0a8e8012c6e4d632b06494dc039465a057cdd756f897e5b093215e0b6031af5e

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
02/06/2024, 04:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
Size

91KB
MD5

3a50ce1fdd93ae5fbc810c8d4cd9a3a0
SHA1

fb585d9b5a2e8cc49cd27995e26426f661201a31
SHA256

0a8e8012c6e4d632b06494dc039465a057cdd756f897e5b093215e0b6031af5e
SHA512

47da6bb1c7a4d3debf07b2c01f641dd1c56c0f43ffb68c0aceaa5d8c746bdf3d155e6df33df4e7f76f5cdc8d044566e5bd0ebb64a74727bff6fd7434ab205304
SSDEEP

1536:kRsjd3GR2Dxy387Lnouy8VT8Rsjd3GR2Dxy387Lnouy8VTY:kOgUXoutN8OgUXoutNY

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
1836	xk.exe
1304	IExplorer.exe
1456	WINLOGON.EXE
2692	CSRSS.EXE
1460	SERVICES.EXE
2936	LSASS.EXE
1708	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
2916	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
2916	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
2916	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
2916	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
2916	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
2916	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
2916	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
2916	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
2916	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
2916	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
2916	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
2916	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2916-0-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x000b0000000146a2-8.dat	upx
behavioral1/memory/2916-105-0x00000000004C0000-0x00000000004EF000-memory.dmp	upx
behavioral1/files/0x00070000000147ea-108.dat	upx
behavioral1/memory/1836-114-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0007000000014abe-113.dat	upx
behavioral1/memory/1304-123-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000014b31-124.dat	upx
behavioral1/memory/1456-136-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000014b70-137.dat	upx
behavioral1/memory/2692-146-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000014de9-147.dat	upx
behavioral1/memory/1460-154-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1460-158-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000014ef8-159.dat	upx
behavioral1/memory/2916-162-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2936-168-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2936-171-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000015018-172.dat	upx
behavioral1/memory/2916-179-0x00000000004C0000-0x00000000004EF000-memory.dmp	upx
behavioral1/memory/1708-182-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2916-184-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell.exe	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mig2.scr	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
File created	C:\Windows\xk.exe	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2916	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2916	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
1836	xk.exe
1304	IExplorer.exe
1456	WINLOGON.EXE
2692	CSRSS.EXE
1460	SERVICES.EXE
2936	LSASS.EXE
1708	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 1836	2916	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe	28
PID 2916 wrote to memory of 1836	2916	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe	28
PID 2916 wrote to memory of 1836	2916	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe	28
PID 2916 wrote to memory of 1836	2916	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe	28
PID 2916 wrote to memory of 1304	2916	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe	29
PID 2916 wrote to memory of 1304	2916	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe	29
PID 2916 wrote to memory of 1304	2916	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe	29
PID 2916 wrote to memory of 1304	2916	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe	29
PID 2916 wrote to memory of 1456	2916	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe	30
PID 2916 wrote to memory of 1456	2916	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe	30
PID 2916 wrote to memory of 1456	2916	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe	30
PID 2916 wrote to memory of 1456	2916	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe	30
PID 2916 wrote to memory of 2692	2916	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe	31
PID 2916 wrote to memory of 2692	2916	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe	31
PID 2916 wrote to memory of 2692	2916	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe	31
PID 2916 wrote to memory of 2692	2916	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe	31
PID 2916 wrote to memory of 1460	2916	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe	32
PID 2916 wrote to memory of 1460	2916	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe	32
PID 2916 wrote to memory of 1460	2916	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe	32
PID 2916 wrote to memory of 1460	2916	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe	32
PID 2916 wrote to memory of 2936	2916	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe	33
PID 2916 wrote to memory of 2936	2916	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe	33
PID 2916 wrote to memory of 2936	2916	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe	33
PID 2916 wrote to memory of 2936	2916	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe	33
PID 2916 wrote to memory of 1708	2916	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe	34
PID 2916 wrote to memory of 1708	2916	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe	34
PID 2916 wrote to memory of 1708	2916	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe	34
PID 2916 wrote to memory of 1708	2916	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe	34

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2916
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1836
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1304
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1456
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2692
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1460
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2936
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\services.exe

Filesize
91KB

MD5
3a50ce1fdd93ae5fbc810c8d4cd9a3a0

SHA1
fb585d9b5a2e8cc49cd27995e26426f661201a31

SHA256
0a8e8012c6e4d632b06494dc039465a057cdd756f897e5b093215e0b6031af5e

SHA512
47da6bb1c7a4d3debf07b2c01f641dd1c56c0f43ffb68c0aceaa5d8c746bdf3d155e6df33df4e7f76f5cdc8d044566e5bd0ebb64a74727bff6fd7434ab205304

