Malware Analysis Report

2025-01-06 11:18

Sample ID 240603-e6s5gsbe5s
Target 9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe
SHA256 362eb487f2b15f41229598b37db6a304a756ace60970cfb3b8f9e58d531b9b48
Tags
upx evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

362eb487f2b15f41229598b37db6a304a756ace60970cfb3b8f9e58d531b9b48

Threat Level: Known bad

The file 9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

upx evasion persistence

Modifies visibility of file extensions in Explorer

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Disables RegEdit via registry modification

Disables use of System Restore points

Loads dropped DLL

UPX packed file

Modifies system executable filetype association

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious behavior: EnumeratesProcesses

System policy modification

Modifies Control Panel

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 04:33

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 04:33

Reported

2024-06-03 04:36

Platform

win7-20240221-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2164 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Windows\xk.exe
PID 2164 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Windows\xk.exe
PID 2164 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Windows\xk.exe
PID 2164 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Windows\xk.exe
PID 2164 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2164 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2164 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2164 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2164 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2164 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2164 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2164 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2164 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2164 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2164 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2164 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2164 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2164 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2164 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2164 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2164 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2164 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2164 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2164 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2164 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2164 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2164 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2164 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Network

N/A

Files

memory/2164-0-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\winlogon.exe

MD5 9bb1f8124fa679b710bd32b1d0633400
SHA1 27417fe38990574bd56167cb3a8c071bb5454d24
SHA256 362eb487f2b15f41229598b37db6a304a756ace60970cfb3b8f9e58d531b9b48
SHA512 2103253d06ed16b5fe4244a460dad4a971fbca68e2edbeebf49deef677529b050a2658e4e0f17de4156959229906d379ad3af7212b357b8c7bb0535f392df230

C:\Windows\xk.exe

MD5 1027c58de7c1e8cf0e719593a365a736
SHA1 e392ba25f37303107a26a66df7482e9d4d17012d
SHA256 448e37d9e1ef5f4cc577bf4f625cb9373229f0225e8c79f6f2256ca182f157f8
SHA512 e8209a74375788803781ca535d2f70717766b944d76c0d740dd282ba658097841890c7e66d6953ceb9e5431b602b7c088b4d85b086b0c493fa07e63304e10b4a

memory/2164-110-0x0000000001D30000-0x0000000001D5F000-memory.dmp

memory/1764-112-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2164-111-0x0000000001D30000-0x0000000001D5F000-memory.dmp

memory/1764-115-0x0000000000400000-0x000000000042F000-memory.dmp

\Windows\SysWOW64\IExplorer.exe

MD5 fcb9b0e89f30471e3d7232590246fc3d
SHA1 3ce7b7e5dcc24a86584b6b3eb775715e107c2259
SHA256 8ef6010fb1c41a4316bcf884c0696e0875b7d86be45328ac32188d0b4587a2c9
SHA512 082c3adbd1425fbc0597b51f5f09ecb128ae800d5fda86935033a2ef97513a012979c568948432bb31badab424bf71b18d153bbdf709363996470756a340f097

memory/2164-117-0x0000000001D30000-0x0000000001D5F000-memory.dmp

memory/2164-124-0x0000000001D30000-0x0000000001D5F000-memory.dmp

memory/312-127-0x0000000000400000-0x000000000042F000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 bb3d494a0ab6e8d357cbdc9472c4b711
SHA1 4e552329d030c773bb0ec0dfb9eec0647bde84a1
SHA256 f8c2b1931ff748caec843cdb8691517c140300f3c62603928d2be1d1b11a3550
SHA512 3622c5dd4e8e3096b3ea82dab2149101ffb4857a217b99942106e3f4b0b840afa99d72df815c44159f8513c145fde0b0d0f85655177eea192648959f1892c501

