sality | 68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

Processes:

68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Windows security bypass 2 TTPs 12 IoCs

Disable or Modify Tools

Modify Registry

Processes:

68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	svchost.exe

Adds policy Run key to start application 2 TTPs 8 IoCs

Registry Run Keys / Startup Folder

Modify Registry

Processes:

68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exeGlobal.exesvchost.exesystem.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sys = "C:\\WINDOWS\\Fonts\\Fonts.exe"	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sys = "C:\\WINDOWS\\Fonts\\Fonts.exe"	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sys = "C:\\WINDOWS\\Fonts\\Fonts.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sys = "C:\\WINDOWS\\Fonts\\Fonts.exe"	system.exe

Drops file in Drivers directory 4 IoCs

Processes:

68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exeGlobal.exesvchost.exesystem.exe

description	ioc	process
File created	C:\WINDOWS\SysWOW64\drivers\drivers.cab.exe	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
File opened for modification	C:\WINDOWS\SysWOW64\drivers\drivers.cab.exe	Global.exe
File created	C:\WINDOWS\SysWOW64\drivers\drivers.cab.exe	svchost.exe
File created	C:\WINDOWS\SysWOW64\drivers\drivers.cab.exe	system.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

Image File Execution Options Injection

T1546.012

Processes:

system.exeGlobal.exesvchost.exe68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe\Debugger = "C:\\WINDOWS\\Fonts\\Fonts.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe\Debugger = "C:\\WINDOWS\\Fonts\\Fonts.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "C:\\WINDOWS\\Fonts\\fonts.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "C:\\WINDOWS\\Fonts\\fonts.exe"	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\WINDOWS\\Media\\rndll32.pif"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\WINDOWS\\Fonts\\tskmgr.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\WINDOWS\\Media\\rndll32.pif"	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\WINDOWS\\Media\\rndll32.pif"	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com"	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "C:\\WINDOWS\\Fonts\\fonts.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe\Debugger = "C:\\WINDOWS\\Fonts\\Fonts.exe"	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\WINDOWS\\Fonts\\tskmgr.exe"	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\WINDOWS\\Media\\rndll32.pif"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe\Debugger = "C:\\WINDOWS\\Fonts\\Fonts.exe"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\WINDOWS\\Fonts\\tskmgr.exe"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "C:\\WINDOWS\\Fonts\\fonts.exe"	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\WINDOWS\\Fonts\\tskmgr.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

Processes:

68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exeGlobal.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Global.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 3 IoCs

Processes:

Global.exesvchost.exesystem.exe

pid process

4920 Global.exe
1516 svchost.exe
1064 system.exe

pid	process
4920	Global.exe
1516	svchost.exe
1064	system.exe

Modifies system executable filetype association 2 TTPs 8 IoCs

Modify Registry

Change Default File Association

T1546.001

Processes:

svchost.exesystem.exe68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exeGlobal.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1"	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1"	Global.exe

