737ced1201360a098686aba2d4e10df2367a0eb14df80286d131649be8272c41

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/06/2024, 11:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
Size

352KB
MD5

0dada09dae32a7793929e47c60da2310
SHA1

5b2d08a3375484138887bceddc6646799717a7e9
SHA256

737ced1201360a098686aba2d4e10df2367a0eb14df80286d131649be8272c41
SHA512

ae4ab3b21a3b7b2525dc91b625108153bb59aa4024115ad473624a10eaf94d9dbd386e714ece1bca53452c177e15b47ad521da313b5993589916b955145930f2
SSDEEP

6144:vIGEnprZkRs38t54c6rzNdfzIGEnprZkRs38t54c6rzNdf/:vxEnAR934fxEnAR934L

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Shell.exe\""	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Shell.exe"	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Shell.exe\""	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Shell.exe\""	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Shell.exe"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Shell.exe"	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Shell.exe\""	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Shell.exe\""	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Shell.exe"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Shell.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Shell.exe\""	SMSS.EXE

Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SMSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WlNLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Shell.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	CSRSS.EXE

Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WlNLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Shell.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	CSRSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SMSS.EXE

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe

Executes dropped EXE 5 IoCs

pid	Process
2440	WlNLOGON.EXE
3004	Shell.exe
2480	CSRSS.EXE
2784	SERVICES.EXE
608	SMSS.EXE

Loads dropped DLL 8 IoCs

pid	Process
2968	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
2968	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
2968	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
2968	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
2968	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
2968	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
2968	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
2968	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe

Modifies system executable filetype association 2 TTPs 62 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WlNLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WlNLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	CSRSS.EXE

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2968-0-0x0000000000400000-0x00000000004AA000-memory.dmp	upx
behavioral1/files/0x0007000000015e32-12.dat	upx
behavioral1/files/0x0006000000016cdc-92.dat	upx
behavioral1/files/0x0006000000016d18-97.dat	upx
behavioral1/memory/2968-98-0x0000000003560000-0x000000000360A000-memory.dmp	upx
behavioral1/memory/3004-105-0x0000000000400000-0x00000000004AA000-memory.dmp	upx
behavioral1/files/0x0006000000016d3a-108.dat	upx
behavioral1/memory/2480-115-0x0000000000400000-0x00000000004AA000-memory.dmp	upx
behavioral1/files/0x0006000000016d3e-118.dat	upx
behavioral1/memory/2784-127-0x0000000000400000-0x00000000004AA000-memory.dmp	upx
behavioral1/files/0x0006000000016d43-134.dat	upx
behavioral1/memory/2968-150-0x0000000000400000-0x00000000004AA000-memory.dmp	upx
behavioral1/memory/3004-157-0x0000000000400000-0x00000000004AA000-memory.dmp	upx
behavioral1/memory/2440-153-0x0000000000400000-0x00000000004AA000-memory.dmp	upx
behavioral1/memory/608-137-0x0000000000400000-0x00000000004AA000-memory.dmp	upx
behavioral1/memory/2480-172-0x0000000000400000-0x00000000004AA000-memory.dmp	upx
behavioral1/memory/2784-175-0x0000000000400000-0x00000000004AA000-memory.dmp	upx
behavioral1/memory/608-183-0x0000000000400000-0x00000000004AA000-memory.dmp	upx

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Depkominfo = "C:\\Windows\\WlNLOGON.EXE"	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SMSS.EXE"	WlNLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Depkominfo = "C:\\Windows\\WlNLOGON.EXE"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SMSS.EXE"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Depkominfo = "C:\\Windows\\WlNLOGON.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Depkominfo = "C:\\Windows\\WlNLOGON.EXE"	WlNLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Depkominfo = "C:\\Windows\\WlNLOGON.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SMSS.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SMSS.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SMSS.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SMSS.EXE"	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Depkominfo = "C:\\Windows\\WlNLOGON.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	SERVICES.EXE

