Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/06/2024, 07:16
Static task: static1
Behavioral task: behavioral1
  Sample: 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
General
Target: 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Size: 170KB
MD5: 3c9661e2a76ec5bb2683493766f060d0
SHA1: 2c410ae440de85967f7f6736de95d709b94e2ff7
SHA256: 77c6967bca94a3206e83145c7f791aab5530c633fa31006191a5689c80f22933
SHA512: 66f2f4175263d57db57edcacf84141cfbbd71b0e3f49c414794b6640223e11ca21ad3795e3a989cf1bffc8d43f45686dc498731ad35dc5f3d89683397f96e9b1
SSDEEP: 3072:3JpOm5axh63laEo+pXX1pQD2UCohD8mxLCj+5cmeDye42L712xrpdJ8xLeb7UJ:5Am5oh63laEo+pXX1pkF8mxeq5+4m71l
Malware Config
Signatures

Executes dropped EXE (6 IoCs)
pid | Process
1176 | ntuser.exe
3244 | ntuser.exe
2432 | ntuser.exe
948 | ntuser.exe
3896 | ntuser.exe
3232 | ntuser.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\P: | ntuser.exe
File opened (read-only) | \??\p: | ntuser.exe
File opened (read-only) | \??\r: | ntuser.exe
File opened (read-only) | \??\r: | ntuser.exe
File opened (read-only) | \??\B: | ntuser.exe
File opened (read-only) | \??\w: | ntuser.exe
File opened (read-only) | \??\V: | ntuser.exe
File opened (read-only) | \??\O: | ntuser.exe
File opened (read-only) | \??\W: | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
File opened (read-only) | \??\s: | ntuser.exe
File opened (read-only) | \??\R: | ntuser.exe
File opened (read-only) | \??\S: | ntuser.exe
File opened (read-only) | \??\J: | ntuser.exe
File opened (read-only) | \??\W: | ntuser.exe
File opened (read-only) | \??\A: | ntuser.exe
File opened (read-only) | \??\V: | ntuser.exe
File opened (read-only) | \??\L: | ntuser.exe
File opened (read-only) | \??\X: | ntuser.exe
File opened (read-only) | \??\j: | ntuser.exe
File opened (read-only) | \??\s: | ntuser.exe
File opened (read-only) | \??\Z: | ntuser.exe
File opened (read-only) | \??\G: | ntuser.exe
File opened (read-only) | \??\I: | ntuser.exe
File opened (read-only) | \??\R: | ntuser.exe
File opened (read-only) | \??\Y: | ntuser.exe
File opened (read-only) | \??\o: | ntuser.exe
File opened (read-only) | \??\G: | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
File opened (read-only) | \??\t: | ntuser.exe
File opened (read-only) | \??\A: | ntuser.exe
File opened (read-only) | \??\z: | ntuser.exe
File opened (read-only) | \??\N: | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
File opened (read-only) | \??\I: | ntuser.exe
File opened (read-only) | \??\M: | ntuser.exe
File opened (read-only) | \??\V: | ntuser.exe
File opened (read-only) | \??\S: | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
File opened (read-only) | \??\H: | ntuser.exe
File opened (read-only) | \??\O: | ntuser.exe
File opened (read-only) | \??\x: | ntuser.exe
File opened (read-only) | \??\x: | ntuser.exe
File opened (read-only) | \??\e: | ntuser.exe
File opened (read-only) | \??\l: | ntuser.exe
File opened (read-only) | \??\m: | ntuser.exe
File opened (read-only) | \??\q: | ntuser.exe
File opened (read-only) | \??\B: | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
File opened (read-only) | \??\E: | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
File opened (read-only) | \??\P: | ntuser.exe
File opened (read-only) | \??\R: | ntuser.exe
File opened (read-only) | \??\X: | ntuser.exe
File opened (read-only) | \??\A: | ntuser.exe
File opened (read-only) | \??\z: | ntuser.exe
File opened (read-only) | \??\H: | ntuser.exe
File opened (read-only) | \??\N: | ntuser.exe
File opened (read-only) | \??\Z: | ntuser.exe
File opened (read-only) | \??\k: | ntuser.exe
File opened (read-only) | \??\X: | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
File opened (read-only) | \??\G: | ntuser.exe
File opened (read-only) | \??\b: | ntuser.exe
File opened (read-only) | \??\w: | ntuser.exe
File opened (read-only) | \??\L: | ntuser.exe
File opened (read-only) | \??\Q: | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
File opened (read-only) | \??\N: | ntuser.exe
File opened (read-only) | \??\P: | ntuser.exe
File opened (read-only) | \??\X: | ntuser.exe
File opened (read-only) | \??\K: | ntuser.exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
5 | icanhazip.com
Maps connected drives based on registry (3 TTPs, 14 IoCs)
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | ntuser.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | ntuser.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | ntuser.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | ntuser.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | ntuser.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | ntuser.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | ntuser.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | ntuser.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | ntuser.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | ntuser.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | ntuser.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | ntuser.exe
Drops file in System32 directory (5 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | ntuser.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | ntuser.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | ntuser.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | ntuser.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\3PAZNHVN.txt | ntuser.exe
