1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
Size

90KB
MD5

c7c08910097d82602c345146ce16afd0
SHA1

b4904411974aaf7bd3eb2b18d2f2bbda157a62b3
SHA256

1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12
SHA512

7fe8a2a4856338dcb1bf3cdb397e4434bcabf31cd01b4e36ad3e93e6a2a622dc8dc7cba3f7d3e4a405f9650acce37094c4ea79b730a91167825b0caec303ed1a
SSDEEP

1536:XJRtlEnBHHIgabuYotV/JbJCX5SBiCJRtlEnBHHIgabuYotV/JbJCX5SBi:XvtYxOuYotvYQICvtYxOuYotvYQI

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
2580	xk.exe
2696	IExplorer.exe
2876	WINLOGON.EXE
268	CSRSS.EXE
1648	SERVICES.EXE
1528	LSASS.EXE
1164	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
1620	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
1620	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
1620	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
1620	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
1620	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
1620	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
1620	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
1620	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
1620	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
1620	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
1620	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
1620	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1620-0-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0007000000015c9b-8.dat	upx
behavioral1/files/0x0008000000016228-109.dat	upx
behavioral1/memory/2580-112-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x00060000000167e8-116.dat	upx
behavioral1/memory/2580-115-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1620-117-0x00000000004B0000-0x00000000004DF000-memory.dmp	upx
behavioral1/memory/2696-125-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1620-124-0x00000000004B0000-0x00000000004DF000-memory.dmp	upx
behavioral1/memory/2696-129-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016c3a-130.dat	upx
behavioral1/files/0x0006000000016c57-149.dat	upx
behavioral1/memory/2876-148-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016c5b-155.dat	upx
behavioral1/memory/268-154-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016ca1-171.dat	upx
behavioral1/memory/1648-164-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016ccd-175.dat	upx
behavioral1/memory/1528-177-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1620-183-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1620-187-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1164-188-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\IExplorer.exe	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\shell.exe	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mig2.scr	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
File created	C:\Windows\xk.exe	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1620	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1620	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
2580	xk.exe
2696	IExplorer.exe
2876	WINLOGON.EXE
268	CSRSS.EXE
1648	SERVICES.EXE
1528	LSASS.EXE
1164	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 2580	1620	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe	28
PID 1620 wrote to memory of 2580	1620	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe	28
PID 1620 wrote to memory of 2580	1620	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe	28
PID 1620 wrote to memory of 2580	1620	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe	28
PID 1620 wrote to memory of 2696	1620	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe	29
PID 1620 wrote to memory of 2696	1620	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe	29
PID 1620 wrote to memory of 2696	1620	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe	29
PID 1620 wrote to memory of 2696	1620	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe	29
PID 1620 wrote to memory of 2876	1620	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe	30
PID 1620 wrote to memory of 2876	1620	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe	30
PID 1620 wrote to memory of 2876	1620	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe	30
PID 1620 wrote to memory of 2876	1620	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe	30
PID 1620 wrote to memory of 268	1620	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe	31
PID 1620 wrote to memory of 268	1620	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe	31
PID 1620 wrote to memory of 268	1620	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe	31
PID 1620 wrote to memory of 268	1620	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe	31
PID 1620 wrote to memory of 1648	1620	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe	32
PID 1620 wrote to memory of 1648	1620	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe	32
PID 1620 wrote to memory of 1648	1620	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe	32
PID 1620 wrote to memory of 1648	1620	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe	32
PID 1620 wrote to memory of 1528	1620	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe	33
PID 1620 wrote to memory of 1528	1620	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe	33
PID 1620 wrote to memory of 1528	1620	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe	33
PID 1620 wrote to memory of 1528	1620	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe	33
PID 1620 wrote to memory of 1164	1620	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe	34
PID 1620 wrote to memory of 1164	1620	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe	34
PID 1620 wrote to memory of 1164	1620	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe	34
PID 1620 wrote to memory of 1164	1620	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe	34

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1620
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2580
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2696
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2876
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:268
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1648
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1528
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
90KB

MD5
d1f0783816f4a78180ff07c115a760ca

SHA1
5e96d3de564794e2565ad6ce4da60f539725bdb3

SHA256
1bd55ed7ce054b81dc7fffb93751a80a78cc5fbd9ff7cb7dab95d9ed8e2e702c

SHA512
c84606f591b56d7a01e17cd791e44b2cd606ffa7fe685d1e00d653a4bc04e78185236062f813c7a914cfadc691538329cb617698d155c1a4381027539e4bf0a6

