35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 04:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exe
Size

1.3MB
MD5

af6cee3f9ef7e46eb68faf407942e380
SHA1

fa1b48a630b62247a23bdac43e5f8221736c8d3c
SHA256

35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9
SHA512

6aa6e1eb41b15d85db5bd59ac57234fdd56774370c91023ba405b3d2fe79451350cd39a0706c05cda155b9ec2430ee303ce26d923efb7ca7a78cecf503b42e9b
SSDEEP

12288:HXgvmzFHi0mo5aH0qMzd5807FHhPJQPDHvd:HXgvOHi0mGaH0qSdPFHb4V

Score

10^/10

defense_evasion evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exeybmqx.exeybmqx.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ybmqx.exe

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exeybmqx.exeybmqx.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ybmqx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ybmqx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ybmqx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ybmqx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ybmqx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ybmqx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ybmqx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ybmqx.exe

Adds policy Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exeybmqx.exeybmqx.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lrfmwcgr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wnmezqfbykketfaaxwa.exe"	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lrfmwcgr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jbbuqiyvtghcsfbcaafx.exe"	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qzqanwdrgkc = "croexmztoywoblecx.exe"	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qzqanwdrgkc = "croexmztoywoblecx.exe"	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lrfmwcgr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yrsmjctrqegcthegfgmfg.exe"	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qzqanwdrgkc = "yrsmjctrqegcthegfgmfg.exe"	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lrfmwcgr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vjfumamfzifwirjg.exe"	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lrfmwcgr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\croexmztoywoblecx.exe"	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qzqanwdrgkc = "jbbuqiyvtghcsfbcaafx.exe"	ybmqx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qzqanwdrgkc = "vjfumamfzifwirjg.exe"	35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lrfmwcgr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\croexmztoywoblecx.exe"	35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lrfmwcgr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbzqkaojfqpiwhbawu.exe"	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qzqanwdrgkc = "vjfumamfzifwirjg.exe"	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qzqanwdrgkc = "lbzqkaojfqpiwhbawu.exe"	ybmqx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lrfmwcgr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wnmezqfbykketfaaxwa.exe"	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lrfmwcgr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vjfumamfzifwirjg.exe"	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qzqanwdrgkc = "lbzqkaojfqpiwhbawu.exe"	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lrfmwcgr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbzqkaojfqpiwhbawu.exe"	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qzqanwdrgkc = "yrsmjctrqegcthegfgmfg.exe"	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lrfmwcgr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\croexmztoywoblecx.exe"	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lrfmwcgr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yrsmjctrqegcthegfgmfg.exe"	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qzqanwdrgkc = "jbbuqiyvtghcsfbcaafx.exe"	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qzqanwdrgkc = "wnmezqfbykketfaaxwa.exe"	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qzqanwdrgkc = "wnmezqfbykketfaaxwa.exe"	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qzqanwdrgkc = "vjfumamfzifwirjg.exe"	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lrfmwcgr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jbbuqiyvtghcsfbcaafx.exe"	ybmqx.exe

Disables RegEdit via registry modification 6 IoCs

evasion

Processes:

35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exeybmqx.exeybmqx.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ybmqx.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ybmqx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ybmqx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ybmqx.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

Processes:

ybmqx.exeybmqx.exe

pid process

3436 ybmqx.exe
3856 ybmqx.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

Processes:

