cb5d2ab663260339e517a1cff9e84a4aa9f651046b606dc19bb96c69a7f9a9dc

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/06/2024, 07:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
Size

45KB
MD5

1688adc6cb34f91103572ddee2d82f00
SHA1

f43c887572cd341090f991226a2be31fa9eac15e
SHA256

cb5d2ab663260339e517a1cff9e84a4aa9f651046b606dc19bb96c69a7f9a9dc
SHA512

7783f483f00546dce881f2673add3c7081ac8574c273c3e90022b04c9c541f195ee76a657696dc21a5865f2dcb210c09d86f50ed71094ad7f98926b8512fd6af
SSDEEP

768:PmFQj8rM9whcqet8WfuzHVHFNNqDaG0XjqGoxhz/8szBnP7DFK+5nEW1:FAwEmBGz1lNNqDaG0Poxhlzme

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 14 IoCs

pid	Process
4268	xk.exe
4924	IExplorer.exe
1508	WINLOGON.EXE
1136	CSRSS.EXE
1716	SERVICES.EXE
4964	LSASS.EXE
1400	SMSS.EXE
2020	xk.exe
2108	IExplorer.exe
212	WINLOGON.EXE
208	CSRSS.EXE
2304	SERVICES.EXE
1416	LSASS.EXE
2960	SMSS.EXE

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\desktop.ini	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
File created	C:\desktop.ini	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
File opened for modification	F:\desktop.ini	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
File created	F:\desktop.ini	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
File opened (read-only)	\??\R:	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
File opened (read-only)	\??\W:	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
File opened (read-only)	\??\Y:	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
File opened (read-only)	\??\Q:	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
File opened (read-only)	\??\S:	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
File opened (read-only)	\??\U:	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
File opened (read-only)	\??\V:	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
File opened (read-only)	\??\B:	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
File opened (read-only)	\??\E:	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
File opened (read-only)	\??\H:	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
File opened (read-only)	\??\J:	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
File opened (read-only)	\??\K:	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
File opened (read-only)	\??\L:	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
File opened (read-only)	\??\M:	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
File opened (read-only)	\??\Z:	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
File opened (read-only)	\??\G:	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
File opened (read-only)	\??\N:	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
File opened (read-only)	\??\O:	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
File opened (read-only)	\??\P:	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
File opened (read-only)	\??\T:	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
File opened (read-only)	\??\X:	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell.exe	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mig2.scr	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
File created	C:\Windows\xk.exe	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4764	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
4764	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
4764	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
4268	xk.exe
4924	IExplorer.exe
1508	WINLOGON.EXE
1136	CSRSS.EXE
1716	SERVICES.EXE
4964	LSASS.EXE
1400	SMSS.EXE
2020	xk.exe
2108	IExplorer.exe
212	WINLOGON.EXE
208	CSRSS.EXE
2304	SERVICES.EXE
1416	LSASS.EXE
2960	SMSS.EXE

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 4268	4764	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe	91
PID 4764 wrote to memory of 4268	4764	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe	91
PID 4764 wrote to memory of 4268	4764	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe	91
PID 4764 wrote to memory of 4924	4764	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe	92
PID 4764 wrote to memory of 4924	4764	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe	92
PID 4764 wrote to memory of 4924	4764	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe	92
PID 4764 wrote to memory of 1508	4764	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe	93
PID 4764 wrote to memory of 1508	4764	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe	93
PID 4764 wrote to memory of 1508	4764	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe	93
PID 4764 wrote to memory of 1136	4764	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe	94
PID 4764 wrote to memory of 1136	4764	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe	94
PID 4764 wrote to memory of 1136	4764	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe	94
PID 4764 wrote to memory of 1716	4764	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe	95
PID 4764 wrote to memory of 1716	4764	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe	95
PID 4764 wrote to memory of 1716	4764	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe	95
PID 4764 wrote to memory of 4964	4764	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe	96
PID 4764 wrote to memory of 4964	4764	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe	96
PID 4764 wrote to memory of 4964	4764	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe	96
PID 4764 wrote to memory of 1400	4764	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe	97
PID 4764 wrote to memory of 1400	4764	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe	97
PID 4764 wrote to memory of 1400	4764	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe	97
PID 4764 wrote to memory of 2020	4764	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe	105
PID 4764 wrote to memory of 2020	4764	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe	105
PID 4764 wrote to memory of 2020	4764	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe	105
PID 4764 wrote to memory of 2108	4764	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe	106
PID 4764 wrote to memory of 2108	4764	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe	106
PID 4764 wrote to memory of 2108	4764	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe	106
PID 4764 wrote to memory of 212	4764	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe	107
PID 4764 wrote to memory of 212	4764	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe	107
PID 4764 wrote to memory of 212	4764	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe	107
PID 4764 wrote to memory of 208	4764	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe	108
PID 4764 wrote to memory of 208	4764	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe	108
PID 4764 wrote to memory of 208	4764	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe	108
PID 4764 wrote to memory of 2304	4764	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe	109
PID 4764 wrote to memory of 2304	4764	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe	109
PID 4764 wrote to memory of 2304	4764	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe	109
PID 4764 wrote to memory of 1416	4764	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe	110
PID 4764 wrote to memory of 1416	4764	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe	110
PID 4764 wrote to memory of 1416	4764	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe	110
PID 4764 wrote to memory of 2960	4764	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe	111
PID 4764 wrote to memory of 2960	4764	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe	111
PID 4764 wrote to memory of 2960	4764	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe	111

