638a986982d63c68d6b82c885ec565164eb8c12d82a6e48db1de200858963fba

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 14:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe
Size

741KB
MD5

661d00e1dabffbf922ce29544c1c4760
SHA1

eccec63f4fd0153b555f2e19734595c97f213881
SHA256

638a986982d63c68d6b82c885ec565164eb8c12d82a6e48db1de200858963fba
SHA512

c927cfd89e110f0731f3242d3c091c60b4a1ebc9efce774d1dd0196dd8f11b5034722fea04e3363ba12121e598fe0c5421ecf37e4d1f00c2a727d03752611d2e
SSDEEP

12288:ltTuhrf45I8jWtJ8OgL27rd69bk5NCgGhSFB79gYhLIf6EQ9EYcw1FA:lIt4kt0Kd6F6CNzYhUiEWEYcwY

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2860	explorer.exe
2560	spoolsv.exe
2580	svchost.exe
2928	spoolsv.exe

Loads dropped DLL 4 IoCs

pid	Process
2388	661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe
2860	explorer.exe
2560	spoolsv.exe
2580	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 19 IoCs

pid	Process
2388	661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe
2860	explorer.exe
2560	spoolsv.exe
2580	svchost.exe
2928	spoolsv.exe
2580	svchost.exe
2860	explorer.exe
2580	svchost.exe
2860	explorer.exe
2580	svchost.exe
2860	explorer.exe
2580	svchost.exe
2860	explorer.exe
2580	svchost.exe
2860	explorer.exe
2580	svchost.exe
2860	explorer.exe
2580	svchost.exe
2860	explorer.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1056	schtasks.exe
2856	schtasks.exe
1172	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2388	661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe
2388	661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe
2388	661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe
2388	661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe
2388	661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe
2388	661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe
2388	661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe
2388	661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe
2388	661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe
2388	661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe
2388	661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe
2388	661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe
2388	661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe
2388	661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe
2388	661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe
2388	661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe
2388	661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe
2388	661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe
2388	661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe
2388	661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe
2388	661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe
2860	explorer.exe
2860	explorer.exe
2860	explorer.exe
2860	explorer.exe
2860	explorer.exe
2860	explorer.exe
2860	explorer.exe
2860	explorer.exe
2860	explorer.exe
2860	explorer.exe
2860	explorer.exe
2860	explorer.exe
2860	explorer.exe
2860	explorer.exe
2860	explorer.exe
2860	explorer.exe
2860	explorer.exe
2860	explorer.exe
2860	explorer.exe
2860	explorer.exe
2560	spoolsv.exe
2560	spoolsv.exe
2560	spoolsv.exe
2560	spoolsv.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2860	explorer.exe
2580	svchost.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2388	661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe
2388	661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe
2388	661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe
2860	explorer.exe
2860	explorer.exe
2860	explorer.exe
2560	spoolsv.exe
2560	spoolsv.exe
2560	spoolsv.exe
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe
2928	spoolsv.exe
2928	spoolsv.exe
2928	spoolsv.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2860	2388	661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe	28
PID 2388 wrote to memory of 2860	2388	661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe	28
PID 2388 wrote to memory of 2860	2388	661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe	28
PID 2388 wrote to memory of 2860	2388	661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe	28
PID 2860 wrote to memory of 2560	2860	explorer.exe	29
PID 2860 wrote to memory of 2560	2860	explorer.exe	29
PID 2860 wrote to memory of 2560	2860	explorer.exe	29
PID 2860 wrote to memory of 2560	2860	explorer.exe	29
PID 2560 wrote to memory of 2580	2560	spoolsv.exe	30
PID 2560 wrote to memory of 2580	2560	spoolsv.exe	30
PID 2560 wrote to memory of 2580	2560	spoolsv.exe	30
PID 2560 wrote to memory of 2580	2560	spoolsv.exe	30
PID 2580 wrote to memory of 2928	2580	svchost.exe	31
PID 2580 wrote to memory of 2928	2580	svchost.exe	31
PID 2580 wrote to memory of 2928	2580	svchost.exe	31
PID 2580 wrote to memory of 2928	2580	svchost.exe	31
PID 2860 wrote to memory of 2568	2860	explorer.exe	32
PID 2860 wrote to memory of 2568	2860	explorer.exe	32
PID 2860 wrote to memory of 2568	2860	explorer.exe	32
PID 2860 wrote to memory of 2568	2860	explorer.exe	32
PID 2580 wrote to memory of 2856	2580	svchost.exe	33
PID 2580 wrote to memory of 2856	2580	svchost.exe	33
PID 2580 wrote to memory of 2856	2580	svchost.exe	33
PID 2580 wrote to memory of 2856	2580	svchost.exe	33
PID 2580 wrote to memory of 1172	2580	svchost.exe	38
PID 2580 wrote to memory of 1172	2580	svchost.exe	38
PID 2580 wrote to memory of 1172	2580	svchost.exe	38
PID 2580 wrote to memory of 1172	2580	svchost.exe	38
PID 2580 wrote to memory of 1056	2580	svchost.exe	40
PID 2580 wrote to memory of 1056	2580	svchost.exe	40
PID 2580 wrote to memory of 1056	2580	svchost.exe	40
PID 2580 wrote to memory of 1056	2580	svchost.exe	40

