sality | a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 1 IoCs

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

Processes:

a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe

Windows security bypass 2 TTPs 6 IoCs

Disable or Modify Tools

Modify Registry

Processes:

a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe

Drops startup file 2 IoCs

Processes:

W43152D.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\898F04.lnk	W43152D.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\898F04.lnk	W43152D.EXE

Executes dropped EXE 2 IoCs

Processes:

W43152D.EXENT-D4F6FF87.EXE

pid process

1064 W43152D.EXE
2512 NT-D4F6FF87.EXE

pid	process
1064	W43152D.EXE
2512	NT-D4F6FF87.EXE

Loads dropped DLL 13 IoCs

Processes:

a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exeW43152D.EXENT-D4F6FF87.EXE

pid	process
2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
1064	W43152D.EXE
1064	W43152D.EXE
1064	W43152D.EXE
1064	W43152D.EXE
1064	W43152D.EXE
1064	W43152D.EXE
1064	W43152D.EXE
2512	NT-D4F6FF87.EXE
2512	NT-D4F6FF87.EXE
2512	NT-D4F6FF87.EXE

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2524-3-0x0000000002270000-0x000000000332A000-memory.dmp	upx
behavioral2/memory/2524-12-0x0000000002270000-0x000000000332A000-memory.dmp	upx
behavioral2/memory/2524-14-0x0000000002270000-0x000000000332A000-memory.dmp	upx
behavioral2/memory/2524-24-0x0000000002270000-0x000000000332A000-memory.dmp	upx
behavioral2/memory/2524-15-0x0000000002270000-0x000000000332A000-memory.dmp	upx
behavioral2/memory/2524-27-0x0000000002270000-0x000000000332A000-memory.dmp	upx
behavioral2/memory/2524-29-0x0000000002270000-0x000000000332A000-memory.dmp	upx
behavioral2/memory/2524-4-0x0000000002270000-0x000000000332A000-memory.dmp	upx
behavioral2/memory/2524-25-0x0000000002270000-0x000000000332A000-memory.dmp	upx
behavioral2/memory/2524-9-0x0000000002270000-0x000000000332A000-memory.dmp	upx
behavioral2/memory/2524-1-0x0000000002270000-0x000000000332A000-memory.dmp	upx
behavioral2/memory/2524-76-0x0000000002270000-0x000000000332A000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

Disable or Modify Tools

Modify Registry

Processes:

a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

NT-D4F6FF87.EXE

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\A04925 = "C:\\Windows\\SysWOW64\\1110cc\\W43152D.EXE" NT-D4F6FF87.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\A04925 = "C:\\Windows\\SysWOW64\\1110cc\\W43152D.EXE"	NT-D4F6FF87.EXE

Checks whether UAC is enabled 1 TTPs 1 IoCs

System Information Discovery

T1082

Processes:

a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe

Drops file in System32 directory 10 IoCs

Processes:

a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exeW43152D.EXE

description	ioc	process
File created	C:\Windows\SysWOW64\1110cc\krnln.fnr	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\1110cc\W43152D.EXE	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\1110cc\internet.fne	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\1110cc\8c22dc40.txt	W43152D.EXE
File created	C:\Windows\SysWOW64\1110cc\NT-D4F6FF87.EXE	W43152D.EXE
File created	C:\Windows\SysWOW64\1110cc\dp1.fne	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\1110cc\eAPI.fne	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\1110cc\HtmlView.fne	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\1110cc\W43152D.TXT	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\1110cc\8c22dc40.txt	W43152D.EXE

Drops file in Windows directory 2 IoCs

Processes:

a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\e573548	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
File opened for modification	C:\Windows\SYSTEM.INI	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies registry class 35 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 7800310000000000cb58ac941100557365727300640009000400efbe874f7748dc589d952e000000c70500000000010000000000000000003a0000000000ec41130055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 5000310000000000cb58b49610004c6f63616c003c0009000400efbecb58ac94dc589d952e00000096e101000000010000000000000000000000000000003701a6004c006f00630061006c00000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5000310000000000cb58229e100041646d696e003c0009000400efbecb58ac94dc589d952e00000078e101000000010000000000000000000000000000007f41f900410064006d0069006e00000014000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\NodeSlot = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 4e00310000000000dc589d95100054656d7000003a0009000400efbecb58ac94dc589d952e00000097e101000000010000000000000000000000000000006033e400540065006d007000000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 5600310000000000cb58ac9412004170704461746100400009000400efbecb58ac94dc589d952e00000083e10100000001000000000000000000000000000000069002004100700070004400610074006100000016000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

