Malware Analysis Report

2025-08-10 14:13

Sample ID 240605-klygcsba9x
Target 4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe
SHA256 2b9a353e41202823310c0124a1b88dcc6ac43ddb57b4a1e8760a1106fc6040e2
Tags
evasion persistence
score
10/10

Analysis Overview

score
10/10

SHA256

2b9a353e41202823310c0124a1b88dcc6ac43ddb57b4a1e8760a1106fc6040e2

Threat Level: Known bad

The file 4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of file extensions in Explorer

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Disables RegEdit via registry modification

Disables use of System Restore points

Modifies system executable filetype association

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System policy modification

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Modifies Control Panel

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-05 08:41

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-05 08:41

Reported

2024-06-05 08:44

Platform

win7-20240221-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A

Modifies visibility of file extensions in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A

Disables RegEdit via registry modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\shell.exe | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
File created | C:\Windows\SysWOW64\shell.exe | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
File created | C:\Windows\SysWOW64\Mig2.scr | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
File created | C:\Windows\SysWOW64\IExplorer.exe | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Mig2.scr | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\xk.exe | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
File created | C:\Windows\xk.exe | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\ | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1924 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | C:\Windows\xk.exe
PID 1924 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | C:\Windows\xk.exe
PID 1924 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | C:\Windows\xk.exe
PID 1924 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | C:\Windows\xk.exe
PID 1924 wrote to memory of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | C:\Windows\SysWOW64\IExplorer.exe
PID 1924 wrote to memory of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | C:\Windows\SysWOW64\IExplorer.exe
PID 1924 wrote to memory of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | C:\Windows\SysWOW64\IExplorer.exe
PID 1924 wrote to memory of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | C:\Windows\SysWOW64\IExplorer.exe
PID 1924 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 1924 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 1924 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 1924 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 1924 wrote to memory of 1836 | N/A | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 1924 wrote to memory of 1836 | N/A | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 1924 wrote to memory of 1836 | N/A | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 1924 wrote to memory of 1836 | N/A | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 1924 wrote to memory of 852 | N/A | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 1924 wrote to memory of 852 | N/A | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 1924 wrote to memory of 852 | N/A | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 1924 wrote to memory of 852 | N/A | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 1924 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 1924 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 1924 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 1924 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 1924 wrote to memory of 2036 | N/A | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 1924 wrote to memory of 2036 | N/A | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 1924 wrote to memory of 2036 | N/A | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 1924 wrote to memory of 2036 | N/A | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Network

N/A

Files

memory/1924-0-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\services.exe

MD5 4c29fc38a6eee0f6c67258f461f836d0
SHA1 b44c07905f8c4c1eae72d1cff537e7109a3d9d4a
SHA256 2b9a353e41202823310c0124a1b88dcc6ac43ddb57b4a1e8760a1106fc6040e2
SHA512 f11e9f412e1051aa10d1d85de17055be55bd5524627db87e659e2afa28ccac6a8bad8f92e2fdc87bdb7cbf6596f9d25920b4e761c2ea6bfde89a83730e97fc62

memory/1924-105-0x0000000000820000-0x000000000084E000-memory.dmp

C:\Windows\xk.exe

MD5 19b336ac9178da89fb93f0f4005b697d
SHA1 63c431f193db51d2867bce1eee8f676839f3775e
SHA256 bfd1c641121400ecda676aa77ccc6572a73b0897c586ff2d9d831821d966135f
SHA512 b8b77eb5efaddbdcd02294a92f37aa683d8b8b79e51ffec4d77061af5952fbc76c93167cd13a23dd057160750313ca438d5a7ad91e381917090090b4892f725e

memory/2564-110-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2564-113-0x0000000000400000-0x000000000042E000-memory.dmp

