Malware Analysis Report

2025-01-06 11:58

Sample ID 240614-elagmsvamf
Target a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe
SHA256 fe08914df87c8274638d0673106d1954275a060dfb4e9a618f7c346bad1b981f
Tags
upx evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fe08914df87c8274638d0673106d1954275a060dfb4e9a618f7c346bad1b981f

Threat Level: Known bad

The file a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

upx evasion persistence

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Modifies visibility of file extensions in Explorer

Disables use of System Restore points

Disables RegEdit via registry modification

Loads dropped DLL

UPX packed file

Executes dropped EXE

Modifies system executable filetype association

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Modifies Control Panel

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-14 04:01

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 04:01

Reported

2024-06-14 04:03

Platform

win7-20240508-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (21 hits, none with indicator details recorded by the sandbox)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2236 wrote to memory of 2316 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe C:\Windows\xk.exe
PID 2236 wrote to memory of 1200 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2236 wrote to memory of 2488 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2236 wrote to memory of 2828 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2236 wrote to memory of 1692 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2236 wrote to memory of 2180 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2236 wrote to memory of 1924 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
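Taken together, the registry rows above fall into three groups: logon-path persistence (Winlogon Shell and Userinit plus five Run entries), a hijack of the exefile, batfile, comfile, piffile and lnkfile open handlers so that every program, batch file or shortcut launch passes through the dropped C:\Windows\system32\shell.exe (with the exefile type relabelled "File Folder"), and lockdown of the tools a user would need to notice or undo this (DisableRegistryTools, NoFolderOptions, and HideFileExt=1 / ShowSuperHidden=0, which are the Windows defaults but are pinned here so dropped files with double extensions or hidden attributes stay out of view). Two details matter when checking a real host. The sample is a 32-bit process, so its HKLM writes landed in the Wow6432Node view and its "system32" drops landed in SysWOW64; on a 64-bit machine both registry views and both directories must be inspected. The Run entries point at Local Settings\Application Data\WINDOWS\, which on Vista and later is a junction to AppData\Local, which is why the Files list shows the same binaries under \Users\Admin\AppData\Local\WINDOWS\.

The Python below is an added example, not sandbox output: it parses rows in exactly the flattened format printed above, normalises the hive and WOW64 prefixes, and grades each write against the stock Windows value. The sample rows are copied from the behavioral1 tables; the severity labels and the list of system-only binary names are the example's own choices.

```python
"""Triage the 'Set value' registry rows of a sandbox report (the flattened format used on this
page) against known-good Windows defaults.  Added example; not part of the sandbox output."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# One indicator row as printed above:  Set value (type) \REGISTRY\... = "data" <process> <target>
ROW_RE = re.compile(r'^Set value \((str|int)\) (.+?) = "(.*)" (\S+) (\S+)$')
USER_HIVE = re.compile(r"^\\REGISTRY\\USER\\S-1-5-21-[\d-]+\\", re.IGNORECASE)
# Core Windows binaries that only run from System32; a Run entry naming one elsewhere is masquerading.
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "userinit.exe"}
DEFAULT_OPEN_CMD = '"%1" %*'   # stock exefile/batfile/comfile/piffile shell\open\command handler


@dataclass
class RegWrite:
    key: str       # normalised key, e.g. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    value: str     # value name, or "(Default)" for the key's unnamed value
    data: str      # data with the report's \" and \\ escaping undone
    process: str   # writing process


def parse_row(line: str) -> Optional[RegWrite]:
    """Parse one 'Set value' row; other row kinds (Key created, File created, ...) yield None."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    _, path, raw, process, _target = m.groups()
    path = USER_HIVE.sub(r"HKCU\\", path)                                # per-user SID hive -> HKCU
    path = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.IGNORECASE)
    path = re.sub(r"\\Wow6432Node", "", path, flags=re.IGNORECASE)      # 32-bit view, same logical key
    if path.endswith("\\"):
        key, value = path.rstrip("\\"), "(Default)"
    else:
        key, _, value = path.rpartition("\\")
    return RegWrite(key, value, re.sub(r"\\(.)", r"\1", raw), process)


def triage(w: RegWrite) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) when a write changes the host's security posture, else None."""
    k, v, d = w.key.lower(), w.value.lower(), w.data
    dl = d.lower()
    if k.endswith(r"\windows nt\currentversion\winlogon"):
        if v == "shell" and dl != "explorer.exe":
            return "high", f"Winlogon Shell hijacked: {d!r} (stock value is 'explorer.exe')"
        extra = [p for p in dl.split(",") if p and not p.endswith("userinit.exe")]
        if v == "userinit" and extra:
            return "high", f"Winlogon Userinit chain extended with {extra}"
    m = re.search(r"\\classes\\(\w+)(\\shell\\open\\command)?$", k)
    if m:
        ftype, is_cmd = m.group(1), bool(m.group(2))
        if is_cmd and ftype == "lnkfile":
            return "high", f"lnkfile gained an open handler (none exists by default): {d!r}"
        if is_cmd and d != DEFAULT_OPEN_CMD:
            return "high", f"{ftype} open handler redirected through {d!r}"
        if not is_cmd and v == "(default)" and ftype == "exefile" and dl != "application":
            return "medium", f"exefile type name changed to {d!r} (hides that .exe files are programs)"
    if r"\currentversion\run" in k:
        image = dl.rsplit("\\", 1)[-1]
        if image in SYSTEM_NAMES and "\\windows\\system32\\" + image not in dl:
            return "high", f"Run entry {w.value!r} masquerades as {image} outside System32: {d!r}"
        return "medium", f"Run entry {w.value!r} -> {d!r}"
    if k.endswith(r"\policies\system") and v == "disableregistrytools" and d == "1":
        return "high", "Registry Editor disabled by policy"
    if k.endswith(r"\policies\explorer") and v == "nofolderoptions" and d == "1":
        return "medium", "Folder Options removed from Explorer (user cannot re-enable extension display)"
    if k.endswith(r"\explorer\advanced") and (v, d) in {("hidefileext", "1"), ("showsuperhidden", "0")}:
        return "low", f"{w.value}={d} pinned (Windows default, written explicitly to keep dropped files unnoticed)"
    if k.endswith(r"\control panel\desktop") and v == "scrnsave.exe":
        return "medium", f"Screensaver handler set to {d!r} (runs on idle without user action)"
    return None


def triage_report(lines):
    """Parse every row and return the flagged writes as (severity, key\\value, reason) tuples."""
    findings = []
    for line in lines:
        w = parse_row(line)
        hit = triage(w) if w else None
        if hit:
            findings.append((hit[0], f"{w.key}\\{w.value}", hit[1]))
    return findings


PROC = r"C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe"
# Rows copied from the behavioral1 tables above (process and target columns appended).
SAMPLE_ROWS = [row + f" {PROC} N/A" for row in [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"',
]]

if __name__ == "__main__":
    for sev, where, why in triage_report(SAMPLE_ROWS):
        print(f"[{sev:6}] {where}\n         {why}")
```

The defaults the grader compares against are the stock values of a clean Windows install; HideFileExt and ShowSuperHidden are reported at low severity precisely because the written values are the defaults and the finding is that the sample bothered to write them at all. On a live host the same comparisons can be made with reg.exe or Get-ItemProperty against both the native and the Wow6432Node keys.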

Processes

C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Network

N/A

Files

memory/2236-0-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\services.exe

MD5 a0aa95995a841d307ec8b829075ea760
SHA1 862b46f4e388d214d572e66f9bedea4f77d4239f
SHA256 fe08914df87c8274638d0673106d1954275a060dfb4e9a618f7c346bad1b981f
SHA512 703ccf838503394bb558452a2978a4ae0410b79039e160fc440f2228e6dabd6898e9abbcd095f0beec1854786febf75345cefacca18652a5491a494e0e2350ae

C:\Windows\xk.exe

MD5 6302ed10ddeacf8bfeb188e03b7af546
SHA1 bbb2714c2324d9cbe474a0013c9d0a0e11f227e8
SHA256 3baf3f573bea68d308af4ec38ed894ca9c073f66371e1d473ee728e4962a6da5
SHA512 3a11d9bca8f5f1d40d49a50f691a195f6e44501158bc0bec00d2f0bb0af2ea01ec5d039608e285bc4abeffe44538b186c5a1b9a4ad01a5bbe55fc123dac66e29

memory/2316-111-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2236-110-0x00000000005A0000-0x00000000005CF000-memory.dmp

memory/2236-109-0x00000000005A0000-0x00000000005CF000-memory.dmp

memory/2316-114-0x0000000000400000-0x000000000042F000-memory.dmp

\Windows\SysWOW64\IExplorer.exe

MD5 d440dabda66ed19ff00339cc4125b7ed
SHA1 126f57d4ed125060acbf2ec533de3d9049aea6e2
SHA256 c7b6aa5773085f35f6268e6617f286b247a441abeff37700a9922ed15e00e847
SHA512 3187699c246fc0190d0114e84c43bba864f55947f1e64b036452dfec788c541d877e988964b3abed76a40a78025fc7fa2b013ef3c27fe9766545067f6884269c

memory/2236-116-0x00000000005A0000-0x00000000005CF000-memory.dmp

memory/1200-123-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1200-126-0x0000000000400000-0x000000000042F000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 a68392349a55ac66fd6d79602b831ec0
SHA1 56cc0681e86160902f88431233548669c3106731
SHA256 d18eb45e467a040c1477b8cc17c145bb50c1e630e42f69889087cc3bce7e2bcb
SHA512 b0d2529d776d468b1dfcc078071e3830426016e5e3f8a2db756adf1581d921336d3c0baf1d677c53d6dc4e310b2be4a9a180f05549169131d5b9b516a489f6a3

memory/2488-136-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2488-138-0x0000000000400000-0x000000000042F000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 8315cedb97c000e598cc9c49cc1f88e1
SHA1 d2e6d78ec411176bf2d658ec407cee558543dd2d
SHA256 04c4d0a0f667557082e8c969507faf14ef86dee0a79b9544ca2cf6a9e43a2f6e
SHA512 f39c93821916cd0f322e52355b68351b471433dd9080e5f6bfe9f846686209d8843a8d311fa75ffb5406bfd1ab567b73c962e25e7b52117b2e07af85e3015811

memory/2828-151-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1692-159-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1692-161-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2236-165-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2180-172-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2236-179-0x00000000005A0000-0x00000000005CF000-memory.dmp

memory/2236-186-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1924-185-0x0000000000400000-0x000000000042F000-memory.dmp
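The WriteProcessMemory table and the memory-dump names in the Files list describe the same activity from two sides. The sandbox emits one row per write call (four per child here) and saves a memory/<pid>-<n>-<start>-<end>-memory.dmp region for each process it touched. Every child carries a 0x2F000-byte region at 0x400000, the same base and size as the parent's own image (and as a second region the parent maps at 0x5A0000), which is consistent with all of these processes being builds of one PE with the parent writing into each freshly started child. The page does not show that the written copies are byte-identical, and the differing hashes of the dropped files show they are not all identical on disk; only the dropped services.exe under AppData\Local shares the sample's own hashes.

The Python below is an added example, not sandbox output: it collapses the repeated rows to one entry per (writer, target), parses the dump names, and reports whether each target shares a mapped region with its writer. The write rows are rebuilt from the table above (each target repeated four times, as the sandbox printed them); the dump names are copied from the Files list.

```python
"""Correlate the repeated 'wrote to memory of' rows of a sandbox report with the memory-dump
names from its Files list.  Added example; not part of the sandbox output."""
import re
from collections import defaultdict

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (.+)$")
DUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")


def mapped_regions(dump_names):
    """{pid: {(base, size), ...}} parsed from names like memory/2316-111-0x...400000-0x...42F000-memory.dmp."""
    regions = defaultdict(set)
    for name in dump_names:
        m = DUMP_RE.match(name)
        if m:
            pid, base, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
            regions[pid].add((base, end - base))
    return regions


def injection_summary(wpm_rows, dump_names):
    """One entry per (writer_pid, target_pid): write count, target image, and whether the target
    maps a region with the same base and size as one of the writer's own regions."""
    regions = mapped_regions(dump_names)
    summary = {}
    for row in wpm_rows:
        m = WPM_RE.match(row)
        if not m:
            continue                      # rows from other signatures are ignored
        writer, target, target_img = int(m.group(1)), int(m.group(2)), m.group(4)
        entry = summary.setdefault((writer, target), {"target_image": target_img, "writes": 0})
        entry["writes"] += 1
        entry["same_image_layout"] = bool(regions[writer] & regions[target])
    return summary


PARENT = r"C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe"
# Targets from the WriteProcessMemory table above; the sandbox printed four rows per target.
TARGETS = {
    2316: r"C:\Windows\xk.exe",
    1200: r"C:\Windows\SysWOW64\IExplorer.exe",
    2488: r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE",
    2828: r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE",
    1692: r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE",
    2180: r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE",
    1924: r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE",
}
WPM_ROWS = [f"PID 2236 wrote to memory of {pid} N/A {PARENT} {img}"
            for pid, img in TARGETS.items() for _ in range(4)]
# Memory-dump names copied from the behavioral1 Files list.
DUMPS = [
    "memory/2236-0-0x0000000000400000-0x000000000042F000-memory.dmp",
    "memory/2236-110-0x00000000005A0000-0x00000000005CF000-memory.dmp",
    "memory/2316-111-0x0000000000400000-0x000000000042F000-memory.dmp",
    "memory/1200-123-0x0000000000400000-0x000000000042F000-memory.dmp",
    "memory/2488-136-0x0000000000400000-0x000000000042F000-memory.dmp",
    "memory/2828-151-0x0000000000400000-0x000000000042F000-memory.dmp",
    "memory/1692-159-0x0000000000400000-0x000000000042F000-memory.dmp",
    "memory/2180-172-0x0000000000400000-0x000000000042F000-memory.dmp",
    "memory/1924-185-0x0000000000400000-0x000000000042F000-memory.dmp",
]

if __name__ == "__main__":
    for (writer, target), e in injection_summary(WPM_ROWS, DUMPS).items():
        flag = "same image layout as writer" if e["same_image_layout"] else "different layout"
        print(f"{writer} -> {target}: {e['writes']} writes into {e['target_image']} ({flag})")
```

A single parent writing into seven children that it has just started, all sharing its image layout and five of them named after core Windows processes but living under the user profile, is the pattern to alert on; the per-row duplication in the raw table only reflects the number of write calls.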

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 04:01

Reported

2024-06-14 04:03

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (18 hits, none with indicator details recorded by the sandbox)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1640 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe C:\Windows\xk.exe
PID 1640 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe C:\Windows\xk.exe
PID 1640 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe C:\Windows\xk.exe
PID 1640 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1640 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1640 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1640 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 1640 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 1640 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 1640 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 1640 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 1640 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 1640 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 1640 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 1640 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 1640 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 1640 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 1640 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 1640 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 1640 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 1640 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a0aa95995a841d307ec8b829075ea760_NeikiAnalytics.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/1640-0-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\winlogon.exe

MD5 a0aa95995a841d307ec8b829075ea760
SHA1 862b46f4e388d214d572e66f9bedea4f77d4239f
SHA256 fe08914df87c8274638d0673106d1954275a060dfb4e9a618f7c346bad1b981f
SHA512 703ccf838503394bb558452a2978a4ae0410b79039e160fc440f2228e6dabd6898e9abbcd095f0beec1854786febf75345cefacca18652a5491a494e0e2350ae

C:\Windows\xk.exe

MD5 5cc232b28ebf38a0830ae3cc63560a20
SHA1 17afdba643b5bdcfcd7a3359039c3c5e4203b20e
SHA256 835a20f7e1fc9ad3b8e851d3875fc62e9c9904db16bacb9eefabcebe6aa93ba8
SHA512 b5f5e63f33ecc8410fda56659b9cf755ffbcbf5ef393448870cabfd7c2ee2f840d7a91b04b1d1e292e81eef8af97d26fbd0524bc4783705cf237884216dca906

C:\Windows\SysWOW64\IExplorer.exe

MD5 77c5467a73c54b118ea66e95a3a23974
SHA1 a27a406db1c55b233622287c1aebf0e5f7ef5fd7
SHA256 790b350c04da1d8696a95a325266892e5785532a6288173638e0a6760754abaf
SHA512 89bf7345ece76d0c24edc9f7c85bcf4e94592a7384e27f31085a0a174605b94ebe507a988714e7cfaefcd77818e69c1e172036ced8df0ad6f08f33535f640e5b

memory/4292-114-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2488-115-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2488-119-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4528-126-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 80a053f15148cd2fd84ee7628d200635
SHA1 ea4cee920d7446302ef1639b90b883b99a9ffea0
SHA256 c0e4ce78d73f8ca0f989ea0c8707a752a4e17e5daf09a26c1339f640a14a7bae
SHA512 ca59d9d1bc55620ca3e4279f3dbe9c10c1067aa2059205a2216647d54f6712a2f8e00411cabc8ef0cd8e66bfe9e48d4a5dfe88bc98ac75ea0033dc5c2acf4e36

C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 d66b710e82e7e6afb2cb14394afabc16
SHA1 e267c539ba38ca868da9caca7bd5fd02cb885c01
SHA256 61eda7b5ae800f38249deac8af8aa93c320e9ec8b6d96343484af7c23e143dee
SHA512 7e7b4334686499d6896501af687ac8fd7a6180add6636d93b597de2339dd95ff08bce691c934a0e96ebb213e3dffcaefe53e33fd54bb5a63078d33d1b3ec7a58

memory/1916-137-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2704-135-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1916-141-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

MD5 3c24c788163c571ce30a3dd8c8d6f546
SHA1 30c893f855b021cf72957ee2bc8549e144b41ebb
SHA256 c01ba5df17e37263cb5734cd6f601772765f94d7b763aabf488dbc87f4225e63
SHA512 55daf348f8b2dc5ba9d0bdf75451ede221275687ade6ee11f46d21fe7c37a921bc94a12539009b9d5d73ed22e8219b59196e3260a290132cae37064696430061

memory/3332-147-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 e2db1256108c45d1b51bbaef5b855ead
SHA1 c698f64b20973b03cd0e7cf0be4788a94885f954
SHA256 59a48080775b7f64249a5a2bd8ca5d20296bb7c7768519d29da928f060bc28db
SHA512 6845da747d217e000d880def0cd8de242aa0dc46299f46b423f46c7c6aa4c85b001f694f365649771b72fea6113698b6a07247a84d1f921a1e0508cdb5048c8c

memory/2700-153-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1640-154-0x0000000000400000-0x000000000042F000-memory.dmp