UPX packed file 35 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3984-9-0x0000000002A70000-0x0000000003B2A000-memory.dmp	upx
behavioral2/memory/3984-1-0x0000000002A70000-0x0000000003B2A000-memory.dmp	upx
behavioral2/memory/3984-20-0x0000000002A70000-0x0000000003B2A000-memory.dmp	upx
behavioral2/memory/3984-18-0x0000000002A70000-0x0000000003B2A000-memory.dmp	upx
behavioral2/memory/3984-23-0x0000000002A70000-0x0000000003B2A000-memory.dmp	upx
behavioral2/memory/3984-21-0x0000000002A70000-0x0000000003B2A000-memory.dmp	upx
behavioral2/memory/3984-8-0x0000000002A70000-0x0000000003B2A000-memory.dmp	upx
behavioral2/memory/3984-17-0x0000000002A70000-0x0000000003B2A000-memory.dmp	upx
behavioral2/memory/3984-7-0x0000000002A70000-0x0000000003B2A000-memory.dmp	upx
behavioral2/memory/3984-5-0x0000000002A70000-0x0000000003B2A000-memory.dmp	upx
behavioral2/memory/3984-24-0x0000000002A70000-0x0000000003B2A000-memory.dmp	upx
behavioral2/memory/3984-25-0x0000000002A70000-0x0000000003B2A000-memory.dmp	upx
behavioral2/memory/3984-77-0x0000000002A70000-0x0000000003B2A000-memory.dmp	upx
behavioral2/memory/3984-112-0x0000000002A70000-0x0000000003B2A000-memory.dmp	upx
behavioral2/memory/1516-149-0x0000000002E80000-0x0000000003F3A000-memory.dmp	upx
behavioral2/memory/1516-152-0x0000000002E80000-0x0000000003F3A000-memory.dmp	upx
behavioral2/memory/1516-153-0x0000000002E80000-0x0000000003F3A000-memory.dmp	upx
behavioral2/memory/1516-150-0x0000000002E80000-0x0000000003F3A000-memory.dmp	upx
behavioral2/memory/1516-151-0x0000000002E80000-0x0000000003F3A000-memory.dmp	upx
behavioral2/memory/1516-148-0x0000000002E80000-0x0000000003F3A000-memory.dmp	upx
behavioral2/memory/1516-147-0x0000000002E80000-0x0000000003F3A000-memory.dmp	upx
behavioral2/memory/1516-140-0x0000000002E80000-0x0000000003F3A000-memory.dmp	upx
behavioral2/memory/1516-141-0x0000000002E80000-0x0000000003F3A000-memory.dmp	upx
behavioral2/memory/1516-137-0x0000000002E80000-0x0000000003F3A000-memory.dmp	upx
behavioral2/memory/1516-165-0x0000000002E80000-0x0000000003F3A000-memory.dmp	upx
behavioral2/memory/1516-164-0x0000000002E80000-0x0000000003F3A000-memory.dmp	upx
behavioral2/memory/1516-174-0x0000000002E80000-0x0000000003F3A000-memory.dmp	upx
behavioral2/memory/1516-175-0x0000000002E80000-0x0000000003F3A000-memory.dmp	upx
behavioral2/memory/1516-176-0x0000000002E80000-0x0000000003F3A000-memory.dmp	upx
behavioral2/memory/1516-183-0x0000000002E80000-0x0000000003F3A000-memory.dmp	upx
behavioral2/memory/1516-184-0x0000000002E80000-0x0000000003F3A000-memory.dmp	upx
behavioral2/memory/1516-185-0x0000000002E80000-0x0000000003F3A000-memory.dmp	upx
behavioral2/memory/1516-187-0x0000000002E80000-0x0000000003F3A000-memory.dmp	upx
behavioral2/memory/1516-190-0x0000000002E80000-0x0000000003F3A000-memory.dmp	upx
behavioral2/memory/1516-197-0x0000000002E80000-0x0000000003F3A000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

Disable or Modify Tools

Modify Registry

Processes:

68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	svchost.exe

Adds Run key to start application 2 TTPs 12 IoCs

Registry Run Keys / Startup Folder

Modify Registry

Processes:

68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exeGlobal.exesvchost.exesystem.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe"	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe"	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\WINDOWS\\system\\KEYBOARD.exe"	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\WINDOWS\\system\\KEYBOARD.exe"	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\WINDOWS\\system\\KEYBOARD.exe"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\WINDOWS\\system\\KEYBOARD.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe"	system.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

Processes:

68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Enumerates connected drives 3 TTPs 7 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

svchost.exe

description	ioc	process
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe

Drops autorun.inf file 1 TTPs 11 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exeGlobal.exesystem.exesvchost.exe

description	ioc	process
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
File created	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	Global.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	system.exe
File opened for modification	D:\autorun.inf	Global.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	svchost.exe
File opened for modification	C:\autorun.inf	Global.exe
File created	C:\autorun.inf	Global.exe
File created	D:\autorun.inf	Global.exe
File opened for modification	F:\autorun.inf	Global.exe
File created	F:\autorun.inf	Global.exe

Drops file in System32 directory 54 IoCs

Processes:

68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exesystem.exeGlobal.exesvchost.exe

description	ioc	process
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Global.exe	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Global.exe	system.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\	system.exe
File created	C:\WINDOWS\SysWOW64\dllcache\svchost.exe	system.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Default.exe	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache	Global.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	svchost.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	system.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache	system.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe	Global.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe	svchost.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe	svchost.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe	system.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	Global.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache	svchost.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Default.exe	svchost.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	svchost.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe	system.exe
File created	C:\WINDOWS\SysWOW64\regedit.exe	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	Global.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\	Global.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe	svchost.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe	system.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\tskmgr.exe	Global.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe	Global.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E)\Global.exe	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Global.exe	svchost.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
File created	C:\WINDOWS\SysWOW64\regedit.exe	svchost.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Default.exe	system.exe
File created	C:\WINDOWS\SysWOW64\dllcache\svchost.exe	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Default.exe	Global.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\svchost.exe	Global.exe
File created	C:\WINDOWS\SysWOW64\regedit.exe	Global.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\	svchost.exe
File created	C:\WINDOWS\SysWOW64\regedit.exe	system.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	system.exe
File created	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
File created	C:\WINDOWS\SysWOW64\dllcache\tskmgr.exe	Global.exe
File created	C:\WINDOWS\SysWOW64\dllcache\svchost.exe	svchost.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E)\svchost.exe	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Global.exe	Global.exe
File created	C:\WINDOWS\SysWOW64\dllcache\tskmgr.exe	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe	Global.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe	svchost.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe	system.exe

Drops file in Windows directory 41 IoCs

Processes:

svchost.exesystem.exe68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exeGlobal.exe

description	ioc	process
File created	C:\WINDOWS\Fonts\tskmgr.exe	svchost.exe
File created	C:\WINDOWS\Cursors\Boom.vbs	system.exe
File opened for modification	C:\WINDOWS\Cursors\Boom.vbs	system.exe
File opened for modification	C:\Windows\SYSTEM.INI	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
File created	C:\WINDOWS\pchealth\Global.exe	svchost.exe
File opened for modification	C:\WINDOWS\Media\rndll32.pif	Global.exe
File opened for modification	C:\WINDOWS\Cursors\Boom.vbs	svchost.exe
File created	C:\WINDOWS\Fonts\tskmgr.exe	system.exe
File opened for modification	C:\WINDOWS\Cursors\Boom.vbs	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
File opened for modification	C:\WINDOWS\Fonts\Fonts.exe	Global.exe
File created	C:\WINDOWS\Help\microsoft.hlp	svchost.exe
File created	C:\WINDOWS\Media\rndll32.pif	system.exe
File created	C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
File created	C:\WINDOWS\Fonts\tskmgr.exe	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
File opened for modification	C:\WINDOWS\Help\microsoft.hlp	Global.exe
File created	C:\WINDOWS\system\KEYBOARD.exe	svchost.exe
File opened for modification	C:\WINDOWS\Fonts\wav.wav	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
File created	C:\WINDOWS\system\KEYBOARD.exe	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
File created	C:\WINDOWS\Media\rndll32.pif	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
File opened for modification	C:\WINDOWS\system\KEYBOARD.exe	Global.exe
File created	C:\WINDOWS\Media\rndll32.pif	svchost.exe
File created	C:\WINDOWS\Help\microsoft.hlp	system.exe
File created	C:\Windows\e574006	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
File created	C:\WINDOWS\Fonts\wav.wav	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
File created	C:\Windows\e576801	svchost.exe
File created	C:\WINDOWS\Cursors\Boom.vbs	svchost.exe
File created	C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com	system.exe
File created	C:\WINDOWS\pchealth\Global.exe	system.exe
File created	C:\WINDOWS\system\KEYBOARD.exe	system.exe
File created	C:\WINDOWS\Cursors\Boom.vbs	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
File created	C:\WINDOWS\Cursors\Boom.vbs	Global.exe
File created	C:\WINDOWS\pchealth\Global.exe	Global.exe
File opened for modification	C:\WINDOWS\Fonts\tskmgr.exe	Global.exe
File opened for modification	C:\WINDOWS\Cursors\Boom.vbs	Global.exe
File created	C:\WINDOWS\Fonts\Fonts.exe	svchost.exe
File created	C:\WINDOWS\pchealth\Global.exe	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
File created	C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com	Global.exe
File created	C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com	svchost.exe
File created	C:\WINDOWS\Fonts\Fonts.exe	system.exe
File created	C:\WINDOWS\Fonts\Fonts.exe	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
File created	C:\WINDOWS\Help\microsoft.hlp	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 16 IoCs