\Windows\SysWOW64\IExplorer.exe

MD5 d023bda5fa084bca4a97bd2ec16e3676
SHA1 72a32217d022415c239d96ec81efb5ed22494542
SHA256 ea882d99197b5c98a63aac44cac19d3c3cfa8ab198828b210be44826a994a3e0
SHA512 b2b7e28678238c233f741ba097cdca210b8ef46e75dffe36b0111f678ab31e067b2b5774607f7a120b6b749f7da629d42931a0660387c72f0624b5cd4c54d797

memory/1924-121-0x0000000000820000-0x000000000084E000-memory.dmp

memory/2732-122-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2732-125-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 ee8bb2b5b4e4dac456b711ed892d2157
SHA1 5051afd2eabc2d7b5a3f2382d49c783609495d56
SHA256 eb2b5b888c298c0ec6630dbf5c337cec93f66cd1da27994437e8615a0501ed7d
SHA512 ebc1625d368c362a5735212509f9b343368777aff9277e0d2454074df2ea9dbffe6e264ef6aa0bc321af9d88ea90aa538fdf7389897f8bf7d735ab729972aaa3

memory/1924-135-0x0000000000820000-0x000000000084E000-memory.dmp

memory/2128-136-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 1d02e3637866311acf1fdefbd2412a20
SHA1 b798b7d34271164fedaf3b1d0a7298a9d364a084
SHA256 c26e08ea745def52f25c4a6769ceb7cf1b6234bd2b6f5b0c398861afaa703e74
SHA512 6f6a63f4d096959b92b1a144384070cca32cc75911a93836020896e27bb109c384737e863086ae0378d79cf89af649947dd0b15943c3a4a8c4036e8d4e2d8a67

memory/2128-140-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1836-146-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1836-149-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 6bcc03d40d9d5f514641e9abe45fcd14
SHA1 2e5f0f53cf2a333e3478a39d2a081105fec7b439
SHA256 6da5a5365ae0b8039a1d7017a170214f64a834c6b97fb11815cefae2abb3e18f
SHA512 02c4ab1d5a026987ae0688941b23e0f309df9ef16f7de6f8c1f611688d4841b85a4eb5d6055c172600d74a5495dcb69206075f50f947845265748c0ab69a213a

memory/852-160-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1924-158-0x0000000000400000-0x000000000042E000-memory.dmp

memory/852-162-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 e0dee34adc8b62d2f12377fd495167cf
SHA1 081e988738614e32070c53ed764131a1906f4223
SHA256 ecd4f387e893db0edf6d88eaadf8d93c9721dc8b1c7e26acb610c8f6f171430d
SHA512 54a9e302080f5e1fa3452e67b88302b4581db98e25b4f7cb51e393d9b4a273815b3568bb740c3c68fad548d0adddc572321468116cf9d9b6f919d59ca33186cd

\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 9242ba80c1f2c8fdf082fb263f00c630
SHA1 e70aa91472011696bd2c29dbac43867f068bd32c
SHA256 4e3a17300c2c0d0db0df16d18c1b26bf06dda61e8593361b1352839f4f4cb95e
SHA512 963dda546cb42cd9d08a041490ca4586d98c9b778735dd45ae651bc0e6b2533996d4a06cd4b2bf523046f8f3774b1117ffd35938713b29e889215b1b93ed9970

memory/2640-175-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2036-183-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2036-184-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1924-186-0x0000000000400000-0x000000000042E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-05 08:41

Reported

2024-06-05 08:44

Platform

win10v2004-20240426-en

Max time kernel

93s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A

Modifies visibility of file extensions in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A

Disables RegEdit via registry modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\shell.exe | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
File created | C:\Windows\SysWOW64\shell.exe | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
File created | C:\Windows\SysWOW64\Mig2.scr | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
File created | C:\Windows\SysWOW64\IExplorer.exe | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Mig2.scr | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\xk.exe | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\xk.exe | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A

Modifies Control Panel

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\ | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe | N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 856 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe C:\Windows\xk.exe
PID 856 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe C:\Windows\xk.exe
PID 856 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe C:\Windows\xk.exe
PID 856 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 856 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 856 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 856 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 856 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 856 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 856 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 856 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 856 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 856 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 856 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 856 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 856 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 856 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 856 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 856 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 856 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 856 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\4c29fc38a6eee0f6c67258f461f836d0_NeikiAnalytics.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

memory/856-0-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\winlogon.exe

MD5 4c29fc38a6eee0f6c67258f461f836d0
SHA1 b44c07905f8c4c1eae72d1cff537e7109a3d9d4a
SHA256 2b9a353e41202823310c0124a1b88dcc6ac43ddb57b4a1e8760a1106fc6040e2
SHA512 f11e9f412e1051aa10d1d85de17055be55bd5524627db87e659e2afa28ccac6a8bad8f92e2fdc87bdb7cbf6596f9d25920b4e761c2ea6bfde89a83730e97fc62