memory/2164-137-0x0000000001D30000-0x0000000001D5F000-memory.dmp

memory/2000-138-0x0000000000400000-0x000000000042F000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 41f73a1f791dab88cde5c6b431ad18cb
SHA1 9594d37c7d335e23ec916afe7fa3b40951b637a4
SHA256 fcb8548cc9cfface9b935e9dc7d0ae4a4433be5d8eda60991973b60f079b43b1
SHA512 bdbcbf75d6cb876b9314379d780da6f2f23b1db9a87a65eff3a7fa657be0c2c1ea57bf545500b0c6f97977ac3ea683207d6b2b428fc879f84ae285965f453e07

memory/2000-140-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2260-149-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2164-148-0x0000000001D30000-0x0000000001D5F000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 e42eb536dcd04791bff28bbf799272b0
SHA1 86b80bf1b8ef1a466fbdf0fece76778e67ae4192
SHA256 7e69bd6d0bd73304f2070a41f326b3d4f045188c1640381d74f32e25aee984dc
SHA512 11c6d87c61e4fa372d74a723da50cb5804be052f6b617fc381fe4f854c11da0c0c1d0fb617be1216fd57110ffff6d6d41e3f56f4db9e73993baada9c216199ac

memory/1592-162-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2164-160-0x0000000001D30000-0x0000000001D5F000-memory.dmp

memory/1592-164-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2164-189-0x0000000000400000-0x000000000042F000-memory.dmp

memory/820-188-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2164-178-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1988-177-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2260-152-0x0000000000400000-0x000000000042F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 04:33

Reported

2024-06-03 04:36

Platform

win10v2004-20240508-en

Max time kernel

133s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2720 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Windows\xk.exe
PID 2720 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Windows\xk.exe
PID 2720 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Windows\xk.exe
PID 2720 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2720 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2720 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2720 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2720 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2720 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2720 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2720 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2720 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2720 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2720 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2720 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2720 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2720 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2720 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2720 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2720 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2720 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9bb1f8124fa679b710bd32b1d0633400_NeikiAnalytics.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Network

Country  Destination          Domain                        Proto
US       8.8.8.8:53           g.bing.com                    udp
US       204.79.197.237:443   g.bing.com                    tcp
US       8.8.8.8:53           13.86.106.20.in-addr.arpa     udp
US       8.8.8.8:53           91.90.14.23.in-addr.arpa      udp
US       8.8.8.8:53           237.197.79.204.in-addr.arpa   udp
NL       23.62.61.97:443      www.bing.com                  tcp
US       8.8.8.8:53           0.159.190.20.in-addr.arpa     udp
US       8.8.8.8:53           104.219.191.52.in-addr.arpa   udp
US       8.8.8.8:53           57.169.31.20.in-addr.arpa     udp
US       8.8.8.8:53           97.61.62.23.in-addr.arpa      udp
US       8.8.8.8:53           232.168.11.51.in-addr.arpa    udp
US       8.8.8.8:53           183.59.114.20.in-addr.arpa    udp
US       8.8.8.8:53           206.23.85.13.in-addr.arpa     udp
US       8.8.8.8:53           82.90.14.23.in-addr.arpa      udp
US       52.111.227.11:443                                  tcp
US       8.8.8.8:53           23.236.111.52.in-addr.arpa    udp
US       8.8.8.8:53           tse1.mm.bing.net              udp
US       8.8.8.8:53           55.36.223.20.in-addr.arpa     udp
US       204.79.197.200:443   tse1.mm.bing.net              tcp
US       204.79.197.200:443   tse1.mm.bing.net              tcp
US       204.79.197.200:443   tse1.mm.bing.net              tcp
US       204.79.197.200:443   tse1.mm.bing.net              tcp

Files

memory/2720-0-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\winlogon.exe

MD5 9bb1f8124fa679b710bd32b1d0633400
SHA1 27417fe38990574bd56167cb3a8c071bb5454d24
SHA256 362eb487f2b15f41229598b37db6a304a756ace60970cfb3b8f9e58d531b9b48
SHA512 2103253d06ed16b5fe4244a460dad4a971fbca68e2edbeebf49deef677529b050a2658e4e0f17de4156959229906d379ad3af7212b357b8c7bb0535f392df230