evasion

Processes:

system.exeGlobal.exesvchost.exe68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com"	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\AutoEndTasks = "1"	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaveTimeOut = "30"	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com"	Global.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaveTimeOut = "30"	Global.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\AutoEndTasks = "1"	Global.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\AutoEndTasks = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com"	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop	Global.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaveTimeOut = "30"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaveTimeOut = "30"	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\AutoEndTasks = "1"	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com"	svchost.exe

Modifies registry class 46 IoCs

Processes:

68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exeGlobal.exesvchost.exesystem.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\Fonts\\Fonts.exe"	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSCFile\Shell\Open\Command	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1"	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\Fonts\\Fonts.exe"	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\Shell\Open\Command	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSCFile\Shell\Open\Command	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\Shell\Open\Command	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile"	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\Fonts\\Fonts.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile"	system.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\Fonts\\Fonts.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\Shell\Open\Command	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSCFile\Shell\Open\Command	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\Shell\Open\Command	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSCFile\Shell\Open\Command	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe"	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe"	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1"	svchost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exesvchost.exe

pid	process
3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe
1516	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Token: SeDebugPrivilege	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exeGlobal.exesvchost.exesystem.exe

pid process

3984 68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
4920 Global.exe
1516 svchost.exe
1064 system.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exeGlobal.exesvchost.exe