C:\Windows\xk.exe

MD5 231d0aa26439cfff49f3b4b70d1c2073
SHA1 5b08191d4fe6ee36520ded6cd4dea01537dab2b3
SHA256 fc82c7446b6c8c2ac7f3de3410610b292a47d77a02eda30d53d4ee86f940cfab
SHA512 5751656fae955b22c289ce8ada77a6eb17e006814980b3884749ac05b0bbdd69d884bbb649c7c82e44f900a387b4f08883ab8b8d464b3510f2f54b1f07f4075f

memory/1784-108-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1784-112-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Windows\SysWOW64\IExplorer.exe

MD5 4d9419af12bb6ad66ca3af4cc4ef2f85
SHA1 2072abe6490d4f9278768b1a1f2b3116316b5f9d
SHA256 cbc10b17232b50670dc9141e82c142841b7b8c4d7c2a91e139e711b019034665
SHA512 597759f12f8a2660f3bed3fa3a5b9ea671a93fef4b35130bae8d8c8a43d53c2e39d0c244b91a0da5d1f64b207de8c8661e8d3329775bfa72583d404c30e794b1

memory/4136-118-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 b02a6b48e2e329ab8c970d17ad6d49e1
SHA1 edf7af4f0126264745d09c115a192a2abeed0fd9
SHA256 365d6a6c4e0b52e4d8b56222a089173ca354a7a3ddc9d5d8709b55f3ca2715ca
SHA512 63d87f663dd7ae9b37d5758850c5d2a02c7a24a051e0f1d18cb840f3ee7b5e709067a54e94f6335a9b122ac0764bf2cc5a388a7a587976a952f5cd96790b7833

memory/64-126-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 d6d756d3aaf5650aa1e27c49c45a0526
SHA1 8ff746a7e9733ef8be90ff5cda5a96bfb68d61b7
SHA256 c20dcf5726b38512fbdde0e07b0ef603d032fc41f5a7f5d211b03c0c89dd2f5e
SHA512 c02b7a3fbfce4e601cc6316e37b094b4f39481fbbf1370e67d60f344a2ecc3c27c33c7269770e6f62dc7fb2bb62232fd8f6c407d20376641a0351e340da74b7e

memory/2708-132-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 3268cc16734961d28fe0cbdf08335dc5
SHA1 d725469f6e5095c26e6d9ba86894122c2d911308
SHA256 e30d3fba4efd9b21f4f875165164edf0a567f73a34b180a0fb320f97c72d45d7
SHA512 4e9124128f4bc03bf93907ca43aa7cfc5c2a25aedcd12b1fbac392e962b65e22442d91d79a2149dff281b845c0551faecf0babf1fc482ad095358628ad3c2a67

memory/3812-139-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 0a60454a9c7288970ef71739440da4a5
SHA1 08daaa96b48e9bef6e04b26c080951a2975163da
SHA256 8ae68e44af4574ef3351a2d4c250aefd3ef207ec82fb680178ecfc7a3155eb65
SHA512 0425441b6aee833ae2d9c459344b1f41891d43b88f1dbc606e3442e2bedc7ce156518ce16e998d125a21645a8a0fa4cff3d7d6105c79d971a28e0d4c914f6162

memory/3168-146-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 b1d935b638d58603d4f70cefe4806edb
SHA1 8e1fe69177c48962ea9a1ea41f75729d0e7e6622
SHA256 6df9922111a7f4549bf7403b85d0a743d66115da5997c5b40e025751d655a71d
SHA512 8046139db32181cbcbd087045f0ca8eee61f07edec8edf139a5fb0e40374cd94d009d73ed10feddcf877f121b3d5c3084132b00a8594dd3563d2ca00aad81282

memory/60-153-0x0000000000400000-0x000000000042E000-memory.dmp

memory/856-155-0x0000000000400000-0x000000000042E000-memory.dmp