Malware Analysis Report

2024-09-11 12:02

Sample ID 240617-aar54ayeqp
Target 215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe
SHA256 0e1c4959ad7549094383552f76aa2eeae497c216ed5a233c7f901b3891287971
Tags
sality backdoor evasion persistence trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0e1c4959ad7549094383552f76aa2eeae497c216ed5a233c7f901b3891287971

Threat Level: Known bad

The file 215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion persistence trojan upx

UAC bypass

Modifies firewall policy service

Modifies visibility of hidden/system files in Explorer

Sality

Modifies visibility of file extensions in Explorer

Windows security bypass

Windows security modification

Loads dropped DLL

Executes dropped EXE

UPX packed file

Adds Run key to start application

Checks whether UAC is enabled

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

System policy modification

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-17 00:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 00:00

Reported

2024-06-17 00:03

Platform

win10v2004-20240611-en

Max time kernel

43s

Max time network

153s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Note: EnableLUA lives under HKLM, so this write only succeeds from a process that is already elevated. It disables UAC for future sessions (the change takes effect after a restart) rather than bypassing a prompt in the current one; the signature name overstates what was observed.

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (39 identical rows; the sandbox recorded no indicator, process or target for this match)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A
Note: the autostart value is named "Microsoft Windows" and points at a dropped binary called rundll32.exe under %AppData%\Microsoft\Office, so it reads as legitimate at a glance. The real rundll32.exe lives in C:\Windows\System32; a file of that name anywhere else is an indicator on its own.

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
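The registry rows in the signature tables above (firewall policy, Explorer, Security Center, UAC and the Run key) are what an analyst actually keys a detection on. The following is an added example, not part of the sandbox report and not sandbox code: it parses rows in the report's own "Set value" layout and maps each write to the control it weakens. The rule table, the list of user-writable locations, the treatment of a rundll32.exe outside System32 as masquerading and the ATT&CK technique IDs are this example's own assumptions; the sample rows are copied verbatim from the tables above.

```python
"""Map the report's "Set value" rows to the security control each write weakens.
Added example for this page, not sandbox code; rule table and ATT&CK IDs are
this example's own assumptions."""
import re
from dataclasses import dataclass

# Constructed sample: one row per signature section above, copied verbatim, plus
# a "Key created" row to show that rows in other formats are skipped.
SAMPLE_EVENTS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
"""

# Row layout used by the report; process paths in this report contain no spaces.
SET_VALUE = re.compile(
    r'^Set value \(\w+\) (?P<key>\\REGISTRY\\.+?)\\(?P<name>[^\\]+?) = '
    r'"(?P<data>[^"]*)" (?P<proc>\S+) \S+$'
)


@dataclass(frozen=True)
class Rule:
    key_tail: str    # matched against the end of the hive-normalised key
    name: str
    bad_data: str    # the value that weakens the control
    control: str
    technique: str


# Assumed mapping: registry value -> control it weakens -> ATT&CK technique.
TAMPER_RULES = [
    Rule(r"Policies\System", "EnableLUA", "0", "UAC prompts (after restart)", "T1548.002"),
    Rule(r"FirewallPolicy\StandardProfile", "EnableFirewall", "0", "Windows Firewall, standard profile", "T1562.004"),
    Rule(r"FirewallPolicy\StandardProfile", "DoNotAllowExceptions", "0", "firewall block-all-exceptions mode", "T1562.004"),
    Rule(r"FirewallPolicy\StandardProfile", "DisableNotifications", "1", "firewall notifications", "T1562.004"),
    Rule(r"Microsoft\Security Center", "AntiVirusOverride", "1", "Security Center AV warnings", "T1562.001"),
    Rule(r"Microsoft\Security Center", "FirewallOverride", "1", "Security Center firewall warnings", "T1562.001"),
    Rule(r"Microsoft\Security Center", "AntiVirusDisableNotify", "1", "AV status notifications", "T1562.001"),
    Rule(r"Microsoft\Security Center", "FirewallDisableNotify", "1", "firewall status notifications", "T1562.001"),
    Rule(r"Microsoft\Security Center", "UpdatesDisableNotify", "1", "Windows Update notifications", "T1562.001"),
    Rule(r"Microsoft\Security Center", "UacDisableNotify", "1", "UAC status notifications", "T1562.001"),
    Rule(r"Explorer\Advanced", "HideFileExt", "1", "file-extension display in Explorer", "T1564.001"),
    Rule(r"Explorer\Advanced", "ShowSuperHidden", "0", "hidden/system file display in Explorer", "T1564.001"),
]
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
SYSTEM_BINARY_NAMES = {"rundll32.exe", "svchost.exe", "explorer.exe", "dllhost.exe"}


@dataclass(frozen=True)
class Finding:
    techniques: tuple
    effect: str
    process: str
    evidence: str


def normalise_key(key: str) -> str:
    """Strip hive, SID, WOW6432Node and ControlSetNNN so one rule matches any context."""
    key = re.sub(r"^\\REGISTRY\\USER\\S-1-5-[\d-]+\\", "", key)
    key = re.sub(r"^\\REGISTRY\\MACHINE\\", "", key)
    key = key.replace("\\WOW6432Node", "")
    return re.sub(r"ControlSet\d{3}", "CurrentControlSet", key)


def classify(line: str):
    """Return a Finding for a tampering write, None for anything else."""
    m = SET_VALUE.match(line)
    if not m:
        return None
    key, name, data, proc = normalise_key(m["key"]), m["name"], m["data"], m["proc"]
    for rule in TAMPER_RULES:
        if key.endswith(rule.key_tail) and name == rule.name and data == rule.bad_data:
            return Finding((rule.technique,), f"disables {rule.control}", proc, f"{key}\\{name} = {data}")
    if key.endswith(r"CurrentVersion\Run") or key.endswith(r"CurrentVersion\RunOnce"):
        target = data.replace("\\\\", "\\").lower()   # the report escapes backslashes in str data
        if any(part in target for part in USER_WRITABLE):
            techniques = ["T1547.001"]
            name_only = target.rsplit("\\", 1)[-1]
            if name_only in SYSTEM_BINARY_NAMES and not target.startswith("c:\\windows\\"):
                techniques.append("T1036.005")        # legitimate name, wrong location
            return Finding(tuple(techniques), f"Run entry '{name}' autostarts {name_only} from a user-writable path", proc, target)
    return None


def analyse(report_text: str) -> list:
    return [f for f in map(classify, report_text.strip().splitlines()) if f]


def technique_counts(findings) -> dict:
    counts = {}
    for f in findings:
        for t in f.techniques:
            counts[t] = counts.get(t, 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(", ".join(f.techniques), f.effect, "<-", f.process.rsplit("\\", 1)[-1])
    print(technique_counts(analyse(SAMPLE_EVENTS)))
```

Matching on the tail of a hive-normalised key is deliberate: the same value arrives as `\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\...` from a 32-bit writer, as `ControlSet001` in a sandbox and `CurrentControlSet` in live telemetry, and under a per-user SID for HKCU values, and a rule keyed on the exact path would miss all but one of those. A second value in the same key that is set back to its secure default is ignored, which is what keeps the classifier quiet on a security product restoring settings.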

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Note: the signature name is misleading here. These are existing 7-Zip executables opened for write by the dropped copy, not new files, which is consistent with Sality's PE file infection; treat every executable the sample touched as compromised and restore it from known-good media, since deleting the dropped files alone is not a cleanup.

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e57ab34 C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File created C:\Windows\e576206 C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A
Note: nothing on Windows 10 legitimately writes C:\Windows\SYSTEM.INI, a legacy 16-bit configuration file, so a write to it by a user-mode binary launched from %TEMP% is a high-confidence triage indicator. The two random-named files created directly under C:\Windows are worth hashing and preserving alongside the sample.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A (64 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1012 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 1012 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 1012 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe C:\Windows\system32\dwm.exe
PID 1012 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe C:\Windows\system32\sihost.exe
PID 1012 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 1012 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe C:\Windows\system32\taskhostw.exe
PID 1012 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 1012 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 1012 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe
PID 1012 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1012 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 1012 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1012 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 1012 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 1012 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 1012 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1012 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1012 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
PID 1012 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
PID 1012 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
PID 2156 wrote to memory of 788 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\fontdrvhost.exe
PID 2156 wrote to memory of 784 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\fontdrvhost.exe
PID 2156 wrote to memory of 380 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\dwm.exe
PID 2156 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\sihost.exe
PID 2156 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\svchost.exe
PID 2156 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\taskhostw.exe
PID 2156 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\Explorer.EXE
PID 2156 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\svchost.exe
PID 2156 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\DllHost.exe
PID 2156 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2156 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\System32\RuntimeBroker.exe
PID 2156 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2156 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\System32\RuntimeBroker.exe
PID 2156 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\System32\RuntimeBroker.exe
PID 2156 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2156 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2156 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2156 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\System32\RuntimeBroker.exe
PID 2156 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\System32\RuntimeBroker.exe
PID 2156 wrote to memory of 788 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\fontdrvhost.exe
PID 2156 wrote to memory of 784 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\fontdrvhost.exe
PID 2156 wrote to memory of 380 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\dwm.exe
PID 2156 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\sihost.exe
PID 2156 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\svchost.exe
PID 2156 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\taskhostw.exe
PID 2156 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\Explorer.EXE
PID 2156 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\svchost.exe
PID 2156 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\DllHost.exe
PID 2156 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2156 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\System32\RuntimeBroker.exe
PID 2156 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2156 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\System32\RuntimeBroker.exe
PID 2156 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\System32\RuntimeBroker.exe
PID 2156 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2156 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2156 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2156 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\System32\RuntimeBroker.exe
PID 2156 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\System32\RuntimeBroker.exe
PID 2156 wrote to memory of 788 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\fontdrvhost.exe
PID 2156 wrote to memory of 784 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\fontdrvhost.exe
PID 2156 wrote to memory of 380 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\dwm.exe
PID 2156 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\sihost.exe
PID 2156 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\svchost.exe
PID 2156 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\taskhostw.exe
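The WriteProcessMemory table above and the "Enumerates connected drives" table earlier are both fan-out patterns: one writer touching most of the session's processes, and one process probing nearly every drive letter. The following is an added example, not part of the sandbox report and not sandbox code: it rebuilds who-injected-into-whom from rows in the report's own "PID X wrote to memory of Y" layout, flags a writer that reaches many distinct processes, links the original sample to the dropped copy that repeats its injection set, and counts drive letters per process. The two thresholds, the ATT&CK IDs (T1055 for the injection, T1120 for the drive probing) and the row subset are this example's own assumptions; the rows are rebuilt verbatim from the tables on this page.

```python
"""Rebuild the injection graph and drive sweep from the report's event rows.
Added example for this page, not sandbox code; thresholds and ATT&CK IDs are
this example's own assumptions."""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe"
SYS32 = r"C:\Windows\system32"

# Constructed sample: a subset of the WriteProcessMemory rows above, rebuilt in
# the report's own row format (the duplicate 1012 -> 2156 row is kept on purpose).
WRITE_ROWS = "\n".join(
    f"PID {src} wrote to memory of {dst} N/A {src_img} {dst_img}"
    for src, src_img, dst, dst_img in [
        (1012, SAMPLE, 788, SYS32 + r"\fontdrvhost.exe"),
        (1012, SAMPLE, 784, SYS32 + r"\fontdrvhost.exe"),
        (1012, SAMPLE, 380, SYS32 + r"\dwm.exe"),
        (1012, SAMPLE, 2920, SYS32 + r"\sihost.exe"),
        (1012, SAMPLE, 2960, SYS32 + r"\svchost.exe"),
        (1012, SAMPLE, 3432, r"C:\Windows\Explorer.EXE"),
        (1012, SAMPLE, 2156, DROPPED),
        (1012, SAMPLE, 2156, DROPPED),
        (2156, DROPPED, 788, SYS32 + r"\fontdrvhost.exe"),
        (2156, DROPPED, 784, SYS32 + r"\fontdrvhost.exe"),
        (2156, DROPPED, 380, SYS32 + r"\dwm.exe"),
        (2156, DROPPED, 2920, SYS32 + r"\sihost.exe"),
        (2156, DROPPED, 2960, SYS32 + r"\svchost.exe"),
        (2156, DROPPED, 3432, r"C:\Windows\Explorer.EXE"),
        (2156, DROPPED, 4476, r"C:\Windows\System32\RuntimeBroker.exe"),
    ]
)
# The 23 drive letters the "Enumerates connected drives" table lists, in report order.
DRIVE_PREFIX = "File opened (read-only) \\??\\"
DRIVE_ROWS = "\n".join(f"{DRIVE_PREFIX}{letter}: {DROPPED} N/A" for letter in "OQBESUWAIJKLMRTGZVNPXYH")

WRITE_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$")
DRIVE_RE = re.compile(r"^File opened \(read-only\) \\\?\?\\(?P<letter>[A-Z]): (?P<proc>\S+) N/A$")
FANOUT_MIN = 5   # distinct target PIDs before a writer counts as broad injection (assumed)
DRIVES_MIN = 8   # distinct drive letters before a process counts as a sweep (assumed)


def parse(text: str):
    """writes: (src_pid, src_img) -> {(dst_pid, dst_img)}; drives: image -> {letters}."""
    writes, drives = defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        if m := WRITE_RE.match(line):
            writes[(int(m["src"]), m["src_img"])].add((int(m["dst"]), m["dst_img"]))
        elif m := DRIVE_RE.match(line):
            drives[m["proc"]].add(m["letter"])
    return writes, drives


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def analyse(text: str) -> list:
    writes, drives = parse(text)
    writer_of = {pid: (pid, img) for pid, img in writes}
    findings = []
    for (pid, img), targets in writes.items():
        target_pids = {p for p, _ in targets}
        if len(target_pids) >= FANOUT_MIN:
            findings.append({
                "rule": "broad-injection", "technique": "T1055", "pid": pid,
                "image": basename(img), "targets": len(target_pids),
                "system_targets": sorted({basename(i) for _, i in targets
                                          if i.lower().startswith("c:\\windows\\")}),
            })
        # A target that injects in turn is a second stage; the overlap of its target
        # set with the parent's shows whether it simply repeats the parent's work.
        for dst_pid, _ in targets:
            if dst_pid != pid and dst_pid in writer_of:
                child_pids = {p for p, _ in writes[writer_of[dst_pid]]}
                findings.append({"rule": "injection-chain", "technique": "T1055",
                                 "chain": [pid, dst_pid],
                                 "shared_targets": len(target_pids & child_pids)})
    for proc, letters in drives.items():
        if len(letters) >= DRIVES_MIN:
            findings.append({"rule": "drive-sweep", "technique": "T1120",
                             "image": basename(proc), "letters": "".join(sorted(letters))})
    return findings


if __name__ == "__main__":
    for finding in analyse(WRITE_ROWS + "\n" + DRIVE_ROWS):
        print(finding)
```

On the report's rows this yields two broad-injection findings (the sample and its dropped copy each reach seven distinct processes, all but one of them under C:\Windows), one chain 1012 -> 2156 sharing six targets with its parent, and one drive sweep over 23 letters by the dropped copy. The sweep is only discovery as far as the sandbox shows; whether the sample goes on to write to removable or network drives is not something these rows establish.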

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 13.107.21.237:443 g.bing.com tcp
BE 88.221.83.184:443 www.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 184.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 211.143.182.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe

MD5 215be702816a66d7b4a8884c71dd8100
SHA1 9f5efe443c242ef5e81f1ceca81b9c02353fa87e
SHA256 0e1c4959ad7549094383552f76aa2eeae497c216ed5a233c7f901b3891287971
SHA512 84a956cab8b81e3cd317a28569b59d937b5464762af3df6841a2bbc959a97888e70a8d381cad1f15eeb32487b33d9f4723432c295181294329787a374345293f

C:\Users\Admin\AppData\Local\Temp\0E578B87_Rar\rundll32.exe

MD5 2eb5d76180ce7b3241b281fa79ab3483
SHA1 06293dea80e39c7eb7ee2bdb00d60b58d932fa8a
SHA256 e1b9beb4617a720d55afaec364941bb18ea2c456a8b06b30a736f0cbb5c297e8
SHA512 35f553c76fc67afb88a6a090fcbad6af3e2faae154c9c84bd869714194012525a2d42b76dad855805f107a37c351f0de08fd9a03d8ddc1dd400d64640d81b90b

C:\Windows\SYSTEM.INI

MD5 ea394ce80efd9ea3ae97c46e133bcc76
SHA1 8e2900f3e2a65aba56e8c910bbb2d74e0c122de7
SHA256 c49c5b5b48c0254ba0cc86e472e92918cb230a7693122e26a018d99fd26cb667
SHA512 87be20cd63b602e7ba221ac304ffddd3299bf24a10db914bba236423ee7f641ad59456f75d912dff313a73fc44e0ca11d9c6feee8e133c6173d89b71f05ddc2a

C:\iagju.exe

MD5 222faa9b1bb93f0163a93f8660b9026d
SHA1 ad42684c0678f99b3253d5e3b2e90cfe45f1cde8
SHA256 7c9ea91c2b44960e621be438e7d076c5c9a9ba986306579b15b27dc2b5454c5c
SHA512 cd779f1c13045eb033acdb9f053032982f914ad79fe17b4521b61a24344cb323e2ca0a091d145e5a5b383b3cc176a20d1bcdc963c0f01fd61346bf5fe32bc041

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 00:00

Reported

2024-06-17 00:03

Platform

win7-20240508-en

Max time kernel

29s

Max time network

120s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (28 identical entries)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\V: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f760eb0 C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A
File created C:\Windows\f76406a C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A (20 identical entries)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A (21 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2348 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe C:\Windows\system32\taskhost.exe
PID 2348 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe C:\Windows\system32\Dwm.exe
PID 2348 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 2348 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe
PID 2348 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe (7 identical entries)
PID 2708 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\taskhost.exe (2 identical entries)
PID 2708 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\Dwm.exe (2 identical entries)
PID 2708 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\Explorer.EXE (2 identical entries)

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\215be702816a66d7b4a8884c71dd8100_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe

Network

N/A

Files

\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe

MD5 215be702816a66d7b4a8884c71dd8100
SHA1 9f5efe443c242ef5e81f1ceca81b9c02353fa87e
SHA256 0e1c4959ad7549094383552f76aa2eeae497c216ed5a233c7f901b3891287971
SHA512 84a956cab8b81e3cd317a28569b59d937b5464762af3df6841a2bbc959a97888e70a8d381cad1f15eeb32487b33d9f4723432c295181294329787a374345293f

C:\Users\Admin\AppData\Local\Temp\0F761A25_Rar\rundll32.exe

MD5 2eb5d76180ce7b3241b281fa79ab3483
SHA1 06293dea80e39c7eb7ee2bdb00d60b58d932fa8a
SHA256 e1b9beb4617a720d55afaec364941bb18ea2c456a8b06b30a736f0cbb5c297e8
SHA512 35f553c76fc67afb88a6a090fcbad6af3e2faae154c9c84bd869714194012525a2d42b76dad855805f107a37c351f0de08fd9a03d8ddc1dd400d64640d81b90b

C:\Windows\SYSTEM.INI

MD5 b6e01aedf44429e5e30a540908870efe
SHA1 af08e15ce006bd688a2c65440dd273a075851ba7
SHA256 d417168d269d8c392cc91ee93c0934233aed6abec6c25786bebab79e1a46d7dd
SHA512 53ca1c9aeb950feb340ab2ea8a421d25446877d20b228b2b2fa67a7de49e38868010d23acadb1c9decf560bbeb1fe6f97910a26378b9e18c6e7cfdccdce18adc

C:\eacrpk.exe

MD5 2cc30069c607587a122cc8da3e00faa2
SHA1 9c10d874244cd768ad315c0ef8fc8045a94f22d2
SHA256 6808b1d0a37c6e3e6bbb1939fb105f1e39825b37ac7316a3e968b2f33a6ace92
SHA512 9aa5d14c63f0dc0c4e40401220f5344521667f535e1a33417f0fafb78e3a3985e3d873c0f2568829ae598db15d51193781e26309f52248e945f57a5aa149b5b1