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
62f14e3d36f386fc79409774697cc3de

SHA1
f6dc05839e06adbfe1bca9eb9a4128498b914f7d

SHA256
7e7b3b0a4305088def4dbdd64a6332d08992ee0e57dc114daf31671967bec329

SHA512
da7cdbf3b14a0ad1cab7d561f614048c06d6f76e589a72d2b5d947ba2c7e60ae631349cc22a8761e4efdc257305de4dbce27c733ccf4a9be33781d868f1c2002

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
a9ddaa5472d025d27cd06f4679616932

SHA1
77451fc5b808dd80d50e26f32bf249cf3b20e1fc

SHA256
a893b8814b7c3a4c177fa3904702360c8d37c1d93c579a22f759726613a81c60

SHA512
c24f3f49dabfa397fbd75b53ff7941e828c4f85d8733d9b607c9b6f6121c5e066bd4d6de22d5834cb9874c497b471b720063abc8bfdb1a1b282bd3518b65b731

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
24589ab8cb799bcc6b8c2e22e6b40cdd

SHA1
0d6f385b05b4de55f3bc2809773b2162884e73a6

SHA256
f0595ec8f0064f80f55c2018ddd9235ff55d8edc8e6c0856892e81ebd0a436da

SHA512
76d673ea62030241d0a7ab19b5052fa6bd8557fcc91fdbb229e7e1b99f4bd792d9312213f1e153784f483d47cd80491b3e9df45aa96d62f43976ffb9293cce27

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
cd5eb20bbfadd19f1f0c92875a03d046

SHA1
8714b7aca4bfc1e00bd805ee9bd3acb0db7a0771

SHA256
49c9bb436b90bba9f3546cacff84880750a9f7fd07e58b6c8f919e1bea3f909b

SHA512
c83ec21dc67ff39b443f164f82294689170e2bd3f0ceaf5c89e39eaa831e3c6fde9b2f16d006c674bc1c79cab460c21241a92226cfdc3f92ccfbb7310f5381ff

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
4f541498697e32f0d832f6d09ee8fcd2

SHA1
ae5407f048e931fa14a6682776c23839a95dc67b

SHA256
1e3a1f8efce01ecf904ab1a098912701584e3f1c0b8cdc650b8c896d39b064bd

SHA512
353a48dbbff29635fb51b43317eea1d0b5f9f2b06f8703646b8bdb69965cb3f15cabd901f3a02cfad945550949d6f07af6635da7e01f89b8c1941e7e538eb717

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
76ffdc51501cc923197b8b634c2f3885

SHA1
ce42b4155baef6a0338e63da8e0a1ee6e7f54687

SHA256
51d3728676bbec02c180bc7f0b59244e502e5c3861a19dc1acc4fce44bb48bb8

SHA512
2d706f0f6ea514f09a9341b62a39372f5159a98b263f128181c2a01a6785f407541701ca5db62ceee8851846390aa6b17ad5b8965ca336579eb383e82532b234

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
462eceba04d5abe3e3eb3cbed64a44b7

SHA1
3f1121794d31f5d9d5973fffd979cfb61255c18a

SHA256
6a0d4688f97e484c16ae2ee0a6897060f2b1b526901f770b4613d9049960d562

SHA512
5d3f8735588129eace5825a8847ce9603acb55b40dbf16f4270ff14e173589a0d13c954f5e0d96040ba6bf5dbb23c72aef6ca969618c73ef02aa3cd7e9d48bc9

Download Submit
memory/1304-123-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1456-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1460-154-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1460-158-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1708-182-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1836-114-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2692-146-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2916-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2916-132-0x00000000004C0000-0x00000000004EF000-memory.dmp

Filesize
188KB

Download
memory/2916-162-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2916-166-0x00000000004C0000-0x00000000004EF000-memory.dmp

Filesize
188KB

Download
memory/2916-131-0x00000000004C0000-0x00000000004EF000-memory.dmp

Filesize
188KB

Download
memory/2916-179-0x00000000004C0000-0x00000000004EF000-memory.dmp

Filesize
188KB

Download
memory/2916-105-0x00000000004C0000-0x00000000004EF000-memory.dmp

Filesize
188KB

Download
memory/2916-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2936-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2936-171-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download