sality | 3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 00:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Size

3.6MB
MD5

1b062255a98fa64cc9e0daf3122ce4d0
SHA1

031ed3e4cd283ae60ccaf3ab2b885db1ccd0a62e
SHA256

3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8
SHA512

3760dac013d74d4dbddc75deebfb97bd7f8c1009330a2b0a859369113ef51a0ccaab3faa0e4a9c289813a8d8c3839880ca620a4ab97cc6c354d154f418ac4b02
SSDEEP

98304:iXh3tyriQkw0WxMnAZA+wxNrpqCYB64SqmH3:iNtyr5gWsAZADrICYgumH3

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

Processes:

update.exe

pid process

4136 update.exe
Loads dropped DLL 2 IoCs

Processes:

update.exe

pid process

4136 update.exe
4136 update.exe

pid	process
4136	update.exe

pid	process
4136	update.exe
4136	update.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2848-3-0x00000000027C0000-0x000000000387A000-memory.dmp	upx
behavioral2/memory/2848-17-0x00000000027C0000-0x000000000387A000-memory.dmp	upx
behavioral2/memory/2848-21-0x00000000027C0000-0x000000000387A000-memory.dmp	upx
behavioral2/memory/2848-20-0x00000000027C0000-0x000000000387A000-memory.dmp	upx
behavioral2/memory/2848-23-0x00000000027C0000-0x000000000387A000-memory.dmp	upx
behavioral2/memory/2848-18-0x00000000027C0000-0x000000000387A000-memory.dmp	upx
behavioral2/memory/2848-22-0x00000000027C0000-0x000000000387A000-memory.dmp	upx
behavioral2/memory/2848-5-0x00000000027C0000-0x000000000387A000-memory.dmp	upx
behavioral2/memory/2848-4-0x00000000027C0000-0x000000000387A000-memory.dmp	upx
behavioral2/memory/2848-1-0x00000000027C0000-0x000000000387A000-memory.dmp	upx
behavioral2/memory/2848-82-0x00000000027C0000-0x000000000387A000-memory.dmp	upx
behavioral2/memory/2848-83-0x00000000027C0000-0x000000000387A000-memory.dmp	upx
behavioral2/memory/2848-84-0x00000000027C0000-0x000000000387A000-memory.dmp	upx
behavioral2/memory/2848-85-0x00000000027C0000-0x000000000387A000-memory.dmp	upx
behavioral2/memory/2848-86-0x00000000027C0000-0x000000000387A000-memory.dmp	upx
behavioral2/memory/2848-88-0x00000000027C0000-0x000000000387A000-memory.dmp	upx
behavioral2/memory/2848-98-0x00000000027C0000-0x000000000387A000-memory.dmp	upx
behavioral2/memory/2848-99-0x00000000027C0000-0x000000000387A000-memory.dmp	upx
behavioral2/memory/2848-101-0x00000000027C0000-0x000000000387A000-memory.dmp	upx
behavioral2/memory/2848-102-0x00000000027C0000-0x000000000387A000-memory.dmp	upx
behavioral2/memory/2848-104-0x00000000027C0000-0x000000000387A000-memory.dmp	upx
behavioral2/memory/2848-106-0x00000000027C0000-0x000000000387A000-memory.dmp	upx
behavioral2/memory/2848-109-0x00000000027C0000-0x000000000387A000-memory.dmp	upx
behavioral2/memory/2848-159-0x00000000027C0000-0x000000000387A000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe

Enumerates connected drives 3 TTPs 8 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe

description	ioc	process
File opened (read-only)	\??\L:	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
File opened (read-only)	\??\M:	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
File opened (read-only)	\??\E:	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
File opened (read-only)	\??\G:	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
File opened (read-only)	\??\H:	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
File opened (read-only)	\??\I:	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
File opened (read-only)	\??\J:	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
File opened (read-only)	\??\K:	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe

Drops file in Windows directory 4 IoCs

Processes:

update.exe3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe

description	ioc	process
File opened for modification	\??\c:\windows\KB954550-v7.log	update.exe
File created	C:\Windows\e5765ce	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
File opened for modification	C:\Windows\SYSTEM.INI	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
File opened for modification	C:\Windows\setupapi.log	update.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe

pid	process
2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Token: SeDebugPrivilege	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe

description	pid	process	target process
PID 2848 wrote to memory of 780	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe	fontdrvhost.exe
PID 2848 wrote to memory of 788	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe	fontdrvhost.exe
PID 2848 wrote to memory of 1008	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe	dwm.exe
PID 2848 wrote to memory of 2816	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe	sihost.exe
PID 2848 wrote to memory of 2888	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe	svchost.exe
PID 2848 wrote to memory of 2544	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe	taskhostw.exe
PID 2848 wrote to memory of 3480	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe	Explorer.EXE
PID 2848 wrote to memory of 3600	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe	svchost.exe
PID 2848 wrote to memory of 3796	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe	DllHost.exe
PID 2848 wrote to memory of 3920	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe	StartMenuExperienceHost.exe
PID 2848 wrote to memory of 3984	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe	RuntimeBroker.exe
PID 2848 wrote to memory of 4064	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe	SearchApp.exe
PID 2848 wrote to memory of 3876	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe	RuntimeBroker.exe
PID 2848 wrote to memory of 2452	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe	RuntimeBroker.exe
PID 2848 wrote to memory of 1100	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe	TextInputHost.exe
PID 2848 wrote to memory of 4136	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe	update.exe
PID 2848 wrote to memory of 4136	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe	update.exe
PID 2848 wrote to memory of 780	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe	fontdrvhost.exe
PID 2848 wrote to memory of 788	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe	fontdrvhost.exe
PID 2848 wrote to memory of 1008	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe	dwm.exe
PID 2848 wrote to memory of 2816	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe	sihost.exe
PID 2848 wrote to memory of 2888	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe	svchost.exe
PID 2848 wrote to memory of 2544	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe	taskhostw.exe
PID 2848 wrote to memory of 3480	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe	Explorer.EXE
PID 2848 wrote to memory of 3600	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe	svchost.exe
PID 2848 wrote to memory of 3796	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe	DllHost.exe
PID 2848 wrote to memory of 3920	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe	StartMenuExperienceHost.exe
PID 2848 wrote to memory of 3984	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe	RuntimeBroker.exe
PID 2848 wrote to memory of 4064	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe	SearchApp.exe
PID 2848 wrote to memory of 3876	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe	RuntimeBroker.exe
PID 2848 wrote to memory of 2452	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe	RuntimeBroker.exe
PID 2848 wrote to memory of 1100	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe	TextInputHost.exe
PID 2848 wrote to memory of 4136	2848	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe	update.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:780

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:788

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1008

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2888

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2544

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3480

C:\Users\Admin\AppData\Local\Temp\3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe"
2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2848

\??\c:\ada55ae2e2535ac2b360613c2617\update\update.exe
c:\ada55ae2e2535ac2b360613c2617\update\update.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:4136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3600

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3796

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3920

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3984

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4064

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3876

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2452

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:1100

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0E576820_Rar\3df91e645333dda36cdc229efda6719d24a86b2040701dec5a52b2e9f72884b8_NeikiAnalytics.exe
Filesize
3.5MB

MD5
e84522f2695f1d553ce589c504ac5178

SHA1
8eb6daf074dfe6b7db9185465abfae476fca64ce

SHA256
0921cef0f1e6fe9657b9222c13e3eda6eeacf8a324eed91938a83d503fb1cb67

SHA512
257f2975ac33e5c45696bf00bb094cc11f0ae3671bc5cd4ec430c1de056f8523050282db7b19796b1f37d6807733e7e3d52ee291b15b11e7b20e63e25486e9c4

Download Submit
C:\ada55ae2e2535ac2b360613c2617\update\updspapi.dll
Filesize
451KB

MD5
54aa7048ec27dccb31533cfa768707da

SHA1
817fa5b49342a69944877338ecf20d7af4190289

SHA256
9c06e9d14ee17f41a7914b5fbbead56197c7b3cc9bc82d39bc222f94082d18ad

SHA512
4e72b8048689461bd0b47197c662e339118e5de5c84c6dea0e3a02f6057a3fc14e5919523d1c0187bf2d0a003c780fb3845acdb92d42a81c25ba8c8d4ae6624f

Download Submit
\??\c:\ada55ae2e2535ac2b360613c2617\update\update.exe
Filesize
955KB

MD5
58d02f4b24e448e0ed8455f3d2aad454

SHA1
4166102ebf45646b381b2edf638a03cd73307f6f

SHA256
2327927df7d768fb4053439881b8c01ef5178b3b6636a66b5a5b77888aef74bb

SHA512
fe52dce879d47268b9b9db6d241ff74f26778fb18e17172b963679b86ec85669296c076b61bb1c1f7e3d2f78f96331beac13c085b00148889e52e57b192b704e

Download Submit
\??\c:\ada55ae2e2535ac2b360613c2617\update\update.inf
Filesize
27KB

