Analysis Overview
SHA256
65c2b73eb85ec28d5b374fe34c805911f1c7295caee7308651cf1b33935fb0bd
Threat Level: Known bad
The file 65c2b73eb85ec28d5b374fe34c805911f1c7295caee7308651cf1b33935fb0bd_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
Modifies visibility of file extensions in Explorer
Adds policy Run key to start application
Executes dropped EXE
Impair Defenses: Safe Mode Boot
Checks computer location settings
Loads dropped DLL
Adds Run key to start application
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Modifies registry key
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-26 07:24
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 07:24
Reported
2024-06-26 07:26
Platform
win7-20240419-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\AppData\Local\Temp\65c2b73eb85ec28d5b374fe34c805911f1c7295caee7308651cf1b33935fb0bd_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\windows\hosts.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\windows\hosts.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\65c2b73eb85ec28d5b374fe34c805911f1c7295caee7308651cf1b33935fb0bd_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\UIBNQNMA = "W_X_C.bat" | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\UIBNQNMA = "W_X_C.bat" | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\UIBNQNMA = "W_X_C.bat" | C:\Windows\SysWOW64\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Windows\SysWOW64\REG.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Windows\SysWOW64\REG.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | C:\Windows\SysWOW64\REG.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\65c2b73eb85ec28d5b374fe34c805911f1c7295caee7308651cf1b33935fb0bd_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\65c2b73eb85ec28d5b374fe34c805911f1c7295caee7308651cf1b33935fb0bd_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | C:\Users\Admin\AppData\Local\Temp\65c2b73eb85ec28d5b374fe34c805911f1c7295caee7308651cf1b33935fb0bd_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | C:\windows\hosts.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\windows\W_X_C.vbs | C:\Users\Admin\AppData\Local\Temp\65c2b73eb85ec28d5b374fe34c805911f1c7295caee7308651cf1b33935fb0bd_NeikiAnalytics.exe | N/A |
| File created | \??\c:\windows\W_X_C.bat | C:\Users\Admin\AppData\Local\Temp\65c2b73eb85ec28d5b374fe34c805911f1c7295caee7308651cf1b33935fb0bd_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\hosts.exe | C:\Users\Admin\AppData\Local\Temp\65c2b73eb85ec28d5b374fe34c805911f1c7295caee7308651cf1b33935fb0bd_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\hosts.exe | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| File opened for modification | C:\Windows\hosts.exe | C:\windows\hosts.exe | N/A |
Enumerates physical storage devices
Modifies registry key
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\65c2b73eb85ec28d5b374fe34c805911f1c7295caee7308651cf1b33935fb0bd_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\65c2b73eb85ec28d5b374fe34c805911f1c7295caee7308651cf1b33935fb0bd_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\65c2b73eb85ec28d5b374fe34c805911f1c7295caee7308651cf1b33935fb0bd_NeikiAnalytics.exe"
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\W_X_C.bat
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\W_X_C.bat
C:\windows\hosts.exe
C:\windows\hosts.exe
C:\windows\hosts.exe
C:\windows\hosts.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\W_X_C.bat
C:\windows\hosts.exe
C:\windows\hosts.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
Network
Files
\Users\Admin\AppData\Local\Temp\avscan.exe
| MD5 | a4959c0e92883118ab272cfcdda0f1a5 |
| SHA1 | f8d555d6029d46f0dfe4bf65ae32dfd4d61fcc93 |
| SHA256 | 7ba472b5d688e38025387d27ce47bdd8cc0ca533ae6755c5ef756d24dab0d44b |
