Malware Analysis Report

2024-11-16 13:15

Sample ID 240625-31wv7avakj
Target 27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe
SHA256 27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d
Tags
sality backdoor evasion persistence trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d

Threat Level: Known bad

The file 27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion persistence trojan upx

Modifies visibility of hidden/system files in Explorer

UAC bypass

Modifies firewall policy service

Modifies visibility of file extensions in Explorer

Windows security bypass

Sality

Loads dropped DLL

Executes dropped EXE

Windows security modification

UPX packed file

Deletes itself

Adds Run key to start application

Checks whether UAC is enabled

Enumerates connected drives

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

System policy modification

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-25 23:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-25 23:59

Reported

2024-06-26 00:01

Platform

win7-20240508-en

Max time kernel

20s

Max time network

120s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2128 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe C:\Windows\system32\taskhost.exe
PID 2128 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe C:\Windows\system32\Dwm.exe
PID 2128 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 2128 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe
PID 2128 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
PID 2128 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
PID 2128 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
PID 2128 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
PID 2128 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
PID 2128 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
PID 2128 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
PID 2668 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\taskhost.exe
PID 2668 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\Dwm.exe
PID 2668 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe

Network

N/A

Files

memory/2128-0-0x0000000000400000-0x00000000004C0000-memory.dmp

memory/2128-1-0x0000000002630000-0x00000000036BE000-memory.dmp

memory/2128-6-0x0000000002630000-0x00000000036BE000-memory.dmp

memory/2128-8-0x0000000002630000-0x00000000036BE000-memory.dmp

memory/2128-10-0x0000000002630000-0x00000000036BE000-memory.dmp

memory/2128-7-0x0000000002630000-0x00000000036BE000-memory.dmp

memory/2128-13-0x0000000002630000-0x00000000036BE000-memory.dmp

memory/2128-12-0x0000000002630000-0x00000000036BE000-memory.dmp

memory/2128-27-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2128-26-0x0000000000200000-0x0000000000201000-memory.dmp

memory/2128-23-0x0000000000200000-0x0000000000201000-memory.dmp

memory/2128-22-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/1124-14-0x00000000001D0000-0x00000000001D2000-memory.dmp

memory/2128-11-0x0000000002630000-0x00000000036BE000-memory.dmp

memory/2128-9-0x0000000002630000-0x00000000036BE000-memory.dmp

memory/2128-31-0x0000000002630000-0x00000000036BE000-memory.dmp

memory/2128-32-0x0000000002630000-0x00000000036BE000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe

MD5 6f1fefa0d7c9fadfcfe9b410e1b4f310
SHA1 9ce4933ae761a9b409dfc0700869855ed733f57c
SHA256 27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d
SHA512 7ca0e807272c936f6bec72b59e67ed140c6164c8b481bef2fc5bc66b6de381cf66a73ab8fb5ed23eeef0dc11634b62b7b0012fcdfcd21cc3cdde72e10aa97146

memory/2128-54-0x0000000002630000-0x00000000036BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0F7623E5_Rar\rundll32.exe

MD5 2eb5d76180ce7b3241b281fa79ab3483
SHA1 06293dea80e39c7eb7ee2bdb00d60b58d932fa8a
SHA256 e1b9beb4617a720d55afaec364941bb18ea2c456a8b06b30a736f0cbb5c297e8
SHA512 35f553c76fc67afb88a6a090fcbad6af3e2faae154c9c84bd869714194012525a2d42b76dad855805f107a37c351f0de08fd9a03d8ddc1dd400d64640d81b90b

memory/2668-53-0x0000000000400000-0x00000000004C0000-memory.dmp

memory/2128-52-0x000000000A3C0000-0x000000000A480000-memory.dmp

memory/2128-51-0x0000000000400000-0x00000000004C0000-memory.dmp

memory/2128-46-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/2668-64-0x0000000003A30000-0x0000000004ABE000-memory.dmp

memory/2668-60-0x0000000003A30000-0x0000000004ABE000-memory.dmp

memory/2668-78-0x00000000001C0000-0x00000000001C2000-memory.dmp

memory/2668-67-0x0000000003A30000-0x0000000004ABE000-memory.dmp

memory/2668-79-0x00000000001C0000-0x00000000001C2000-memory.dmp

memory/2668-63-0x0000000003A30000-0x0000000004ABE000-memory.dmp

memory/2668-77-0x0000000000A90000-0x0000000000A91000-memory.dmp

memory/2668-65-0x0000000003A30000-0x0000000004ABE000-memory.dmp

memory/2668-61-0x0000000003A30000-0x0000000004ABE000-memory.dmp

memory/2668-66-0x0000000003A30000-0x0000000004ABE000-memory.dmp

memory/2668-62-0x0000000003A30000-0x0000000004ABE000-memory.dmp

memory/2668-58-0x0000000003A30000-0x0000000004ABE000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 c6369cfed89fe9b3de63093017bb4a43
SHA1 4c2667e59afa977a509dc8272a22a7e945a90ac4
SHA256 748735142b8dd8acea066d08e36cf243ab6a68e809d0dc9de7bfa7c353d36958
SHA512 e5cbc6a4d27b42636b7db827056f22714e3cf52ab47e08ce144917b5e1b439679535482aca47b3471d8957b2cc33a894fde50f638ba25366ae0f981dc18c3436

memory/2668-82-0x0000000003A30000-0x0000000004ABE000-memory.dmp

memory/2668-83-0x0000000003A30000-0x0000000004ABE000-memory.dmp

memory/2668-84-0x0000000003A30000-0x0000000004ABE000-memory.dmp

memory/2668-85-0x0000000003A30000-0x0000000004ABE000-memory.dmp

memory/2668-86-0x0000000003A30000-0x0000000004ABE000-memory.dmp

memory/2668-88-0x0000000003A30000-0x0000000004ABE000-memory.dmp

memory/2668-89-0x0000000003A30000-0x0000000004ABE000-memory.dmp

memory/2668-120-0x0000000003A30000-0x0000000004ABE000-memory.dmp

memory/2668-147-0x00000000001C0000-0x00000000001C2000-memory.dmp

F:\pdwmjy.pif

MD5 c33026732e02972ec90c20d0870f5aaf
SHA1 88369da23b891340358e9ad578668643732b8896
SHA256 e7438387d96500824838bfa9f3457b51beb9905a7648244a91bfa55c2e12cc7d
SHA512 c9eee3733773e3ce810e2f53904b6932369ea697e49e9e620ebcd408a84efc58d4f5f2900e5dc456fd1eb7331ebe73777eefb7c8ff4e2eb141396c66da6de959

memory/2668-209-0x0000000003A30000-0x0000000003ABD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-25 23:59

Reported

2024-06-26 00:01

Platform

win10v2004-20240508-en

Max time kernel

22s

Max time network

151s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
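The registry rows in the tables above (EnableLUA set to "0", the Security Center *Override and *DisableNotify values set to "1", the Svc subkey created, and the Run value pointing at the copy under AppData) are the part of this report that transfers most directly into a host or log check. The following is an added example, not part of the sandbox report and not the sandbox's own code: a Python parser for rows in exactly this layout, plus an audit that turns them into findings with an ATT&CK technique assigned here rather than taken from the report. The sample rows are a subset of the tables above with the sample's long path shortened to sample.exe; the final EnableLUA = "1" row written by svchost.exe is a constructed control row, not from the report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: a subset of the registry rows from the signature tables above.
# The long sample path is shortened to "sample.exe", and one control row (EnableLUA
# set back to "1" by svchost.exe) is added so that a non-finding is visible.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\System32\svchost.exe N/A
"""

# One signature row: operation, native registry path (may contain spaces),
# optional quoted value, writing process, and the trailing "N/A" target column.
ROW_RE = re.compile(
    r'^(?P<op>Set value \((?:int|str)\)|Key created) '
    r'(?P<key>\\REGISTRY\\.+?)'
    r'(?: = "(?P<value>.*?)")? '
    r'(?P<process>[A-Za-z]:\\\S+) N/A$'
)


@dataclass(frozen=True)
class RegEvent:
    op: str                 # "Set value (int)", "Set value (str)" or "Key created"
    key: str                # full native path, e.g. \REGISTRY\MACHINE\SOFTWARE\...
    value: Optional[str]    # None for "Key created" rows
    process: str            # image that performed the write


def parse_rows(text: str) -> List[RegEvent]:
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue                      # blank line or a row type not handled here
        value = m.group("value")
        if value is not None:
            value = value.replace("\\\\", "\\")   # the report doubles backslashes in quoted values
        events.append(RegEvent(m.group("op"), m.group("key"), value, m.group("process")))
    return events


# Security Center flags that, when set to 1, silence AV/firewall/update/UAC alerting.
SECURITY_CENTER_FLAGS = {
    "AntiVirusOverride", "AntiVirusDisableNotify",
    "FirewallOverride", "FirewallDisableNotify",
    "UpdatesDisableNotify", "UacDisableNotify",
}


def audit(events: List[RegEvent]) -> List[Tuple[str, str]]:
    """Return (ATT&CK technique, message) pairs. The technique mapping is assigned
    here, not taken from the report."""
    findings = []
    for ev in events:
        name = ev.key.rsplit("\\", 1)[-1]
        key_l = ev.key.lower()
        val_l = (ev.value or "").lower()
        if name == "EnableLUA" and ev.value == "0":
            findings.append(("T1548.002", f"UAC disabled (EnableLUA=0) by {ev.process}"))
        elif "\\security center\\" in key_l and ev.op == "Key created":
            findings.append(("T1562.001", f"Security Center subkey '{name}' created by {ev.process}"))
        elif "\\security center\\" in key_l and name in SECURITY_CENTER_FLAGS and ev.value == "1":
            findings.append(("T1562.001", f"Security Center alerting suppressed ({name}=1) by {ev.process}"))
        elif "\\currentversion\\run\\" in key_l and "\\appdata\\" in val_l:
            findings.append(("T1547.001", f"Run value '{name}' -> {ev.value} set by {ev.process}"))
    return findings


if __name__ == "__main__":
    for technique, message in audit(parse_rows(SAMPLE_ROWS)):
        print(technique, message)
```

To run it over the full tables, paste the rows into SAMPLE_ROWS; the control row shows that the same key written with the expected value produces no finding. One caveat for anyone reproducing the UAC check on a live host: a change to EnableLUA only takes effect after a restart, so the process that wrote it has not bypassed a prompt in the current session; the write itself, from a binary under a user profile, is still a high-confidence indicator on its own.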

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\U: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege (64 identical events) N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4060 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 4060 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe C:\Windows\system32\fontdrvhost.exe
PID 4060 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe C:\Windows\system32\dwm.exe
PID 4060 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe C:\Windows\system32\sihost.exe
PID 4060 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 4060 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe C:\Windows\system32\taskhostw.exe
PID 4060 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe C:\Windows\Explorer.EXE
PID 4060 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe C:\Windows\system32\svchost.exe
PID 4060 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe C:\Windows\system32\DllHost.exe
PID 4060 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4060 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 4060 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4060 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 4060 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe
PID 4060 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4060 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
PID 4060 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
PID 4060 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
PID 3484 wrote to memory of 796 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\fontdrvhost.exe
PID 3484 wrote to memory of 804 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\fontdrvhost.exe
PID 3484 wrote to memory of 316 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\dwm.exe
PID 3484 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\sihost.exe
PID 3484 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\svchost.exe
PID 3484 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\taskhostw.exe
PID 3484 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\Explorer.EXE
PID 3484 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\svchost.exe
PID 3484 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\DllHost.exe
PID 3484 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3484 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\System32\RuntimeBroker.exe
PID 3484 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3484 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\System32\RuntimeBroker.exe
PID 3484 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\System32\RuntimeBroker.exe
PID 3484 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
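Read as a whole, the WriteProcessMemory table shows two writers, the original sample (PID 4060) and its dropped copy (PID 3484), hitting the same set of user-session processes, with three writes from 4060 into 3484 before 3484 starts writing on its own. The following is an added example, not part of the report and not the sandbox's code: a Python parser for rows in this layout that builds the writer-to-target map, finds the hand-off from original to copy, and lists targets written by more than one source. The rows are a subset of the table above with the sample's long path shortened to sample.exe.

```python
import re
from collections import Counter
from dataclasses import dataclass
from ntpath import basename           # Windows path handling, works on any host
from typing import Dict, List, Set, Tuple

# Constructed input: a subset of the WriteProcessMemory rows above, with the long
# sample path shortened to "sample.exe". The three writes into PID 3484 are kept.
SAMPLE_WRITES = r"""
PID 4060 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\system32\fontdrvhost.exe
PID 4060 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\system32\dwm.exe
PID 4060 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\Explorer.EXE
PID 4060 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
PID 4060 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
PID 4060 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
PID 3484 wrote to memory of 796 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\fontdrvhost.exe
PID 3484 wrote to memory of 316 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\system32\dwm.exe
PID 3484 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe C:\Windows\Explorer.EXE
"""

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


@dataclass(frozen=True)
class Write:
    src_pid: int
    dst_pid: int
    src_image: str
    dst_image: str


def parse_writes(text: str) -> List[Write]:
    writes = []
    for line in text.splitlines():
        m = WRITE_RE.match(line.strip())
        if m:
            src, dst, src_img, dst_img = m.groups()
            writes.append(Write(int(src), int(dst), src_img, dst_img))
    return writes


def is_windows_binary(image: str) -> bool:
    return image.lower().startswith("c:\\windows\\")


def writes_by_source(writes: List[Write]) -> Dict[int, Counter]:
    """Per writing PID, how many writes went into each target image (basename)."""
    out: Dict[int, Counter] = {}
    for w in writes:
        out.setdefault(w.src_pid, Counter())[basename(w.dst_image)] += 1
    return out


def handoffs(writes: List[Write]) -> List[Tuple[int, int]]:
    """(src, dst) pairs where the target is not a Windows binary and itself appears
    as a writer: the original seeding its dropped copy before the copy takes over."""
    sources = {w.src_pid for w in writes}
    pairs: List[Tuple[int, int]] = []
    for w in writes:
        pair = (w.src_pid, w.dst_pid)
        if w.dst_pid in sources and not is_windows_binary(w.dst_image) and pair not in pairs:
            pairs.append(pair)
    return pairs


def shared_targets(writes: List[Write]) -> Dict[int, Set[int]]:
    """Target PIDs written by more than one source, with the set of sources."""
    by_target: Dict[int, Set[int]] = {}
    for w in writes:
        by_target.setdefault(w.dst_pid, set()).add(w.src_pid)
    return {pid: srcs for pid, srcs in by_target.items() if len(srcs) > 1}


def system_targets(writes: List[Write]) -> List[str]:
    """Distinct Windows binaries that received writes, by basename."""
    return sorted({basename(w.dst_image) for w in writes if is_windows_binary(w.dst_image)},
                  key=str.lower)


if __name__ == "__main__":
    ws = parse_writes(SAMPLE_WRITES)
    for src, counts in writes_by_source(ws).items():
        print(src, dict(counts))
    print("handoffs:", handoffs(ws))
    print("shared targets:", shared_targets(ws))
```

The hand-off test deliberately requires the target to live outside C:\Windows\ and to appear as a writer itself; that separates the dropped copy from the system processes, which receive writes but never act as sources. Several of those targets (dwm.exe, fontdrvhost.exe) run under separate service accounts rather than the logged-on user, which is what the SeDebugPrivilege adjustments listed earlier are for: without that privilege the sample could not obtain a write handle to them.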

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 52.111.229.48:443 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp

Files

memory/4060-0-0x0000000000400000-0x00000000004C0000-memory.dmp

memory/4060-1-0x00000000034C0000-0x000000000454E000-memory.dmp

memory/4060-8-0x00000000034C0000-0x000000000454E000-memory.dmp

memory/4060-3-0x00000000034C0000-0x000000000454E000-memory.dmp

memory/4060-13-0x0000000001840000-0x0000000001842000-memory.dmp

memory/4060-17-0x0000000001840000-0x0000000001842000-memory.dmp

memory/4060-14-0x00000000034C0000-0x000000000454E000-memory.dmp

memory/4060-15-0x00000000034C0000-0x000000000454E000-memory.dmp

memory/4060-12-0x00000000034C0000-0x000000000454E000-memory.dmp

memory/4060-9-0x00000000034C0000-0x000000000454E000-memory.dmp

memory/4060-11-0x00000000018C0000-0x00000000018C1000-memory.dmp

memory/4060-10-0x0000000001840000-0x0000000001842000-memory.dmp

memory/4060-16-0x00000000034C0000-0x000000000454E000-memory.dmp

memory/4060-18-0x00000000034C0000-0x000000000454E000-memory.dmp

memory/4060-20-0x00000000034C0000-0x000000000454E000-memory.dmp

memory/4060-21-0x00000000034C0000-0x000000000454E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe

MD5 6f1fefa0d7c9fadfcfe9b410e1b4f310
SHA1 9ce4933ae761a9b409dfc0700869855ed733f57c
SHA256 27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d
SHA512 7ca0e807272c936f6bec72b59e67ed140c6164c8b481bef2fc5bc66b6de381cf66a73ab8fb5ed23eeef0dc11634b62b7b0012fcdfcd21cc3cdde72e10aa97146

memory/4060-24-0x00000000034C0000-0x000000000454E000-memory.dmp

memory/4060-33-0x00000000034C0000-0x000000000454E000-memory.dmp

memory/3484-28-0x0000000000400000-0x00000000004C0000-memory.dmp

memory/4060-43-0x0000000000400000-0x00000000004C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0E5750A0_Rar\rundll32.exe

MD5 2eb5d76180ce7b3241b281fa79ab3483
SHA1 06293dea80e39c7eb7ee2bdb00d60b58d932fa8a
SHA256 e1b9beb4617a720d55afaec364941bb18ea2c456a8b06b30a736f0cbb5c297e8
SHA512 35f553c76fc67afb88a6a090fcbad6af3e2faae154c9c84bd869714194012525a2d42b76dad855805f107a37c351f0de08fd9a03d8ddc1dd400d64640d81b90b

C:\Windows\SYSTEM.INI

MD5 75d575952bde9cd7acbb405cb250ca13
SHA1 63177c93ca4fece85cda26d4a9460e8f43ea4a89
SHA256 1c04ed851a2967b5ae387ec2129722c88b42dcfc18ac7ccdf9a297365d79b2b6
SHA512 5ea40355b61a9a363ec22bf9d61fe144a51c3b64c16324577dc5b2a745f277ac21c7ee0a572854aeb1442504ca52e456974a3e8865bf4eccfe2496804c27b6cb

memory/3484-50-0x0000000004EC0000-0x0000000005F4E000-memory.dmp

memory/3484-49-0x0000000004EC0000-0x0000000005F4E000-memory.dmp

memory/3484-59-0x0000000006C50000-0x0000000006C52000-memory.dmp

memory/3484-58-0x0000000004EC0000-0x0000000005F4E000-memory.dmp

memory/3484-54-0x0000000004EC0000-0x0000000005F4E000-memory.dmp

memory/3484-51-0x0000000004EC0000-0x0000000005F4E000-memory.dmp

memory/3484-61-0x0000000006C50000-0x0000000006C52000-memory.dmp

memory/3484-60-0x0000000004EC0000-0x0000000005F4E000-memory.dmp

memory/3484-53-0x00000000071A0000-0x00000000071A1000-memory.dmp

memory/3484-57-0x0000000004EC0000-0x0000000005F4E000-memory.dmp

memory/3484-56-0x0000000004EC0000-0x0000000005F4E000-memory.dmp

memory/3484-47-0x0000000004EC0000-0x0000000005F4E000-memory.dmp

memory/3484-55-0x0000000004EC0000-0x0000000005F4E000-memory.dmp

memory/3484-65-0x0000000004EC0000-0x0000000005F4E000-memory.dmp

memory/3484-64-0x0000000004EC0000-0x0000000005F4E000-memory.dmp

memory/3484-66-0x0000000004EC0000-0x0000000005F4E000-memory.dmp

memory/3484-68-0x0000000004EC0000-0x0000000005F4E000-memory.dmp

memory/3484-67-0x0000000004EC0000-0x0000000005F4E000-memory.dmp

memory/3484-70-0x0000000004EC0000-0x0000000005F4E000-memory.dmp

memory/3484-71-0x0000000004EC0000-0x0000000005F4E000-memory.dmp

memory/3484-72-0x0000000004EC0000-0x0000000005F4E000-memory.dmp

memory/3484-73-0x0000000004EC0000-0x0000000005F4E000-memory.dmp

memory/3484-75-0x0000000004EC0000-0x0000000005F4E000-memory.dmp

memory/3484-77-0x0000000004EC0000-0x0000000005F4E000-memory.dmp

memory/3484-79-0x0000000004EC0000-0x0000000005F4E000-memory.dmp

memory/3484-82-0x0000000004EC0000-0x0000000005F4E000-memory.dmp

memory/3484-84-0x0000000004EC0000-0x0000000005F4E000-memory.dmp

memory/3484-86-0x0000000004EC0000-0x0000000005F4E000-memory.dmp

memory/3484-98-0x0000000004EC0000-0x0000000005F4E000-memory.dmp

memory/3484-117-0x0000000006C50000-0x0000000006C52000-memory.dmp

C:\jjyygm.exe

MD5 1021a452feb2beaf0676a7e819f0b9b6
SHA1 c542357f5e064d78885cee18adb5fb5fa63d2f93
SHA256 aeba94164a4d97cad412c59db1068c2655405dead1d4cc6ed4e29fa703b5ffed
SHA512 4a89c6e70fdebc8b30236410ffb5d7717d0689d8ea792d7a357766e7c5a63731944fbe56f7fc815d621b0d8a5aadf439359e30afcb2d08640ea6001eb461547e

memory/3484-143-0x0000000000400000-0x00000000004C0000-memory.dmp

memory/3484-144-0x0000000004EC0000-0x0000000005F4E000-memory.dmp
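The Files section above mixes two kinds of artefact in one list: dropped or modified files with their hashes, and memory dumps whose names encode the PID and the address range. Two things stand out once they are compared rather than read one by one: the copy written to C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe has the same SHA256 as the submitted sample, so the Run value launches a byte-identical copy, and the large region dumped from PID 4060 (0x34C0000-0x454E000) and from PID 3484 (0x4EC0000-0x5F4E000) has the same size in both processes. The following is an added example, not part of the report and not the sandbox's code: a Python parser for this section that classifies each file against the sample hash and groups the dump regions per PID. The input is a subset of the section above with the SHA512 lines omitted.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# SHA256 of the submitted sample, from the report header.
SAMPLE_SHA256 = "27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d"

# Constructed input: a subset of the Files section above (SHA512 lines left out;
# the parser accepts them).
SAMPLE_FILES = r"""
memory/4060-0-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/4060-1-0x00000000034C0000-0x000000000454E000-memory.dmp
memory/4060-8-0x00000000034C0000-0x000000000454E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Office\rundll32.exe
MD5 6f1fefa0d7c9fadfcfe9b410e1b4f310
SHA1 9ce4933ae761a9b409dfc0700869855ed733f57c
SHA256 27a4495eb63c13bbe2f8de34ed43b12fa2b27541d693f0830d3935548924c93d
memory/3484-28-0x0000000000400000-0x00000000004C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0E5750A0_Rar\rundll32.exe
SHA256 e1b9beb4617a720d55afaec364941bb18ea2c456a8b06b30a736f0cbb5c297e8
C:\Windows\SYSTEM.INI
MD5 75d575952bde9cd7acbb405cb250ca13
SHA256 1c04ed851a2967b5ae387ec2129722c88b42dcfc18ac7ccdf9a297365d79b2b6
memory/3484-50-0x0000000004EC0000-0x0000000005F4E000-memory.dmp
C:\jjyygm.exe
SHA256 aeba94164a4d97cad412c59db1068c2655405dead1d4cc6ed4e29fa703b5ffed
"""

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9A-Fa-f]+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


@dataclass
class FileRecord:
    path: str
    hashes: Dict[str, str] = field(default_factory=dict)


@dataclass(frozen=True)
class MemDump:
    pid: int
    seq: int
    start: int
    end: int


def parse_files(text: str) -> Tuple[List[FileRecord], List[MemDump]]:
    files: List[FileRecord] = []
    dumps: List[MemDump] = []
    current = None                          # file record that following hash lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append(MemDump(int(pid), int(seq), int(start, 16), int(end, 16)))
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None or len(digest) != HEX_LEN[algo]:
                raise ValueError(f"hash line out of place or malformed: {line}")
            current.hashes[algo] = digest
            continue
        if PATH_RE.match(line):
            current = FileRecord(line)
            files.append(current)
            continue
        raise ValueError(f"unrecognised line: {line}")
    return files, dumps


def classify(files: List[FileRecord], sample_sha256: str) -> Dict[str, str]:
    """Self-copy (same SHA256 as the sample), modified system file, or new payload."""
    verdicts = {}
    for f in files:
        if f.hashes.get("SHA256") == sample_sha256.lower():
            verdicts[f.path] = "self-copy"
        elif f.path.lower().startswith("c:\\windows\\"):
            verdicts[f.path] = "modified system file"
        else:
            verdicts[f.path] = "dropped payload"
    return verdicts


def regions_by_pid(dumps: List[MemDump]) -> Dict[int, List[Tuple[int, int, int]]]:
    """Distinct (start, end, size) regions per PID, largest first; repeated dumps
    of the same range collapse to one entry."""
    per: Dict[int, Set[Tuple[int, int]]] = {}
    for d in dumps:
        per.setdefault(d.pid, set()).add((d.start, d.end))
    return {pid: sorted(((s, e, e - s) for s, e in regs), key=lambda r: -r[2])
            for pid, regs in per.items()}


def sizes_common_to_all(regions: Dict[int, List[Tuple[int, int, int]]]) -> Set[int]:
    """Region sizes present in every PID; a match between original and copy is the
    first hint that the same runtime payload was mapped in each."""
    sets = [{r[2] for r in regs} for regs in regions.values()]
    return set.intersection(*sets) if sets else set()


if __name__ == "__main__":
    files, dumps = parse_files(SAMPLE_FILES)
    for path, verdict in classify(files, SAMPLE_SHA256).items():
        print(f"{verdict:22s} {path}")
    regions = regions_by_pid(dumps)
    print({pid: [f"{s:#x}-{e:#x} ({size:#x})" for s, e, size in regs] for pid, regs in regions.items()})
    print("sizes in both:", [hex(s) for s in sorted(sizes_common_to_all(regions))])
```

The region comparison is the practical check for a packed sample: the range at the default image base (0x400000-0x4C0000) is the mapped executable in both processes, while the 0x108E000-byte region sits at a runtime-allocated address that differs between the two PIDs but has the same size in each, which makes those two dumps the first candidates to carve and scan rather than the UPX-packed file on disk. C:\jjyygm.exe and the 0E5750A0_Rar\rundll32.exe copy hash differently from the sample and should be triaged as separate artefacts.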