Modifies data under HKEY_USERS (15 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History | ntuser.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | ntuser.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | ntuser.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | ntuser.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | ntuser.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | ntuser.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | ntuser.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | ntuser.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | ntuser.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | ntuser.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | ntuser.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | ntuser.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ntuser.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | ntuser.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P | ntuser.exe
Modifies registry class (62 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\.exe\shell\runas | ntuser.exe
Key created | \REGISTRY\MACHINE\Software\Classes\oemdrv\shell\runas\command | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\open | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\runas | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\oemdrv\Content-Type = "application/x-msdownload" | ntuser.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\oemdrv\shell\runas\command\ = "\"%1\" %*" | ntuser.exe
Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\.exe\shell\runas\command | ntuser.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\oemdrv\shell\open\command\IsolatedCommand = "\"%1\" %*" | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\oemdrv\shell\open\command\IsolatedCommand = "\"%1\" %*" | ntuser.exe
Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\.exe\shell | ntuser.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "oemdrv" | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\runas\command\ = "\"%1\" %*" | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\oemdrv\DefaultIcon\ = "%1" | ntuser.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\oemdrv\shell\runas\command\ = "\"%1\" %*" | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\oemdrv\shell\runas\command | ntuser.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\oemdrv\shell\open | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\oemdrv\shell\open\command\ = "\"C:\\ProgramData\\UserRuntime\\ntuser.exe\" /START \"%1\" %*" | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*" | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\oemdrv\shell | ntuser.exe
Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\.exe\shell\open\command | ntuser.exe
Key created | \REGISTRY\MACHINE\Software\Classes\.exe\shell\open\command | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\oemdrv\Content-Type = "application/x-msdownload" | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\oemdrv\shell\runas\command\IsolatedCommand = "\"%1\" %*" | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\runas\command | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\Software\Classes\.exe | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\.exe\Content-Type = "application/x-msdownload" | ntuser.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\UserRuntime\\ntuser.exe\" /START \"%1\" %*" | ntuser.exe
Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\.exe | ntuser.exe
Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\oemdrv\shell\open\command | ntuser.exe
Key created | \REGISTRY\MACHINE\Software\Classes\oemdrv | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\Software\Classes\oemdrv\DefaultIcon | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\oemdrv\DefaultIcon\ = "%1" | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\oemdrv\shell\runas\command | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\Software\Classes\.exe\DefaultIcon | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\Software\Classes\.exe\shell\runas\command | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\oemdrv\ = "Application" | ntuser.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*" | ntuser.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\oemdrv\shell | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\DefaultIcon\ = "%1" | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\oemdrv\shell\open | ntuser.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\oemdrv\shell\runas\command\IsolatedCommand = "\"%1\" %*" | ntuser.exe
Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\.exe\DefaultIcon | ntuser.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\.exe\DefaultIcon\ = "%1" | ntuser.exe
Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\.exe\shell\open | ntuser.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\Software\Classes\oemdrv\shell\open\command | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\Content-Type = "application/x-msdownload" | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\oemdrv\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\UserRuntime\\ntuser.exe\" /START \"%1\" %*" | ntuser.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\oemdrv\shell\open\command | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\oemdrv | ntuser.exe
Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\oemdrv\DefaultIcon | ntuser.exe
Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\oemdrv\shell\runas | ntuser.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\.exe\ = "oemdrv" | ntuser.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*" | ntuser.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\oemdrv | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\open\command\ = "\"C:\\ProgramData\\UserRuntime\\ntuser.exe\" /START \"%1\" %*" | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\oemdrv\ = "Application" | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\oemdrv\shell\runas | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\open\command | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*" | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\.exe\shell\runas\command\ = "\"%1\" %*" | ntuser.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4224 | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
4224 | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
3244 | ntuser.exe
3244 | ntuser.exe
1176 | ntuser.exe
1176 | ntuser.exe
2432 | ntuser.exe
2432 | ntuser.exe
948 | ntuser.exe
948 | ntuser.exe
3896 | ntuser.exe
3896 | ntuser.exe
2432 | ntuser.exe
2432 | ntuser.exe
3232 | ntuser.exe
3232 | ntuser.exe
3244 | ntuser.exe
3244 | ntuser.exe
2432 | ntuser.exe
2432 | ntuser.exe
3232 | ntuser.exe
3232 | ntuser.exe
3244 | ntuser.exe
3244 | ntuser.exe
2432 | ntuser.exe
2432 | ntuser.exe
3232 | ntuser.exe
3232 | ntuser.exe
3244 | ntuser.exe
3244 | ntuser.exe
2432 | ntuser.exe
2432 | ntuser.exe
3232 | ntuser.exe
3232 | ntuser.exe
3244 | ntuser.exe
3244 | ntuser.exe
2432 | ntuser.exe
2432 | ntuser.exe
3232 | ntuser.exe
3232 | ntuser.exe
3244 | ntuser.exe
3244 | ntuser.exe
2432 | ntuser.exe
2432 | ntuser.exe
3232 | ntuser.exe
3232 | ntuser.exe
3244 | ntuser.exe
3244 | ntuser.exe
2432 | ntuser.exe
2432 | ntuser.exe
3232 | ntuser.exe
3232 | ntuser.exe
3244 | ntuser.exe
3244 | ntuser.exe
2432 | ntuser.exe
2432 | ntuser.exe
3232 | ntuser.exe
3232 | ntuser.exe
3244 | ntuser.exe
3244 | ntuser.exe
2432 | ntuser.exe
2432 | ntuser.exe
3232 | ntuser.exe
3232 | ntuser.exe
Suspicious use of AdjustPrivilegeToken (5 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 4224 | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege | 4224 | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege | 1176 | ntuser.exe
Token: SeIncBasePriorityPrivilege | 3244 | ntuser.exe
Token: SeIncBasePriorityPrivilege | 3896 | ntuser.exe
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
2432 | ntuser.exe
Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | Process | procid_target
PID 4224 wrote to memory of 1176 | 4224 | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe | 81
PID 4224 wrote to memory of 1176 | 4224 | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe | 81
PID 4224 wrote to memory of 1176 | 4224 | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe | 81
PID 4224 wrote to memory of 3244 | 4224 | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe | 82
PID 4224 wrote to memory of 3244 | 4224 | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe | 82
PID 4224 wrote to memory of 3244 | 4224 | 3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe | 82
PID 1176 wrote to memory of 2432 | 1176 | ntuser.exe | 84
PID 1176 wrote to memory of 2432 | 1176 | ntuser.exe | 84
PID 1176 wrote to memory of 2432 | 1176 | ntuser.exe | 84
PID 3244 wrote to memory of 948 | 3244 | ntuser.exe | 86
PID 3244 wrote to memory of 948 | 3244 | ntuser.exe | 86
PID 3244 wrote to memory of 948 | 3244 | ntuser.exe | 86
PID 3896 wrote to memory of 3232 | 3896 | ntuser.exe | 89
PID 3896 wrote to memory of 3232 | 3896 | ntuser.exe | 89
PID 3896 wrote to memory of 3232 | 3896 | ntuser.exe | 89
Processes
(process tree; indentation shows parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe (PID 4224)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe"
  - Enumerates connected drives
  - Maps connected drives based on registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\ProgramData\UserRuntime\ntuser.exe (PID 1176)
    Command line: "C:\ProgramData\UserRuntime\ntuser.exe" 1
    - Executes dropped EXE
    - Enumerates connected drives
    - Maps connected drives based on registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\UserRuntime\ntuser.exe (PID 2432)
      Command line: "C:\Users\Admin\AppData\Roaming\UserRuntime\ntuser.exe" 1
      - Executes dropped EXE
      - Enumerates connected drives
      - Maps connected drives based on registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx

  C:\ProgramData\UserRuntime\ntuser.exe (PID 3244)
    Command line: "C:\ProgramData\UserRuntime\ntuser.exe"
    - Executes dropped EXE
    - Enumerates connected drives
    - Maps connected drives based on registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\ProgramData\UserRuntime\ntuser.exe (PID 948)
      Command line: "C:\ProgramData\UserRuntime\ntuser.exe" 1
      - Executes dropped EXE
      - Enumerates connected drives
      - Maps connected drives based on registry
      - Suspicious behavior: EnumeratesProcesses

C:\ProgramData\UserRuntime\ntuser.exe (PID 3896)
  Command line: C:\ProgramData\UserRuntime\ntuser.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\ProgramData\UserRuntime0\ntuser.exe (PID 3232)
    Command line: "C:\ProgramData\UserRuntime0\ntuser.exe"
    - Executes dropped EXE
    - Enumerates connected drives
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 170KB
MD5: 8c5ce1fee9e5fa15f31a339390c5f4cf
SHA1: 9f9532a245afa40f3e1c626e24d98ad8a78eacf4
SHA256: 61fea7ec9d0286b494c3eace72e8411e3d75a03f9e3e89dc0950893a0704c6c7
SHA512: ef8b363a37eb3e10679f2b7e4f089dba7eb0c76339f25efec579f22d02ac82f736755ade0f5eacea1247a49e3c1d65c0433a634b2ed9cc172d1ee2c3a08cbf07

Filesize: 170KB
MD5: e5be3709f68abf4a72195f39feb1ef4c
SHA1: 275eef233307f9a18e254757712101eea1b8b152
SHA256: ec78f64c73981833df89a4ecfa3134dce23611325c38c3b447aa849661cbc466
SHA512: 8473d6d60483411e0787ddd1576374a8f7b05003088eff59189b0e80715c65967afc32edbb6cf8016b97bbf7f329319a35c1857afdb72588c92b8b90d0e7fe85