6c5a1126072bc5ae15385bf2097e8da72f8145345a47bab35c5716389ff5453d

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/06/2024, 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Size

272KB
MD5

317861e60ac84ff8427325e249887160
SHA1

37d9a6bee3eba04971dc7a174113141078f250bd
SHA256

6c5a1126072bc5ae15385bf2097e8da72f8145345a47bab35c5716389ff5453d
SHA512

f8db51d9878169cf9903c86bf238c46564a5b837d10f8b3119a9a686c03219165bb6441e729dd3bee651da33ddc3318a7ac9c0167dc03c0741c715c03e89d43a
SSDEEP

3072:Ax/5F/E7tEf07jU+p+tYlpJH7iXQNgggHlxDZiYLK5Wpht4xZVX4/awxf/:AxhF4cV+wWJH7igNgjdFKsCRAR/

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 14 IoCs

pid	Process
4704	xk.exe
2540	IExplorer.exe
2880	xk.exe
1556	IExplorer.exe
3176	WINLOGON.EXE
4108	CSRSS.EXE
3656	SERVICES.EXE
2284	LSASS.EXE
2432	SMSS.EXE
4728	WINLOGON.EXE
4052	CSRSS.EXE
644	SERVICES.EXE
2520	LSASS.EXE
2176	SMSS.EXE

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\desktop.ini	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
File created	C:\desktop.ini	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
File opened for modification	F:\desktop.ini	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
File created	F:\desktop.ini	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
File opened (read-only)	\??\H:	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
File opened (read-only)	\??\J:	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
File opened (read-only)	\??\K:	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
File opened (read-only)	\??\P:	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
File opened (read-only)	\??\Q:	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
File opened (read-only)	\??\S:	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
File opened (read-only)	\??\L:	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
File opened (read-only)	\??\O:	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
File opened (read-only)	\??\R:	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
File opened (read-only)	\??\B:	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
File opened (read-only)	\??\M:	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
File opened (read-only)	\??\T:	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
File opened (read-only)	\??\V:	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
File opened (read-only)	\??\X:	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
File opened (read-only)	\??\Y:	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
File opened (read-only)	\??\G:	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
File opened (read-only)	\??\I:	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
File opened (read-only)	\??\N:	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
File opened (read-only)	\??\U:	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
File opened (read-only)	\??\W:	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
File opened (read-only)	\??\Z:	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\shell.exe	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\shell.exe	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mig2.scr	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\xk.exe	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
File opened for modification	C:\Windows\xk.exe	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1804	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
1804	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
1804	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
4704	xk.exe
2540	IExplorer.exe
2880	xk.exe
1556	IExplorer.exe
3176	WINLOGON.EXE
4108	CSRSS.EXE
3656	SERVICES.EXE
2284	LSASS.EXE
2432	SMSS.EXE
4728	WINLOGON.EXE
4052	CSRSS.EXE
644	SERVICES.EXE
2520	LSASS.EXE
2176	SMSS.EXE

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 4704	1804	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	90
PID 1804 wrote to memory of 4704	1804	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	90
PID 1804 wrote to memory of 4704	1804	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	90
PID 1804 wrote to memory of 2540	1804	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	91
PID 1804 wrote to memory of 2540	1804	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	91
PID 1804 wrote to memory of 2540	1804	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	91
PID 1804 wrote to memory of 2880	1804	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	92
PID 1804 wrote to memory of 2880	1804	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	92
PID 1804 wrote to memory of 2880	1804	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	92
PID 1804 wrote to memory of 1556	1804	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	93
PID 1804 wrote to memory of 1556	1804	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	93
PID 1804 wrote to memory of 1556	1804	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	93
PID 1804 wrote to memory of 3176	1804	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	94
PID 1804 wrote to memory of 3176	1804	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	94
PID 1804 wrote to memory of 3176	1804	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	94
PID 1804 wrote to memory of 4108	1804	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	95
PID 1804 wrote to memory of 4108	1804	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	95
PID 1804 wrote to memory of 4108	1804	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	95
PID 1804 wrote to memory of 3656	1804	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	96
PID 1804 wrote to memory of 3656	1804	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	96
PID 1804 wrote to memory of 3656	1804	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	96
PID 1804 wrote to memory of 2284	1804	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	97
PID 1804 wrote to memory of 2284	1804	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	97
PID 1804 wrote to memory of 2284	1804	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	97
PID 1804 wrote to memory of 2432	1804	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	98
PID 1804 wrote to memory of 2432	1804	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	98
PID 1804 wrote to memory of 2432	1804	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	98
PID 1804 wrote to memory of 4728	1804	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	106
PID 1804 wrote to memory of 4728	1804	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	106
PID 1804 wrote to memory of 4728	1804	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	106
PID 1804 wrote to memory of 4052	1804	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	107
PID 1804 wrote to memory of 4052	1804	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	107
PID 1804 wrote to memory of 4052	1804	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	107
PID 1804 wrote to memory of 644	1804	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	108
PID 1804 wrote to memory of 644	1804	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	108
PID 1804 wrote to memory of 644	1804	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	108
PID 1804 wrote to memory of 2520	1804	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	109
PID 1804 wrote to memory of 2520	1804	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	109
PID 1804 wrote to memory of 2520	1804	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	109
PID 1804 wrote to memory of 2176	1804	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	110
PID 1804 wrote to memory of 2176	1804	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	110
PID 1804 wrote to memory of 2176	1804	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe	110