| SHA512 | a1b97ce682dfc4572671d2acd61266eb0ee8c9e0b81037a356b22180d4db7427ea0071fd657f1e23ed8c8fba236ede593949af8811ef2b7697f0487207dd6c39 |
C:\Windows\hosts.exe
| MD5 | 74e6e2b37f2b9d08e495d9a696d40a50 |
| SHA1 | 9ebb046c7fc20487c0c84aae619325036e232380 |
| SHA256 | 4b6886fd0f8d8aa04363c252560a0e8625930b51008aea54c5a93c1e8fb67257 |
| SHA512 | e88c7fe6138b6e87d6240ed39969348ee14ce6a88e77c53e36a7c4ded61632800e3709a929828ee3c127ee89d67143bee9c8c082766721f01faa54c505ff22aa |
\??\c:\windows\W_X_C.bat
| MD5 | 4db9f8b6175722b62ececeeeba1ce307 |
| SHA1 | 3b3ba8414706e72a6fa19e884a97b87609e11e47 |
| SHA256 | d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78 |
| SHA512 | 1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b |
memory/2824-57-0x0000000002520000-0x0000000002620000-memory.dmp
memory/2824-56-0x0000000002520000-0x0000000002620000-memory.dmp
C:\Windows\W_X_C.vbs
| MD5 | b560f5eb12649ae9de609189bee7d86b |
| SHA1 | b621a1403d3134d759de734acb91fdb61601f5cc |
| SHA256 | d4b5384e61f2c30996731ebc65667207f993885ef00009c38158641a81e848de |
| SHA512 | 61024bc29c8663382f18ca843188751298d8de3df1c79526b67521d969ea110e62aaf4e6cb60cc8796a68f90ba557a4c7e2c4db0d80c161db3b4a1d3910b7f4f |
memory/1684-75-0x0000000000230000-0x0000000000240000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
| MD5 | 37927b39114c91da7cd81db625fe912f |
| SHA1 | fd96b05bf8c3aa95da4e8257912ac3a441294c88 |
| SHA256 | 317877d4a170edc52366ecc33e00bdf0e3e90d890b87bf03ee90cc3681f8a617 |
| SHA512 | 1d6cced17101f76afe812132977a6fb82115428303c094b8e1894d4c95e71886478e0a7173f2910919b47438c8c55703a5f9b20312d60d520409682a108698ab |
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
| MD5 | cefae30410baea364fda58d7c73bca5d |
| SHA1 | 1555e01e42bf8cbeaaead025a5e6ae0286987724 |
| SHA256 | 01dc624ee8c3ed52414acdf6b6b6b757a01adab1925071caff65f1adf5b6a39f |
| SHA512 | 2263d3a5bc9f8415892f120d737cfcc905be4420f89b945b3641d4822475ac4efe84c448cc82f98c7012e9e53caa29aee5fd7f80fa5ee123c77a08b6c2cdefcb |
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
| MD5 | 18435980eac6cdfa838355e7cf4cdb2f |
| SHA1 | c0e379e1ff1c7ba467ce85b335c29e29ce7d39c6 |
| SHA256 | a8b6ac0ff98d62c576e76f5f0d2cc6fa1d75596a124e97bd05ce429ed176b85c |
| SHA512 | d7d1dae1530d7e819e5e95738f3798555ed9bf88a3a7fce1164bdd92c3e4c9b41c6ac2e00265d07030151daa6b18df8b125687875b36369f94c7752f9a8b7177 |
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
| MD5 | 8ef0940526cd5db91a02ac7b8ea22cfe |
| SHA1 | 7ad8c30375cdac70ef5083dc33c1d8d214a8a89b |
| SHA256 | bae9dc827153b54a6dca77d421261bf300e6affdfbcf36bd160b1d7901e4411b |
| SHA512 | c9ae6dbde6b25b94f723467e478b9060bcedc87ecf26d6ad798c8d873a8becdf743a5f10f88a251bd873e4496ce871e2bb7e7f6cb2190fea4a9ab9cfabd3013c |
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
| MD5 | 15995b17c120a93494012dd66309b19e |
| SHA1 | bcc81021b27c4846fec49e5472c4593684b02d2d |
| SHA256 | ddfddbd370a0b2071a160ad3877f82b57d7f474a70fc72ce50db80c156d1efd6 |
| SHA512 | 638a5747584927215429f603dd32b6bf8fdf576269a94d4c6e19c443c0e692d0cdadbefe3e39c877e6d85c59f20965aec424b25fc527235f5485977b46e38fb0 |
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
| MD5 | 0f3a4da96578b131b33ff4c66ac4033c |
| SHA1 | 0c16770226ee162286aba26c69c21b10d468d709 |
| SHA256 | a101cf1f044beb48a3285dc8af79a26f318783dd1cb8bbbf273c6d01db7309e3 |
| SHA512 | f9f6e3b48f4ae7b055aec4ee14f028b58850bf03eed9a80f0a0823b7d68b96299b7d0c7d3ce692af1165db4b6cc31f17cc6c7dae2dc46cfac08ba1505569ee6c |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 07:24
Reported
2024-06-26 07:26
Platform
win10v2004-20240611-en
Max time kernel
128s
Max time network