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1688adc6cb34f91103572ddee2d82f00_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4764
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4268
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4924
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1508
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1136
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1716
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4964
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1400
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2020
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2108
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:212
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:208
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2304
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1416
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3700 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
45KB

MD5
c6c3236fa0d37a6c88c228f4320c022a

SHA1
f6ba79f220bfe5e888089de6249bd6d0d2849aae

SHA256
11d263e6471afc1ee69efc17bc955ead378671de652bd73cc80a5cabd3246b0b

SHA512
46b8835ede5f38ce58b1660428192ce12e7dc966025f3cd29893ffd11d385f19c1830718d77578a7f1999ae5ae60e9871c64a5dd54afa906bde4e8f6fa1fbe3f

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
45KB

MD5
0d2d8b51ee203d5a8d82f0903882ea30

SHA1
7f2884834e9f0214f5963eaa76d1640ff30af80e

SHA256
cfd303cfda5794b3c0a0b5efa521b1a0e43db3579846630a27662cf859728083

SHA512
016f718c201c56a7da28b6ec3ee291e03438fb15c3b5695660956b0e1e544d969a289255d03f7629a5490120895209f894034bb59a1b5bdb01b030a9728338e3

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
45KB

MD5
dd47c09ed3edf458491ef0498e66ccce

SHA1
ed6544a21b50f5681dd7d3e6c54ad7361751b4f2

SHA256
ad65d33cac6445847efe85f9d0ca351591bb48e381249291c1968f45ce11f18a

SHA512
d532f81c4868601a19c14cab0b19a469c202e3195f8eceaef3bda928f3860391aebca7677c7f74d008902bb50e32fe01c7b8a1c0bd77f120f5b00e08b9990550

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
45KB

MD5
15c32661a6cbf5a6b7083f46f184445b

SHA1
4ef5b8d0242d5b504d67b784ab45f917912aafeb

SHA256
e9c2d6d15c0ee6b44b243d48010124a6a040c955d39d5fbf6e561099d8b3d067

SHA512
582cc43824e3582d73a6af9b084782cc4e7f8ae95115a6c6eebad5ad88c807228f8697aefccd6199b1ac9607a7e419b613e04e0ed5551d0bad7a8cee2d116444

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
45KB

MD5
cf76ea165aa45fc24e86d64ebbd2bdfd

SHA1
66a954e03a45957c0d81dc428d6737dc7104b851

SHA256
ab18d06a5f0b47bf1c97bb3fc280e04eb09849aa968422addd80a61967fa2bae

SHA512
f7262ef842292c6a8cdc0d0de075a1d7dba5a486bde3beeba03a944febd9c582486b383f4bf551d5caec4a30a140f8107b5ed3a9d834588464f10b38d96d565a

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
45KB

MD5
c1d9bfc6c48f8e4aade5d2615ab74f4f

SHA1
9e1677323da895bf13f8f5ffe20768b308278d39

SHA256
926d228087de6740098e37f5477dd5cbfca1d1f6513890099870759c42ae5dcb

SHA512
c1ddf34d5a2b44113182bdf26fce654ef1ebcf6fd899d885749e0327e0e802cc5a45586bbb9e3443f3612e48479c460280575a69b220d1c62876983ebb9c107d

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
45KB

MD5
4a695c0d62ecd3d7d77b580c31db22fd

SHA1
65110b55b0eebed94ab075927725adbb6918449f

SHA256
c78be9f0c950854264f52e9e4a9d54acfac08b8ccb65c9275a3cfab56559445e

SHA512
5f0024e6bcf6a3dd8984aabe50417d77fcab5d2816d609a00cf97f92ab2eb020264b04d6f81b0afebffd74e742ed8e45ecc404e531edf949e4fab45594f2fcc9