C:\Windows\xk.exe

MD5 7694425b6b50f1eccf9eb89bba5e9e9d
SHA1 62c0628b77b184ef44df6bcd4c3f31325f1d2fe3
SHA256 99feb66b31ed927bc43b9acc0b48d1a3f2386080dd2ebe14d0308d918da83812
SHA512 3dac886b39b81087ea4e57d2ff7ea35195cc353efaee686278c7731bcede8111fe6069f7a0007b38b5bc1d43d91c1c45e9131bbb3ae20e1b7e56213258e4c696

C:\Windows\SysWOW64\IExplorer.exe

MD5 f30cfc8c08ed3dfe230b83895d452429
SHA1 e11cd58f10705364204dd25293f3707af9280af7
SHA256 b58cd62a6567b58a8ba026f249a19dec2ddf1900ae3196026114c22a6aefec08
SHA512 5faa8489c992f8a162505d1d955a4cae558eea8b83e319aed0b1c95a2545ae5b13b2f2485f725a32c1caddf66734a035108294fcff2e2e1be8ab09b5f92def4b

memory/3736-113-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3020-117-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 80d579c6c0a1301aac4ccdee368e9ca8
SHA1 dc6e6e6840a4021b45fc0b233f65ba82abd45ade
SHA256 4203daf1908bb11816d82e894ba5581435542d584b4390400501b122b7dd1716
SHA512 154a2e7cec6946ab3aaed8fce7159978938354bfec69d9d50a0b4fd1015289ab5c624159679b223f4f3dc95af3bbf2e1c6951d678f2793ebbc09e04e36139433

memory/2628-124-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 b98ed484337583435bce3d1263b9bdf2
SHA1 964f6de1745d645db6d38e97e0a896aca228fb10
SHA256 6ee9342738c63f2a3ca630c4292b67310d1ab2b07ffe6062ca0273a118a47d17
SHA512 c64e5f281c09ebf4d90c305f615664f780a20763cff27c5e3b5f356b693e31c1a16aebd2df38887c3e9d0e54b53b821f8843a5345cb8ea1e0bf3191563e06d02

memory/1936-132-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 24bd8903e94031d12f7238667a71f3e7
SHA1 8c550bfb43f50ce6e6353325ff3e14185a014c9b
SHA256 09d4d230a4a627ddf2a16d5cebbf5f3d5779d961ff5f259f8bef8be919fbdd05
SHA512 f30dda33f3898a357a788249bf0b5d7df3850d09bb131c1e6c87968daeb4ff602e2dd494a5d9eb34dcd4204697a10a9a7922e0d50b4d700de1a1097f935f6b8d

memory/1044-135-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1044-139-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 315382508eaa5409f042156845422b45
SHA1 0942bd06b29f414e80568f03fdbecbbaf47678fa
SHA256 c555737ee81d34fa646409bb9a2695c588208ad91d2ba8f9df9157efe4ef9d86
SHA512 d49a0e7bbf74ebf52f567022e76343090b1b760067424ec8890b15272bd0862b5dcd9c5ef44928fb8b3505ae561da6c5fd82b4ce25e699b11dda2b9769838f94

memory/5096-146-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 9b58c666277912356afd439d05ff1942
SHA1 73dc2a14aadf00845a909be1ea3fe6fdb7d9cfd8
SHA256 2a5d72a9245217068d86a5315913d9ba571115e4d7d5db7b359c1b17fcf10ff8
SHA512 d93b484754c35694eeb2778f6db21b2e9b77da1e2592bd71137aea8c36fe76d4a4c631352bc775c56b4b492eaed7ba91019965cf3359dbe1b4334ae339d3926f

memory/5012-153-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2720-154-0x0000000000400000-0x000000000042F000-memory.dmp