ybmqx.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	ybmqx.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	ybmqx.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	ybmqx.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	ybmqx.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	ybmqx.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	ybmqx.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ybmqx.exeybmqx.exe35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nxpaoygvlqjw = "vjfumamfzifwirjg.exe"	ybmqx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vdtcowcpdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbzqkaojfqpiwhbawu.exe ."	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nztgwisjbidscj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jbbuqiyvtghcsfbcaafx.exe ."	ybmqx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nxpaoygvlqjw = "lbzqkaojfqpiwhbawu.exe"	ybmqx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nxpaoygvlqjw = "lbzqkaojfqpiwhbawu.exe"	ybmqx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cjygrydpc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wnmezqfbykketfaaxwa.exe"	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vdtcowcpdg = "croexmztoywoblecx.exe ."	ybmqx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cjygrydpc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jbbuqiyvtghcsfbcaafx.exe"	ybmqx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cjygrydpc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jbbuqiyvtghcsfbcaafx.exe"	ybmqx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vdtcowcpdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbzqkaojfqpiwhbawu.exe ."	35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mxqcrclbsysgp = "lbzqkaojfqpiwhbawu.exe ."	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nztgwisjbidscj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbzqkaojfqpiwhbawu.exe ."	ybmqx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vdtcowcpdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yrsmjctrqegcthegfgmfg.exe ."	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cjygrydpc = "vjfumamfzifwirjg.exe"	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vdtcowcpdg = "jbbuqiyvtghcsfbcaafx.exe ."	ybmqx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mxqcrclbsysgp = "yrsmjctrqegcthegfgmfg.exe ."	ybmqx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nxpaoygvlqjw = "yrsmjctrqegcthegfgmfg.exe"	ybmqx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mxqcrclbsysgp = "lbzqkaojfqpiwhbawu.exe ."	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdymdqbtmuqgrzq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbzqkaojfqpiwhbawu.exe"	ybmqx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cjygrydpc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbzqkaojfqpiwhbawu.exe"	ybmqx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vdtcowcpdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yrsmjctrqegcthegfgmfg.exe ."	ybmqx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mxqcrclbsysgp = "wnmezqfbykketfaaxwa.exe ."	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vdtcowcpdg = "lbzqkaojfqpiwhbawu.exe ."	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vdtcowcpdg = "vjfumamfzifwirjg.exe ."	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cjygrydpc = "croexmztoywoblecx.exe"	ybmqx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cjygrydpc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vjfumamfzifwirjg.exe"	ybmqx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cjygrydpc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yrsmjctrqegcthegfgmfg.exe"	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdymdqbtmuqgrzq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jbbuqiyvtghcsfbcaafx.exe"	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdymdqbtmuqgrzq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yrsmjctrqegcthegfgmfg.exe"	ybmqx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cjygrydpc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yrsmjctrqegcthegfgmfg.exe"	35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cjygrydpc = "wnmezqfbykketfaaxwa.exe"	ybmqx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cjygrydpc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\croexmztoywoblecx.exe"	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cjygrydpc = "jbbuqiyvtghcsfbcaafx.exe"	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdymdqbtmuqgrzq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yrsmjctrqegcthegfgmfg.exe"	ybmqx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cjygrydpc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbzqkaojfqpiwhbawu.exe"	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vdtcowcpdg = "jbbuqiyvtghcsfbcaafx.exe ."	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cjygrydpc = "yrsmjctrqegcthegfgmfg.exe"	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vdtcowcpdg = "yrsmjctrqegcthegfgmfg.exe ."	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nztgwisjbidscj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yrsmjctrqegcthegfgmfg.exe ."	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nztgwisjbidscj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vjfumamfzifwirjg.exe ."	ybmqx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cjygrydpc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vjfumamfzifwirjg.exe"	ybmqx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mxqcrclbsysgp = "yrsmjctrqegcthegfgmfg.exe ."	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdymdqbtmuqgrzq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vjfumamfzifwirjg.exe"	ybmqx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nxpaoygvlqjw = "wnmezqfbykketfaaxwa.exe"	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdymdqbtmuqgrzq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\croexmztoywoblecx.exe"	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vdtcowcpdg = "wnmezqfbykketfaaxwa.exe ."	ybmqx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nxpaoygvlqjw = "wnmezqfbykketfaaxwa.exe"	ybmqx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mxqcrclbsysgp = "jbbuqiyvtghcsfbcaafx.exe ."	35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdymdqbtmuqgrzq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yrsmjctrqegcthegfgmfg.exe"	35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vdtcowcpdg = "yrsmjctrqegcthegfgmfg.exe ."	ybmqx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nxpaoygvlqjw = "yrsmjctrqegcthegfgmfg.exe"	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nztgwisjbidscj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbzqkaojfqpiwhbawu.exe ."	ybmqx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cjygrydpc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wnmezqfbykketfaaxwa.exe"	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdymdqbtmuqgrzq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbzqkaojfqpiwhbawu.exe"	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdymdqbtmuqgrzq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wnmezqfbykketfaaxwa.exe"	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cjygrydpc = "vjfumamfzifwirjg.exe"	35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nxpaoygvlqjw = "vjfumamfzifwirjg.exe"	35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nztgwisjbidscj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wnmezqfbykketfaaxwa.exe ."	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cjygrydpc = "jbbuqiyvtghcsfbcaafx.exe"	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vdtcowcpdg = "wnmezqfbykketfaaxwa.exe ."	ybmqx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mxqcrclbsysgp = "croexmztoywoblecx.exe ."	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cjygrydpc = "wnmezqfbykketfaaxwa.exe"	ybmqx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vdtcowcpdg = "lbzqkaojfqpiwhbawu.exe ."	ybmqx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vdtcowcpdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wnmezqfbykketfaaxwa.exe ."	ybmqx.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

