Malware Analysis Report

2024-09-11 11:47

Sample ID 240616-hxatbsyajl
Target df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe
SHA256 bb1a2c1ecf168a2d6bd3475d3f285f317d7d79376774141f13962a374b5bf05a
Tags sality backdoor bootkit evasion persistence trojan upx
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

bb1a2c1ecf168a2d6bd3475d3f285f317d7d79376774141f13962a374b5bf05a

Threat Level: Known bad

The file df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor bootkit evasion persistence trojan upx

Sality

Windows security bypass

UAC bypass

Modifies firewall policy service

UPX packed file

Windows security modification

Enumerates connected drives

Writes to the Master Boot Record (MBR)

Checks whether UAC is enabled

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

System policy modification

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-16 07:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 07:06

Reported

2024-06-16 07:09

Platform

win7-20240611-en

Max time kernel

119s

Max time network

124s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f768bbc C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2232 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe C:\Windows\system32\taskhost.exe
PID 2232 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe C:\Windows\system32\Dwm.exe
PID 2232 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 2232 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe
PID 2232 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe C:\Windows\system32\taskhost.exe
PID 2232 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe C:\Windows\system32\Dwm.exe
PID 2232 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 2232 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe
PID 2232 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe C:\Windows\system32\taskhost.exe
PID 2232 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe C:\Windows\system32\Dwm.exe
PID 2232 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 2232 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

Network

Country Destination Domain Proto
US 8.8.8.8:53 genuine.microsoft.com udp
US 134.170.185.174:80 genuine.microsoft.com tcp

Files

memory/2232-0-0x0000000001000000-0x0000000001099000-memory.dmp

memory/2232-3-0x00000000024A0000-0x000000000355A000-memory.dmp

memory/2232-1-0x00000000024A0000-0x000000000355A000-memory.dmp

memory/2232-17-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

memory/2232-15-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

memory/2232-14-0x0000000000DB0000-0x0000000000DB2000-memory.dmp

memory/1104-7-0x0000000001C60000-0x0000000001C62000-memory.dmp

memory/2232-21-0x00000000024A0000-0x000000000355A000-memory.dmp

memory/2232-18-0x00000000024A0000-0x000000000355A000-memory.dmp

memory/2232-5-0x00000000024A0000-0x000000000355A000-memory.dmp

memory/2232-22-0x00000000024A0000-0x000000000355A000-memory.dmp

memory/2232-24-0x0000000000DB0000-0x0000000000DB2000-memory.dmp

memory/2232-19-0x00000000024A0000-0x000000000355A000-memory.dmp

memory/2232-23-0x0000000000DB0000-0x0000000000DB2000-memory.dmp

memory/2232-6-0x00000000024A0000-0x000000000355A000-memory.dmp

memory/2232-20-0x00000000024A0000-0x000000000355A000-memory.dmp

memory/2232-4-0x00000000024A0000-0x000000000355A000-memory.dmp

memory/2232-33-0x00000000024A0000-0x000000000355A000-memory.dmp

memory/2232-35-0x00000000024A0000-0x000000000355A000-memory.dmp

memory/2232-34-0x00000000024A0000-0x000000000355A000-memory.dmp

memory/2232-36-0x00000000024A0000-0x000000000355A000-memory.dmp

memory/2232-37-0x00000000024A0000-0x000000000355A000-memory.dmp

C:\ProgramData\Office Genuine Advantage\data\data.dat

MD5 4f524a9367e51cc4c570c6e558e43cf0
SHA1 55efab98d3387c9f3da70c4401069ea473e03381
SHA256 7c292d6f2147724f46555f2128e313c4387f7aa37cb4414715a60e003fe4bf24
SHA512 acbd5344e7c59cc8172663e852491b58842c741f29a4e38dbfe11793e37dc543ff6073a74e4ecc341b448c58c873e7da92ab2845b5bfe5cd79730274bcc472f0

C:\ProgramData\Office Genuine Advantage\data\data.dat

MD5 8201be4fcd9486ea608e03ddae9a8960
SHA1 d5b3570df65d0495cc108f46936e1b4ac0b01486
SHA256 7cce7ea93b50127753fd0e2d30abd896258e8616f10ef6f09b517d011231eb1c
SHA512 1c7de9dc72c0bad71c65d2b2b02db786028962c26e2104d51ee002e805c3145e1aa603382321404ff66d00d1f909603b2f84e0a9b2d9f0518a439038567dcf9d

memory/2232-59-0x00000000024A0000-0x000000000355A000-memory.dmp

memory/2232-60-0x00000000024A0000-0x000000000355A000-memory.dmp

memory/2232-61-0x00000000024A0000-0x000000000355A000-memory.dmp

memory/2232-63-0x00000000024A0000-0x000000000355A000-memory.dmp

memory/2232-74-0x0000000003BF0000-0x0000000003BF2000-memory.dmp

memory/2232-73-0x0000000003C80000-0x0000000003C81000-memory.dmp

memory/2232-78-0x0000000003BF0000-0x0000000003BF2000-memory.dmp

memory/2232-79-0x00000000024A0000-0x000000000355A000-memory.dmp

memory/2232-81-0x00000000024A0000-0x000000000355A000-memory.dmp

memory/2232-82-0x00000000024A0000-0x000000000355A000-memory.dmp

memory/2232-84-0x00000000024A0000-0x000000000355A000-memory.dmp

memory/2232-85-0x00000000024A0000-0x000000000355A000-memory.dmp

memory/2232-91-0x00000000024A0000-0x000000000355A000-memory.dmp

memory/2232-94-0x00000000024A0000-0x000000000355A000-memory.dmp

memory/2232-101-0x00000000024A0000-0x000000000355A000-memory.dmp

memory/2232-103-0x00000000024A0000-0x000000000355A000-memory.dmp

memory/2232-125-0x0000000000DB0000-0x0000000000DB2000-memory.dmp

memory/2232-147-0x0000000001000000-0x0000000001099000-memory.dmp

memory/2232-148-0x00000000024A0000-0x000000000355A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 07:06