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
90KB

MD5
6f852ce453b7450376f8432598d54905

SHA1
b884369f8459de084ee479f5a06bf565293b09f4

SHA256
b160589decadd02f5acf0c87c27070a5221b3cfbe48ad302771e8de14d2f926f

SHA512
c16b557badd6d5cf07e244938dac78d0dbbb39e53c2c82fd711d4aa4b06d3a13db10d868e9b3b47b5dccb0ab6f802cba1554001e2b407c842d7311e4458b8513

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
90KB

MD5
c7c08910097d82602c345146ce16afd0

SHA1
b4904411974aaf7bd3eb2b18d2f2bbda157a62b3

SHA256
1afe4c5827b8578259a78ff48d2349c59bf478a4936e55e53d4ac5e89f4b4a12

SHA512
7fe8a2a4856338dcb1bf3cdb397e4434bcabf31cd01b4e36ad3e93e6a2a622dc8dc7cba3f7d3e4a405f9650acce37094c4ea79b730a91167825b0caec303ed1a

Download Submit
C:\Windows\xk.exe

Filesize
90KB

MD5
3d8846f61fae28e0ec83adc348708ee6

SHA1
63e1dcd6065d4ea39324b8dec787d625d6defc1f

SHA256
7460108bbe370ad11053c3fefb862eda70968c20694066d2fa72074410596763

SHA512
b9f0290a64b05d7bcbf9b45c39858e550f5cee7a245841ff8ac70e17ae6a8ed4eda08cf27b2f8544b1e684dc3f29f0a6a1567ffd7dc58ad4a3fe9175fbfb37b8

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
90KB

MD5
1db4829ae2ed2a9c049fd66dc9ae45bf

SHA1
34f6f882a0682b24d2e25c68b95e3ad8d1d234b7

SHA256
b2186de591353d64636d0e409ed7733ff6cd762509a0ef341a5d0256209c0274

SHA512
bfc5af8afb75347b6351410667557b3559db55ed3fbf3fbb80ebba765902af6e763ba070f9ec5d0a039e5df9702d00a520bba3ee71cb97c30d0535992fc82815

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
90KB

MD5
f568fb952c7a6af22ce7612eed794edc

SHA1
527d910d88a9a9b4534f9df0c2decb27fc036726

SHA256
907b03088c0a96b314a436be296969ff866b48d5f9dc38bc44ac4852df57c0e5

SHA512
67f2bcdb8f4e2a4d22b60d852efbde23f32bbd943bfad6142f7ea5df675bb63cd9e50aac636a85e9f01c3016d59f6e80b037ec8f59d07c5ef43b88fc23267b09

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
90KB

MD5
3c6f98ca8f319758ae58f53a61b5bf24

SHA1
11e444255525b053391615d5147338f35442e930

SHA256
6d9f95ec14dab035119ae7d290ab844243b3359f239503c5d5efa63c55c4e6d8

SHA512
723f086b6f2eb43e24f3e0bab40226509c18aecd81a2c24673c3aa7d8d4f37e995ba6f8eab42513c5cf59357f579f8984913f2ad47ff888991814d9448b2e907

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
90KB

MD5
384867139f4c90c3e0ce25e62741c21d

SHA1
b6f9d7bcd6f5eef9755c4a4af08e07e3b8f4a3d5

SHA256
cd56901cfbd580b2cbe2ee7dffe1bd89b6d23ef61da6598babcf0ecf8d1325a4

SHA512
51427df3bec460a76217f23fca51841a32f4406429e611eee82c40903f56d42cd3ac7ba4b1bf20a9112e1cd90a78e11b729baeeebb4b7511300798e904146c12

Download Submit
memory/268-154-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1164-188-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1528-177-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1620-150-0x00000000004B0000-0x00000000004DF000-memory.dmp

Filesize
188KB

Download
memory/1620-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1620-137-0x00000000004B0000-0x00000000004DF000-memory.dmp

Filesize
188KB

Download
memory/1620-138-0x00000000004B0000-0x00000000004DF000-memory.dmp

Filesize
188KB

Download
memory/1620-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1620-117-0x00000000004B0000-0x00000000004DF000-memory.dmp

Filesize
188KB

Download
memory/1620-110-0x00000000004B0000-0x00000000004DF000-memory.dmp

Filesize
188KB

Download
memory/1620-187-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1620-124-0x00000000004B0000-0x00000000004DF000-memory.dmp

Filesize
188KB

Download
memory/1620-111-0x00000000004B0000-0x00000000004DF000-memory.dmp

Filesize
188KB

Download
memory/1648-164-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2580-115-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2580-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2696-125-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2696-129-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2876-148-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download