ybmqx.exe35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exeybmqx.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ybmqx.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ybmqx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ybmqx.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ybmqx.exe

Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 whatismyipaddress.com
6 whatismyipaddress.com
11 www.showmyipaddress.com
12 whatismyip.everdot.org
14 whatismyipaddress.com
15 whatismyip.everdot.org

flow	ioc
3	whatismyipaddress.com
6	whatismyipaddress.com
11	www.showmyipaddress.com
12	whatismyip.everdot.org
14	whatismyipaddress.com
15	whatismyip.everdot.org

Drops file in System32 directory 4 IoCs

Processes:

ybmqx.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\prbekmmtbyjoolrckujlvyeggn.sdi	ybmqx.exe
File created	C:\Windows\SysWOW64\prbekmmtbyjoolrckujlvyeggn.sdi	ybmqx.exe
File opened for modification	C:\Windows\SysWOW64\qdymdqbtmuqgrzqmfaaniwnaldweaqbjawpkk.sgx	ybmqx.exe
File created	C:\Windows\SysWOW64\qdymdqbtmuqgrzqmfaaniwnaldweaqbjawpkk.sgx	ybmqx.exe

Drops file in Program Files directory 4 IoCs

Processes:

ybmqx.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\qdymdqbtmuqgrzqmfaaniwnaldweaqbjawpkk.sgx	ybmqx.exe
File created	C:\Program Files (x86)\qdymdqbtmuqgrzqmfaaniwnaldweaqbjawpkk.sgx	ybmqx.exe
File opened for modification	C:\Program Files (x86)\prbekmmtbyjoolrckujlvyeggn.sdi	ybmqx.exe
File created	C:\Program Files (x86)\prbekmmtbyjoolrckujlvyeggn.sdi	ybmqx.exe

Drops file in Windows directory 4 IoCs

Processes:

ybmqx.exe

description	ioc	process
File opened for modification	C:\Windows\prbekmmtbyjoolrckujlvyeggn.sdi	ybmqx.exe
File created	C:\Windows\prbekmmtbyjoolrckujlvyeggn.sdi	ybmqx.exe
File opened for modification	C:\Windows\qdymdqbtmuqgrzqmfaaniwnaldweaqbjawpkk.sgx	ybmqx.exe
File created	C:\Windows\qdymdqbtmuqgrzqmfaaniwnaldweaqbjawpkk.sgx	ybmqx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

Processes:

ybmqx.exe35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exeybmqx.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	ybmqx.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	ybmqx.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

ybmqx.exe

pid	process
3436	ybmqx.exe
3436	ybmqx.exe
3436	ybmqx.exe
3436	ybmqx.exe
3436	ybmqx.exe
3436	ybmqx.exe
3436	ybmqx.exe
3436	ybmqx.exe
3436	ybmqx.exe
3436	ybmqx.exe
3436	ybmqx.exe
3436	ybmqx.exe
3436	ybmqx.exe
3436	ybmqx.exe
3436	ybmqx.exe
3436	ybmqx.exe
3436	ybmqx.exe
3436	ybmqx.exe
3436	ybmqx.exe
3436	ybmqx.exe
3436	ybmqx.exe
3436	ybmqx.exe
3436	ybmqx.exe
3436	ybmqx.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

