Analysis Overview
SHA256
842e36c3341012b2b4a4ba93306a9f341f150f124c67f2b839ea8c9ed489e3b4
Threat Level: Known bad
The file 2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Windows security bypass
Sality
Modifies firewall policy service
UAC bypass
Disables Task Manager via registry modification
Disables RegEdit via registry modification
Executes dropped EXE
Checks computer location settings
Windows security modification
UPX packed file
Loads dropped DLL
Checks whether UAC is enabled
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
System policy modification
Suspicious use of WriteProcessMemory
Enumerates processes with tasklist
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-17 01:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-17 01:29
Reported
2024-06-17 01:32
Platform
win7-20231129-en
Max time kernel
120s
Max time network
126s
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe | N/A |
Sality
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe | N/A |
Disables Task Manager via registry modification
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SYSTEM.INI | C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe | N/A |
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\
C:\Windows\SysWOW64\cmd.exe
cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq BlueStacksServices.exe" | find "BlueStacksServices.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "USERNAME eq Admin" /FI "IMAGENAME eq BlueStacksServices.exe"
C:\Windows\SysWOW64\find.exe
find "BlueStacksServices.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq BlueStacksServices.exe" | find "BlueStacksServices.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "USERNAME eq Admin" /FI "IMAGENAME eq BlueStacksServices.exe"
C:\Windows\SysWOW64\find.exe
find "BlueStacksServices.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | wallet.now.gg | udp |
| US | 34.96.124.47:443 | wallet.now.gg | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 34.96.124.47:443 | wallet.now.gg | tcp |
Files
memory/1364-0-0x0000000000400000-0x00000000005D0000-memory.dmp
memory/1364-2-0x0000000001F00000-0x0000000002F8E000-memory.dmp
memory/1364-11-0x0000000001F00000-0x0000000002F8E000-memory.dmp
memory/1364-6-0x0000000001F00000-0x0000000002F8E000-memory.dmp
memory/1364-8-0x0000000001F00000-0x0000000002F8E000-memory.dmp
memory/1364-12-0x0000000001F00000-0x0000000002F8E000-memory.dmp
memory/1364-13-0x0000000001F00000-0x0000000002F8E000-memory.dmp
memory/1364-9-0x0000000001F00000-0x0000000002F8E000-memory.dmp
memory/1364-7-0x0000000001F00000-0x0000000002F8E000-memory.dmp
memory/1364-10-0x0000000001F00000-0x0000000002F8E000-memory.dmp
memory/2840-35-0x0000000000400000-0x00000000005D0000-memory.dmp
\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\nsExec.dll
| MD5 | ec0504e6b8a11d5aad43b296beeb84b2 |
| SHA1 | 91b5ce085130c8c7194d66b2439ec9e1c206497c |
| SHA256 | 5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962 |
| SHA512 | 3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57 |
C:\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\StdUtils.dll
| MD5 | c6a6e03f77c313b267498515488c5740 |
| SHA1 | 3d49fc2784b9450962ed6b82b46e9c3c957d7c15 |
| SHA256 | b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e |
| SHA512 | 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803 |
\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\System.dll
| MD5 | 0d7ad4f45dc6f5aa87f606d0331c6901 |
| SHA1 | 48df0911f0484cbe2a8cdd5362140b63c41ee457 |
| SHA256 | 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca |
| SHA512 | c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9 |