99s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\AppData\Local\Temp\65c2b73eb85ec28d5b374fe34c805911f1c7295caee7308651cf1b33935fb0bd_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\windows\hosts.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\65c2b73eb85ec28d5b374fe34c805911f1c7295caee7308651cf1b33935fb0bd_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\windows\hosts.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ENXQHETB = "W_X_C.bat" | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ENXQHETB = "W_X_C.bat" | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ENXQHETB = "W_X_C.bat" | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\WScript.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | C:\Windows\SysWOW64\REG.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | C:\Windows\SysWOW64\REG.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | C:\Windows\SysWOW64\REG.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Windows\SysWOW64\REG.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Windows\SysWOW64\REG.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | C:\Windows\SysWOW64\REG.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | C:\Users\Admin\AppData\Local\Temp\65c2b73eb85ec28d5b374fe34c805911f1c7295caee7308651cf1b33935fb0bd_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | C:\windows\hosts.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\windows\W_X_C.vbs | C:\Users\Admin\AppData\Local\Temp\65c2b73eb85ec28d5b374fe34c805911f1c7295caee7308651cf1b33935fb0bd_NeikiAnalytics.exe | N/A |
| File created | \??\c:\windows\W_X_C.bat | C:\Users\Admin\AppData\Local\Temp\65c2b73eb85ec28d5b374fe34c805911f1c7295caee7308651cf1b33935fb0bd_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\hosts.exe | C:\Users\Admin\AppData\Local\Temp\65c2b73eb85ec28d5b374fe34c805911f1c7295caee7308651cf1b33935fb0bd_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\hosts.exe | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| File opened for modification | C:\Windows\hosts.exe | C:\windows\hosts.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\65c2b73eb85ec28d5b374fe34c805911f1c7295caee7308651cf1b33935fb0bd_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\65c2b73eb85ec28d5b374fe34c805911f1c7295caee7308651cf1b33935fb0bd_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\65c2b73eb85ec28d5b374fe34c805911f1c7295caee7308651cf1b33935fb0bd_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\65c2b73eb85ec28d5b374fe34c805911f1c7295caee7308651cf1b33935fb0bd_NeikiAnalytics.exe"
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\windows\hosts.exe
C:\windows\hosts.exe
C:\windows\hosts.exe
C:\windows\hosts.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
C:\windows\hosts.exe
C:\windows\hosts.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\avscan.exe
| MD5 | 5e0bf5587770026e10c8d56ddc72c9b5 |
| SHA1 | a0409049170c277ab66f179d251aa0c304c7e941 |
| SHA256 | 290b2a042c9dc5dcf313383a679026f7a6962012132437d355ef33dd904e05b6 |
| SHA512 | 185b9dd7df9c4a4e98fe92e2d05e9d9b2e4513e62c5c02e8f1e391f74ed5f1a59dbe68f3ffe3b6b478de392969746b61b379b800e0d09eb811b2530d8bb867c0 |
C:\Windows\hosts.exe
| MD5 | 0c7ea8bdf6f973fb93a84078dfe58e16 |
| SHA1 | 8e4760f5c8a699af09a5e4de20ee0c0214533a88 |
| SHA256 | d856854c07ac7b351d0999f27628d7a20c563b10c9a2f5867bea453a3170beef |
| SHA512 | 92cb8a5d046007a6a429d0ba48376f9706b89a0317427e654e27278c1f1f69e96a711145d15cabe5302e767e3f945dd97c35c9f3c6575822a661d026c8074130 |
\??\c:\windows\W_X_C.bat
| MD5 | 4db9f8b6175722b62ececeeeba1ce307 |
| SHA1 | 3b3ba8414706e72a6fa19e884a97b87609e11e47 |
| SHA256 | d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78 |
| SHA512 | 1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b |
C:\Windows\W_X_C.vbs
| MD5 | 1037a3f26ea204e975ce9b80057454c9 |
| SHA1 | b22c9b474d7e673cf96400addc51c4cc6f539d8b |
| SHA256 | 0188d783fbd81cfca2cb417420a1a9855003300a1a6cc4470bbf72684b338e2f |
| SHA512 | f48e76ec3263320f9e7661c14a1315df32e670efe8c8a8a8f8b0a8c26943fd08f65cc2566aac1ac89598b4f0f9127180da5dbf25749accbd142654ecb9c820b3 |