MD5
a1035ebe0d33083944b6f0664f5c073c

SHA1
cff517dd77e53cab6035980a8845ca683c8744aa

SHA256
4192b4940ed262133259f3df533ed7c6d03e1b09f09538c2de0116a19ad454d0

SHA512
2da44d12ba2972366266e51f82ec2fe763b7b2dd965d91c5a7400cf97f2aaf30cedcaf35b675d7e2c263105331aa2f4c3c23ed1e5d160028e7903a95bd0e41f8

Download Submit
memory/2848-4-0x00000000027C0000-0x000000000387A000-memory.dmp

Filesize
16.7MB

Download
memory/2848-1-0x00000000027C0000-0x000000000387A000-memory.dmp

Filesize
16.7MB

Download
memory/2848-20-0x00000000027C0000-0x000000000387A000-memory.dmp

Filesize
16.7MB

Download
memory/2848-21-0x00000000027C0000-0x000000000387A000-memory.dmp

Filesize
16.7MB

Download
memory/2848-26-0x0000000001000000-0x00000000013A8000-memory.dmp

Filesize
3.7MB

Download
memory/2848-23-0x00000000027C0000-0x000000000387A000-memory.dmp

Filesize
16.7MB

Download
memory/2848-18-0x00000000027C0000-0x000000000387A000-memory.dmp

Filesize
16.7MB

Download
memory/2848-25-0x0000000001000000-0x00000000013A8000-memory.dmp

Filesize
3.7MB

Download
memory/2848-22-0x00000000027C0000-0x000000000387A000-memory.dmp

Filesize
16.7MB

Download
memory/2848-5-0x00000000027C0000-0x000000000387A000-memory.dmp

Filesize
16.7MB

Download
memory/2848-17-0x00000000027C0000-0x000000000387A000-memory.dmp

Filesize
16.7MB

Download
memory/2848-166-0x0000000001000000-0x00000000013A8000-memory.dmp

Filesize
3.7MB

Download
memory/2848-19-0x0000000000AF0000-0x0000000000AF2000-memory.dmp

Filesize
8KB

Download
memory/2848-3-0x00000000027C0000-0x000000000387A000-memory.dmp

Filesize
16.7MB

Download
memory/2848-0-0x0000000001000000-0x00000000013A8000-memory.dmp

Filesize
3.7MB

Download
memory/2848-11-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/2848-10-0x0000000000AF0000-0x0000000000AF2000-memory.dmp

Filesize
8KB

Download
memory/2848-24-0x0000000001002000-0x0000000001003000-memory.dmp

Filesize
4KB

Download
memory/2848-82-0x00000000027C0000-0x000000000387A000-memory.dmp

Filesize
16.7MB

Download
memory/2848-83-0x00000000027C0000-0x000000000387A000-memory.dmp

Filesize
16.7MB

Download
memory/2848-84-0x00000000027C0000-0x000000000387A000-memory.dmp

Filesize
16.7MB

Download
memory/2848-85-0x00000000027C0000-0x000000000387A000-memory.dmp

Filesize
16.7MB

Download
memory/2848-86-0x00000000027C0000-0x000000000387A000-memory.dmp

Filesize
16.7MB

Download
memory/2848-88-0x00000000027C0000-0x000000000387A000-memory.dmp

Filesize
16.7MB

Download
memory/2848-98-0x00000000027C0000-0x000000000387A000-memory.dmp

Filesize
16.7MB

Download
memory/2848-99-0x00000000027C0000-0x000000000387A000-memory.dmp

Filesize
16.7MB

Download
memory/2848-101-0x00000000027C0000-0x000000000387A000-memory.dmp

Filesize
16.7MB

Download
memory/2848-102-0x00000000027C0000-0x000000000387A000-memory.dmp

Filesize
16.7MB

Download
memory/2848-104-0x00000000027C0000-0x000000000387A000-memory.dmp

Filesize
16.7MB

Download
memory/2848-106-0x00000000027C0000-0x000000000387A000-memory.dmp

Filesize
16.7MB

Download
memory/2848-109-0x00000000027C0000-0x000000000387A000-memory.dmp

Filesize
16.7MB

Download
memory/2848-159-0x00000000027C0000-0x000000000387A000-memory.dmp

Filesize
16.7MB

Download
memory/2848-157-0x0000000000AF0000-0x0000000000AF2000-memory.dmp

Filesize
8KB

Download
memory/4136-80-0x0000000001E40000-0x0000000001EB5000-memory.dmp

Filesize
468KB

Download