30840305c4d9e0fd758bff67cc7989e5ce914c253eedaaa2f0aeefbed19eb5e44ed08a4ac11b4c12e97ea30b87c9

memory/2384-112-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2384-114-0x0000000000400000-0x000000000042F000-memory.dmp

\Windows\SysWOW64\IExplorer.exe

MD5 91ee621d2b0eb7193e9ccd53de79dfd0
SHA1 fdf05ec248b8869e5db085822ddc4760f5648027
SHA256 dac496d396381ef4044e38601062aac9e19af6decdeaf1ec7913e7070be8dcb9
SHA512 c96aefbbb23bb3ce7ba0ec7b276cf75ba6686450bd50e1811c9474f8dfc9d2b8068f2ec63fe5793cb2610f8b1afacfb2eae9445069a363f11be74e14c86cbd93

memory/2732-122-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2732-125-0x0000000000400000-0x000000000042F000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 74b8065116f52c6a172ed8a50e7b6801
SHA1 1bbb61a4199b4d0b5a40e4c5b90fa414cd25ab97
SHA256 6ff67a2af739bf2d45b6e38d7dca8d2915a46f157d17ca9623d08b6eb7f814ba
SHA512 8ea8828e6cd2dfe125c2a2a0b5cd064dcfee9008a3c43169eefb2f772bc15ebbecd4fa25464bf18f6405297c5a0d101bc3a8f41b0c2680875e2b01f551704667

memory/2760-136-0x0000000000400000-0x000000000042F000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 7612aef729f63e6ccfb9a50a44178dc5
SHA1 b4860e9fad4d250d33f1f0ace7e49b7fa8c6f117
SHA256 c2990d4a7147beacb5d6f09d4e62895d152a826070a6297ff4bd46a2db83783a
SHA512 00e1af491c53b88cf9fb44ce58235931db7510d79a4eb06492ebca4d0fa039da42ad6d6e77ad6430ea20c4c76dd42a0b2fd3cbcfe70c20c4fa87354fb815b8dc

memory/1560-146-0x0000000000400000-0x000000000042F000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 8a531446ae6f673336ee1fc45acc8cb1
SHA1 9be9de343cb77b36bf5699177f5ef7eb3a457d6e
SHA256 a4c495dfe4e641c5bb316709c053de4971345c101d2cfeda08cae1212c25279b
SHA512 e5aba1d8d442b517f24d6ef734ef63505dd32d5425a16f595fc1213b92192f554350c673ea828f5db3841d12a7b928ae351c50fde97122db1c85b04ee6ec6de3

memory/2280-154-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2280-164-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 5a83a6616b48bdd5599284b0ebb0ba74
SHA1 a63eb027202bfa3066ba73a8f3f5973d3a705fc1
SHA256 4b8075b1d9a07721b38ff1826427863f930a67a151f2d4d664076bb6dfe2d626
SHA512 eadc17231bc51cc2e319ae0a6e05fccc7c2850d8305acc31fa8be41b53b0ebaaa0f4d53f398ce358fac7fa4e2f9034926125c10e052c8cb86df5599c22e20075

memory/2868-165-0x00000000024C0000-0x00000000024EF000-memory.dmp

memory/2868-167-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1408-171-0x0000000000400000-0x000000000042F000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 2d325a745e8a12e432eea748fe12aaba
SHA1 132a634801650a37bc95fc12d6a84bb456ccf021
SHA256 0174d5c784770b9951aeac43fcafea81a70b897e376bef7b5d133bbb0918df6a
SHA512 564304bf6aa8a25e8a76e17f99c8a7d18182bb963f67bf25a9c8ed1844fe6e27bad90d729ba959941014fad0f1484a77a43aeb1a9ec613a5e9d3bfe0aea361db

memory/2876-180-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2876-183-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2868-184-0x0000000000400000-0x000000000042F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 03:50

Reported

2024-06-01 03:53

Platform

win10v2004-20240426-en

Max time kernel

91s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3772 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe C:\Windows\xk.exe
PID 3772 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe C:\Windows\xk.exe
PID 3772 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe C:\Windows\xk.exe
PID 3772 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3772 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3772 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3772 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 3772 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 3772 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 3772 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 3772 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 3772 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 3772 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 3772 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 3772 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 3772 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 3772 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 3772 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 3772 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 3772 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 3772 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp