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Desktop.ini	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
File created	C:\Windows\Desktop.ini	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Telematika.scr	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	SMSS.EXE
File opened for modification	C:\Windows\SysWOW64\OEMLOGO.BMP	SMSS.EXE
File opened for modification	C:\Windows\SysWOW64\shell.exe	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	SERVICES.EXE
File created	C:\Windows\SysWOW64\OEMINFO.ini	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	CSRSS.EXE
File opened for modification	C:\Windows\SysWOW64\OEMINFO.ini	SMSS.EXE
File created	C:\Windows\SysWOW64\OEMLOGO.BMP	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\shell.exe	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Telematika.scr	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	WlNLOGON.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File created	C:\Windows\msvbvm60.dll	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
File created	C:\Windows\WlNLOGON.EXE	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
File created	C:\Windows\120.0.0.1.htm	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
File opened for modification	C:\Windows\msvbvm60.dll	SMSS.EXE
File opened for modification	C:\Windows\	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
File created	C:\Windows\msvbvm60.dll	WlNLOGON.EXE
File created	C:\Windows\msvbvm60.dll	CSRSS.EXE
File created	C:\Windows\msvbvm60.dll	SMSS.EXE
File opened for modification	C:\Windows\msvbvm60.dll	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
File opened for modification	C:\Windows\WlNLOGON.EXE	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	CSRSS.EXE
File opened for modification	C:\Windows\msvbvm60.dll	SERVICES.EXE
File opened for modification	C:\Windows\Desktop.ini	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
File created	C:\Windows\Desktop.ini	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
File opened for modification	C:\Windows\120.0.0.1.htm	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
File opened for modification	C:\Windows\msvbvm60.dll	WlNLOGON.EXE
File created	C:\Windows\msvbvm60.dll	SERVICES.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 42 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Shell.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\s2359 = "Bengi"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\	WlNLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\s1159 = "Awan"	WlNLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\s1159 = "Awan"	CSRSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\s2359 = "Bengi"	Shell.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International	CSRSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\TELEMA~1.SCR"	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\s1159 = "Awan"	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\s2359 = "Bengi"	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\TELEMA~1.SCR"	WlNLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\TELEMA~1.SCR"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\s2359 = "Bengi"	WlNLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\s1159 = "Awan"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	WlNLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\s1159 = "Awan"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\TELEMA~1.SCR"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\s2359 = "Bengi"	CSRSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\s1159 = "Awan"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	WlNLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International	WlNLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\TELEMA~1.SCR"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\s2359 = "Bengi"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\TELEMA~1.SCR"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	SMSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	SERVICES.EXE

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	WlNLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	Shell.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	CSRSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	SMSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe

Modifies Internet Explorer start page 1 TTPs 6 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\start page = "C:\\Windows\\\\120.0.0.1.htm"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\start page = "C:\\Windows\\\\120.0.0.1.htm"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\start page = "C:\\Windows\\\\120.0.0.1.htm"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\start page = "C:\\Windows\\\\120.0.0.1.htm"	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\start page = "C:\\Windows\\\\120.0.0.1.htm"	WlNLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\start page = "C:\\Windows\\\\120.0.0.1.htm"	Shell.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WlNLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WlNLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2968	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
608	SMSS.EXE
608	SMSS.EXE
608	SMSS.EXE
608	SMSS.EXE
608	SMSS.EXE
608	SMSS.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2968	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
2440	WlNLOGON.EXE
3004	Shell.exe
2480	CSRSS.EXE
2784	SERVICES.EXE
608	SMSS.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 2440	2968	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe	28
PID 2968 wrote to memory of 2440	2968	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe	28
PID 2968 wrote to memory of 2440	2968	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe	28
PID 2968 wrote to memory of 2440	2968	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe	28
PID 2968 wrote to memory of 3004	2968	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe	29
PID 2968 wrote to memory of 3004	2968	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe	29
PID 2968 wrote to memory of 3004	2968	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe	29
PID 2968 wrote to memory of 3004	2968	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe	29
PID 2968 wrote to memory of 2480	2968	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe	30
PID 2968 wrote to memory of 2480	2968	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe	30
PID 2968 wrote to memory of 2480	2968	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe	30
PID 2968 wrote to memory of 2480	2968	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe	30
PID 2968 wrote to memory of 2784	2968	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe	31
PID 2968 wrote to memory of 2784	2968	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe	31
PID 2968 wrote to memory of 2784	2968	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe	31
PID 2968 wrote to memory of 2784	2968	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe	31
PID 2968 wrote to memory of 608	2968	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe	32
PID 2968 wrote to memory of 608	2968	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe	32
PID 2968 wrote to memory of 608	2968	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe	32
PID 2968 wrote to memory of 608	2968	0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe	32

C:\Users\Admin\AppData\Local\Temp\0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0dada09dae32a7793929e47c60da2310_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Drops file in Drivers directory
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\WlNLOGON.EXE
  C:\Windows\WlNLOGON.EXE
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2440
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3004
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2480
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2784
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
352KB

MD5
c79d6eda818d1dde4abdfa5e800ffc32

SHA1
4125246ed1c869a8dec7f0fdcf1795f5b31c6b6b

SHA256
f087c5d7a044cd56d1e73ef1a4f5b3960fda50c4f115c1552c1dd8ac8b780568

SHA512
8dfcf1915a5c6f3aca6ef4039bf0f6530f51eaef66576ca100e633277be962ffda935e5acec06715064591af4ea142fce518a5a52446caa5d8eb4e6489485697

