Malware Analysis Report

2025-06-16 07:28

Sample ID 240602-fhms8scc55
Target 3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe
SHA256 0a8e8012c6e4d632b06494dc039465a057cdd756f897e5b093215e0b6031af5e
Tags
upx evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0a8e8012c6e4d632b06494dc039465a057cdd756f897e5b093215e0b6031af5e

Threat Level: Known bad

The file 3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

upx evasion persistence

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Modifies WinLogon for persistence

Disables RegEdit via registry modification

Disables use of System Restore points

Executes dropped EXE

Modifies system executable filetype association

Loads dropped DLL

UPX packed file

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies Control Panel

System policy modification

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-02 04:52

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-02 04:52

Reported

2024-06-02 04:55

Platform

win7-20231129-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (22 matches; the sandbox records no indicator, process or target detail for this signature)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2916 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Windows\xk.exe
PID 2916 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Windows\xk.exe
PID 2916 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Windows\xk.exe
PID 2916 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Windows\xk.exe
PID 2916 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2916 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2916 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2916 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2916 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2916 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2916 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2916 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2916 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2916 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2916 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2916 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2916 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2916 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2916 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2916 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2916 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2916 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2916 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2916 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2916 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2916 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2916 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2916 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
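
Host triage for the artifacts above, as an added example written for this report (it is not sandbox output and not part of the sample). It checks the same registry locations and file paths that both detonations (behavioral1 and behavioral2) record, for the current user's hive plus HKLM. It assumes a 64-bit host: the sample is 32-bit, so its HKLM\SOFTWARE writes to the Winlogon and Run keys land under Wow6432Node (those keys are redirected by WOW64) while its Classes and Policies writes go to the shared keys, which is exactly the split the tables above show. The native Winlogon key is what winlogon.exe actually reads, and the files the sample names as system32 were written to SysWOW64, so the script checks both views and both directories rather than trusting the value text. It matches dropped files by path, not hash, because the copies listed under Files each carry a different hash. The clean-host defaults compared against (Shell = explorer.exe, Userinit = C:\Windows\system32\userinit.exe, and "%1" %* for the exefile/comfile/batfile/piffile open commands) are standard Windows values; HideFileExt = 1 and ShowSuperHidden = 0 are also the Windows defaults, so they are not used as indicators. Function names are this example's own.

```powershell
# Added triage example for this report; read-only, run elevated on the suspect host.
# Assumes a 64-bit host and checks the current user's hive (HKCU:); other users' hives
# live under HKU:\<SID> and need the same checks against their SID.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }          # key absent
    return [string]$props.$Name                      # '' when the value is absent
}

function Invoke-ReportTriage {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Winlogon Shell/Userinit in both registry views. The native key is the one
    #    winlogon.exe honours; a changed Wow6432Node copy still proves the sample ran.
    $expected = @{ Shell = 'explorer.exe'; Userinit = 'C:\Windows\system32\userinit.exe,' }
    foreach ($base in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') {
        $key = "$base\Microsoft\Windows NT\CurrentVersion\Winlogon"
        foreach ($name in $expected.Keys) {
            $v = Get-RegValue $key $name
            if ($null -ne $v -and $v -ne '' -and $v -ne $expected[$name]) {
                $findings.Add("persistence: $key\$name = '$v'")
            }
        }
    }

    # 2. File-type hijack. Clean default open command is "%1" %* for these types;
    #    lnkfile has no shell\open\command key at all on a clean host.
    foreach ($ft in 'exefile', 'comfile', 'batfile', 'piffile', 'lnkfile') {
        $key = "HKLM:\SOFTWARE\Classes\$ft\shell\open\command"
        $cmd = Get-RegValue $key '(default)'
        if ($ft -eq 'lnkfile') {
            if (Test-Path $key) { $findings.Add("persistence: unexpected key $key = $cmd") }
        } elseif ($null -ne $cmd -and $cmd -ne '"%1" %*') {
            $findings.Add("persistence: $key = $cmd")
        }
    }
    if ((Get-RegValue 'HKLM:\SOFTWARE\Classes\exefile' '(default)') -eq 'File Folder') {
        $findings.Add("evasion: exefile type label changed to 'File Folder'")
    }

    # 3. Policy tampering. HKLM\...\Policies is a shared key, so one view suffices.
    $checks = @(
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
        @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' }
    )
    foreach ($c in $checks) {
        if ((Get-RegValue $c.Path $c.Name) -eq '1') { $findings.Add("evasion: $($c.Path)\$($c.Name) = 1") }
    }

    # 4. Run keys and the screensaver hook: flag data pointing at the dropped copies.
    $dropPattern = '\\WINDOWS\\(WINLOGON|CSRSS|SERVICES|LSASS|SMSS)\.EXE$|\\xk\.exe$'
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($run in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        $props = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $providerProps) { continue }          # provider metadata, not values
            if ([string]$p.Value -match $dropPattern) {
                $findings.Add("persistence: $run\$($p.Name) = $($p.Value)")
            }
        }
    }
    $scr = Get-RegValue 'HKCU:\Control Panel\Desktop' 'SCRNSAVE.EXE'
    if ($scr -match '\\Mig[^\\]*\.scr$') { $findings.Add("persistence: SCRNSAVE.EXE = $scr") }

    # 5. Dropped files, checked in both System32 and SysWOW64 because the sample's
    #    registry values say system32 while its writes were redirected to SysWOW64.
    $paths = @("$env:SystemRoot\xk.exe", "$env:LOCALAPPDATA\services.exe")
    foreach ($dir in 'System32', 'SysWOW64') {
        foreach ($n in 'shell.exe', 'IExplorer.exe', 'Mig2.scr') { $paths += "$env:SystemRoot\$dir\$n" }
    }
    foreach ($n in 'WINLOGON', 'CSRSS', 'SERVICES', 'LSASS', 'SMSS') {
        $paths += "$env:LOCALAPPDATA\WINDOWS\$($n).EXE"   # 'Local Settings\Application Data' is a junction here
    }
    foreach ($f in $paths) { if (Test-Path -LiteralPath $f) { $findings.Add("file: $f") } }

    return $findings
}

Invoke-ReportTriage | ForEach-Object { Write-Output $_ }
```

Run it before any remediation and keep the output: once the exefile association points at shell.exe, every .exe the user launches is proxied through the dropped binary, and regedit is blocked by the DisableRegistryTools policy, so clean-up has to start from a process list (the Processes section below) and the registry provider from an elevated PowerShell, not from the Explorer shell.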

Processes

C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Network

N/A

Files

memory/2916-0-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\services.exe

MD5 3a50ce1fdd93ae5fbc810c8d4cd9a3a0
SHA1 fb585d9b5a2e8cc49cd27995e26426f661201a31
SHA256 0a8e8012c6e4d632b06494dc039465a057cdd756f897e5b093215e0b6031af5e
SHA512 47da6bb1c7a4d3debf07b2c01f641dd1c56c0f43ffb68c0aceaa5d8c746bdf3d155e6df33df4e7f76f5cdc8d044566e5bd0ebb64a74727bff6fd7434ab205304

memory/2916-105-0x00000000004C0000-0x00000000004EF000-memory.dmp

C:\Windows\xk.exe

MD5 62f14e3d36f386fc79409774697cc3de
SHA1 f6dc05839e06adbfe1bca9eb9a4128498b914f7d
SHA256 7e7b3b0a4305088def4dbdd64a6332d08992ee0e57dc114daf31671967bec329
SHA512 da7cdbf3b14a0ad1cab7d561f614048c06d6f76e589a72d2b5d947ba2c7e60ae631349cc22a8761e4efdc257305de4dbce27c733ccf4a9be33781d868f1c2002

memory/1836-114-0x0000000000400000-0x000000000042F000-memory.dmp

\Windows\SysWOW64\IExplorer.exe

MD5 462eceba04d5abe3e3eb3cbed64a44b7
SHA1 3f1121794d31f5d9d5973fffd979cfb61255c18a
SHA256 6a0d4688f97e484c16ae2ee0a6897060f2b1b526901f770b4613d9049960d562
SHA512 5d3f8735588129eace5825a8847ce9603acb55b40dbf16f4270ff14e173589a0d13c954f5e0d96040ba6bf5dbb23c72aef6ca969618c73ef02aa3cd7e9d48bc9

memory/1304-123-0x0000000000400000-0x000000000042F000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 76ffdc51501cc923197b8b634c2f3885
SHA1 ce42b4155baef6a0338e63da8e0a1ee6e7f54687
SHA256 51d3728676bbec02c180bc7f0b59244e502e5c3861a19dc1acc4fce44bb48bb8
SHA512 2d706f0f6ea514f09a9341b62a39372f5159a98b263f128181c2a01a6785f407541701ca5db62ceee8851846390aa6b17ad5b8965ca336579eb383e82532b234

memory/2916-131-0x00000000004C0000-0x00000000004EF000-memory.dmp

memory/2916-132-0x00000000004C0000-0x00000000004EF000-memory.dmp

memory/1456-136-0x0000000000400000-0x000000000042F000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 a9ddaa5472d025d27cd06f4679616932
SHA1 77451fc5b808dd80d50e26f32bf249cf3b20e1fc
SHA256 a893b8814b7c3a4c177fa3904702360c8d37c1d93c579a22f759726613a81c60
SHA512 c24f3f49dabfa397fbd75b53ff7941e828c4f85d8733d9b607c9b6f6121c5e066bd4d6de22d5834cb9874c497b471b720063abc8bfdb1a1b282bd3518b65b731

memory/2692-146-0x0000000000400000-0x000000000042F000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 cd5eb20bbfadd19f1f0c92875a03d046
SHA1 8714b7aca4bfc1e00bd805ee9bd3acb0db7a0771
SHA256 49c9bb436b90bba9f3546cacff84880750a9f7fd07e58b6c8f919e1bea3f909b
SHA512 c83ec21dc67ff39b443f164f82294689170e2bd3f0ceaf5c89e39eaa831e3c6fde9b2f16d006c674bc1c79cab460c21241a92226cfdc3f92ccfbb7310f5381ff

memory/1460-154-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1460-158-0x0000000000400000-0x000000000042F000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 24589ab8cb799bcc6b8c2e22e6b40cdd
SHA1 0d6f385b05b4de55f3bc2809773b2162884e73a6
SHA256 f0595ec8f0064f80f55c2018ddd9235ff55d8edc8e6c0856892e81ebd0a436da
SHA512 76d673ea62030241d0a7ab19b5052fa6bd8557fcc91fdbb229e7e1b99f4bd792d9312213f1e153784f483d47cd80491b3e9df45aa96d62f43976ffb9293cce27

memory/2916-162-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2916-166-0x00000000004C0000-0x00000000004EF000-memory.dmp

memory/2936-168-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2936-171-0x0000000000400000-0x000000000042F000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 4f541498697e32f0d832f6d09ee8fcd2
SHA1 ae5407f048e931fa14a6682776c23839a95dc67b
SHA256 1e3a1f8efce01ecf904ab1a098912701584e3f1c0b8cdc650b8c896d39b064bd
SHA512 353a48dbbff29635fb51b43317eea1d0b5f9f2b06f8703646b8bdb69965cb3f15cabd901f3a02cfad945550949d6f07af6635da7e01f89b8c1941e7e538eb717

memory/2916-179-0x00000000004C0000-0x00000000004EF000-memory.dmp

memory/1708-182-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2916-184-0x0000000000400000-0x000000000042F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-02 04:52

Reported

2024-06-02 04:55

Platform

win10v2004-20240508-en

Max time kernel

133s

Max time network

103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (18 matches; the sandbox records no indicator, process or target detail for this signature)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1876 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Windows\xk.exe
PID 1876 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Windows\xk.exe
PID 1876 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Windows\xk.exe
PID 1876 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1876 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1876 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1876 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 1876 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 1876 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 1876 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 1876 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 1876 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 1876 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 1876 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 1876 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 1876 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 1876 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 1876 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 1876 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 1876 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 1876 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3a50ce1fdd93ae5fbc810c8d4cd9a3a0_NeikiAnalytics.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Network


Files