description	pid	process	target process
PID 3984 wrote to memory of 788	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe	fontdrvhost.exe
PID 3984 wrote to memory of 796	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe	fontdrvhost.exe
PID 3984 wrote to memory of 60	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe	dwm.exe
PID 3984 wrote to memory of 2872	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe	sihost.exe
PID 3984 wrote to memory of 2996	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe	svchost.exe
PID 3984 wrote to memory of 2080	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe	taskhostw.exe
PID 3984 wrote to memory of 3436	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe	Explorer.EXE
PID 3984 wrote to memory of 3576	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe	svchost.exe
PID 3984 wrote to memory of 3776	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe	DllHost.exe
PID 3984 wrote to memory of 3872	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe	StartMenuExperienceHost.exe
PID 3984 wrote to memory of 3936	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe	RuntimeBroker.exe
PID 3984 wrote to memory of 4016	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe	SearchApp.exe
PID 3984 wrote to memory of 3832	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe	RuntimeBroker.exe
PID 3984 wrote to memory of 4744	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe	TextInputHost.exe
PID 3984 wrote to memory of 1308	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe	RuntimeBroker.exe
PID 3984 wrote to memory of 4920	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe	Global.exe
PID 3984 wrote to memory of 4920	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe	Global.exe
PID 3984 wrote to memory of 4920	3984	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe	Global.exe
PID 4920 wrote to memory of 1516	4920	Global.exe	svchost.exe
PID 4920 wrote to memory of 1516	4920	Global.exe	svchost.exe
PID 4920 wrote to memory of 1516	4920	Global.exe	svchost.exe
PID 1516 wrote to memory of 788	1516	svchost.exe	fontdrvhost.exe
PID 1516 wrote to memory of 796	1516	svchost.exe	fontdrvhost.exe
PID 1516 wrote to memory of 60	1516	svchost.exe	dwm.exe
PID 1516 wrote to memory of 2872	1516	svchost.exe	sihost.exe
PID 1516 wrote to memory of 2996	1516	svchost.exe	svchost.exe
PID 1516 wrote to memory of 2080	1516	svchost.exe	taskhostw.exe
PID 1516 wrote to memory of 3436	1516	svchost.exe	Explorer.EXE
PID 1516 wrote to memory of 3576	1516	svchost.exe	svchost.exe
PID 1516 wrote to memory of 3776	1516	svchost.exe	DllHost.exe
PID 1516 wrote to memory of 3872	1516	svchost.exe	StartMenuExperienceHost.exe
PID 1516 wrote to memory of 3936	1516	svchost.exe	RuntimeBroker.exe
PID 1516 wrote to memory of 4016	1516	svchost.exe	SearchApp.exe
PID 1516 wrote to memory of 3832	1516	svchost.exe	RuntimeBroker.exe
PID 1516 wrote to memory of 4744	1516	svchost.exe	TextInputHost.exe
PID 1516 wrote to memory of 1308	1516	svchost.exe	RuntimeBroker.exe
PID 1516 wrote to memory of 4920	1516	svchost.exe	Global.exe
PID 1516 wrote to memory of 4920	1516	svchost.exe	Global.exe
PID 1516 wrote to memory of 1660	1516	svchost.exe	rundll32.exe
PID 1516 wrote to memory of 1064	1516	svchost.exe	system.exe
PID 1516 wrote to memory of 1064	1516	svchost.exe	system.exe
PID 1516 wrote to memory of 1064	1516	svchost.exe	system.exe
PID 1516 wrote to memory of 788	1516	svchost.exe	fontdrvhost.exe
PID 1516 wrote to memory of 796	1516	svchost.exe	fontdrvhost.exe
PID 1516 wrote to memory of 60	1516	svchost.exe	dwm.exe
PID 1516 wrote to memory of 2872	1516	svchost.exe	sihost.exe
PID 1516 wrote to memory of 2996	1516	svchost.exe	svchost.exe
PID 1516 wrote to memory of 2080	1516	svchost.exe	taskhostw.exe
PID 1516 wrote to memory of 3436	1516	svchost.exe	Explorer.EXE
PID 1516 wrote to memory of 3576	1516	svchost.exe	svchost.exe
PID 1516 wrote to memory of 3776	1516	svchost.exe	DllHost.exe
PID 1516 wrote to memory of 3872	1516	svchost.exe	StartMenuExperienceHost.exe
PID 1516 wrote to memory of 3936	1516	svchost.exe	RuntimeBroker.exe
PID 1516 wrote to memory of 4016	1516	svchost.exe	SearchApp.exe
PID 1516 wrote to memory of 3832	1516	svchost.exe	RuntimeBroker.exe
PID 1516 wrote to memory of 4744	1516	svchost.exe	TextInputHost.exe
PID 1516 wrote to memory of 1308	1516	svchost.exe	RuntimeBroker.exe
PID 1516 wrote to memory of 1064	1516	svchost.exe	system.exe
PID 1516 wrote to memory of 1064	1516	svchost.exe	system.exe

System policy modification 1 TTPs 10 IoCs

evasion

Modify Registry

Processes:

68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exeGlobal.exesvchost.exesystem.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Global.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableStatusMessages = "1"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableStatusMessages = "1"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableStatusMessages = "1"	68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableStatusMessages = "1"	Global.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	svchost.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:788

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:796

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:60

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2996

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2080

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3436

C:\Users\Admin\AppData\Local\Temp\68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\68242865c6bee25eac8a6a559039b8cef5bd048647ad8ba5dc076f1719a595d5_NeikiAnalytics.exe"
2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Adds policy Run key to start application
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Checks computer location settings
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3984

C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe
"C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe"
3⤵
- Adds policy Run key to start application
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Checks computer location settings
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4920

C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe
"C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe"
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Adds policy Run key to start application
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Checks computer location settings
- Executes dropped EXE
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1516

C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
"C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe"
5⤵
- Adds policy Run key to start application
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3576

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3776

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3872

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3936

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4016

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3832

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4744

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1308

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1660

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:4392

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:3800

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

Impair Defenses

T1562

Disable or Modify Tools

Disable or Modify System Firewall

T1562.004

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Credential Access

Discovery

Query Registry

T1012

System Information Discovery