Analysis
- max time kernel: 122s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 01-07-2024 02:45
- Static task: static1
- Behavioral task: behavioral1
- Sample: 2f96721596a021d7ed6d066b627c9510350c1625dc79e459dad9e415e0d5f40a_NeikiAnalytics.exe
- Resource: win7-20231129-en
General
- Target: 2f96721596a021d7ed6d066b627c9510350c1625dc79e459dad9e415e0d5f40a_NeikiAnalytics.exe
- Size: 97KB
- MD5: f2ad4cc069cdccb32b055d68f181b220
- SHA1: 09807b1a57ac981c463b2b1f35589c69424ebae8
- SHA256: 2f96721596a021d7ed6d066b627c9510350c1625dc79e459dad9e415e0d5f40a
- SHA512: 36a5eeecbd694c32c759c2d88cd5a3e15ee15665e114b9f4aa447fa9485d87c474a7c612d6f337df9fa4ac25eba9927613cfa0780b52de44a7e83582e3093dcc
- SSDEEP: 1536:NXk15iErYYuXi6k4N++9aVYXMrD7KCEWWjxLPz+0wYRrxjrbxGXzl+k:9k15Ee6k4L0Vv7KXNLb+XSxjrVQzQ
Malware Config
Extracted: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 3 IoCs)
Process: 2f96721596a021d7ed6d066b627c9510350c1625dc79e459dad9e415e0d5f40a_NeikiAnalytics.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
UAC bypass
Process: 2f96721596a021d7ed6d066b627c9510350c1625dc79e459dad9e415e0d5f40a_NeikiAnalytics.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Windows security bypass
Process: 2f96721596a021d7ed6d066b627c9510350c1625dc79e459dad9e415e0d5f40a_NeikiAnalytics.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
YARA rule matches (resource, rule):
- behavioral1/memory/2044-7-0x00000000006E0000-0x000000000179A000-memory.dmp  upx
- behavioral1/memory/2044-3-0x00000000006E0000-0x000000000179A000-memory.dmp  upx
- behavioral1/memory/2044-6-0x00000000006E0000-0x000000000179A000-memory.dmp  upx
- behavioral1/memory/2044-9-0x00000000006E0000-0x000000000179A000-memory.dmp  upx
- behavioral1/memory/2044-10-0x00000000006E0000-0x000000000179A000-memory.dmp  upx
- behavioral1/memory/2044-5-0x00000000006E0000-0x000000000179A000-memory.dmp  upx
- behavioral1/memory/2044-4-0x00000000006E0000-0x000000000179A000-memory.dmp  upx
- behavioral1/memory/2044-11-0x00000000006E0000-0x000000000179A000-memory.dmp  upx
- behavioral1/memory/2044-8-0x00000000006E0000-0x000000000179A000-memory.dmp  upx
- behavioral1/memory/2044-12-0x00000000006E0000-0x000000000179A000-memory.dmp  upx
- behavioral1/memory/2044-31-0x00000000006E0000-0x000000000179A000-memory.dmp  upx
- behavioral1/memory/2044-32-0x00000000006E0000-0x000000000179A000-memory.dmp  upx
- behavioral1/memory/2044-33-0x00000000006E0000-0x000000000179A000-memory.dmp  upx
- behavioral1/memory/2044-35-0x00000000006E0000-0x000000000179A000-memory.dmp  upx
- behavioral1/memory/2044-34-0x00000000006E0000-0x000000000179A000-memory.dmp  upx
- behavioral1/memory/2044-37-0x00000000006E0000-0x000000000179A000-memory.dmp  upx
- behavioral1/memory/2044-38-0x00000000006E0000-0x000000000179A000-memory.dmp  upx
- behavioral1/memory/2044-40-0x00000000006E0000-0x000000000179A000-memory.dmp  upx
- behavioral1/memory/2044-41-0x00000000006E0000-0x000000000179A000-memory.dmp  upx
- behavioral1/memory/2044-43-0x00000000006E0000-0x000000000179A000-memory.dmp  upx
- behavioral1/memory/2044-57-0x00000000006E0000-0x000000000179A000-memory.dmp  upx
- behavioral1/memory/2044-58-0x00000000006E0000-0x000000000179A000-memory.dmp  upx
- behavioral1/memory/2044-60-0x00000000006E0000-0x000000000179A000-memory.dmp  upx
- behavioral1/memory/2044-62-0x00000000006E0000-0x000000000179A000-memory.dmp  upx
- behavioral1/memory/2044-66-0x00000000006E0000-0x000000000179A000-memory.dmp  upx
- behavioral1/memory/2044-69-0x00000000006E0000-0x000000000179A000-memory.dmp  upx
