Malware Analysis Report

2025-01-06 08:13

Sample ID 240604-byafmagf5s
Target 1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe
SHA256 8302ebabe86b30ccb42437bde5d8d33deb8b4dc267d3fdc99cd1ec6c998c917c
Tags evasion, persistence
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score 10/10

SHA256

8302ebabe86b30ccb42437bde5d8d33deb8b4dc267d3fdc99cd1ec6c998c917c

Threat Level: Known bad

The file 1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of file extensions in Explorer

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Disables use of System Restore points

Disables RegEdit via registry modification

Executes dropped EXE

Loads dropped DLL

Modifies system executable filetype association

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Modifies registry class

System policy modification

Modifies Control Panel

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-04 01:32

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 01:32

Reported

2024-06-04 01:35

Platform

win7-20240221-en

Max time kernel

118s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator   (Process for every row: C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe; Target: N/A)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"

Modifies visibility of file extensions in Explorer

evasion
Description | Indicator   (Process for every row: C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe; Target: N/A)
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator   (Process for every row: C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe; Target: N/A)
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"

Disables RegEdit via registry modification

evasion
Description | Indicator   (Process for every row: C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe; Target: N/A)
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description | Indicator   (Process for every row: C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe; Target: N/A)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"

Adds Run key to start application

persistence
Description | Indicator   (Process for every row: C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe; Target: N/A)
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"

Drops file in System32 directory

Description | Indicator   (Process for every row: C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe; Target: N/A)
File created | C:\Windows\SysWOW64\Mig2.scr
File created | C:\Windows\SysWOW64\IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\Mig2.scr
File opened for modification | C:\Windows\SysWOW64\shell.exe
File created | C:\Windows\SysWOW64\shell.exe

Drops file in Windows directory

Description | Indicator   (Process for every row: C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe; Target: N/A)
File created | C:\Windows\xk.exe
File opened for modification | C:\Windows\xk.exe

Enumerates physical storage devices

Modifies Control Panel

evasion
Description | Indicator   (Process for every row: C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe; Target: N/A)
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"

Modifies registry class

Description | Indicator   (Process for every row: C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe; Target: N/A)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe | N/A

Suspicious use of WriteProcessMemory

Description | Target | Events logged   (Indicator: N/A; Process for every row: C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe)
PID 1100 wrote to memory of 2472 | C:\Windows\xk.exe | 4
PID 1100 wrote to memory of 2780 | C:\Windows\SysWOW64\IExplorer.exe | 4
PID 1100 wrote to memory of 1488 | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | 4
PID 1100 wrote to memory of 1660 | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | 4
PID 1100 wrote to memory of 1128 | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | 4
PID 1100 wrote to memory of 800 | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | 4
PID 1100 wrote to memory of 1496 | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | 4

System policy modification

evasion
Description | Indicator   (Process for every row: C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe; Target: N/A)
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
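Analyst note, added to this page: the script below is example triage code written for this report, not sandbox output and not code recovered from the sample. Two things in the indicators above matter for a responder on a 64-bit host. The sample is a 32-bit process, so its writes to the Winlogon and HKLM Run keys landed under Wow6432Node, and the files it "created in system32" (shell.exe, IExplorer.exe, Mig2.scr) landed in C:\Windows\SysWOW64 through file system redirection, while the registry values it set still name C:\Windows\system32\... . A 64-bit consumer of those values (Explorer launching an exefile, winlogon.exe reading Shell/Userinit) resolves system32 to the native directory, so both directories and both registry views have to be inspected before deciding whether the hijack is live. Separately, HideFileExt = 1 and ShowSuperHidden = 0 are the Windows defaults and only count alongside the other findings. The script checks the Winlogon Shell/Userinit values, the exefile/comfile/batfile/piffile/lnkfile shell\open\command hijack and the "File Folder" rename, the five Run entries, the DisableRegistryTools/NoFolderOptions policies, the SCRNSAVE.EXE value and the dropped files, hashing those the Files section gives a SHA256 for. It assumes 64-bit Windows and the logged-on user's hive (HKCU); for another profile, load that user's hive and substitute HKU:\<SID>. Read-only; run from an elevated PowerShell.

```powershell
# Host-triage check built from the registry and file indicators in this report.
# Example code added to the page; not sandbox output, not code from the sample.
# Assumes 64-bit Windows (Wow6432Node / SysWOW64 are the 32-bit redirected views)
# and checks the current user's hive. Read-only.

$findings = New-Object System.Collections.Generic.List[string]

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null instead of throwing when the key or value does not exist.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# 1. Winlogon Shell / Userinit. The report shows the writes under Wow6432Node; the
#    64-bit winlogon.exe reads the native key, so inspect both views.
$userinitDefault = '^' + [regex]::Escape("$env:SystemRoot\system32\userinit.exe") + ',?$'
foreach ($wl in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
                'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon') {
    $shell = Get-RegValue $wl 'Shell'
    if ($shell -and $shell -ne 'explorer.exe') { $findings.Add("Winlogon Shell: $wl = $shell") }
    $userinit = Get-RegValue $wl 'Userinit'
    if ($userinit -and $userinit -notmatch $userinitDefault) { $findings.Add("Winlogon Userinit: $wl = $userinit") }
}

# 2. shell\open\command hijack. exefile/comfile/batfile/piffile default to "%1" %* ;
#    lnkfile has no shell\open\command at all; exefile's default display name is "Application".
foreach ($cls in 'exefile', 'comfile', 'batfile', 'piffile') {
    $cmd = Get-RegValue "HKLM:\SOFTWARE\Classes\$cls\shell\open\command" '(default)'
    if ($cmd -ne '"%1" %*') { $findings.Add("$cls open command is '$cmd' (expected `"%1`" %*)") }
}
if (Test-Path -LiteralPath 'HKLM:\SOFTWARE\Classes\lnkfile\shell\open\command') {
    $findings.Add('lnkfile has a shell\open\command key (none on a default install)')
}
$exeName = Get-RegValue 'HKLM:\SOFTWARE\Classes\exefile' '(default)'
if ($exeName -and $exeName -ne 'Application') { $findings.Add("exefile display name: $exeName") }

# 3. Run entries: the value names and targets recorded in the report.
#    (PS* properties are the provider's own metadata, not Run values.)
$runNames   = 'xk', 'MSMSGS', 'ServiceAdmin', 'LogonAdmin', 'System Monitoring'
$runTargets = 'xk\.exe$|\\WINDOWS\\(WINLOGON|CSRSS|SERVICES|LSASS|SMSS)\.EXE$'
foreach ($rk in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -LiteralPath $rk -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
        if ($runNames -contains $p.Name -or "$($p.Value)" -match $runTargets) {
            $findings.Add("Run entry: $rk\$($p.Name) = $($p.Value)")
        }
    }
}

# 4. Policy values the report sets; neither exists on a default install.
$policy = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' }
)
foreach ($pol in $policy) {
    if ((Get-RegValue $pol.Path $pol.Name) -eq 1) { $findings.Add("Policy set: $($pol.Path)\$($pol.Name) = 1") }
}

# 5. Explorer view settings: HideFileExt=1 / ShowSuperHidden=0 are the defaults, so
#    they are reported as context rather than as findings.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$context = "HideFileExt=$(Get-RegValue $adv 'HideFileExt'), ShowSuperHidden=$(Get-RegValue $adv 'ShowSuperHidden') (defaults: 1, 0)"

# 6. Screensaver: the report points SCRNSAVE.EXE at Mig~mig.SCR while dropping SysWOW64\Mig2.scr.
$scr = Get-RegValue 'HKCU:\Control Panel\Desktop' 'SCRNSAVE.EXE'
if ($scr -and $scr -match 'Mig') { $findings.Add("SCRNSAVE.EXE = $scr") }

# 7. Dropped files. SHA256 values come from the report's Files section; $null means the
#    report gives no hash and presence alone is the finding. "Local Settings\Application
#    Data" in the report is the junction to %LOCALAPPDATA%.
$dropped = @{
    "$env:SystemRoot\xk.exe"                 = 'e97b8bc5bb0034bbcaa0ca38c2526b699173fe3663193a3a42e4bf31f02a9688'
    "$env:SystemRoot\SysWOW64\IExplorer.exe" = '65c49353aa485fda8dae3d721bfd9693a9542320e47f91adebc650984a7521b7'
    "$env:SystemRoot\SysWOW64\shell.exe"     = $null
    "$env:SystemRoot\SysWOW64\Mig2.scr"      = $null
    "$env:LOCALAPPDATA\winlogon.exe"         = '8302ebabe86b30ccb42437bde5d8d33deb8b4dc267d3fdc99cd1ec6c998c917c'  # copy of the sample
    "$env:LOCALAPPDATA\WINDOWS\WINLOGON.EXE" = '75a8070b15f42a295316e79a33df5f0b3989a9ac1ad93c6e5b8ac981c51ceb58'
    "$env:LOCALAPPDATA\WINDOWS\CSRSS.EXE"    = 'b80bbc1058f49c1a2cb214f51e30e82b283d7fa224645c3e9d9915e767858bac'
    "$env:LOCALAPPDATA\WINDOWS\SERVICES.EXE" = '7783f567e256e9a8c38b4b083ca1f33fb932f967757a2ac4c28011b0a51d5d37'
    "$env:LOCALAPPDATA\WINDOWS\LSASS.EXE"    = '2026e15824c2c604f7114ce166d5382d528f0b94e2b95bb8125b03e55ec07396'
    "$env:LOCALAPPDATA\WINDOWS\SMSS.EXE"     = '07359a025ac93377320f1d68cb985ff41508c5019f8842ab1e0cdb5b5607aa0a'
}
foreach ($path in $dropped.Keys) {
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }
    $sha = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $verdict = if ($dropped[$path] -and $sha -eq $dropped[$path]) { 'hash matches report' } else { "sha256 $sha" }
    $findings.Add("Dropped file present ($verdict): $path")
}

if ($findings.Count -eq 0) { "No indicators from this report found. $context" }
else { $findings; "Explorer view context: $context" }
```

A missing exefile, comfile, batfile or piffile command is reported as well as a hijacked one, since on a default install all four exist with the value "%1" %*. The Run-key check matches on both the value names and the target paths the report records, so a renamed entry pointing at the same dropped binaries is still caught.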

Processes

Image | Command line
C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe"
C:\Windows\xk.exe | C:\Windows\xk.exe
C:\Windows\SysWOW64\IExplorer.exe | C:\Windows\system32\IExplorer.exe
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Network

N/A

Files

memory/1100-0-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\winlogon.exe

MD5 1d564ae000b7f3fc215d621a81e45f50
SHA1 300661dd7833fabb370d30fad99503cc9d8046ca
SHA256 8302ebabe86b30ccb42437bde5d8d33deb8b4dc267d3fdc99cd1ec6c998c917c
SHA512 5174672bbd2e4ffe86e14cda2e5638452a119978350c51bf2568ad2fa96299205e145ff3116e2ee393a64c1226623894027ec394a75722f8fe78f8340adc8dba

memory/1100-106-0x0000000002820000-0x000000000284E000-memory.dmp

memory/1100-111-0x0000000002820000-0x000000000284E000-memory.dmp

C:\Windows\xk.exe

MD5 db61dffef2d1e067b1c7f482e5247f06
SHA1 af4e2a9442c1d8e7c1104f3ed54fcb5ff2c51858
SHA256 e97b8bc5bb0034bbcaa0ca38c2526b699173fe3663193a3a42e4bf31f02a9688
SHA512 d7631f27c46e83843ff11b18f95a71ce977b54b80e088731f95c9bfb512b914e3473baa06539b96cf648f57d4f1113b36d0562ae3d589b518d97797ec614824b

\Windows\SysWOW64\IExplorer.exe

MD5 3925f80ff79286ba0b19445172a16af3
SHA1 d1a1c3f8be47085392985a2a0b46497adbc98eea
SHA256 65c49353aa485fda8dae3d721bfd9693a9542320e47f91adebc650984a7521b7
SHA512 365841a277e61eae43fee2783dc06454384f07320838d94ce91936742837711847f486a30e16e749a6297a1785ee5a43bf7f9a6b0f07da8ac9de761b18ec5a44

memory/2472-114-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2780-127-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1100-132-0x0000000002820000-0x000000000284E000-memory.dmp

memory/1488-138-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1660-146-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1100-145-0x0000000002820000-0x000000000284E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 63384dc019ad8b8914807e38f323098c
SHA1 9d290d8b9749b38d0c832fd0d6b06a38bbf5b163
SHA256 7783f567e256e9a8c38b4b083ca1f33fb932f967757a2ac4c28011b0a51d5d37
SHA512 70ba2117cc2b396b127be6556d003472282f30c2c53b5f54e8f53cd02bc37d4feaa42a5793f78f7644d4c244dbd7bc1f45ca9dbcf072f26206c9531888643b69

memory/1100-157-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 95c23595ca5412c57a2fb9fd7f455f0e
SHA1 cd4a05d96d2f7b587c91d6ddae70059908600129
SHA256 2026e15824c2c604f7114ce166d5382d528f0b94e2b95bb8125b03e55ec07396
SHA512 9ab6b679adcd6d9da1b6ac798a4b6ed10f02f4f593932cda368dd9f23e4a96bd5c9eae198e478bbffb173324ca693e29a60012e5010ca85bbcf910aa0f62ff40

memory/800-170-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 859ba2ce17212d2f063580059a3ff708
SHA1 879e88f59792938b73fb9bafeda87ecae4f6c296
SHA256 07359a025ac93377320f1d68cb985ff41508c5019f8842ab1e0cdb5b5607aa0a
SHA512 755791c1860d15fed1fe66bd2e27090efef5e6b4d84a32bfca285a7884eb10240afba8c5523bac94fdc9f7c936cd1de89964cb115701d6fe54c59d7830eb7a24

memory/1496-179-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1100-178-0x0000000002820000-0x000000000284E000-memory.dmp

memory/1100-185-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1496-184-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1128-160-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1660-149-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 b6ae1eea5af64ecaf772aa115946ac22
SHA1 48cc6276b118409da2ad9cb464012efacf04b0f7
SHA256 b80bbc1058f49c1a2cb214f51e30e82b283d7fa224645c3e9d9915e767858bac
SHA512 23440b20e4234a42577e61e40c336e9045a8deb4db6a59ddf53792d1fa324e92faf46acd553c68c725e5fd90004a35add5f900a9795e9bbc9464e7ab9129a798

C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 16fbae5d08e766554dbbed3630bd1c1f
SHA1 980acc342fb2508e268da5dd103cbc194d6071b7
SHA256 75a8070b15f42a295316e79a33df5f0b3989a9ac1ad93c6e5b8ac981c51ceb58
SHA512 5bc5ccd926436ae0c7cbff8662f1675a32eedce19309096277f98bffa82d9a0b519a1bde08bb2faf87d9094c8756fd3e1b1e884b4a18ad822ea160b1e733ab2e

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 01:32

Reported

2024-06-04 01:35

Platform

win10v2004-20240426-en

Max time kernel

92s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator   (Process for every row: C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe; Target: N/A)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"

Modifies visibility of file extensions in Explorer

evasion
Description | Indicator   (Process for every row: C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe; Target: N/A)
Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator   (Process for every row: C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe; Target: N/A)
Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"

Disables RegEdit via registry modification

evasion
Description | Indicator   (Process for every row: C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe; Target: N/A)
Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description | Indicator   (Process for every row: C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe; Target: N/A)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"

Adds Run key to start application

persistence
Description | Indicator   (Process for every row: C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe; Target: N/A)
Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"
Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"
Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"

Drops file in System32 directory

Description | Indicator   (Process for every row: C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe; Target: N/A)
File opened for modification | C:\Windows\SysWOW64\shell.exe
File created | C:\Windows\SysWOW64\shell.exe
File created | C:\Windows\SysWOW64\Mig2.scr
File created | C:\Windows\SysWOW64\IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\Mig2.scr

Drops file in Windows directory

Description | Indicator   (Process for every row: C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe; Target: N/A)
File opened for modification | C:\Windows\xk.exe
File created | C:\Windows\xk.exe

Modifies Control Panel

evasion
Description | Indicator   (Process for every row: C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe; Target: N/A)
Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"
Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\Desktop\
Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"
Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"

Modifies registry class

Description | Indicator   (Process for every row: C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe; Target: N/A)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2408 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe C:\Windows\xk.exe
PID 2408 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe C:\Windows\xk.exe
PID 2408 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe C:\Windows\xk.exe
PID 2408 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2408 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2408 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2408 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2408 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2408 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2408 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2408 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2408 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2408 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2408 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2408 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2408 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2408 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2408 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2408 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2408 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2408 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\1d564ae000b7f3fc215d621a81e45f50_NeikiAnalytics.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

memory/2408-0-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\winlogon.exe


C:\Windows\xk.exe


memory/3844-111-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Windows\SysWOW64\IExplorer.exe


memory/4820-115-0x0000000000400000-0x000000000042E000-memory.dmp

memory/4820-118-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE


memory/1080-124-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE


C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE


memory/4532-131-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1840-144-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2728-137-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2408-153-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2056-151-0x0000000000400000-0x000000000042E000-memory.dmp