Malware Analysis Report

2025-01-06 11:41

Sample ID 240603-e2syxscf26
Target 9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe
SHA256 264fa265d2024f09f0358bc902e390f9482aa6144671cad71ca22fac8666ef02
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

264fa265d2024f09f0358bc902e390f9482aa6144671cad71ca22fac8666ef02

Threat Level: Known bad

The file 9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of file extensions in Explorer

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Disables use of System Restore points

Disables RegEdit via registry modification

Modifies system executable filetype association

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Modifies Control Panel

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious behavior: EnumeratesProcesses

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 04:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 04:26

Reported

2024-06-03 04:29

Platform

win7-20240221-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1612 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Windows\xk.exe
PID 1612 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Windows\xk.exe
PID 1612 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Windows\xk.exe
PID 1612 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Windows\xk.exe
PID 1612 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1612 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1612 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1612 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1612 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 1612 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 1612 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 1612 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 1612 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 1612 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 1612 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 1612 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 1612 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 1612 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 1612 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 1612 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 1612 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 1612 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 1612 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 1612 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 1612 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 1612 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 1612 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 1612 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
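
The Winlogon, file-association and policy rows above all describe registry state that can be checked mechanically, either on a suspect host export or on further sandbox reports in this format. The script below is an added example, not sandbox output or tooling from this report. It parses "Set value" rows exactly as printed above into key path, value name and data (undoing the report's backslash escaping inside the quotes), then flags the conditions the signatures describe: anything beyond explorer.exe in Winlogon\Shell, extra comma-separated entries in Winlogon\Userinit, a file-class open command that no longer begins with "%1", an exefile default name changed from Application (here to "File Folder", which together with HideFileExt=1 makes dropped executables look like folders), and the Explorer/policy values set the way this sample sets them. The sample rows are copied from behavioral1 with the writing process path shortened to sample.exe; the expected defaults (explorer.exe, userinit.exe, "%1" %*, Application) are the stock Windows values and are an assumption about the host being checked.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "category path detail")

# One "Set value" row as the report prints it:
#   Set value (str|int) <key path>\<value name> = "<data>" <writing process> N/A
# Inside the quotes the report escapes " and \ with a backslash.
ROW_RE = re.compile(
    r'^Set value \((?:str|int)\) (?P<path>\\REGISTRY\\.+?) = '
    r'"(?P<data>(?:[^"\\]|\\.)*)" (?P<proc>.+?) N/A$'
)

# Constructed from the behavioral1 tables above; process path shortened.
SAMPLE_LINES = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
'''

# Explorer / policy values this sample flips to hide itself (value name -> data).
EVASION_VALUES = {
    "hidefileext": "1",           # hide extensions so the "File Folder" disguise works
    "showsuperhidden": "0",       # keep system/super-hidden files invisible
    "disableregistrytools": "1",  # block regedit
    "nofolderoptions": "1",       # block the Folder Options dialog that would undo the above
}
CLASS_CMD_RE = re.compile(r"\\classes\\(\w+)\\shell\\open\\command$")


def parse_rows(text):
    """Yield (key path, data, writing process) for every 'Set value' row."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            data = re.sub(r"\\(.)", r"\1", m.group("data"))  # \" -> ", \\ -> \
            yield m.group("path"), data, m.group("proc")


def check_value(path, data):
    """Return a Finding if this write matches a persistence/evasion pattern, else None.
    Expected defaults are stock Windows values (assumption about the host)."""
    key, _, name = path.rpartition("\\")  # trailing backslash => default value (name == "")
    k, n, d = key.lower(), name.lower(), data.strip()
    if k.endswith("\\winlogon") and n == "shell" and d.lower() != "explorer.exe":
        return Finding("winlogon-shell", path, d)
    if k.endswith("\\winlogon") and n == "userinit":
        entries = [e.strip() for e in d.split(",") if e.strip()]
        extra = [e for e in entries if not e.lower().endswith("\\userinit.exe")]
        if extra or len(entries) != 1:
            return Finding("winlogon-userinit", path, ";".join(extra))
    m = CLASS_CMD_RE.search(k)
    if m and n == "" and not d.startswith('"%1"'):
        return Finding("assoc-hijack:" + m.group(1), path, d)
    if k.endswith("\\classes\\exefile") and n == "" and d.lower() != "application":
        return Finding("assoc-disguise", path, d)
    if n in EVASION_VALUES and d == EVASION_VALUES[n]:
        return Finding("evasion:" + name, path, d)
    return None


def analyze(text):
    """All findings for a block of report rows, in row order."""
    findings = []
    for path, data, _proc in parse_rows(text):
        f = check_value(path, data)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LINES):
        print(f"{f.category:30} {f.path}\n{'':30} -> {f.detail}")
```

The same parser works on the behavioral2 rows, which differ only in the user SID and in `WOW6432Node` casing; the key checks are case-insensitive for that reason. Rows of kind "Key created" carry no data and are skipped.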

Processes

C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
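
The process tree above, and the Run key targets that launch it after reboot, show Windows core-process names (WINLOGON.EXE, CSRSS.EXE, SERVICES.EXE, LSASS.EXE, SMSS.EXE) started from a user profile directory, plus IExplorer.exe, which is not a Windows binary but is one character away from two that are. As an added example, not part of the report, the script below classifies image paths on both counts: a known core-process name running outside the directory Windows starts it from, or an unknown name within edit distance 2 of a known one. The path list is constructed from the Processes section; the allowed-location table assumes a default install with SystemRoot at C:\Windows and is the part to tune for other builds.

```python
import ntpath

# Where Windows itself starts these binaries on a default C:\ install
# (assumption: SystemRoot is C:\Windows; adjust for other layouts).
SYS32 = r"c:\windows\system32"
WOW64 = r"c:\windows\syswow64"
KNOWN_LOCATIONS = {
    "smss.exe": {SYS32}, "csrss.exe": {SYS32}, "wininit.exe": {SYS32},
    "winlogon.exe": {SYS32}, "services.exe": {SYS32}, "lsass.exe": {SYS32},
    "userinit.exe": {SYS32, WOW64}, "svchost.exe": {SYS32, WOW64},
    "explorer.exe": {r"c:\windows", WOW64},
    "iexplore.exe": {r"c:\program files\internet explorer",
                     r"c:\program files (x86)\internet explorer"},
}

# Constructed from the Processes section above (plus one clean path).
SAMPLE_PROCESSES = [
    r"C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe",
    r"C:\Windows\xk.exe",
    r"C:\Windows\SysWOW64\IExplorer.exe",
    r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE",
    r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE",
    r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE",
    r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE",
    r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE",
    r"C:\Windows\SysWOW64\shell.exe",          # dropped, but not a lookalike by this measure
    r"C:\Windows\System32\winlogon.exe",       # the real one: must not be flagged
]


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(image_path):
    """Return ("masquerade", name, dir) for a core-process name outside its home
    directory, ("lookalike", name, closest_known) for a near-miss name, else None."""
    directory, name = ntpath.split(image_path)
    directory, name = directory.lower().rstrip("\\"), name.lower()
    if name in KNOWN_LOCATIONS:
        if directory not in KNOWN_LOCATIONS[name]:
            return ("masquerade", name, directory)
        return None
    closest = min(sorted(KNOWN_LOCATIONS), key=lambda k: levenshtein(name, k))
    if levenshtein(name, closest) <= 2:
        return ("lookalike", name, closest)
    return None


def triage(paths):
    """(path, category, name, detail) for every path that is flagged, in input order."""
    hits = []
    for p in paths:
        hit = classify(p)
        if hit:
            hits.append((p,) + hit)
    return hits


if __name__ == "__main__":
    for path, category, name, detail in triage(SAMPLE_PROCESSES):
        print(f"{category:11} {name:14} {path}  [{detail}]")
```

The edit-distance rule is deliberately narrow: it catches IExplorer.exe next to explorer.exe and iexplore.exe, but not names with no legitimate neighbour such as xk.exe or shell.exe, which need the registry and file-drop evidence above instead. On a live host the same classification applies to the `Run` key targets and the Winlogon `Shell`/`Userinit` entries, not just running processes.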

Network

N/A

Files

memory/1612-0-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\winlogon.exe

MD5 9b756ab85236b4cc29a55e1cab4bc9b0
SHA1 85377f2b99937033cc2a14eebdb4629cf09cf0d8
SHA256 264fa265d2024f09f0358bc902e390f9482aa6144671cad71ca22fac8666ef02
SHA512 e6cbac67fec6618a8bfe4eeecd7e567c88f818b19b7b5bc77a9ad1dec4a9c15ee43a2b04f25f7f7c959ac77506e41c241b447874fa4c23a02e6d516ab711dd13

C:\Windows\xk.exe

MD5 b092a185e8656a20724303853773c109
SHA1 d3d6e5ab39d09bee13e1a56c500c0dfdbfcf133b
SHA256 a8ee128ab321f40e3bd6feaea2ccb4a3191916abe2d02b436b9454ba6cb71ba7
SHA512 92b21d0a3445395f0a8ceb9299e0f86e9e43398888823844a693499feca8fc8886094b5e5ab4fe3c62cdbf17b6297dc4ad3bc2afdbb39dffb0dbb82836e02821

memory/1612-110-0x0000000001D20000-0x0000000001D4E000-memory.dmp

memory/2444-112-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1612-111-0x0000000001D20000-0x0000000001D4E000-memory.dmp

\Windows\SysWOW64\IExplorer.exe

MD5 c5831aca7b6ae5a86d60fecc7d2c611b
SHA1 0f62ff58bf401fa4f032d7a58cef5c8406700f84
SHA256 0eb106181bd983f59e6b44feacb8c2b3f0ad0e2e96eb24063a90c4ee86811e01
SHA512 367398bb8793c6c72fc24192bd132a99add2de911f91e28f503d3b817b74535fb70cfa985c263f1f83b268651b407cd36a87f5874bf4d623026d5588c646eb4f

memory/2444-117-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2700-124-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1612-137-0x0000000001D20000-0x0000000001D4E000-memory.dmp

memory/1612-136-0x0000000001D20000-0x0000000001D4E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 736617189693c976f824036f4bb55b01
SHA1 90425fd70444cf63c97d9024d719450559bc0c36
SHA256 6c59f1a0643a4cf502f0a3937716fcaf1aaaa02b1ce6910ce453017f172d2e06
SHA512 4e4a65adce0e01a28780962fcadf043216a6ef82b6f909994842f96ca65728d7027a54955f64f91a1399eaa07ea21dfe1aa9312bf631668efdf3ce583b8b465b

memory/2700-130-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2156-140-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 6ec12f542b00c10f00a72d231a946369
SHA1 b4135b2368015f105e55e36e6022654c3a4667ff
SHA256 e3357f4fd0dcf53856e1dfc30f8758a1b63a2703221562ed57042e22b45aef0a
SHA512 d53e9fe1e5e6a18968652cc889c9a76fdbdbb2bbea2ca8c4e7a411ce97418c0794cc6966f17455875bdf6bd9eb98193a658d9a7ace4b630bb6b6c95d76fdc574

memory/1612-143-0x0000000001D20000-0x0000000001D4E000-memory.dmp

memory/1732-149-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1732-152-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 c2484e23c57e4a005bc1c940ed59a20a
SHA1 2cfaab35983ac41b7cdd44bb8afe2dd375d82898
SHA256 92a4821eafdce6fedde92d1bc7b0bc558b3f60e40764a5f09eb3cc327ed902cc
SHA512 128f53124c8b616232c45579ab069f4d686ac1f972f437da6ddc754c1f9ec6bf89126622d046b73ac8d75286464e1c39f27f5ba5417817a212ed812b45025aa1

memory/1600-160-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1600-163-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 3fb3cdbacf94cc018d23a2a2f3410d19
SHA1 97159fbf024ec0980b538c8c38037c241799d9cd
SHA256 0ad7a4baf2d5abdf39c327548d3f84a8039ae0952a1bfb8ddb793c1c546e47c5
SHA512 6c20ef3c22aaa838d4383883238a2e5a4ea0557c4b0adc70ea8ef22055810b11fedfeb1dbd929e941eb25e5b57c05f4810629b8d1451b9cbfb1aa74ea9858c0a

memory/336-173-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 ceb0c2feec842fe59f4f19f7347a72e8
SHA1 57938a96cbf5a04fd7f47afdbfd442e75ffc491e
SHA256 fb615b99cfdaa69c6655cd1906c187d6b1065572a795d1abf0b1384ac03b0896
SHA512 a3643cf9d073a69f1655df61dd09ec9286a1700eca56ede51781758d76017ea4260e70b980437a9e861685bbe5d06c0540150e4d839355b7509a802d6b38353a

memory/1612-176-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1612-187-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2148-186-0x0000000000400000-0x000000000042E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 04:26

Reported

2024-06-03 04:29

Platform

win10v2004-20240426-en

Max time kernel

92s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3804 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Windows\xk.exe
PID 3804 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Windows\xk.exe
PID 3804 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Windows\xk.exe
PID 3804 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3804 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3804 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3804 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 3804 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 3804 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 3804 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 3804 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 3804 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 3804 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 3804 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 3804 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 3804 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 3804 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 3804 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 3804 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 3804 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 3804 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe N/A
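The Control Panel, registry class and system policy tables above record one coordinated set of changes: the screensaver pointed at a dropped .scr with the lock disabled, the open handlers for exefile, comfile, batfile, piffile and lnkfile routed through a dropped shell.exe, the exefile type name relabelled "File Folder" so .exe files display like folders, and Registry Editor plus Folder Options locked out. The Python below is an added example, not part of this report and not the sandbox's own signature logic: it parses "Set value" rows in the layout this page uses (sample rows constructed from the tables above plus one benign control row), unescapes the C-style quoting the report prints, and flags every departure from a stock value. The stock handler string, the type names, the screensaver allow-list and the policy names are assumptions to check against a clean reference image of your own build.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed input: "Set value" rows in the layout this report uses, taken
# from the Control Panel, registry class and policy tables above, plus one
# benign control row (a batfile handler left at its stock value) that the
# rules must leave alone.
SAMPLE_EVENTS = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*"
""".strip().splitlines()

EVENT_RE = re.compile(r'^Set value \((str|int)\) (\\REGISTRY\\.+?) = "(.*)"$')

# Stock values on a default Windows install (assumption: verify against a
# clean reference image for the build you defend).
STOCK_OPEN_COMMAND = '"%1" %*'
HIJACKABLE_CLASSES = {"exefile", "comfile", "batfile", "piffile", "lnkfile"}
STOCK_TYPE_NAMES = {"exefile": "Application", "batfile": "Windows Batch File",
                    "comfile": "MS-DOS Application"}
STOCK_SCREENSAVERS = {"bubbles.scr", "mystify.scr", "ribbons.scr", "sstext3d.scr",
                      "scrnsave.scr", "photoscreensaver.scr"}
LOCKOUT_POLICIES = {"disableregistrytools", "disabletaskmgr", "nofolderoptions", "norun"}


@dataclass
class Event:
    key: str    # registry key, no trailing backslash
    name: str   # value name; "" for the key's default value
    value: str  # unescaped value


@dataclass
class Finding:
    severity: str
    rule: str
    event: Event


def parse_event(line: str) -> Optional[Event]:
    """Parse one 'Set value' row; 'Key created' rows and anything else give None."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    path, raw_value = m.group(2), m.group(3)
    # The report prints values C-escaped (\" and \\); undo that.
    value = re.sub(r'\\(.)', r'\1', raw_value)
    if path.endswith('\\'):
        return Event(path[:-1], "", value)
    key, name = path.rsplit('\\', 1)
    return Event(key, name, value)


def check_event(ev: Event) -> Optional[Finding]:
    key = ev.key.lower()
    name = ev.name.lower()
    m = re.search(r'\\classes\\([a-z]+)\\shell\\open\\command$', key)
    if m and ev.name == "" and m.group(1) in HIJACKABLE_CLASSES:
        # lnkfile has no shell\open\command at all on a stock install, so any
        # handler there is suspect; the other classes must stay at "%1" %*.
        if m.group(1) == "lnkfile" or ev.value != STOCK_OPEN_COMMAND:
            return Finding("high", "file-association hijack (T1546.001)", ev)
    m = re.search(r'\\classes\\([a-z]+)$', key)
    if m and ev.name == "" and m.group(1) in STOCK_TYPE_NAMES \
            and ev.value != STOCK_TYPE_NAMES[m.group(1)]:
        return Finding("medium", "file type display name changed", ev)
    if key.endswith(r'\control panel\desktop'):
        if name == "scrnsave.exe":
            base = ev.value.rsplit('\\', 1)[-1].lower()
            if base not in STOCK_SCREENSAVERS:
                return Finding("high", "screensaver set to non-stock binary", ev)
        if name == "screensaverissecure" and ev.value == "0":
            return Finding("low", "screensaver lock disabled", ev)
    if "\\currentversion\\policies\\" in key and name in LOCKOUT_POLICIES and ev.value == "1":
        return Finding("medium", "user lockout policy enabled", ev)
    return None


def triage(lines: Iterable[str]) -> List[Finding]:
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None:
            f = check_event(ev)
            if f is not None:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.rule}: {f.event.key}\\{f.event.name} = {f.event.value!r}")
```

On the rows above this yields seven findings: three high (the SCRNSAVE.EXE change and the exefile and lnkfile handlers), three medium (the "File Folder" relabel and the two policies) and one low (ScreenSaverIsSecure = 0); the stock batfile control row is left alone. "Key created" rows carry no value and are skipped; the same rules work on a registry export from a live host once its lines are put in this layout.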

Processes

C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
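The WriteProcessMemory table and the process list above show the sample starting seven children: five named after core Windows processes (SMSS, CSRSS, WINLOGON, SERVICES, LSASS) but launched from a per-user folder, an IExplorer.exe in SysWOW64, and xk.exe in the Windows root. The Python below is an added example, not code from this report: it parses the WriteProcessMemory rows as printed on this page, collapses the three repeated writes per child into one record, and flags each child image by name and location. The expected directories, the well-known name list and the Windows-root allow-list are assumptions (partial lists to be checked against a clean reference image); the ATT&CK mapping to T1036.005 (Match Legitimate Name or Location) is the standard one for this behaviour.

```python
import ntpath
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Source image and the seven children from the WriteProcessMemory table above.
SRC = r"C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe"
CHILDREN = [
    (3700, r"C:\Windows\xk.exe"),
    (5008, r"C:\Windows\SysWOW64\IExplorer.exe"),
    (4984, r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"),
    (3168, r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"),
    (3612, r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"),
    (2164, r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"),
    (436, r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"),
]
# Constructed input: the table lists three writes per child; rebuild those rows
# in the report's own layout so the parser below sees what the page shows.
SAMPLE_WRITES = [f"PID 3804 wrote to memory of {pid} N/A {SRC} {img}"
                 for pid, img in CHILDREN for _ in range(3)]

# Both paths start with a drive letter, so the non-greedy first group stops at
# the second path even when the paths contain spaces.
WRITE_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) N/A ([A-Za-z]:\\.*?) ([A-Za-z]:\\.*)$')

# Where well-known process images live on a stock install (assumption: verify
# against a clean reference image). iexplore.exe is matched by name only.
EXPECTED_DIR = {n: r"c:\windows\system32" for n in (
    "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe")}
EXPECTED_DIR["explorer.exe"] = r"c:\windows"
WELL_KNOWN = set(EXPECTED_DIR) | {"iexplore.exe"}
# Executables a stock install keeps directly in C:\Windows (partial list, assumption).
STOCK_WINDOWS_ROOT = {"explorer.exe", "regedit.exe", "notepad.exe", "hh.exe",
                      "write.exe", "winhlp32.exe", "bfsvc.exe", "splwow64.exe"}


@dataclass
class Child:
    pid: int
    image: str
    parent_pid: int
    writes: int = 0


@dataclass
class Finding:
    pid: int
    image: str
    rule: str
    detail: str


@dataclass
class Report:
    children: Dict[int, Child] = field(default_factory=dict)
    findings: List[Finding] = field(default_factory=list)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_write(line: str) -> Optional[Tuple[int, int, str, str]]:
    m = WRITE_RE.match(line.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)


def classify(image: str) -> Optional[Tuple[str, str]]:
    """Return (rule, detail) when the image name or location looks like masquerading."""
    base = ntpath.basename(image).lower()
    folder = ntpath.dirname(image).lower()
    if base in EXPECTED_DIR:
        if folder == EXPECTED_DIR[base]:
            return None
        return ("well-known process name outside its stock directory (T1036.005)", folder)
    if base in WELL_KNOWN:
        return None
    nearest = min(WELL_KNOWN, key=lambda n: (edit_distance(base, n), n))
    if edit_distance(base, nearest) <= 1:
        return ("lookalike of a well-known image name", nearest)
    if folder == r"c:\windows" and base not in STOCK_WINDOWS_ROOT:
        return ("non-stock executable in the Windows root", base)
    return None


def analyze(lines) -> Report:
    rep = Report()
    for line in lines:
        w = parse_write(line)
        if w is None:
            continue
        src, dst, _, dst_img = w
        child = rep.children.setdefault(dst, Child(dst, dst_img, src))
        child.writes += 1
    for child in rep.children.values():
        hit = classify(child.image)
        if hit is not None:
            rep.findings.append(Finding(child.pid, child.image, hit[0], hit[1]))
    return rep


if __name__ == "__main__":
    for f in analyze(SAMPLE_WRITES).findings:
        print(f"{f.pid:>5}  {f.rule}: {f.image}  [{f.detail}]")
```

All seven children are flagged: the five system-process names because they run from the user's profile rather than System32, IExplorer.exe as a one-character lookalike, and xk.exe as a non-stock executable dropped straight into C:\Windows. Real lsass.exe in System32 or explorer.exe in the Windows root passes cleanly, which is the check to run before trusting the rule on production telemetry.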

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp

Files

memory/3804-0-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\winlogon.exe

MD5 9b756ab85236b4cc29a55e1cab4bc9b0
SHA1 85377f2b99937033cc2a14eebdb4629cf09cf0d8
SHA256 264fa265d2024f09f0358bc902e390f9482aa6144671cad71ca22fac8666ef02
SHA512 e6cbac67fec6618a8bfe4eeecd7e567c88f818b19b7b5bc77a9ad1dec4a9c15ee43a2b04f25f7f7c959ac77506e41c241b447874fa4c23a02e6d516ab711dd13

C:\Windows\xk.exe

MD5 d61b4248bf00bd3afd74b8b68ec956f7
SHA1 227f40cff167b090bd4c092692824c4408aba331
SHA256 d3a642c9f971efa47b3153acc8c592878c38f51f80e1c4eed9d1a69553357d28
SHA512 6bc7a68eb3a941d4092048958b5c98a14d464a55f69c0e3cfeff1bc934bf0f7e041ba8d60c18a692583e439d887b2aff12784b42c41a340bde336bc4bf9e03fb

memory/3700-108-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3700-113-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Windows\SysWOW64\IExplorer.exe

MD5 1ae711fcffa954a7e1cfd1264cab762c
SHA1 f5b32660d2a27a95ca6f93a7de4a91a05da73ee2
SHA256 8e85ccc9aa1592bf668f492130e4b11e2aadbf39037b4a840bcc2f63f64d6462
SHA512 5bb537067364c1dc3f5130c6279133cdeec0a5eb343bfebb466fdb3f93eac730052ab14c4f4d1af1a7336d09ebdc34d3d45323fd19c27689ee62d2e282be7c67

memory/5008-116-0x0000000000400000-0x000000000042E000-memory.dmp

memory/5008-120-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 9b6e36640a4669c76dd39b743be6a792
SHA1 e0e3a1db432645d87f2db79b41e0740072eedb3b
SHA256 f89e72685dd9e4a36e7c3b0174eae0bbd26b874c77034e7c7f09c9570de50084
SHA512 7b43ac23227c96863c936f16eeb21e0fd14be7b12f9194093e4ff4b80d9c58081a98a415611e08b11752390bdadfceff2ea53f623ee521ebed3ed49f91e12d3a

memory/4984-129-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 e08b44ddaed3c105a7396426983f19eb
SHA1 335eff8ab8b2eacd088ce6d4c1c3194f1bb7a66f
SHA256 edf2a84b43f7e0d02143d16fa12796380a3dc2c3e4d5cd073bb2cd69332642f4
SHA512 43e3071ea936582abd861c3cb7ee6921485597933835244ae38cb6718c3a946e0f8524f23b4abcd28072118604e1e2a650a22cb40f36891a36dc8fbffdb1afb7

C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 d4ee470c6af887db10dc2e93b092ab31
SHA1 87690b46c7eb6bced5aa593f373f9c4454ca4c66
SHA256 0913e042c9c409eb7fe42a3845fd97407ed4f76ad25a7a25650fe2071633bf87
SHA512 1ccf5b2074002abe2bb22b77977aeb3c1d6368ade4da07e505aff54e493c7cfe02f8d4622c63956943796739af71f0cfb3b7bfc4f84265167653a5662be4d2f8

memory/3168-136-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3612-141-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 dc1cb1a729703585cf932c37a4b99ae5
SHA1 e80b66df61c2c5ff84c69666d706a8bb1f8e104d
SHA256 c518b94e1be43dbcc947eb1733bcdd8312e41b6f4b3a5c7121fbbea1a9bafa39
SHA512 e176c8d40b58c1bc5550cf33a5970560bbe78dc629411c84c1454619945dd2cf0b253b2d8e5a37d32947baff560c747ad9ff36acd6e5a387d10837c9ea90ae7a

C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 77af507a1c3ff2793d2533199b69c75a
SHA1 3599f5c8b9becffd4bc7a7dc14a67a01d57fb3b6
SHA256 b7859526108ddbc63d0a996e3df991dba303b2e6d390bfd368f5c9491cf7e391
SHA512 01d96ee9143607bcfc71f56f3d4c04cd9e520f5095f6bbcdeb5459f387b0a7b9353b5cfa95c96c1e31e70009b4dcb6d5ba6f3f79162cb345cbf8cbd137bdae56

memory/2164-148-0x0000000000400000-0x000000000042E000-memory.dmp

memory/436-155-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3804-157-0x0000000000400000-0x000000000042E000-memory.dmp
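The Files section lists every dropped artifact with its digests, and one of them (C:\Users\Admin\AppData\Local\winlogon.exe) carries the same MD5 and SHA256 as the submitted sample, whose file name begins with its own MD5; the other seven drops are distinct binaries. The Python below is an added example, not part of this report: it parses this section into a digest map per artifact, rejects digests of the wrong length, separates memory dumps from files, marks byte-identical self-copies of the sample, and de-duplicates SHA256 values into an IOC list. The rows are copied from this page (SHA1 and SHA512 rows omitted only to keep the sample short; the parser accepts them), and the MD5-prefix naming convention is taken from the sample's file name above.

```python
import ntpath
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Path the sandbox ran; the 32-hex prefix of the file name is the sample's MD5
# (this report's naming convention, matching the winlogon.exe digest below).
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\9b756ab85236b4cc29a55e1cab4bc9b0_NeikiAnalytics.exe"

# Constructed input: the Files section in the report's layout (artifact line,
# then one "ALGO hex" line per digest; memory dumps carry no digests).
FILES_SECTION = r"""
memory/3804-0-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\winlogon.exe

MD5 9b756ab85236b4cc29a55e1cab4bc9b0
SHA256 264fa265d2024f09f0358bc902e390f9482aa6144671cad71ca22fac8666ef02

C:\Windows\xk.exe

MD5 d61b4248bf00bd3afd74b8b68ec956f7
SHA256 d3a642c9f971efa47b3153acc8c592878c38f51f80e1c4eed9d1a69553357d28

memory/3700-108-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Windows\SysWOW64\IExplorer.exe

MD5 1ae711fcffa954a7e1cfd1264cab762c
SHA256 8e85ccc9aa1592bf668f492130e4b11e2aadbf39037b4a840bcc2f63f64d6462

C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 9b6e36640a4669c76dd39b743be6a792
SHA256 f89e72685dd9e4a36e7c3b0174eae0bbd26b874c77034e7c7f09c9570de50084

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 e08b44ddaed3c105a7396426983f19eb
SHA256 edf2a84b43f7e0d02143d16fa12796380a3dc2c3e4d5cd073bb2cd69332642f4

C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 d4ee470c6af887db10dc2e93b092ab31
SHA256 0913e042c9c409eb7fe42a3845fd97407ed4f76ad25a7a25650fe2071633bf87

C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 dc1cb1a729703585cf932c37a4b99ae5
SHA256 c518b94e1be43dbcc947eb1733bcdd8312e41b6f4b3a5c7121fbbea1a9bafa39

C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 77af507a1c3ff2793d2533199b69c75a
SHA256 b7859526108ddbc63d0a996e3df991dba303b2e6d390bfd368f5c9491cf7e391
"""

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r'^(MD5|SHA1|SHA256|SHA512) ([0-9A-Fa-f]+)$')


@dataclass
class IocReport:
    unique_sha256: List[str] = field(default_factory=list)  # one per distinct file content
    self_copies: List[str] = field(default_factory=list)    # drops byte-identical to the sample
    memory_only: List[str] = field(default_factory=list)    # artifacts with no digest (memory dumps)
    rejected: List[str] = field(default_factory=list)       # digests with the wrong length


def parse_files(text: str) -> Dict[str, Dict[str, str]]:
    """Map each artifact line to its {ALGO: hex} digests (empty for memory dumps)."""
    artifacts: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            artifacts[current][m.group(1)] = m.group(2).lower()
        else:
            current = line
            artifacts.setdefault(current, {})
    return artifacts


def sample_md5_from_name(path: str) -> str:
    m = re.match(r'([0-9a-fA-F]{32})_', ntpath.basename(path))
    if not m:
        raise ValueError("file name does not start with an MD5 prefix")
    return m.group(1).lower()


def correlate(artifacts: Dict[str, Dict[str, str]], sample_path: str) -> IocReport:
    rep = IocReport()
    sample_md5 = sample_md5_from_name(sample_path)
    seen = set()
    for path, digests in artifacts.items():
        if not digests:
            rep.memory_only.append(path)
            continue
        for algo, hexval in list(digests.items()):  # drop truncated or padded digests
            if len(hexval) != DIGEST_LEN[algo]:
                rep.rejected.append(f"{path} {algo}")
                del digests[algo]
        if digests.get("MD5") == sample_md5:
            rep.self_copies.append(path)
        sha = digests.get("SHA256")
        if sha and sha not in seen:
            seen.add(sha)
            rep.unique_sha256.append(sha)
    return rep


def to_csv(artifacts: Dict[str, Dict[str, str]], rep: IocReport) -> str:
    """Flat IOC table for a blocklist or hunt query, one row per hashed file."""
    lines = ["path,sha256,md5,self_copy"]
    for path, d in artifacts.items():
        if d.get("SHA256"):
            lines.append(f'"{path}",{d["SHA256"]},{d.get("MD5", "")},{path in rep.self_copies}')
    return "\n".join(lines)


if __name__ == "__main__":
    arts = parse_files(FILES_SECTION)
    print(to_csv(arts, correlate(arts, SAMPLE_PATH)))
```

The eight SHA256 values are all distinct, so a hunt on the sample's hash alone misses seven of the eight files this run leaves on disk; the self-copy flag is what tells a responder that winlogon.exe in AppData\Local is the original sample rather than a second-stage payload.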