C:\Users\Admin\AppData\Local\Temp\0F761B9C_Rar\Un_A.exe
| MD5 | a5b90f557b45c1398fe648e4377bae9b |
| SHA1 | 65e051d4faecc72528c77064b6c7b23fb419f04f |
| SHA256 | a4bd67571bcba77ed3f5a4ebb2e2ffbc3d2320d8bf8b4b1fae2ca668af2149b8 |
| SHA512 | 755c1b548870dbf48ab669f15d31f0e2eab55d0c1bc23d712cb0c977ddb1ea6f811f31b4933bc629d69f01e460c735047df49604433ab0a284a187a19dc49220 |
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
| MD5 | 2e31947b461d41f8841ad6b7599da1c0 |
| SHA1 | 34397666cc9b7cbfc64cd87412b45796db7ebffc |
| SHA256 | 842e36c3341012b2b4a4ba93306a9f341f150f124c67f2b839ea8c9ed489e3b4 |
| SHA512 | 85f2a89a7d0838eef2fe9112e0f7906e86e31a5b67a512ee171ebab0133184be80d3fadfca2c7f105d6b6ca4fad6715b7cf74d8f05d5a57b201bd025b93339cc |
memory/1364-34-0x0000000000400000-0x00000000005D0000-memory.dmp
memory/1364-17-0x0000000001F00000-0x0000000002F8E000-memory.dmp
memory/1364-28-0x0000000004CB0000-0x0000000004E80000-memory.dmp
memory/1364-24-0x0000000001F00000-0x0000000002F8E000-memory.dmp
memory/1364-16-0x0000000001F00000-0x0000000002F8E000-memory.dmp
\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\WinShell.dll
| MD5 | 1cc7c37b7e0c8cd8bf04b6cc283e1e56 |
| SHA1 | 0b9519763be6625bd5abce175dcc59c96d100d4c |
| SHA256 | 9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6 |
| SHA512 | 7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f |
\Users\Admin\AppData\Local\Temp\nso1B9D.tmp\INetC.dll
| MD5 | 38caa11a462b16538e0a3daeb2fc0eaf |
| SHA1 | c22a190b83f4b6dc0d6a44b98eac1a89a78de55c |
| SHA256 | ed04a4823f221e9197b8f3c3da1d6859ff5b176185bde2f1c923a442516c810a |
| SHA512 | 777135e05e908ac26bfce0a9c425b57f7132c1cdb0969bbb6ef625748c868860602bacc633c61cab36d0375b94b6bcfbd8bd8c7fa781495ef7332e362f8d44d1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar2ED5.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | 11239f4afe20f0fb64159896d89bff2a |
| SHA1 | 58c2743ebede91995fe3ea1750a3ecfe8a71cbd1 |
| SHA256 | 9991a2adba94fff931fc59c957a4cbb5ab80f2a9de8b9eeba40dab7276e722e7 |
| SHA512 | 33d40c06fa4ca90f702aa4689ea05a3b7299df66d18adccf4cbfffb39b9d559d0ccf8774c6b944605e9ab1da0b6c7cbb952ac69d91a6c43841771ab1c80f27cc |
memory/2840-220-0x0000000000400000-0x00000000005D0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-17 01:29
Reported
2024-06-17 01:32
Platform
win10v2004-20240611-en
Max time kernel
97s
Max time network
97s
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe | N/A |
Sality
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe | N/A |
Disables Task Manager via registry modification
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SYSTEM.INI | C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe | N/A |
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe | N/A |
Processes
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2e31947b461d41f8841ad6b7599da1c0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\
C:\Windows\SysWOW64\cmd.exe
cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq BlueStacksServices.exe" | find "BlueStacksServices.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "USERNAME eq Admin" /FI "IMAGENAME eq BlueStacksServices.exe"
C:\Windows\SysWOW64\find.exe
find "BlueStacksServices.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq BlueStacksServices.exe" | find "BlueStacksServices.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "USERNAME eq Admin" /FI "IMAGENAME eq BlueStacksServices.exe"
C:\Windows\SysWOW64\find.exe
find "BlueStacksServices.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | wallet.now.gg | udp |