Download Submit
C:\Users\Admin\AppData\Local\services.exe

Filesize
352KB

MD5
0dada09dae32a7793929e47c60da2310

SHA1
5b2d08a3375484138887bceddc6646799717a7e9

SHA256
737ced1201360a098686aba2d4e10df2367a0eb14df80286d131649be8272c41

SHA512
ae4ab3b21a3b7b2525dc91b625108153bb59aa4024115ad473624a10eaf94d9dbd386e714ece1bca53452c177e15b47ad521da313b5993589916b955145930f2

Download Submit
C:\Windows\Desktop.ini

Filesize
65B

MD5
990a0bd866566534e37192439277e040

SHA1
90abfe04350a375df3beddd411256143e606461b

SHA256
ee3aaf1bcc2539bdddb6f25f4d0902cd023d83d902196d1bf2fcd37a73469038

SHA512
e598c68ae8f1a62cbc870fb7cf2c634ba24d1f1bfa62428a23aac7c914b3a775fa06564b6e084eaf9215086da433a80e49f2cbe81ca990414df3e57716dea4b7

Download Submit
C:\Windows\MSVBVM60.DLL

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\OEMINFO.ini

Filesize
462B

MD5
45d327d7d806625d696945dea064d7a2

SHA1
81a36b2a66c8dcce870a82409c6f772cc06addf0

SHA256
e022ef7261dfe3e79b78e4bff605ae3f0480cd54d80b7c3358bd9091a0f0f04a

SHA512
8b78bb4fa2c05d509cf171525b0ba7bf735a8890854f0ef16b29c9456ff547ccd86423068f61c21b8f35a0797ee44f9a8697861c34f133c6c26dfcf99e8f849c

Download Submit
C:\Windows\SysWOW64\OEMLOGO.BMP

Filesize
40KB

MD5
4de286f5923036648db750d58ba496e8

SHA1
0252d5d6c7a3b7dfa71fca4b30a53522fd7c6f67

SHA256
eb79555170611879e79b4cdba59bdf679e63df9d7927d01354e5cf859274c58c

SHA512
069daaa01a04add11a9e5fc0988b5d42e6ad50011fa148df41ffb3a905ffc170ab65ba66f4ad921306503d8792dd192c173c532232fc7ef146c09aa76ddf548f

Download Submit
C:\Windows\WlNLOGON.EXE

Filesize
352KB

MD5
02e7e6b50374a2c701e7d2ace85724da

SHA1
fd42f2a7d788915a6c296b6d59f0dd1d44e9327f

SHA256
fdef7d9926f7fc17d3c6751a69832ff479ec07e7e593a5bc17c371690b69fadd

SHA512
badd0e9e4abd03c43fa1e021dc9cef914066986f66357b8c2bf509181393986d4e5835ded2ef5ac76644f4a4a33e7fd457103a0c0b886f8aa9bf29d200bbcdba

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
352KB

MD5
cad3cb7a6d16e808d9ef637c4047c6a0

SHA1
d591fc91b0d3a3ddb71fb2196ce2a771c2175ff4

SHA256
ee8a6faf505687e75fe5209357c8cc12e8a75f04d90415939391e9dfc06c0db4

SHA512
25de6ea7de7c92582affe9ad888a400c1239a2a03763decc7226b71a827e43dbf3c59a626859bf3394be1d2bdf32b84cafb3e2c6d46ac12d505bea176fcbb3cc

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
352KB

MD5
0a7dc0599c15e04ac3fc26cc3c8f3c48

SHA1
7c85b669423898cef87cbea5e77fdc80533ce57f

SHA256
7c41622dc53002e5055e50c9a297b82589ab1d137d5a549af126f295341ea03f

SHA512
24537bbf736bf46113924cc97453d7c93009d11f813b33f69bc29460e090107dfbb4ad099ec8ad66f05790d2dbfd3f00558c937d6e8d7951854d7084debe8070

Download Submit
\Windows\SysWOW64\shell.exe

Filesize
352KB

MD5
43f28d5df7dcecf441e379f939b4d1aa

SHA1
e7cbdcedbadc87f3169cbf9881daa9602cc7f253

SHA256
a4f2a19f24e8f126488cfa4586810af81ce6c1ea2efd48439226b5c4cc6d8d95

SHA512
9390651c2164a3dea362977a5051b63f50285f49008a289a6e3f5f0b531580ab5cb5c78de23d6dcb94f233afb77d496ab6866feba44a354da27fd622f2231d9d

Download Submit
memory/608-137-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/608-183-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2440-153-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2440-152-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2480-115-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2480-172-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2784-127-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2784-175-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2968-98-0x0000000003560000-0x000000000360A000-memory.dmp

Filesize
680KB

Download
memory/2968-94-0x0000000003560000-0x000000000360A000-memory.dmp

Filesize
680KB

Download
memory/2968-0-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2968-150-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/3004-157-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/3004-105-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download