explorer.exe

pid process

4812 explorer.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe

pid process

2524 a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
2524 a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe

pid	process
4812	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
Token: SeDebugPrivilege	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exeW43152D.EXEexplorer.exeNT-D4F6FF87.EXE

pid	process
2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
1064	W43152D.EXE
1064	W43152D.EXE
1064	W43152D.EXE
1064	W43152D.EXE
1064	W43152D.EXE
1064	W43152D.EXE
4812	explorer.exe
4812	explorer.exe
2512	NT-D4F6FF87.EXE
2512	NT-D4F6FF87.EXE
2512	NT-D4F6FF87.EXE
2512	NT-D4F6FF87.EXE
2512	NT-D4F6FF87.EXE
2512	NT-D4F6FF87.EXE

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exeW43152D.EXE

description	pid	process	target process
PID 2524 wrote to memory of 800	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe	fontdrvhost.exe
PID 2524 wrote to memory of 808	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe	fontdrvhost.exe
PID 2524 wrote to memory of 384	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe	dwm.exe
PID 2524 wrote to memory of 2544	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe	sihost.exe
PID 2524 wrote to memory of 2616	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe	svchost.exe
PID 2524 wrote to memory of 2820	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe	taskhostw.exe
PID 2524 wrote to memory of 3476	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe	Explorer.EXE
PID 2524 wrote to memory of 3668	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe	svchost.exe
PID 2524 wrote to memory of 3848	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe	DllHost.exe
PID 2524 wrote to memory of 3944	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe	StartMenuExperienceHost.exe
PID 2524 wrote to memory of 4008	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe	RuntimeBroker.exe
PID 2524 wrote to memory of 1160	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe	SearchApp.exe
PID 2524 wrote to memory of 3772	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe	RuntimeBroker.exe
PID 2524 wrote to memory of 4920	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe	TextInputHost.exe
PID 2524 wrote to memory of 1720	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe	RuntimeBroker.exe
PID 2524 wrote to memory of 3336	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe	backgroundTaskHost.exe
PID 2524 wrote to memory of 3188	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe	backgroundTaskHost.exe
PID 2524 wrote to memory of 2124	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe	explorer.exe
PID 2524 wrote to memory of 2124	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe	explorer.exe
PID 2524 wrote to memory of 2124	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe	explorer.exe
PID 2524 wrote to memory of 1064	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe	W43152D.EXE
PID 2524 wrote to memory of 1064	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe	W43152D.EXE
PID 2524 wrote to memory of 1064	2524	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe	W43152D.EXE
PID 1064 wrote to memory of 2512	1064	W43152D.EXE	NT-D4F6FF87.EXE
PID 1064 wrote to memory of 2512	1064	W43152D.EXE	NT-D4F6FF87.EXE
PID 1064 wrote to memory of 2512	1064	W43152D.EXE	NT-D4F6FF87.EXE

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

Processes:

a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:800

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:808

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:384

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2616

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2820

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3476

C:\Users\Admin\AppData\Local\Temp\a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a607e58ba05335ab33472830797585843f26d60a5c90bd2371e44f2759cfb133_NeikiAnalytics.exe"
2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2524

C:\Windows\SysWOW64\explorer.exe
explorer C:\Users\Admin\AppData\Local\Temp\
3⤵
PID:2124

C:\Windows\SysWOW64\1110cc\W43152D.EXE
C:\Windows\system32\\1110cc\W43152D.EXE
3⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\SysWOW64\1110cc\NT-D4F6FF87.EXE
C:\Windows\SysWOW64\1110cc\NT-D4F6FF87.EXE 4|-|SOFTWARE\Microsoft\Windows\CurrentVersion\Run\A04925|-|C:\Windows\SysWOW64\1110cc\W43152D.EXE|-|0
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:2512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3668

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3848

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3944

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4008

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1160

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3772

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4920

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1720

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:3336

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3188

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4812

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1212

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

Impair Defenses

T1562

Disable or Modify Tools