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	317861e60ac84ff8427325e249887160_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\317861e60ac84ff8427325e249887160_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\317861e60ac84ff8427325e249887160_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1804
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4704
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2540
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2880
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1556
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3176
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4108
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3656
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2284
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2432
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4728
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4052
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:644
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2520
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4164 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
1⤵
PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
272KB

MD5
03e8cc44b4609a7f5e8d70b440261921

SHA1
9d802ddb48e34bd75fc9c746cba3d31f8aac99b4

SHA256
103d6980f23b3f34c871c2aa3ee8e117ab6ef84f7c08596aa525c2c79fe54533

SHA512
c96c60e5ab407ed430c6a33c32f35b10257f356c46a3bbcad9e5ff523ee436412cff7d58f36106074965aef3800e0d09c7d829f25c322cb437fd6b0a97324562

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
128KB

MD5
db61d3c89c68081012e8bfbe9021d82a

SHA1
73f5776886caa352efa3c6aa7e5102b0f7491aa4

SHA256
ab5c3fc5c7d68b16a19818aac6c7a5cd5b415b4a5e006cc7d9f379d19ef1a403

SHA512
0afc33416cb63f6520366f2ce78d42fb43b4ea8fbd58a9cfdf2da3f8856f74ad27d350b1488ff8653d7f57d2d720858e66cf28995a8307bc6094461be5ab56ad

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
272KB

MD5
29386096b938693d5b63decafaa9050d

SHA1
ed8de32bbb2bcf2364ed9fbe3db91c412e306d5a

SHA256
01923665f207d36f7003c9c1639f340746b64493a25866cac2b9f88061178c97

SHA512
e20d63531bb44fb1bccad3c8c5fb6126843edf4e70680854026ce24c40fa8e98d7522c1cd6fdfbc943cf30913d8eb3fe1f9454be05310008a760c44b43e14134

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
272KB

MD5
317861e60ac84ff8427325e249887160

SHA1
37d9a6bee3eba04971dc7a174113141078f250bd

SHA256
6c5a1126072bc5ae15385bf2097e8da72f8145345a47bab35c5716389ff5453d

SHA512
f8db51d9878169cf9903c86bf238c46564a5b837d10f8b3119a9a686c03219165bb6441e729dd3bee651da33ddc3318a7ac9c0167dc03c0741c715c03e89d43a

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

Filesize
192KB

MD5
3738cd769bb4606f30d8ec65b51abeb6

SHA1
ca6df570bbc6bc209b391d0fbadf613948cdd0c8

SHA256
574ccef09e7f1e607fc08881b4fc2775ec4147f0fc27ddf44d63058667d41b86

SHA512
3cd9289ad6e4e916c2a6ecb79b3c402913f4d20db3d116505e10e8f52400e580f26923dfdc7d3205f62370b4c148f795f0336d8d1a519b5ff5015189dab0cfdf

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

Filesize
272KB

MD5
7c20c59695a4b4f658b4601dbb08adb2

SHA1
55fba8ea40528c16c4140f0eb3597d546858833d

SHA256
31061dbbb262e24db43be7693f0834d97c7ddb960122474fd13f43a9ed2d8073

SHA512
de3ce5824032258a1d20797c474ea8d92b8ce78589d270a90fe0ac0b152a5056abb8c2f8623ba2c0af927c5ef5a32bb296e67d2add23f1a9a8efd490bbf2b9cf

