Malware Analysis Report

2025-01-06 10:58

Sample ID 240601-fkc2tabc32
Target 8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe
SHA256 32c49551e197f9761ab99574e8d34f365c32fbb901b267905d825760898031c9
Tags evasion, persistence
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 32c49551e197f9761ab99574e8d34f365c32fbb901b267905d825760898031c9

Threat Level: Known bad

The file 8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

Tags evasion, persistence

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Modifies visibility of file extensions in Explorer

Disables RegEdit via registry modification

Disables use of System Restore points

Loads dropped DLL

Modifies system executable filetype association

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry class

Modifies Control Panel

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 04:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 04:55

Reported

2024-06-01 04:58

Platform

win7-20240221-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1692 wrote to memory of 2668 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe C:\Windows\xk.exe
PID 1692 wrote to memory of 2712 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1692 wrote to memory of 2156 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 1692 wrote to memory of 1724 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 1692 wrote to memory of 1600 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 1692 wrote to memory of 1428 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 1692 wrote to memory of 2148 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Network

N/A

Files

memory/1692-0-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\winlogon.exe

MD5 8e49e2f10a63be7080faef510a3a3130
SHA1 7a08cbf96d1bf277b4e5dca9e4fb682af8256f53
SHA256 32c49551e197f9761ab99574e8d34f365c32fbb901b267905d825760898031c9
SHA512 3dbb5a15fdfc5a5428c6abad71dae778e5cf0e234489b00df6296858eb3020681cab24ff7e4d4018c8aaf82f225164af60c6e73b540f3e93c33410eddda8971f

C:\Windows\xk.exe

MD5 d2a70df3c869b4cb0294e9f1fc258dd0
SHA1 366794aa44ca25337daef032bf14e2e8cc09f60d
SHA256 128075bdbf23f1813c11c980911a79b5c5bf5b31797aa5f3a0e63b1321145aa0
SHA512 a4c5abf7b69f282ae507f2e86079ad875a7dd292de01af9f1e2cf2f6d5138ffd4e529c0185e3511cbd1e20a3305ffca06d23704844318b98d81e9533032438cd

memory/1692-111-0x00000000030B0000-0x00000000030DE000-memory.dmp

memory/1692-110-0x00000000030B0000-0x00000000030DE000-memory.dmp

\Windows\SysWOW64\IExplorer.exe

MD5 3c41eaefb97e7e783a5fff072aa5a2fc
SHA1 f4b3e0a56920d9047e1fcde61b43a033fbd3800f
SHA256 e065bdbbaf6461c36dae3a11aef91a7c5f6fedc1113406f8b76a68c28b5f5330
SHA512 66370ed7b1dbb6f518a53113353209cf99a7397924761bc43326257ef0c06ade37dd6099843be3612e5eb4dfb534d673289178987f9bafbb8d5ff50d1876e432

memory/1692-116-0x00000000030B0000-0x00000000030DE000-memory.dmp

memory/2668-115-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2712-128-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2712-126-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1692-125-0x00000000030B0000-0x00000000030DE000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 a52443e73ec41faf550faffb31df547e
SHA1 d059721a92ff93f49984b40c588e0cf8c950387e
SHA256 4176a4875c37cd2db72a9b796081788722b85eb5c254af68eca46bfca69e87d3
SHA512 47268bdb3349de5860f9d101b514a46419ba9e4b8412478343a4dec9b90ccd7273198269e8cf337a53f6952ecd104fff4fe0c5302360d40ff510b6dedb07d88f

\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 f765f079c2878b0110b58bc0c18ca5c7
SHA1 e9da31dc3a8ca1b0c02bf119ccd2b2cd81ab510c
SHA256 5a275eb9702b3016a72c863ed8f948cf970f10b07d372642367edc5870e5c58d
SHA512 87b883024ae8fea5e560fddf2a200774895c2dd1d93f14bbf79815800cd8b2c626caa249f2e7978ee1367d865fb43aacd0f63ea7ba29e60553a28489134f0017

memory/2156-141-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1692-148-0x00000000030B0000-0x00000000030DE000-memory.dmp

memory/1692-147-0x00000000030B0000-0x00000000030DE000-memory.dmp

memory/1724-149-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 98dbe8a60e160dc6fee179af45d91cc0
SHA1 cd47a897c8195c425d533da8a550bc0f27b1a9e8
SHA256 7b05e74800cdaaf63bfe366db336e7ac59b98c0b22bda4df91583acbe7ac855f
SHA512 04782fb2eada28e5885d9e52d69b78a45cda645ef4b0850a6f1c3cc1abe0fbbdf66b7cc8e11726c89829f72569e2b1e48512c023d508adce3c389d02114ef0ca

memory/1724-153-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1600-163-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 53258423edec2d50fef1c7c1f05ad384
SHA1 9e76479aa33dbc5f6d8bbee7312d502c3c413cfc
SHA256 29ef7023a4e947a78728e8373179cc0f802cb66c32964a22b773d583eb6df156
SHA512 0c70380a21030e1f8fb2567cf83cecad7e6ab9c253b3a15777646124e1e644a7a76dc34a8fe1b8fe930c364107ac81f915b702a4a05d2e710f4feb34e6eddb4f

memory/1428-174-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 cc3a80c03ff0dd33469d5a4b9d7a0eeb
SHA1 4df7cd0401f37dd787491b933fcd78c82b5ae46c
SHA256 043f0273e3f41818e91f7ed4215f7026a4ce18cd8456c6896e542d67ab74e55a
SHA512 f3e690b747fca470d0cb2415ef5da48db9188763d0f8b6ef2d6268c51d3c3382c7d2fcf49853b709961e3657c1b843f0c91b8508c2c64d47b3e7d991b9ade939

memory/1692-182-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1692-188-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2148-187-0x0000000000400000-0x000000000042E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 04:55