Files

memory/3772-0-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\winlogon.exe

MD5 8c60f460950b78393884830f30990350
SHA1 fb34db6b9fcf426c49bc3e4abbd699a161f00632
SHA256 baeb79c0e0111a0ea27f4dfe6e387ef4e5816d14c6f30cded0b027d7504bcc48
SHA512 ea935bb7383d430ecdaff3383c41c3b2c11e57808b745477978fdec211cfc3e31f2672d2dd5b384850ab4c499643caf8633fb7be59d96f4963e65d2efa03c097

C:\Windows\xk.exe

MD5 3726d2a54962bf005f43583dfe07d7e3
SHA1 432725f549f2032a4ee8190a58500d18d27cc5ba
SHA256 9de156c671ec5588ba9287834a7437326fe890343931c3a8b993c267cfbb1cb6
SHA512 262d0cc9065ba265acea7909ca44462aca562dce606e4755308713e14f7412d97a80fa83c0d5da2a0e9067631def8a2d71cd55211e12cb8933a7a69648efefa1

C:\Windows\SysWOW64\IExplorer.exe

MD5 cd1fc4bce681e6f73ad5d77f0889b86f
SHA1 c653d18b24c21b5d499b36181ec1bcac0c845a50
SHA256 b3a5d3924c5ec07ec56927093f05383dc066e8061d726b00a339abc8f66e8ed7
SHA512 0666d6986bd4ddae0b0af69ae539dfe1ddf617386eee4c85f2b42a1542e4a4764d25bb77df17355f15d2bed3ad6f9f081b10790de82636cf3638b7c517ad3a11

memory/4904-114-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4600-115-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

MD5 28fa284569f6dba1259ddf772a34c2a1
SHA1 7c0fcd5c5812f6af17b6229d0fd247066cc1110f
SHA256 0482ca2aaf55182bbe1fd84ca4b9ad1723dcd4445e196c70527bf0fd5757ce4d
SHA512 54b2ceb9a4e77632499d20624c20abf551081dd7dd949c90436333a1f12a6b795a432b288de99f7229c31f6c746a64d27080d7fee261134e853667ca70e141aa

memory/4600-119-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1564-126-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 35a6611fbb46759efc8c2397cea9483f
SHA1 73c2b5944c5c9d62f4bde1356e6aa26b7bf2533e
SHA256 c92740592752e0c21d489b74b178afe461eeb51a8759f145b14b57b63d405862
SHA512 df9596d281402e6cda60babc839a1d5e8c3d034593b2e616391caaeb67ba5084ce4662fd62992f52ef29a5ec8445f73fcbdec991480def8cbc341e4086d6e8bb

memory/4340-133-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 78649cb018d807f6d854b221fc3eb144
SHA1 920eca0ee66e6e41c63e2d16176c440fdf0abb99
SHA256 598d82492503173077e85d8f54e7a43c82122119ea69282f06cd0aaf99946d78
SHA512 be7ae94f1cee6acc70446dc082e36a520d78f9eeb92b776af26101e735e2dd890b047190a3a0e2a9e1a6d7094c04bb7c17df50780c5888a5a9b8226c92d11429

memory/1760-138-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1760-140-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 c9e31a1354576b9c47ccfe6e077106dd
SHA1 2f4ffa6fcf1ec3b9900fcbeb73372d5f6a5a1f79
SHA256 8d2c43dd1e3c97818531b3ec4b6862eac2f32985a4a079c460f3108d270f8ce9
SHA512 3471e2983f623d7092deb898767a316dd9bbff2f5a31f70db7a29345eb6f8267cbb3c0a6d78de28105caffe782194aeba43bbc95d0602a62b295b665d003c9be

memory/3280-147-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 3b0aebe993e45323a8ccb46ef331a9d2
SHA1 72072d718153ea07775a1a70518887c2c02b6834
SHA256 29f03b6d203139b31598e7f01abf5d8212e2ce3fc08728a8dd1e7debd97ac1a8
SHA512 4a352f82b9c41f03ab939a645a7bf1e4b1f631d61e916de63cf7a02d0ad0626d0a0e3d7f6b5c718f2093e2bc6ea96609357b8cae85d9b331240f2e7f37f26ec3

memory/3792-154-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3772-156-0x0000000000400000-0x000000000042F000-memory.dmp