ybmqx.exe

pid process

3856 ybmqx.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ybmqx.exe

description pid process

Token: SeDebugPrivilege 3436 ybmqx.exe

pid	process
3856	ybmqx.exe

description	pid	process
Token: SeDebugPrivilege	3436	ybmqx.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exe

description	pid	process	target process
PID 4420 wrote to memory of 3436	4420	35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exe	ybmqx.exe
PID 4420 wrote to memory of 3436	4420	35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exe	ybmqx.exe
PID 4420 wrote to memory of 3436	4420	35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exe	ybmqx.exe
PID 4420 wrote to memory of 3856	4420	35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exe	ybmqx.exe
PID 4420 wrote to memory of 3856	4420	35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exe	ybmqx.exe
PID 4420 wrote to memory of 3856	4420	35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exe	ybmqx.exe

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

Processes:

35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exeybmqx.exeybmqx.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	ybmqx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	ybmqx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ybmqx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ybmqx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	ybmqx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ybmqx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ybmqx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ybmqx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	ybmqx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ybmqx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ybmqx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	ybmqx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	ybmqx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	ybmqx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ybmqx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ybmqx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	ybmqx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ybmqx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	ybmqx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ybmqx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ybmqx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ybmqx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	ybmqx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ybmqx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	ybmqx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	ybmqx.exe

C:\Users\Admin\AppData\Local\Temp\35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\35a05bc9c2f03476ef8483c5d18768f10170ab11d0eaa8e3c5b95e73dc0e24a9_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4420

C:\Users\Admin\AppData\Local\Temp\ybmqx.exe
"C:\Users\Admin\AppData\Local\Temp\ybmqx.exe" "-"
2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3436

C:\Users\Admin\AppData\Local\Temp\ybmqx.exe
"C:\Users\Admin\AppData\Local\Temp\ybmqx.exe" "-"
2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- System policy modification
PID:3856

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1032

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ybmqx.exe
Filesize
2.0MB

MD5
f4edaba9ce16a19c2c9cfbaf443b0f73

SHA1
43cd21503e57cdbfc1d6e7dd83775f19609d517e

SHA256
3e7bb88cfcf24abdb95fd4f0311c5342f126976f40536748b1dc0baa68997c72

SHA512
940b52a764563207af28e5077358f2ca662c82e0b7589b505f1cb973cc281fab7d9a333c1ea72a15ca6e3c8714ae50eb1a30c9bf14e4074ced4cbead833b5ff0

Download Submit
C:\Users\Admin\AppData\Local\prbekmmtbyjoolrckujlvyeggn.sdi
Filesize
280B

MD5
45a1235912cfd4e843f3fa1de0ae33ae

SHA1
55b5462b9a56d25ce2d4e2aaeef1a6e1585fc13f

SHA256
dda3eb964049768637bd8bd7c12b82307584c3c0b0875e5322767bd8540bd995

SHA512
62d3de53ea7c3f0456ad0befccb30531e7b5bbc1b4025e659a89c8931716b1b072ac9233f3bb1c541fe3425cd93dcdc0559dbf08e434040e5b02a9761248e0e7

Download Submit
C:\Users\Admin\AppData\Local\qdymdqbtmuqgrzqmfaaniwnaldweaqbjawpkk.sgx
Filesize
4KB

MD5
e953af8a74092e74a3be6f6f7f4626a5

SHA1
b3d75d7dbdd9833ae480c57042df5bb64b7de45c

SHA256
261884d29e769455fd7fda89facd3d596f30c58a93576b6c8ee66ffd9374d41d

SHA512
8af45f284d71e1eaebcc0cbda5c94a7a3bb0aa8c620a9e3593d4747a9cbf5676d45034360ef6eba0bcbd6701034d88a7e9152b447790a6a3fb022df7dc1e2be4

Download Submit