Reported

2024-06-16 07:09

Platform

win10v2004-20240508-en

Max time kernel

79s

Max time network

99s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e5736bf C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3044 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 3044 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 3044 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe C:\Windows\system32\dwm.exe
PID 3044 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe C:\Windows\system32\sihost.exe
PID 3044 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 3044 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe C:\Windows\system32\taskhostw.exe
PID 3044 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 3044 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 3044 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe
PID 3044 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3044 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3044 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3044 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3044 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3044 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3044 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 3044 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 3044 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe C:\Windows\system32\dwm.exe
PID 3044 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe C:\Windows\system32\sihost.exe
PID 3044 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 3044 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe C:\Windows\system32\taskhostw.exe
PID 3044 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 3044 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 3044 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe
PID 3044 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3044 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3044 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3044 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 3044 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3044 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\df2e1c07f63950830fae5d554574b650_NeikiAnalytics.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 genuine.microsoft.com udp
US 52.111.229.43:443 tcp

Files

memory/3044-0-0x0000000001000000-0x0000000001099000-memory.dmp

memory/3044-3-0x00000000024B0000-0x000000000356A000-memory.dmp

memory/3044-1-0x00000000024B0000-0x000000000356A000-memory.dmp

memory/3044-9-0x0000000000560000-0x0000000000561000-memory.dmp

memory/3044-18-0x0000000000550000-0x0000000000552000-memory.dmp

memory/3044-17-0x00000000024B0000-0x000000000356A000-memory.dmp

memory/3044-15-0x00000000024B0000-0x000000000356A000-memory.dmp

memory/3044-16-0x00000000024B0000-0x000000000356A000-memory.dmp

memory/3044-19-0x0000000000550000-0x0000000000552000-memory.dmp

memory/3044-20-0x00000000024B0000-0x000000000356A000-memory.dmp

memory/3044-7-0x00000000024B0000-0x000000000356A000-memory.dmp

memory/3044-6-0x00000000024B0000-0x000000000356A000-memory.dmp

memory/3044-8-0x0000000000550000-0x0000000000552000-memory.dmp

memory/3044-5-0x00000000024B0000-0x000000000356A000-memory.dmp

memory/3044-21-0x00000000024B0000-0x000000000356A000-memory.dmp

memory/3044-25-0x00000000024B0000-0x000000000356A000-memory.dmp

C:\ProgramData\Office Genuine Advantage\data\data.dat

MD5 8756fc9b81d446babe6ef0e914c1daa4
SHA1 eb067e0d510cd690824af1baa81f9fbf4d2aea4b
SHA256 44285660ab587d03bf95bd1264e71eb89b2d316ac0e4a4318632ce0c7449cc24
SHA512 23465a929457a81c610e710c5b36d2b72af3b4ebd304aacb6220b0318f3b3da6999514fb2fe0114f8d2f35fddb52a998eb4355bbfc6e3ae55038941d649b43cf

memory/3044-26-0x00000000024B0000-0x000000000356A000-memory.dmp

C:\ProgramData\Office Genuine Advantage\data\data.dat

MD5 b7749537089fe7ae21f7007f5ed4c14c
SHA1 4b973d580e71f452f07a7c09b9087ed4671b7729
SHA256 38e905ac91306a31ff305318de633efdb7caa5da53bcc4224bebdccc42f4288d
SHA512 01f5ca46c9dd2616fc001bbe4c896376321b38c8c7266b2d488963eed9d28409d12bb1ac72dba9ad5a2cc2156dcdbe2476575442dcc46be5848c1494fd671f2e

memory/3044-46-0x00000000024B0000-0x000000000356A000-memory.dmp

memory/3044-47-0x00000000024B0000-0x000000000356A000-memory.dmp

memory/3044-48-0x00000000024B0000-0x000000000356A000-memory.dmp

memory/3044-50-0x00000000024B0000-0x000000000356A000-memory.dmp

memory/3044-51-0x00000000024B0000-0x000000000356A000-memory.dmp

memory/3044-52-0x00000000024B0000-0x000000000356A000-memory.dmp

memory/3044-54-0x00000000024B0000-0x000000000356A000-memory.dmp

memory/3044-55-0x00000000024B0000-0x000000000356A000-memory.dmp

memory/3044-57-0x00000000024B0000-0x000000000356A000-memory.dmp

memory/3044-58-0x00000000024B0000-0x000000000356A000-memory.dmp

memory/3044-61-0x00000000024B0000-0x000000000356A000-memory.dmp

memory/3044-63-0x00000000024B0000-0x000000000356A000-memory.dmp

memory/3044-67-0x00000000024B0000-0x000000000356A000-memory.dmp

memory/3044-73-0x00000000024B0000-0x000000000356A000-memory.dmp

memory/3044-75-0x00000000024B0000-0x000000000356A000-memory.dmp

memory/3044-77-0x0000000000550000-0x0000000000552000-memory.dmp

memory/3044-93-0x0000000001000000-0x0000000001099000-memory.dmp