Malware Analysis Report

2025-01-06 09:50

Sample ID 240601-f4ckdsbd2z
Target 8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe
SHA256 9ccd62dcf31aba76bedade8b90685fd028f56899e5607821c123572882fd2495
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9ccd62dcf31aba76bedade8b90685fd028f56899e5607821c123572882fd2495

Threat Level: Known bad

The file 8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of file extensions in Explorer

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Disables RegEdit via registry modification

Disables use of System Restore points

Modifies system executable filetype association

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System policy modification

Modifies Control Panel

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 05:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 05:25

Reported

2024-06-01 05:27

Platform

win7-20240215-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1512 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe C:\Windows\xk.exe
PID 1512 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe C:\Windows\xk.exe
PID 1512 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe C:\Windows\xk.exe
PID 1512 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe C:\Windows\xk.exe
PID 1512 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1512 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1512 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1512 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1512 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 1512 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 1512 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 1512 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 1512 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 1512 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 1512 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 1512 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 1512 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 1512 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 1512 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 1512 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 1512 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 1512 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 1512 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 1512 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 1512 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 1512 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 1512 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 1512 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
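
The Winlogon, file-association, Run-key, Control Panel and policy rows above are one technique class: a registry value whose stock content is known gets overwritten so that the dropped binaries run at every logon (Shell/Userinit), at every launch of an .exe/.bat/.com/.pif/.lnk (the shell.exe open command), after the idle timeout (SCRNSAVE.EXE), and the user is then locked out of undoing it (DisableRegistryTools, NoFolderOptions, hidden extensions). The script below is an added example, not code from this report or from the sample: it parses rows in the "Set value" format used by the tables above (behavioral2 uses the same format), canonicalises keys so the HKLM/HKU and Wow6432Node variants hit the same rule, and reports every value that differs from a clean host. The Windows defaults, the allow-listed program directories and the stock screensaver names it uses are assumptions for a stock Windows 7/10 install and should be tuned per fleet.

```python
"""Audit 'Set value' rows from a sandbox signature table against clean-host
defaults.  Added example, not code from the report or the sample.  The defaults,
allow-listed directories and stock screensaver names are assumptions for a
stock Windows 7/10 install; tune them per fleet."""
import re

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe"
# Rows copied from the behavioral1 tables above (PROC stands for the sample
# path); the last row is a constructed benign control with the stock value.
SAMPLE_ROWS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" PROC N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" PROC N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" PROC N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" PROC N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" PROC N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" PROC N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" PROC N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" PROC N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" PROC N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" PROC N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" PROC N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" PROC N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" PROC N/A
'''.replace('PROC', SAMPLE_EXE)

# One row: 'Set value (type) <key> = "<escaped value>" <process> <target>'.
ROW = re.compile(r'^Set value \((?:str|int)\) (?P<key>.+?) = "(?P<val>(?:[^"\\]|\\.)*)" (?P<proc>\S+) (?P<target>\S+)$')
USERINIT = 'c:\\windows\\system32\\userinit.exe'           # assumed stock value
SYSTEM_DIRS = ('c:\\windows\\system32\\', 'c:\\windows\\syswow64\\',
               'c:\\program files\\', 'c:\\program files (x86)\\')
SYSTEM_NAMES = {'smss.exe', 'csrss.exe', 'winlogon.exe', 'services.exe', 'lsass.exe', 'svchost.exe'}
STOCK_SCREENSAVERS = {'scrnsave.scr', 'sstext3d.scr', 'bubbles.scr', 'mystify.scr',
                      'ribbons.scr', 'photoscreensaver.scr'}   # assumed stock set


def canon(key: str) -> str:
    """Map \\REGISTRY\\MACHINE to HKLM and \\REGISTRY\\USER\\<sid> to HKU, and drop
    Wow6432Node, so one rule covers both hives and both bitnesses.  A trailing
    backslash marks the key's (Default) value."""
    parts = key.split('\\')
    if parts[:3] == ['', 'REGISTRY', 'MACHINE']:
        hive, rest = 'HKLM', parts[3:]
    elif parts[:3] == ['', 'REGISTRY', 'USER']:
        hive, rest = 'HKU', parts[4:]
    else:
        hive, rest = 'UNKNOWN', parts[1:]
    return hive + '\\' + '\\'.join(p for p in rest if p.lower() != 'wow6432node')


def parse_rows(text: str):
    """Yield (canonical key, unescaped value) for every 'Set value' row."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            yield canon(m['key']), re.sub(r'\\(.)', r'\1', m['val'])


def audit_value(key: str, val: str):
    """Return (severity, reason) when VAL is not what a clean host has, else None."""
    k, v = key.lower(), val.strip().lower()
    if k.endswith('\\winlogon\\shell'):
        if v != 'explorer.exe':
            return 'high', 'Winlogon Shell is no longer just explorer.exe; the extra binary runs at every logon'
    elif k.endswith('\\winlogon\\userinit'):
        if [e.strip() for e in v.split(',') if e.strip()] != [USERINIT]:
            return 'high', 'Winlogon Userinit lists an extra executable started before the shell'
    elif re.search(r'\\classes\\(exefile|comfile|batfile|piffile|lnkfile)\\shell\\open\\command\\$', k):
        if v != '"%1" %*':
            return 'high', 'file-type open command hijacked; every launch of this type goes through the listed binary'
    elif k.endswith('\\classes\\exefile\\'):
        if v != 'application':
            return 'medium', f'exefile type name changed to "{val}", so .exe files masquerade in Explorer'
    elif k.endswith('\\policies\\system\\disableregistrytools'):
        if v not in ('', '0'):
            return 'medium', 'Registry Editor disabled by policy'
    elif k.endswith('\\policies\\explorer\\nofolderoptions'):
        if v not in ('', '0'):
            return 'medium', 'Folder Options removed, so the user cannot undo the Explorer changes'
    elif (k.endswith('\\explorer\\advanced\\hidefileext') and v == '1') or \
         (k.endswith('\\explorer\\advanced\\showsuperhidden') and v == '0'):
        return 'low', 'Explorer set to hide file extensions or protected system files'
    elif '\\currentversion\\run\\' in k:
        path = v.strip('"')
        name = path.rsplit('\\', 1)[-1]
        if name in SYSTEM_NAMES and not path.startswith(SYSTEM_DIRS[:2]):
            return 'high', f'Run entry launches a {name} that is not in System32'
        if not path.startswith(SYSTEM_DIRS):
            return 'medium', 'Run entry launches a binary outside the standard program directories'
    elif k.endswith('\\control panel\\desktop\\scrnsave.exe'):
        if v.rsplit('\\', 1)[-1] not in STOCK_SCREENSAVERS:
            return 'medium', 'screensaver replaced by a non-stock .scr that runs after the idle timeout'
    return None


def audit(text: str):
    """Return (severity, key, value, reason) tuples for every deviating row."""
    out = []
    for key, val in parse_rows(text):
        hit = audit_value(key, val)
        if hit:
            out.append((hit[0], key, val, hit[1]))
    return out


if __name__ == '__main__':
    for sev, key, val, why in audit(SAMPLE_ROWS):
        print(f'[{sev:6}] {key} = {val!r}\n         {why}')
```

The same rules can be pointed at `reg export` output or a parsed hive from a suspect host; the Winlogon Shell/Userinit and the exefile open-command checks carry the most weight, since a second executable in those values is almost never legitimate, whereas a Run entry or a hidden-extension preference needs the path and process context before it is treated as more than a lead.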

Processes

C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
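
The WriteProcessMemory table and the process list above show the sample (PID 1512) spawning six children, five of them named after core Windows processes (WINLOGON.EXE, CSRSS.EXE, SERVICES.EXE, LSASS.EXE, SMSS.EXE) but launched from the user's profile, plus an IExplorer.exe dropped into SysWOW64. The script below is an added example, not code from the report: it collapses the repeated write rows into one entry per parent/child pair and classifies each child by comparing its image name and directory with where the genuine binaries live. The expected locations are assumptions for a stock Windows 7/10 install; the edit-distance lookalike check goes beyond what the report shows and will also catch near-miss names such as scvhost.exe.

```python
"""Rebuild the parent->child spawn list from 'wrote to memory of' rows and flag
children whose image name imitates a Windows system process.  Added example,
not code from the report; the expected directories of the well-known images
are assumptions for a stock Windows 7/10 install (tune for your fleet)."""
import re

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe"
# Rows copied from the behavioral1 WriteProcessMemory table above (PROC stands
# for the sample path); the sandbox emits one row per write, four per child.
SAMPLE_ROWS = r'''
PID 1512 wrote to memory of 2128 N/A PROC C:\Windows\xk.exe
PID 1512 wrote to memory of 2128 N/A PROC C:\Windows\xk.exe
PID 1512 wrote to memory of 2128 N/A PROC C:\Windows\xk.exe
PID 1512 wrote to memory of 2128 N/A PROC C:\Windows\xk.exe
PID 1512 wrote to memory of 3064 N/A PROC C:\Windows\SysWOW64\IExplorer.exe
PID 1512 wrote to memory of 3064 N/A PROC C:\Windows\SysWOW64\IExplorer.exe
PID 1512 wrote to memory of 3044 N/A PROC C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 1512 wrote to memory of 2844 N/A PROC C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 1512 wrote to memory of 1584 N/A PROC C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 1512 wrote to memory of 2864 N/A PROC C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 1512 wrote to memory of 2732 N/A PROC C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
'''.replace('PROC', SAMPLE_EXE)

ROW = re.compile(r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<paths>.+)$')
SYS = ('c:\\windows\\system32\\', 'c:\\windows\\syswow64\\')
# Where each well-known image legitimately lives (assumption, stock install).
KNOWN = {
    'smss.exe': SYS, 'csrss.exe': SYS, 'wininit.exe': SYS, 'winlogon.exe': SYS,
    'services.exe': SYS, 'lsass.exe': SYS, 'svchost.exe': SYS, 'userinit.exe': SYS,
    'explorer.exe': ('c:\\windows\\',),
    'iexplore.exe': ('c:\\program files\\internet explorer\\',
                     'c:\\program files (x86)\\internet explorer\\'),
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; two edits covers typosquats like scvhost/svchost."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(path: str):
    """Return (verdict, detail) with verdict ok | masquerade | lookalike | unknown."""
    directory, name = path.lower().rsplit('\\', 1)
    directory += '\\'
    if name in KNOWN:
        if directory in KNOWN[name]:
            return 'ok', 'well-known image in its expected directory'
        return 'masquerade', f'{name} outside {" or ".join(KNOWN[name])}'
    stem = name.rsplit('.', 1)[0]
    near = sorted(k for k in KNOWN if edit_distance(stem, k.rsplit('.', 1)[0]) <= 2)
    if near:
        return 'lookalike', 'within two edits of ' + ', '.join(near)
    return 'unknown', 'not a well-known image name'


def spawn_tree(text: str):
    """Collapse repeated write rows to one entry per (parent, child) and classify the child."""
    entries = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        # Both paths sit in one column separated by a space; split before the
        # second drive letter so paths containing spaces ('Local Settings') survive.
        src, dst = re.split(r' (?=[A-Za-z]:\\)', m['paths'], maxsplit=1)
        key = (int(m['src']), int(m['dst']))
        e = entries.setdefault(key, {'parent': src, 'child': dst, 'writes': 0})
        e['writes'] += 1
    for e in entries.values():
        e['verdict'], e['detail'] = classify(e['child'])
    return [dict(parent_pid=p, child_pid=c, **e) for (p, c), e in entries.items()]


if __name__ == '__main__':
    for e in spawn_tree(SAMPLE_ROWS):
        print(f"{e['parent_pid']} -> {e['child_pid']} [{e['verdict']:10}] x{e['writes']} "
              f"{e['child']}  ({e['detail']})")
```

The classify() rule maps directly onto process-creation telemetry (Sysmon Event ID 1 or an EDR process event): image basename in the protected set and image directory not in its expected set. Treat the write count with caution: a parent writing into a child it has just created is normal during process creation, so the four writes per child here are weak evidence on their own; the child's name and path are the signal.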

Network

N/A

Files

memory/1512-0-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\services.exe

MD5 8f1cb7f2980c46214d2f3172da1a16d0
SHA1 b3030c8a2442f19dc5ff9acc0afefdc65d15683e
SHA256 9ccd62dcf31aba76bedade8b90685fd028f56899e5607821c123572882fd2495
SHA512 a3e23d8012b7c393a09fe8537574010b953d67608f630443feccf8c9c2663ea165c2b66438a96096f3dd14e786a801459d814bf4943c8a6dc79ee4d5fb1bf0ea

C:\Windows\xk.exe

MD5 2068042837162e96642f0da6f0c6a163
SHA1 e8d731a075e92be75246589bdf5223203a468e42
SHA256 da60b811f483771aea168fdc8906258a26e8ca6c5edc78367e147ed06fc35d23
SHA512 51554b1e7a253f400815f3ab8d2e73fc3dfacffbafb74a8e11233b540c66e7d0c7e7f344db2e67d835eba0373861187dad252a63989aa69025849c1fa79ff80c

memory/2128-111-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1512-110-0x0000000002470000-0x000000000249E000-memory.dmp

memory/1512-109-0x0000000002470000-0x000000000249E000-memory.dmp

memory/2128-114-0x0000000000400000-0x000000000042E000-memory.dmp

\Windows\SysWOW64\IExplorer.exe

MD5 89db19578d8e49b0ea507be19a689fbe
SHA1 7823eeae8dc5b122ed1b473bf226794dc3f31d32
SHA256 df9670f1d9aaef216ee82729c1d226a533de4644c496d17cd611c809c36996ed
SHA512 02f042c325134ba0c488221c3599f10cd2b5ca8a9dd5c09ce5f550c3459b9314acae2d6accb9a4796198c8be580b61cffae49d29fc6ef30a93f408791e49ee8c

memory/1512-116-0x0000000002470000-0x000000000249E000-memory.dmp

memory/3064-125-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 f5d21d61fd7d7589ee031c1c0bff36d1
SHA1 dd39cf5048359adca60151f2cfd846e2481b4785
SHA256 218376508d46055025e258c3f3c63870d7353c0ffa91ea6ec231acfe699e25c9
SHA512 f53438ea97cbd4c7524feaf8cdec538536f75666db18bfe1d662bbf97a8ca2e4da0625dc9745bc4ee5edbc9cc1ec2401418aecf2b29d0904ae718ff83437b722

memory/3044-135-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3044-137-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 86acb8b5d5a611a96fb3546604f7963e
SHA1 a5139ad73f689868333d2cdd92d2f9325de5dbea
SHA256 e9f9ee30c442ba58e3545c85000bb6e932a1eb4952fcddfe76cda8da4b040471
SHA512 2c30b9d6866d289f5db8ffd0b1a9d0f0e33174f6e508c7dbbf485ac9afd6073784baaa691fb84823e746230fcbcb6294479f1465cde27d9b3f45b2285d159f70

memory/1512-145-0x0000000002470000-0x000000000249E000-memory.dmp

memory/1512-146-0x0000000002470000-0x000000000249E000-memory.dmp

memory/2844-149-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 c392ea9c29a3e42dd67bcef48105e9cc
SHA1 802bb4c48b7e8ef1c8b2cb015ae528c1ef6fd3cd
SHA256 0d0fc467fdbdb8fe751eabd54bb94ae166a32c35a421260b401ba0954463ad58
SHA512 a91aea37ed5c458cabadd61caad2b447d1ae26b8b70a6ede3f47eb11e0aff06686fd0ed709330dae535398b5e8f7c41ecfbe1a5efacf68e2c52d4964387a4e21

memory/1584-159-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 ec30af7c9311b071e21bb3d9c7d855e2
SHA1 041f59ae5508a89bafc2b24e6926c445954d9c60
SHA256 c59b39b3ed413bc11e50c08cd5f6fa471c0b98c455221ece44d8147e95313599
SHA512 b1c30af089ebd8094493cfac7779128e14671b47e24ce07a186f3a2fbd4ac453130ad1e1dcb8552ae911f116a642eb60ab4e66f243660e9bc8d4be32d426b157

memory/2864-168-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1512-166-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2864-171-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 57bc4982e131a3d27009fa8e9574aed9
SHA1 cbf5729bccc80fcf18064cc139704f2d3d0459e1
SHA256 b72675a1774954edf79f2637db4362af96292eca6d68405f69ee6a638da20aca
SHA512 40e7e46f0ab4a6f3acf6850b45418a6702a983ee333fa5201f809829c9660c7b835935b73c005655aac7ca67860f1fe649a9864f53b2f39f3bad4cbf2b53127e

memory/1512-179-0x0000000002470000-0x000000000249E000-memory.dmp

memory/2732-184-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1512-185-0x0000000000400000-0x000000000042E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 05:25

Reported

2024-06-01 05:27

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2492 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe C:\Windows\xk.exe
PID 2492 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2492 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2492 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2492 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2492 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2492 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8f1cb7f2980c46214d2f3172da1a16d0_NeikiAnalytics.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/2492-0-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\winlogon.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

memory/3296-114-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1320-119-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

memory/764-127-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

memory/3548-128-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3548-133-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

memory/3260-141-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

memory/1608-146-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

memory/1592-153-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2492-155-0x0000000000400000-0x000000000042E000-memory.dmp