- behavioral1/memory/2044-71-0x00000000006E0000-0x000000000179A000-memory.dmp  upx
- behavioral1/memory/2044-73-0x00000000006E0000-0x000000000179A000-memory.dmp  upx
- behavioral1/memory/2044-80-0x00000000006E0000-0x000000000179A000-memory.dmp  upx
- behavioral1/memory/2044-81-0x00000000006E0000-0x000000000179A000-memory.dmp  upx
Windows security modification
Process: 2f96721596a021d7ed6d066b627c9510350c1625dc79e459dad9e415e0d5f40a_NeikiAnalytics.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Checks whether UAC is enabled
Process: 2f96721596a021d7ed6d066b627c9510350c1625dc79e459dad9e415e0d5f40a_NeikiAnalytics.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process: 2f96721596a021d7ed6d066b627c9510350c1625dc79e459dad9e415e0d5f40a_NeikiAnalytics.exe
File opened (read-only) for each of the following drive roots:
- \??\N:
- \??\R:
- \??\S:
- \??\Y:
- \??\J:
- \??\K:
- \??\M:
- \??\T:
- \??\W:
- \??\E:
- \??\L:
- \??\P:
- \??\Q:
- \??\V:
- \??\Z:
- \??\H:
- \??\I:
- \??\U:
- \??\X:
- \??\G:
- \??\O:
Drops file in Program Files directory (5 IoCs)
Process: 2f96721596a021d7ed6d066b627c9510350c1625dc79e459dad9e415e0d5f40a_NeikiAnalytics.exe
- File opened for modification C:\Program Files\7-Zip\7zG.exe
- File opened for modification C:\Program Files\7-Zip\Uninstall.exe
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
- File opened for modification C:\Program Files\7-Zip\7z.exe
- File opened for modification C:\Program Files\7-Zip\7zFM.exe
Drops file in Windows directory (2 IoCs)
Process: 2f96721596a021d7ed6d066b627c9510350c1625dc79e459dad9e415e0d5f40a_NeikiAnalytics.exe
- File created C:\Windows\f760e82
- File opened for modification C:\Windows\SYSTEM.INI
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (12 IoCs)
Process (pid): 2044 2f96721596a021d7ed6d066b627c9510350c1625dc79e459dad9e415e0d5f40a_NeikiAnalytics.exe (12 identical entries)
Suspicious use of AdjustPrivilegeToken (33 IoCs)
Process (pid): 2044 2f96721596a021d7ed6d066b627c9510350c1625dc79e459dad9e415e0d5f40a_NeikiAnalytics.exe
- Token: SeDebugPrivilege (33 identical entries)
Suspicious use of WriteProcessMemory (37 IoCs)
Source process (pid): 2044 2f96721596a021d7ed6d066b627c9510350c1625dc79e459dad9e415e0d5f40a_NeikiAnalytics.exe
Target processes written to:
- PID 1184 taskhost.exe (12 entries)
- PID 1284 Dwm.exe (12 entries)
- PID 1336 Explorer.EXE (12 entries)
- PID 1816 DllHost.exe (1 entry)
System policy modification (1 TTPs, 1 IoCs)
Process: 2f96721596a021d7ed6d066b627c9510350c1625dc79e459dad9e415e0d5f40a_NeikiAnalytics.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes
- C:\Windows\system32\taskhost.exe (depth 1)
  Command line: "taskhost.exe"
- C:\Windows\system32\Dwm.exe (depth 1)
  Command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\2f96721596a021d7ed6d066b627c9510350c1625dc79e459dad9e415e0d5f40a_NeikiAnalytics.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2f96721596a021d7ed6d066b627c9510350c1625dc79e459dad9e415e0d5f40a_NeikiAnalytics.exe"
    Signatures:
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
- C:\Windows\system32\DllHost.exe (depth 1)
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
- Create or Modify System Process (1)
  - Windows Service (1)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
Defense Evasion
- Modify Registry (5)
- Impair Defenses (4)
  - Disable or Modify Tools (3)
  - Disable or Modify System Firewall (1)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)