| US | 34.96.124.47:443 | wallet.now.gg | tcp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.124.96.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
memory/3500-0-0x0000000000400000-0x00000000005D0000-memory.dmp
memory/3500-1-0x0000000002390000-0x000000000341E000-memory.dmp
memory/3500-9-0x0000000002390000-0x000000000341E000-memory.dmp
memory/3500-13-0x0000000002390000-0x000000000341E000-memory.dmp
memory/3500-10-0x0000000002390000-0x000000000341E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
| MD5 | 2e31947b461d41f8841ad6b7599da1c0 |
| SHA1 | 34397666cc9b7cbfc64cd87412b45796db7ebffc |
| SHA256 | 842e36c3341012b2b4a4ba93306a9f341f150f124c67f2b839ea8c9ed489e3b4 |
| SHA512 | 85f2a89a7d0838eef2fe9112e0f7906e86e31a5b67a512ee171ebab0133184be80d3fadfca2c7f105d6b6ca4fad6715b7cf74d8f05d5a57b201bd025b93339cc |
memory/3500-35-0x0000000000400000-0x00000000005D0000-memory.dmp
memory/3220-34-0x0000000000400000-0x00000000005D0000-memory.dmp
memory/3500-23-0x0000000002270000-0x0000000002272000-memory.dmp
memory/3500-27-0x0000000002390000-0x000000000341E000-memory.dmp
memory/3500-15-0x0000000002270000-0x0000000002272000-memory.dmp
memory/3500-14-0x0000000002270000-0x0000000002272000-memory.dmp
memory/3500-7-0x0000000002390000-0x000000000341E000-memory.dmp
memory/3500-8-0x0000000002390000-0x000000000341E000-memory.dmp
memory/3500-6-0x0000000002390000-0x000000000341E000-memory.dmp
memory/3500-5-0x0000000002390000-0x000000000341E000-memory.dmp
memory/3500-4-0x0000000002390000-0x000000000341E000-memory.dmp
memory/3500-12-0x00000000035A0000-0x00000000035A1000-memory.dmp
memory/3500-3-0x0000000002390000-0x000000000341E000-memory.dmp
memory/3500-11-0x0000000002270000-0x0000000002272000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0E574FD5_Rar\Un_A.exe
| MD5 | a5b90f557b45c1398fe648e4377bae9b |
| SHA1 | 65e051d4faecc72528c77064b6c7b23fb419f04f |
| SHA256 | a4bd67571bcba77ed3f5a4ebb2e2ffbc3d2320d8bf8b4b1fae2ca668af2149b8 |
| SHA512 | 755c1b548870dbf48ab669f15d31f0e2eab55d0c1bc23d712cb0c977ddb1ea6f811f31b4933bc629d69f01e460c735047df49604433ab0a284a187a19dc49220 |
C:\Users\Admin\AppData\Local\Temp\nst4FE6.tmp\System.dll
| MD5 | 0d7ad4f45dc6f5aa87f606d0331c6901 |
| SHA1 | 48df0911f0484cbe2a8cdd5362140b63c41ee457 |
| SHA256 | 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca |
| SHA512 | c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9 |
C:\Users\Admin\AppData\Local\Temp\nst4FE6.tmp\StdUtils.dll
| MD5 | c6a6e03f77c313b267498515488c5740 |
| SHA1 | 3d49fc2784b9450962ed6b82b46e9c3c957d7c15 |
| SHA256 | b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e |
| SHA512 | 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803 |
C:\Users\Admin\AppData\Local\Temp\nst4FE6.tmp\nsExec.dll
| MD5 | ec0504e6b8a11d5aad43b296beeb84b2 |
| SHA1 | 91b5ce085130c8c7194d66b2439ec9e1c206497c |
| SHA256 | 5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962 |
| SHA512 | 3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57 |
C:\Users\Admin\AppData\Local\Temp\nst4FE6.tmp\WinShell.dll
| MD5 | 1cc7c37b7e0c8cd8bf04b6cc283e1e56 |
| SHA1 | 0b9519763be6625bd5abce175dcc59c96d100d4c |
| SHA256 | 9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6 |
| SHA512 | 7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f |
C:\Users\Admin\AppData\Local\Temp\nst4FE6.tmp\INetC.dll
| MD5 | 38caa11a462b16538e0a3daeb2fc0eaf |
| SHA1 | c22a190b83f4b6dc0d6a44b98eac1a89a78de55c |
| SHA256 | ed04a4823f221e9197b8f3c3da1d6859ff5b176185bde2f1c923a442516c810a |
| SHA512 | 777135e05e908ac26bfce0a9c425b57f7132c1cdb0969bbb6ef625748c868860602bacc633c61cab36d0375b94b6bcfbd8bd8c7fa781495ef7332e362f8d44d1 |
memory/3220-87-0x0000000000400000-0x00000000005D0000-memory.dmp