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
45KB

MD5
cb332af6c833ac705bc752a0594e568d

SHA1
09c2fd986af1d17158f3740e9f5355d9ef4e7775

SHA256
0666002a10b0947eea15431131066c9dbc54968ee6d2c32fe4be74374463ef79

SHA512
aba5318d9d157038375fb9a186d9b131035cc6fc0457e1af7d373bb9966934f3e20352f0c5684055d0d31276e0efc15736842d612058300c2724cf9b507d789a

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
45KB

MD5
f4d09a51ac3bd8db3133dc303d9dc99f

SHA1
c1cfbb0c1637805478e12fb23c8a298594784208

SHA256
6170ba37067a1b6eb2afdf14d4c6f4348a74b7f410f7edcea3db1db63e90cebf

SHA512
fff68771c5bf143363da106669d90128a90eef7e148a5f72a973769f9792b9a39a232848a94ae6cfac679fdc5885bcade62ad78abf54ec5e64b24b954443cd4c

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
45KB

MD5
881d404e290f56d41318b062f8e9d8bd

SHA1
2a38c841ae7b223b1acf9336e487d1ba97617ffe

SHA256
2936b6dde0c30af30f4ef76de4cc8c836141ddba24662f1c70e72e67415d3ead

SHA512
181cc6a4ce21b6fd1b0cd9c25455d9550ae3a13d332b739529710971292267073ab0bc034b78f875bde629d8f3988ec0baf6d9cd18c3265e3d09baefaf03ae8e

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
45KB

MD5
61b87a757f3d284efe70d9e95e26bf75

SHA1
79d9d92c40580b236b51f99ff7e7bc896aba13d9

SHA256
059c5c9b6a34cad6e64d5387d1e73a3ded7b5db76241126cf525309e3e72cce7

SHA512
adcdcba3fa7b9c51e5ba3d4526fbf6881d2e805b1261f4a87dc9644e1362d0a22d9b64f5b55cd497e53ef13c654dad39c6b50550413e0d4230233d4befbb5c90

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
45KB

MD5
38a348063e8d756d9619a8e58b8a4a6b

SHA1
42698fd1376c9d2ebb36be0f9ffd6297a4ea7a28

SHA256
a8583634ecf152f4397d60329d92e75a2c18e397fd67ecf0c8b70558a1bc10d7

SHA512
1f522d2271de3f8d17f113ff5f2e5de6e9a944da245bbb248a45a92f48adcef45516cddcf32083b32c260b7bd508290a4882fc6f68930282955e7e544d63916d

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
45KB

MD5
1688adc6cb34f91103572ddee2d82f00

SHA1
f43c887572cd341090f991226a2be31fa9eac15e

SHA256
cb5d2ab663260339e517a1cff9e84a4aa9f651046b606dc19bb96c69a7f9a9dc

SHA512
7783f483f00546dce881f2673add3c7081ac8574c273c3e90022b04c9c541f195ee76a657696dc21a5865f2dcb210c09d86f50ed71094ad7f98926b8512fd6af

Download Submit
C:\Windows\xk.exe

Filesize
45KB

MD5
108bbabb41f6f3ab02288ba859e870e5

SHA1
f77eed4109ea86eaaff89a7dbe6d63ea142d2945

SHA256
56be6f84ddde0f5595425098dff94844c7ea90f85b082aa13f39f590f4b887dc

SHA512
6ef5023c477edf9ff641d5fe94e41c00884f1de6799f6de1a7d56f2263025857d4d26775e7c9fa4cae84e520ab38e2061de19d201c39a8cd3596563474f909d9

Download Submit
C:\Windows\xk.exe

Filesize
45KB

MD5
674d4dc6a276d9c64aecdaae425b45b4

SHA1
352e01a4c69da2e8f06c079565a631ea0ec409f9

SHA256
4c6a21e62ba75c3f4aebda649977b7f9a6633b0712afa60d33a8d167c63a8550

SHA512
b933899b3ee62629652517c97cdf2327303e2d1b9ba742ec661d70468473d5c0b625a4a1096233b58b24e1879631f8f8271dc4dbd0ce4f72b6d5a3f11ded8c8c

Download Submit
memory/208-246-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/212-243-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/212-237-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1136-71-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1400-87-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1400-91-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1416-258-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1508-65-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1716-77-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2020-230-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2108-235-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2304-251-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2960-261-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4268-55-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4764-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4764-118-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4764-117-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4764-262-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4924-59-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4964-85-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download