Malware Analysis Report

2025-01-06 08:57

Sample ID 240604-a4ef4aga39
Target 18df5813e757623533c83392c8934110_NeikiAnalytics.exe
SHA256 aa62192c36423343333f974b8033b84c411075903ecbf23b16e3c1ee76214daa
Tags
upx evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

aa62192c36423343333f974b8033b84c411075903ecbf23b16e3c1ee76214daa

Threat Level: Known bad

The file 18df5813e757623533c83392c8934110_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

upx evasion persistence

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Disables use of System Restore points

Disables RegEdit via registry modification

Modifies system executable filetype association

UPX packed file

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

System policy modification

Modifies Control Panel

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-04 00:45

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 00:45

Reported

2024-06-04 00:48

Platform

win7-20231129-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (25 identical rows; no indicator details are given for this signature)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2216 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Windows\xk.exe
PID 2216 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Windows\xk.exe
PID 2216 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Windows\xk.exe
PID 2216 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Windows\xk.exe
PID 2216 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2216 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2216 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2216 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2216 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2216 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2216 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2216 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2216 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2216 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2216 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2216 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2216 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2216 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2216 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2216 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2216 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2216 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2216 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2216 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2216 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2216 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2216 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2216 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
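The tables above list the registry writes one per row but leave it to the reader to judge which values are actually abnormal. The following Python script is an added example, not part of the sandbox report: it parses "Set value" indicator lines in the report's format (a constructed subset of the rows above is embedded as sample input) and compares each write against the stock Windows value for the keys this sample touches: Winlogon Shell and Userinit, the open verb of exefile/comfile/batfile/piffile/lnkfile, the Run keys, the DisableRegistryTools and NoFolderOptions policies, the Explorer Advanced settings and SCRNSAVE.EXE. The baselines (explorer.exe, userinit.exe, the open command "%1" %*, the exefile type name Application) are standard Windows values; the severity labels, the list of imitated process names and the treatment of lnkfile (any explicit open command is flagged) are assumptions of the example.

```python
import re
from dataclasses import dataclass

# Constructed sample input: "Set value" indicator lines copied from the
# behavioral1 Signatures tables above, with the Process/Target columns dropped.
INDICATORS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"
'''

LINE_RE = re.compile(r'^Set value \((str|int)\) (.+?) = "(.*)"$')

WINLOGON = r'hklm\software\microsoft\windows nt\currentversion\winlogon'
CLASSES = 'hklm\\software\\classes\\'
RUN_KEYS = {r'hklm\software\microsoft\windows\currentversion\run',
            r'hkcu\software\microsoft\windows\currentversion\run'}
DEFAULT_OPEN_COMMAND = '"%1" %*'      # stock open verb for exefile/comfile/batfile/piffile
USERINIT = r'c:\windows\system32\userinit.exe'
# Core OS process names this sample imitates (assumed list); the real ones only live in System32.
SYSTEM_NAMES = {'winlogon.exe', 'csrss.exe', 'services.exe', 'lsass.exe', 'smss.exe'}


@dataclass
class Finding:
    severity: str
    key: str
    name: str
    value: str
    reason: str


def unescape(raw: str) -> str:
    """The report escapes backslashes and quotes C-style inside the value column."""
    return re.sub(r'\\(.)', r'\1', raw)


def norm_key(key: str) -> str:
    """Lower-case, collapse the per-user SID to hkcu, drop the WoW64 redirection node."""
    k = key.lower().replace('wow6432node\\', '')
    if k.startswith('\\registry\\machine\\'):
        return 'hklm' + k[len('\\registry\\machine'):]
    m = re.match(r'\\registry\\user\\s-1-5-21-[\d-]+(\\.*)$', k)
    return 'hkcu' + m.group(1) if m else k


def parse(text: str):
    """Yield (key, value_name, value) per indicator line; a trailing backslash means the (Default) value."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _kind, path, raw = m.groups()
            key, _, name = path.rpartition('\\')
            yield key, name, unescape(raw)


def check(key: str, name: str, value: str):
    k, n, v = norm_key(key), name.lower(), value.strip()
    if k == WINLOGON and n == 'shell' and v.lower() != 'explorer.exe':
        return Finding('high', k, name, v, 'Winlogon Shell is not plain explorer.exe; an extra program starts at every logon')
    if k == WINLOGON and n == 'userinit':
        extra = [p.strip() for p in v.split(',') if p.strip() and p.strip().lower() != USERINIT]
        if extra:
            return Finding('high', k, name, v, f'Userinit chain has extra entries: {extra}')
    if k.startswith(CLASSES):
        cls, _, sub = k[len(CLASSES):].partition('\\')
        if sub == 'shell\\open\\command' and n == '' and v != DEFAULT_OPEN_COMMAND:
            # Assumption: lnkfile normally carries no explicit open command, so it is flagged as well.
            return Finding('high', k, name, v, f'{cls} open verb proxied through a non-default launcher')
        if cls == 'exefile' and sub == '' and n == '' and v.lower() != 'application':
            return Finding('medium', k, name, v, 'exefile type name changed; with HideFileExt=1 Explorer shows an .exe as that type')
    if k in RUN_KEYS:
        base = v.strip('"').rsplit('\\', 1)[-1].lower()
        in_system = '\\system32\\' in v.lower() or '\\syswow64\\' in v.lower()
        if base in SYSTEM_NAMES and not in_system:
            return Finding('high', k, name, v, f'Run entry named like core OS process {base} but outside System32')
        return Finding('medium', k, name, v, 'Run entry written by the sample; verify the target binary')
    if k.endswith('\\policies\\system') and n == 'disableregistrytools' and v == '1':
        return Finding('high', k, name, v, 'regedit blocked by policy; defensive tooling impaired')
    if k.endswith('\\policies\\explorer') and n == 'nofolderoptions' and v == '1':
        return Finding('medium', k, name, v, 'Folder Options hidden so the user cannot undo the Explorer changes')
    if k.endswith('\\explorer\\advanced') and n in ('hidefileext', 'showsuperhidden'):
        return Finding('low', k, name, v, 'matches the Windows default; alert on the write by a non-Explorer process, not on the value')
    if k.endswith('\\control panel\\desktop') and n == 'scrnsave.exe':
        return Finding('medium', k, name, v, 'screensaver replaced; runs with the user token after the idle timeout')
    return None


def analyze(text: str) -> list:
    return [f for f in (check(*e) for e in parse(text)) if f]


if __name__ == '__main__':
    for f in analyze(INDICATORS):
        print(f'[{f.severity:6}] {f.key}\\{f.name or "(Default)"} = {f.value!r}\n         {f.reason}')
```

Three caveats from the rows above are worth carrying into triage. First, HideFileExt=1 and ShowSuperHidden=0 are the Windows defaults, so the values alone are not a host indicator; what matters is that the sample wrote them, together with NoFolderOptions=1 so the user cannot change them back. Second, the Winlogon Shell and Userinit writes land under Wow6432Node because this is a 32-bit sample on a 64-bit sandbox; the 64-bit winlogon.exe reads the non-redirected key, whereas the Run key under Wow6432Node and the shared HKLM\SOFTWARE\Classes hijack do take effect. Third, when cleaning up, restore the exefile, comfile, batfile and piffile open verbs to "%1" %* before deleting C:\Windows\SysWOW64\shell.exe, otherwise no executable (regedit included) can be launched from the shell. Note also that SCRNSAVE.EXE points at Mig~mig.SCR while the file actually dropped is SysWOW64\Mig2.scr, so the screensaver path should be verified on the host rather than assumed live.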

Processes

C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Network

N/A

Files

memory/2216-0-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\services.exe

MD5 18df5813e757623533c83392c8934110
SHA1 f05c5064cad2ace0a0f14b596396b9d57fcc3786
SHA256 aa62192c36423343333f974b8033b84c411075903ecbf23b16e3c1ee76214daa
SHA512 2b8c200218a6217f9f09d0aedf1840004e151be69322611df2abb17fce68f9eb6dcfddf052a1c221d898f9c4c4e360410d43046ff124296d1fb41b4eda03ace7

C:\Windows\xk.exe

MD5 b645d0d5f248060273ecd4e9e307cd24
SHA1 5dabf4af1b3d94ce3f74a539dbb7a14a39f690a0
SHA256 f1352197b0b55bf2c7d0190a3c8603fe6b7836b9fe9e138212c779206952f49f
SHA512 a277dbcc52882ef4a90531015a96bfe68191d72acdc33b88c26a293751a13b2613e705959474eca4b752b3a8a01590d08b8833ec755c0b0919efd5b2d06f4d49

memory/2160-111-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2216-110-0x0000000002470000-0x000000000249F000-memory.dmp

memory/2216-109-0x0000000002470000-0x000000000249F000-memory.dmp

memory/2160-115-0x0000000000400000-0x000000000042F000-memory.dmp

\Windows\SysWOW64\IExplorer.exe

MD5 040ef0e89d3ce2a049ea42b54aaaec3c
SHA1 5132f82a281153b9afbd3e11506571ebb43c6882
SHA256 a801f3bea8a9a53e90ce8fe7d643667fe06b7a6a579e25e81b83fab3deb40806
SHA512 50a339b39b158cc08295fa9476f87471a5b1c135b8a11dd4c5cbc0a5328b70ecd51129b77ed765745f31ad525a2296fa21ed982982e6690140917399aa08ade5

memory/2216-117-0x0000000002470000-0x000000000249F000-memory.dmp

memory/2940-124-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2940-127-0x0000000000400000-0x000000000042F000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 ded6ddabaa2531231e24ab3eb0f42714
SHA1 c22e5404ccd8598ab103713938c619e9802c9df3
SHA256 a3ff2c22d1b355cb17935577147f9b9ed7e5b4f4aec1d27e1f28b95d770ac1f3
SHA512 96ac5a6321da9c64deea64c7fa1fa7245f7338aecac7be327ea582c61b664bfeb874ecce1fb2743a6ae3759e7fbb91c820b538bffc033925ea6e2ffa16363ba7

memory/2356-137-0x0000000000400000-0x000000000042F000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 64399ed86adc9eeaf8bd2050fea44f51
SHA1 fe745b3ccf6784dcef1296425df580cad92dad67
SHA256 22b9c56be189f9499ead8395577f78c3f388b07417221f95967d1a2f34171af1
SHA512 deade7987ac7619513c90593960083ffa7e32f2813eda54196253dede0e403ffda2c8215a2ffdcf605b8cdf5748b024bb73fc1b2194e963928b8cd249e25bf44

memory/2356-141-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1884-149-0x0000000000400000-0x000000000042F000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 2fce892c3c3a3cb31cbd56ece18df0ca
SHA1 e469675f1f76dc049a6757d303003d4f7309d2a9
SHA256 02ed60fc66573ab481eb3f2d879b464a75abdc74672e6176a15189e4738d0582
SHA512 2fe04662ab323cd00ab0ca8ed7394f77555edd6201b4e1d89e24a44262a5b6ccdf05b4281d7ee05fe8d8c8064e897bfb42dec308481564e13274ac3b87402056

memory/2216-159-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2504-160-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2504-162-0x0000000000400000-0x000000000042F000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 0b53b11993802792328cc96ece35965a
SHA1 c861353e01c39fb08bfe3f98645b3e799361b5fb
SHA256 a9f33f1f396e18e537fe4ae8c52c96277401df05e07d03a920f461c9cc440878
SHA512 ad1733f4e0cdffb36ecd663b332d30abce662f1126e9101265186ecc6f102c22e84249bf6b0bdef1c056b8c8980ac43a95dd535587615bb4ac5f9851e3b90d92

memory/2808-171-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2216-170-0x0000000002470000-0x000000000249F000-memory.dmp

memory/2808-174-0x0000000000400000-0x000000000042F000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 9557760c304e854574a8341158052236
SHA1 9532dd760c34ff58c0a0021f8f197fe51360e20c
SHA256 56a483f327a5191a7ea1b501755544b7881bcf9ad4cd9baf4df4f0af62c2f99d
SHA512 1eeedee43be2e26fc3e3476462c88edab2ca3443f01e67a10d754288d300bf1d4072eca10418151489d843492d5b98048a08150bfeb092a11189d9028890bb69

memory/1864-182-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1864-187-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2216-188-0x0000000000400000-0x000000000042F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 00:45

Reported

2024-06-04 00:48

Platform

win10v2004-20240508-en

Max time kernel

133s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (18 identical rows; no indicator details are given for this signature)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1984 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Windows\xk.exe
PID 1984 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Windows\xk.exe
PID 1984 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Windows\xk.exe
PID 1984 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1984 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1984 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1984 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 1984 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 1984 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 1984 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 1984 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 1984 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 1984 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 1984 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 1984 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 1984 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 1984 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 1984 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 1984 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 1984 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 1984 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\18df5813e757623533c83392c8934110_NeikiAnalytics.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/1984-0-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\winlogon.exe

MD5 18df5813e757623533c83392c8934110
SHA1 f05c5064cad2ace0a0f14b596396b9d57fcc3786
SHA256 aa62192c36423343333f974b8033b84c411075903ecbf23b16e3c1ee76214daa
SHA512 2b8c200218a6217f9f09d0aedf1840004e151be69322611df2abb17fce68f9eb6dcfddf052a1c221d898f9c4c4e360410d43046ff124296d1fb41b4eda03ace7

C:\Windows\xk.exe

MD5 3d660f9b3b1a51e3836e9a40d5f03d78
SHA1 3af683aad12a20c9fe82e089e712843f1a2f2c77
SHA256 fedbc24cf8027f7b07df5b66b767f2449150c820ccbcb0d74ec030c9be06fee3
SHA512 7e29f6f1079be5cfbc1b69687e15aa3413e32e9a49976cb1eb2e1b477e0eeaed326a1e99b3194d9dff18a6b1bedf8cec7100706c242558b8b789604a1d76a3c6

C:\Windows\SysWOW64\IExplorer.exe

MD5 b4a56a6221bbcf3e1029c9975690779b
SHA1 ecf954349282b7ac0236b93be6e8248ab36aeb6a
SHA256 3da3016c94b6f895a8f8d2bc1f79441c7c3559b08f9c5b16996652401bca6627
SHA512 6a91e2bf096e46b7d6170e6fd13513a7917196bf6c4d0b4b98d82ac77dd36f14a2ea5a7c246c90e208fa970c894b581cbefabc9e434795e78f39d7324bdbcd8a

memory/4040-113-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3188-115-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3188-119-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 4a88888f91cab318fcf89ded2842062e
SHA1 716f303fc24c80aaf8d326e43d45b679f631c982
SHA256 61ed5731278ce5e8c42ff9ac1bd20bb241745a3d213958b680811b2d6489b0f3
SHA512 3436152a8443cc0988229c27149da668de010e63092ddd9b80c1eb0cdbfd4d83e18be65bb27b433249c359582ccef4b4992ebfb79f143d43869c37221c38fd70

memory/1284-127-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 1188eda0679ff0992c590c2684972c05
SHA1 1f9199165ed651f8e89235d17cf3953962e313b8
SHA256 25d455d51e5ce4c2b22578253a11e3d252942e40ea8d2c333f645adb38134024
SHA512 27b07198978a90db5a884296c15c86bf183c335bf578af204e27375ac6fcf59efdb675a9dc284687316d2b69d2206d6c565d01c073c158c81c2d7a39e2b5f90e

C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 a209eb6358b82911b8e857b29fd10ce0
SHA1 c28e2039aea20106598e72f50cd0c6133825e83a
SHA256 65081b1d09f873ad6a2a0604f39b34d4756cd3387a16e99c12617c33d739ff1e
SHA512 ae1998ff2f0455fc177b9e62ec6be849e5fb13ae343f8434dbc38e6bee2cbe5569815a8d2bb2d07f9dcc3f1edab6d44a7d794c9f2a4feff32429b6535bf1b250

memory/1020-134-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2800-140-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 d76cd114f253dba8ea58564186b8833e
SHA1 c5b07dad781ea4dc8608a564197abf4b599154e1
SHA256 e84be2e2bce13c083aef4018bc7fc5decb786d00bf9e5a9c949704a5c03c8199
SHA512 e5ceabc6d72d4adf6eb68528e6ab29cbe98ac9023de5d38d8a0fed567f84b39ca50679c099d16f18a42c973ca9ab8b9a397d135c1d3b05827e7f37d667bd7759

memory/4488-147-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 b014a05417db2ac7b56576638bea4bab
SHA1 4bb9c19ccc87ea10443cd45d01677990108c79a8
SHA256 39d68a7fc70fa48fb7c4f014001e464003cbb537b6f0b46c567a0e3fca3f6679
SHA512 fb0baa62f79eec5a17d07717070e1bd46499f1306ebe6c9fccd493d8804da682e3b7b73f9cfd4a21f64d8c986efacde0aa786cef6fe3ab5180de87712763fe1a

memory/4432-153-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1984-154-0x0000000000400000-0x000000000042F000-memory.dmp