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

Filesize
272KB

MD5
1f19506bd8de6645f8d84ded1c3d0c4b

SHA1
f373cde60f770896e441b9cc2ffb9b5d44b6c7ea

SHA256
3602d27b2229b2932c7a7db9472b1a5a28862e9141e3999347d344ccba7a223f

SHA512
4098e61f6215fad803ed79e2dfafc868111fd227c88fd19be19194b978e6dde877f3bcb7d4fd34bc8a9fc2b0090cc258b470f1e0c9ea6cd060ddb929808e07af

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

Filesize
272KB

MD5
49cb0812c71c12adf12cc8984b10362c

SHA1
ca7b51599df3bd103c100b550dce157ec26cb56f

SHA256
feba4ef2ff7bff407daedc7fbaad2cc3704d40d25b03f73b0ba2994b6454f52e

SHA512
4af8e8bd2564a00acf28c38f901af48c6fb4dd2dcb8820eab02a61cc02512c6173a317de15318d20269da0fdd2c3f08d0773801b8d00fbf01a9f3397d5cf5962

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

Filesize
192KB

MD5
900b922170fee0201ba5862d3ea310c4

SHA1
a980365d4708daedbf98eed82fd2984ce6a083cd

SHA256
ff1664961a7afd3a8d67756a7d011533c52e71963fe0d0b9b497f308c0d6e2f8

SHA512
fd88b2daf23e8e7932ab8f9638fc758e277b504ade645616ad3db19cb10b03bebe9263447ff1fffb732408ccb8732edd2eb5f9b0957d808f690b8fc40a029ab1

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
272KB

MD5
4ee91825740e5aba6d4d4ff24023f9b0

SHA1
4a36a84e31399fe83ab9517af2acdc97a91e1e0c

SHA256
0efb2914cc713f44b1d1fd725ae0a5680cb3068c68df759eafb59626004cdd7c

SHA512
063a32859d6ee7fa9f9ddc96b6b7b4e8aa6a7d85ab056ddaa25a3f38ba3ea6cd376cded3d4dc3f187aca0b00ee4d97be3054c7c27d1f211641ba5c00904336d1

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
272KB

MD5
15244a434cd29d9ba6ab948ab8d90424

SHA1
bb79175fb867745f17808f6a2354af9a6f37fa73

SHA256
37d7de0e0c9c9acc0d4106cbf3a6011522a8ee95bbcc0f474e5baedbd4d4dc3f

SHA512
9a8fdcd2df289a843a62fa115449ef66e8a536ec7900248dd5671a78ba7e044682b70778852ccae5c247047cbda19ad5dbd274df95d2f9c48cce4865dce45394

Download Submit
C:\Windows\xk.exe

Filesize
272KB

MD5
c4152078ee9bd410991473e311f5069d

SHA1
c52d39b208a9c78546c5463c8b7cdf5827c8a051

SHA256
c704d176817f62d8ec4701107b18615797f770ef5ba82f89c43b40a6c2ed6f0e

SHA512
45a13a03359bf670a7321f9c699546f86b1b36f8a905f881d48a32ad88879f1e02d71beae569b665ba55a6bd84ad11c7a3783e4f682b19fd5c3860546177cdc4

Download Submit
C:\Windows\xk.exe

Filesize
192KB

MD5
308b68df509dfaf85e78e01baaffb5ac

SHA1
326a555137f397a85f260b0d7be43f3cc6395c0a

SHA256
23ec9a842105572f43dbd3b2d2e364cad71070aa7c357a33ec2fb2c32d9cae52

SHA512
e50af75bc1c5c0f3436aa42ee24aa3f624278534bbe71cde211dad0960d39afbd838a3c1f4d4cdd94698474c046eea24e7341771b53907509a8ccb294dde2581

Download Submit
C:\Windows\xk.exe

Filesize
272KB

MD5
09b29df9c14bd5f925a3ddd455cfa63a

SHA1
92905df5af74adadff67e292098421961c0f8f33

SHA256
f9958d73f77bd44f8e78315bd89bdcc2bd6cfd8d962a823f742d0199c7102f79

SHA512
734904869dad9b63820b2bfb4f779dba66c623717995dafd2b72927126439ed5b71243a65ae36ea575d6a896c389687bdec5a3dbd9bafd58c8a6f017886a0b7c

Download Submit