Reported

2024-06-01 04:58

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1576 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe C:\Windows\xk.exe
PID 1576 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe C:\Windows\xk.exe
PID 1576 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe C:\Windows\xk.exe
PID 1576 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1576 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1576 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1576 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 1576 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 1576 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 1576 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 1576 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 1576 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 1576 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 1576 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 1576 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 1576 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 1576 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 1576 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 1576 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 1576 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 1576 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8e49e2f10a63be7080faef510a3a3130_NeikiAnalytics.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/1576-0-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\winlogon.exe

MD5 8e49e2f10a63be7080faef510a3a3130
SHA1 7a08cbf96d1bf277b4e5dca9e4fb682af8256f53
SHA256 32c49551e197f9761ab99574e8d34f365c32fbb901b267905d825760898031c9
SHA512 3dbb5a15fdfc5a5428c6abad71dae778e5cf0e234489b00df6296858eb3020681cab24ff7e4d4018c8aaf82f225164af60c6e73b540f3e93c33410eddda8971f

C:\Windows\xk.exe

MD5 afe9418d23e2e08bca1e61c997a4a2c0
SHA1 a2ca87a8b6d077ac26259777883e7e4e63a858f9
SHA256 94a33dda867d777a87d675438342d222abf03a1fa0f89c5e4075f3f56f018299
SHA512 21ea56863f2ec0af10345911828aeaa55035593a02220c615530eb4d44de21776d0f68be5480f3935b29a6b8ec8d26cd46e7962d31b41a10f303d940c785ea4b

memory/4676-108-0x0000000000400000-0x000000000042E000-memory.dmp

memory/4676-112-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Windows\SysWOW64\IExplorer.exe

MD5 08a43b436fad42d9a001d55998916b40
SHA1 8f4966feec98d36c9a5844f11d540c23201d9c48
SHA256 f237c4d046594995a7eb3cc28248a48672e2b4bfb0c5cd6306f767f0253cc3bf
SHA512 8b748ab5bca949cd81233097d11bd17710f1f8f49b65ba4ecd3083bfb0c509daca99b4fccf9a508586db23102a497027810003de05f011d4abf0a574da952489

memory/1032-119-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 7b4bde68170ea80b0a2b0d75f89b0850
SHA1 03ccccf9f9742ad3324b268431cd33c52f721db6
SHA256 fceee86ef8b2b59ef3cc9fd27e7ad6ff92769e1ddd7007978f8427f285a75895
SHA512 68671c62659f8671844dff68020f3c4643c4fe4377415cad829184ee188c5df051f1c342d9f2ae3edb91a4d4a8e3326ffde2fb3ec0de806fa55672ec04a4f644

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 f93b9f5fc75b90e6e7c06d886f0eff88
SHA1 384a2dfdf838a9b4d10e80374e2d4d740657662f
SHA256 1f7e0969a4cd1e1ac37712e3845abd7fd895ac61c5fe9c381d7544d87465340e
SHA512 5c6edfc64d3b0071c6e4f54ddaa1a886fde308a931561de5644e6b610e3cbcf7e63d871bd348238b4d71cb651aff2075cf0876b81093d7d190c517a9d80fc35a

memory/4204-128-0x0000000000400000-0x000000000042E000-memory.dmp

memory/4712-135-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 7fc1db2ba81c9887f1f38fcdda8490e1
SHA1 2c683195a2672e614eee5281aba456bd79bad46e
SHA256 602877f0423d16236c99c98c5123119c285faa2626153beb0cdc0cdc4e871f7d
SHA512 48b8ce4569f0ae7c7a927c28169a463c75e285c79410b0cd6e1b28e140da0f2aafaa5cfa805c57adab33632ec781a80a888c5c6afc7758a5575768ccf6349e48

memory/3592-139-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 abb5825f8762d1679fb70df43572f2e1
SHA1 7fe04d0deb113e442c952b27182f4d6ec4fb03f3
SHA256 636736ec0593b184720a8b222b5fa5ee772f826e775fa7a3da7bc9f965d94d8c
SHA512 3540ffc639ec4a31653b0f8d8784d7b029575cf7a5317db38d944a138daf011bcfa667827bbd4d9ad7a94d17fb1a1d1a27c768b4e2061ee4bbd376b141698898

memory/2924-145-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 7752828f96d420dface7d0f900f8d99b
SHA1 028ea1542c766a862888ee3724a18323f1588d90
SHA256 4fd6834c415a4683dcef9be33e491c9f5ed1133f775335227a2084ef37aedb73
SHA512 75d6673d57d57e2b4f46eaa093fae63a070381cffc7bab811eec5705c10e7d86c59261098805b4cfab4047032bb2a21c725fa46416ab8bdf521108e0212128fb

memory/3096-152-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1576-154-0x0000000000400000-0x000000000042E000-memory.dmp