Malware Analysis Report

2025-01-06 10:58

Sample ID 240603-felf1adb96
Target 9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe
SHA256 1c78b3514d323a79af6dec7a1e733a69d341e1387ffcc187938047190cd8907b
Tags
upx evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1c78b3514d323a79af6dec7a1e733a69d341e1387ffcc187938047190cd8907b

Threat Level: Known bad

The file 9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

upx evasion persistence

Modifies WinLogon for persistence

Modifies visibility of file extensions in Explorer

Modifies visibility of hidden/system files in Explorer

Disables RegEdit via registry modification

Disables use of System Restore points

UPX packed file

Executes dropped EXE

Loads dropped DLL

Modifies system executable filetype association

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Modifies Control Panel

Suspicious use of SetWindowsHookEx

System policy modification

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 04:47

Signatures

UPX packed file

upx
Description Indicator Process Target
1 match; no per-match indicator, process or target recorded (N/A)
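The "UPX packed file" signature above records no indicator details. Static triage of this kind usually keys on the PE section table: stock UPX names its sections UPX0/UPX1, leaves the first section with no raw data (it is filled when the stub unpacks at run time), and writes a "UPX!" marker into the header. The following is an added example by the editor, not the sandbox's own signature logic; the header-only PE fixtures and their section layouts are constructed for the demonstration and are not taken from the sample. Section names are trivially renamed, so the example also checks the zero-raw-data layout and the marker; absence of all three does not prove the file is unpacked, and `upx -d` only recovers an unmodified UPX image.

```python
"""Static UPX/packer indicators read from a PE section table (added example)."""
import struct
import sys

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def build_fake_pe(sections):
    """Build a header-only 32-bit PE image from (name, virtual_size, raw_size) tuples.

    Test fixture only: no code, no imports, just enough structure for a section walk.
    """
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_of_optional = 0xE0                                   # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_of_optional, 0x0102)
    optional = b"\x0B\x01" + b"\x00" * (size_of_optional - 2)  # PE32 magic, rest zeroed
    table = b""
    va = 0x1000
    for name, virtual_size, raw_size in sections:
        table += SECTION_HDR.pack(name.encode().ljust(8, b"\x00"), virtual_size, va,
                                  raw_size, 0x400, 0, 0, 0, 0, 0xE0000020)
        va += (virtual_size + 0xFFF) & ~0xFFF
    return dos_header + b"PE\x00\x00" + coff + optional + table


def read_sections(data):
    """Return [(name, virtual_size, raw_size), ...] from the PE section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_of_optional = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table_offset = e_lfanew + 24 + size_of_optional          # 4 (sig) + 20 (COFF)
    sections = []
    for i in range(num_sections):
        fields = SECTION_HDR.unpack_from(data, table_offset + i * SECTION_HDR.size)
        name = fields[0].rstrip(b"\x00").decode("ascii", "replace")
        sections.append((name, fields[1], fields[3]))        # name, VirtualSize, SizeOfRawData
    return sections


def packer_indicators(data):
    """List the UPX-style indicators present; an empty list means none were seen."""
    reasons = []
    sections = read_sections(data)
    for name, _vsize, _raw in sections:
        if name in UPX_SECTION_NAMES:
            reasons.append(f"section named {name}")
    if sections:
        first_name, first_vsize, first_raw = sections[0]
        if first_raw == 0 and first_vsize > 0:               # reserved, filled by the stub at run time
            reasons.append(f"first section {first_name} has no raw data (filled at runtime)")
    if b"UPX!" in data:
        reasons.append("UPX! marker string present")
    return reasons


# Constructed fixtures: a stock UPX layout, a plain compiler layout, and a UPX layout with renamed sections.
PACKED = build_fake_pe([("UPX0", 0x1E000, 0), ("UPX1", 0x8000, 0x7A00), (".rsrc", 0x1000, 0x200)]) + b"UPX!"
PLAIN = build_fake_pe([(".text", 0x5000, 0x5000), (".data", 0x1000, 0x200), (".rsrc", 0x1000, 0x200)])
RENAMED = build_fake_pe([(".text", 0x1E000, 0), (".data", 0x8000, 0x7A00)])

if __name__ == "__main__":
    # Pass a real file path to scan it; with no argument the fixtures are shown.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(packer_indicators(fh.read()))
    else:
        for label, image in (("packed", PACKED), ("plain", PLAIN), ("renamed", RENAMED)):
            print(label, packer_indicators(image))
```

The name check is the weakest of the three: a rename of UPX0/UPX1 defeats it, which is why the renamed fixture is still caught by its zero-raw-data first section.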

Unsigned PE

Description Indicator Process Target
2 matches; no per-match indicator, process or target recorded (N/A)

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 04:47

Reported

2024-06-03 04:49

Platform

win7-20240419-en

Max time kernel

119s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A

UPX packed file

upx
Description Indicator Process Target
21 matches; no per-match indicator, process or target recorded (N/A)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2368 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Windows\xk.exe
PID 2368 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Windows\xk.exe
PID 2368 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Windows\xk.exe
PID 2368 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Windows\xk.exe
PID 2368 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2368 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2368 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2368 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2368 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2368 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2368 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2368 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2368 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2368 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2368 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2368 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2368 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2368 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2368 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2368 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2368 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2368 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2368 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2368 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2368 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2368 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2368 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2368 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
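The registry rows above are the actionable part of this report: Winlogon Shell and Userinit, file-type handlers for exefile/comfile/batfile/piffile/lnkfile, Run entries named after core system processes, the screensaver handler, and the Explorer/policy values that hide the result. Two points to keep in mind when hunting for them on a real host. First, the sample is a 32-bit process, so its registry writes appear under the Wow6432Node view and its "C:\Windows\system32\IExplorer.exe" references were redirected on disk to C:\Windows\SysWOW64 (compare "Drops file in System32 directory"); check both views on 64-bit Windows. Second, the Run values use the XP-era "Local Settings\Application Data" path, which resolves through the compatibility junction to AppData\Local, where the Files section lists the drops. The following is an added example by the editor, not code from the sandbox or its signature engine: it classifies event lines in the report's own "Set value (type) <key> = "<data>"" layout. The sample lines are constructed from the rows above plus benign controls; the baselines (Winlogon defaults, the stock "%1" %* handlers, the in-box screensaver names) are Windows defaults, and the ATT&CK IDs are the editor's mapping.

```python
"""Classify registry writes of the kinds listed under Signatures (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_EVENTS = [  # constructed from the behavioral1 rows above, plus benign controls
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"',
    # benign controls (constructed): stock exefile handler, an ordinary Run entry, a bare key creation
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command',
]

EVENT_RE = re.compile(r'^(Set value \((\w+)\)|Key created) (.+?)(?: = "(.*)")?$')
SYSTEM_PROCESS_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}
STOCK_SCREENSAVERS = {"scrnsave.scr", "bubbles.scr", "mystify.scr", "ribbons.scr",
                      "sstext3d.scr", "photoscreensaver.scr"}      # in-box Windows 7/10 .scr files
# value name -> (data that enables the evasion, technique, label); mapping is the editor's
EVASION_VALUES = {
    "disableregistrytools": ("1", "T1562.001", "Registry editor disabled by policy"),
    "nofolderoptions": ("1", "T1562.001", "Folder Options removed from Explorer"),
    "hidefileext": ("1", "T1564.001", "Explorer set to hide file extensions"),
    "showsuperhidden": ("0", "T1564.001", "Explorer set to hide protected system files"),
}


@dataclass
class Finding:
    technique: str
    label: str
    key: str
    data: str


def unescape(data: str) -> str:
    """Undo the report's backslash escaping of registry data."""
    return data.replace("\\\\", "\\").replace('\\"', '"')


def first_path(command: str) -> str:
    """Executable path at the head of a command line (quoted or bare)."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return re.split(r"\s+[/-]", command, maxsplit=1)[0]   # bare path, stop at the first switch


def classify(event: str) -> Optional[Finding]:
    m = EVENT_RE.match(event)
    if not m or m.group(1) == "Key created":
        return None
    _op, _type, key, raw = m.groups()
    data = unescape(raw or "")
    k = key.lower().rstrip("\\")
    leaf = k.rsplit("\\", 1)[-1]

    if k.endswith("\\winlogon\\shell") and data.lower() != "explorer.exe":
        return Finding("T1547.004", "Winlogon Shell is no longer just explorer.exe", key, data)
    if k.endswith("\\winlogon\\userinit"):
        entries = [e.strip().lower() for e in data.split(",") if e.strip()]
        if entries != ["c:\\windows\\system32\\userinit.exe"]:
            return Finding("T1547.004", "Winlogon Userinit chain extended", key, data)
    # stock handlers for exefile/comfile/batfile/piffile run the target itself: "%1" %*
    if "\\classes\\" in k and k.endswith("\\shell\\open\\command") and not data.startswith('"%1"'):
        return Finding("T1546.001", "File-type handler routed through another executable", key, data)
    if "\\currentversion\\run\\" in k:
        path = first_path(data).lower()
        name = path.rsplit("\\", 1)[-1]
        if name in SYSTEM_PROCESS_NAMES and not path.startswith("c:\\windows\\system32\\"):
            return Finding("T1036.005", "Run entry masquerades as a core system process", key, data)
        if path.startswith("c:\\windows\\") and "\\" not in path[len("c:\\windows\\"):]:
            return Finding("T1547.001", "Run entry placed directly under %SystemRoot%", key, data)
        return None
    if leaf == "scrnsave.exe" and data.lower().rsplit("\\", 1)[-1] not in STOCK_SCREENSAVERS:
        return Finding("T1546.002", "Screensaver handler points at a non-stock file", key, data)
    if leaf in EVASION_VALUES and data == EVASION_VALUES[leaf][0]:
        _, technique, label = EVASION_VALUES[leaf]
        return Finding(technique, label, key, data)
    return None


def scan(events) -> List[Finding]:
    return [f for f in map(classify, events) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.technique:10} {f.label}: {f.key} = {f.data}")
```

The same rules apply unchanged to the behavioral2 rows, which differ only in the user SID and the WOW6432Node capitalisation. The lnkfile handler is deliberately not baselined: a lnkfile\shell\open\command key normally does not exist at all, so its creation (a "Key created" row, which the classifier skips) is itself worth a look.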

Processes

C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Network

N/A

Files

memory/2368-0-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\services.exe

MD5 9c08b003806a22fc5d4944a969ed7220
SHA1 012520eed5e150bd0146338da96cc65b80dde183
SHA256 1c78b3514d323a79af6dec7a1e733a69d341e1387ffcc187938047190cd8907b
SHA512 996758ac32c42177e2903255b5ead4849f5b58481f8b1e708ecaa243de248b2bb7a1b1faa7dbd9e0282fc2ce80bf648d72207a413cee5da7a527ac0aed598499

C:\Windows\xk.exe

MD5 58f6c23f54915dd5268c431873ead1f2
SHA1 d481f6df29fa8f811dc9d450560d61689599a412
SHA256 4a5dd2cbd2d42a2bf5c0703ad3c546f23e126bef9c4c466eea8dd286d8cfaf46
SHA512 da31076dd02e0076b2a29a2ce0f6503c071115e6479290951d912168227ddb2c836fc323e478d52aaeb8e19c124bcbbb2c91004056d6295f5dec196170e0960e

memory/2816-110-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2368-109-0x0000000002580000-0x00000000025AF000-memory.dmp

memory/2816-115-0x0000000000400000-0x000000000042F000-memory.dmp

\Windows\SysWOW64\IExplorer.exe

MD5 4a0a95d43e2b5df684dd65f634a415de
SHA1 d61ab1f47ec2a6e9cb79aa91c27ce9dde8db5046
SHA256 f17d81393886b3ad5a7afba98b9527b65debca49a1cab472e1239d3461554472
SHA512 afdc3955a827bfd65c1efc48b7304362a35d522b078cba53235da36fa247779c2e964d42e8c6e61a02f000d56f67870ab28d1b82ecbf55a2dcd8ed48b92edacd

memory/2896-124-0x0000000000400000-0x000000000042F000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 e8bc3b200521d4c77a404f9ac5c8f5e6
SHA1 3ddbf00e24f567cbb51858ed5c18de4407726799
SHA256 6b97fea36b531299a0d5bcb118ef6d11264f5f4dfc59a6845d2c93eec2679a1c
SHA512 fec10002671fff2f1d142c508915057f381ac865617da86842816c7678cd7b8a3ba9a3abe8250740c38357c91537165efc426f16fb35970e8a6549f5a0804ff5

memory/2368-131-0x0000000002580000-0x00000000025AF000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 c5db6db75d0d24f673cb59b4dbffca16
SHA1 0d71dd55d0a6ae931d09c87e70b36008a22012a1
SHA256 a5eeb28f4ab13379ef6805649c0fc7aff488f5a06d0985f2933a706736c6a594
SHA512 7b40c3bac3a4461340d7f2cd1a5949ae98318c3f70e9c0d939e1f2178e7835aad3b7c6703671fae2780a2587668fb6d7deceb134cb8e4b3253d34040a0fbcb10

memory/1620-136-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1824-145-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2368-144-0x0000000002580000-0x00000000025AF000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 6d3129ad5f15f315a369ee10de55ebe9
SHA1 72013c69a7d2c8f734ef278cd8aa3f2fbe89b2ae
SHA256 fb081d8f0caf66fdd1c9c23745f19eb1a579b1ddaa8b110a582e1c15776f2261
SHA512 4194e57e76f2a38ceed3cf9a728f936c8301f9ebc1c3308ae326df0055e216877da3e08129180baadb62baacc9be647975b5b9111a7c9db2262b9ff3d1e56ba4

memory/2368-152-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1824-151-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1540-161-0x0000000000400000-0x000000000042F000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 06ceb34a96430d435514d377a479e6a1
SHA1 d0f71c917bbcacab006aecdb6859585d242d0521
SHA256 8202a13e649bc3ac4660ffe38621ddbc28ac54d476958e710cfa7f9014c647bb
SHA512 0c033fff12073c71854bc116e3678af2e220e5f074c12cc189178e34340debe2a6a7fe81c75f14d330f75696a7dc48a6968bdc6949105d2ae8102a225c3b3435

memory/2776-174-0x0000000000400000-0x000000000042F000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 860d5b0ac59382e124e271f9add71401
SHA1 1f0a555f7398ad322dcc716c361c5bf913c90596
SHA256 a445dbcd344dec08b6ec4dc9dd72cc79d7c28c15213c7736a032b461bef14e26
SHA512 0ce62f2babe981263428cf018886d9094b58310dcad6d1c570c02665d086244a090e7775b71026e371c82669adf25b16bf406a599456b0644218284c6ea9c4aa

memory/1412-183-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2368-184-0x0000000000400000-0x000000000042F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 04:47

Reported

2024-06-03 04:49

Platform

win10v2004-20240426-en

Max time kernel

92s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A

UPX packed file

upx
Description Indicator Process Target
19 matches; no per-match indicator, process or target recorded (N/A)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3616 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Windows\xk.exe
PID 3616 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Windows\xk.exe
PID 3616 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Windows\xk.exe
PID 3616 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3616 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3616 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3616 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 3616 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 3616 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 3616 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 3616 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 3616 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 3616 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 3616 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 3616 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 3616 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 3616 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 3616 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 3616 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 3616 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 3616 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9c08b003806a22fc5d4944a969ed7220_NeikiAnalytics.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/3616-0-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\winlogon.exe

MD5 9c08b003806a22fc5d4944a969ed7220
SHA1 012520eed5e150bd0146338da96cc65b80dde183
SHA256 1c78b3514d323a79af6dec7a1e733a69d341e1387ffcc187938047190cd8907b
SHA512 996758ac32c42177e2903255b5ead4849f5b58481f8b1e708ecaa243de248b2bb7a1b1faa7dbd9e0282fc2ce80bf648d72207a413cee5da7a527ac0aed598499

C:\Windows\xk.exe

MD5 f792e5160d9e0a9ff20636ac2d7d69c9
SHA1 77f5c81d831911cb50bd66d64c5fca9a08284094
SHA256 bb4a4c612c69fbe252a6d7bb66d806b2dc6b0d711ef712aca4fd8eb3fb6935af
SHA512 dbe5765ddce77c8247dc4d00d3701bd1906dd67b34961a073f0a364ad8712cfc9ce640fcc332cc1fc5c5c958c6e523b7a8c5381dafb41856f6a01f57d7077646

memory/3452-108-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\IExplorer.exe

MD5 a4c231a445574cb054261d425c7b2e0f
SHA1 e928b446a5ece50d8eb3609bb4554ee50ad49bf5
SHA256 e57e8a3c3f4388bb30ad1a43ac9eba89f0f540d57bc7df0531e4bf5395ee0df1
SHA512 0bc5905edf4e96d7a00d12cf98632fc3c009b3a351af079d1ad830ee823a7a9d9161ab9f3f876bb06675c49d66599bc52fbea7e34523f0f1282e268f864e1ffc

memory/3452-114-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2480-120-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

MD5 b9169f68c7469661f0465a3729586ffa
SHA1 ea59d8f33e9f56ec6d897341c2821eae453a50dd
SHA256 4185095e5354a835788ceb99bdc381c54c08a611e82f680ff2076d107ece1fa9
SHA512 5600ec4adeef8ec756a5d9a64c8570ef190223da4904353a1fa80639be80aa3f8e0555bcf31a7df2515170255b4be4ab399ef57833d6df133d5c94f7b2cd0128

memory/1800-125-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 12e8836346c72569b3ce5c0300bfb33d
SHA1 bd0023602688dd85b3fd4b2e1aa8836d54b7a053
SHA256 4d0ec18e04f20587acbd5d6bb19df55993aca12883f32043d7e6969ab589e645
SHA512 7c0df8842bb8c2bdbe147c7bbf305ba8d9ed522d48e1aa31375ad2d405e2e0a650b773ba9d4281c1f15403993800faa985a60cc7805e33b44160d8178ddcd256

memory/4200-132-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

MD5 b406090265e229633590ca4c643b00d5
SHA1 7fa042eb8c858eec064fe2ea8237016ed5421151
SHA256 15d9fc00f39ca64f3b5d670752ff7eeeb8e9d8a5f3591187b57ee4da027317d4
SHA512 ce20bf7750f23089a8d7127670c6f6e52671501db44d25a875c80df2c1d587e55ca1b1613f52a127a8fd1f1ae3bf2909605a0121a911190e51044eadc71b0d20

memory/4880-137-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4880-140-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 705474cfff2de8d2137ef84b6b87f3e7
SHA1 e1eda1695b662bd5a8c3cb88301e42c9796fe0b6
SHA256 30010eb3caf8cf144f5207fda126d212a9b4fe5a19ba3ab33005081b73cb5117
SHA512 5d3eb8ecff49a4b4111e1c07228817aaffef84c8babdbc16d44dabf0a79c2a6803a5da908f26920b391e645b6c038bfcd07193aac420ffe14e85d5832c8fd7c8

memory/1656-147-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 6ccb2086f3300bae8db0514f2fa80672
SHA1 d09d1d17b6c1ca88708148897606ef3d39061521
SHA256 aedf8365ad55894bf79e2af023a3e5252728422930c6ee13e4a85340cfbd019a
SHA512 2aed0452b251f8b6ca754cb9aa6d7bbf2dd1c2ee90b64631128f851f749c6c0df27ebeae12aacbf699d7222a3797ab8f56f60d16c4cca21ca55095f60bb94ed3

memory/3508-154-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3616-156-0x0000000000400000-0x000000000042F000-memory.dmp