C:\Users\Admin\AppData\Local\Temp\661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\661d00e1dabffbf922ce29544c1c4760_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2388
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2860
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2580
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:2928
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 14:53 /f
        5⤵
        Creates scheduled task(s)
        
        PID:2856
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 14:54 /f
        5⤵
        Creates scheduled task(s)
        
        PID:1172
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 14:55 /f
        5⤵
        Creates scheduled task(s)
        
        PID:1056
- - C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe
    3⤵
    PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\spoolsv.exe

Filesize
741KB

MD5
e0ded6b6f656be2934fcf070673ca516

SHA1
0a1fe93e2819de1c1c41dd9dfc7490fa8eb46363

SHA256
194a75de17ccbf64acfb98cd12ff24b7bf139612070a877d2b0f0bb44243d815

SHA512
a97d78012ccd7effb0559a654aa1c0fcdd1e7da347ad6cc968595813f97d11daa2074c0566d1eb39dc1794f6c1c5aaa768181acda0fbc0149828e9d35ddaf756

Download Submit
\Windows\Resources\Themes\explorer.exe

Filesize
741KB

MD5
87d018b2e47ccff0adf71e04f4400e8c

SHA1
a6a1d0e3e6684655a654163032b3def87a4fe7ae

SHA256
5cd97480852e05d9748859c16d43e4547186aba151c3d955af31f58eb4afc53a

SHA512
5b93410760cad04c9d51ab929978279a38fc8a460e9756a7e057624f30b66c27aa1c3deea0f43d66750fd26972d297d63acec4b10eea52def51f07b9c44dae77

Download Submit
\Windows\Resources\svchost.exe

Filesize
741KB

MD5
78c4e2be93da081cb2bb94c0547bd9b3

SHA1
e6248ee60ee057ca496ce740aa354bf3603164af

SHA256
d60384182f632191aa224a06a42dc17ef006b6b877b2554a00ce5623746f28a7

SHA512
200e68dfb92ef3350a8ee844224e00fe4d969864e886efd7d163a53be3382e5ad305ab54a627c919c8af8c3720e8565d3b97fe9076dec0ff2ce5778d636b6d70

Download Submit
memory/2388-10-0x0000000003CA0000-0x0000000004012000-memory.dmp

Filesize
3.4MB

Download
memory/2388-0-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2388-49-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2560-47-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2560-22-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2560-33-0x0000000003BE0000-0x0000000003F52000-memory.dmp

Filesize
3.4MB

Download
memory/2580-52-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2580-57-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2580-39-0x00000000037E0000-0x0000000003B52000-memory.dmp

Filesize
3.4MB

Download
memory/2580-79-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2580-51-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2580-63-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2580-61-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2580-54-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2580-55-0x00000000037E0000-0x0000000003B52000-memory.dmp

Filesize
3.4MB

Download
memory/2580-59-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2860-11-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2860-56-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2860-60-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2860-53-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2860-62-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2860-64-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2860-74-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2860-76-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2860-50-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2928-45-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download