a8fb298d3218040c5c577c00605dc993f0e3d336ccfa55e2f319a58b56ab9fe7

Analysis

max time kernel
150s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12-05-2024 12:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ffa9896301effd41a92fb1a5e962100_NeikiAnalytics.exe
Size

135KB
MD5

0ffa9896301effd41a92fb1a5e962100
SHA1

b58445f2776136fd9718916e87f792533a17b8eb
SHA256

a8fb298d3218040c5c577c00605dc993f0e3d336ccfa55e2f319a58b56ab9fe7
SHA512

43ff652151021680497eddc95cd240d28eece9748fd3d36305eb5cf1e9088581a46892ed7224dc04b415e448c22d1c8a9e6d5c650b3c3e1ad864f07350c061f0
SSDEEP

1536:4fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVwE:4VqoCl/YgjxEufVU0TbTyDDaluE

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
2296	explorer.exe
3020	spoolsv.exe
3076	svchost.exe
1392	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	0ffa9896301effd41a92fb1a5e962100_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4756	0ffa9896301effd41a92fb1a5e962100_NeikiAnalytics.exe
4756	0ffa9896301effd41a92fb1a5e962100_NeikiAnalytics.exe
4756	0ffa9896301effd41a92fb1a5e962100_NeikiAnalytics.exe
4756	0ffa9896301effd41a92fb1a5e962100_NeikiAnalytics.exe
4756	0ffa9896301effd41a92fb1a5e962100_NeikiAnalytics.exe
4756	0ffa9896301effd41a92fb1a5e962100_NeikiAnalytics.exe
4756	0ffa9896301effd41a92fb1a5e962100_NeikiAnalytics.exe
4756	0ffa9896301effd41a92fb1a5e962100_NeikiAnalytics.exe
4756	0ffa9896301effd41a92fb1a5e962100_NeikiAnalytics.exe
4756	0ffa9896301effd41a92fb1a5e962100_NeikiAnalytics.exe
4756	0ffa9896301effd41a92fb1a5e962100_NeikiAnalytics.exe
4756	0ffa9896301effd41a92fb1a5e962100_NeikiAnalytics.exe
4756	0ffa9896301effd41a92fb1a5e962100_NeikiAnalytics.exe
4756	0ffa9896301effd41a92fb1a5e962100_NeikiAnalytics.exe
4756	0ffa9896301effd41a92fb1a5e962100_NeikiAnalytics.exe
4756	0ffa9896301effd41a92fb1a5e962100_NeikiAnalytics.exe
4756	0ffa9896301effd41a92fb1a5e962100_NeikiAnalytics.exe
4756	0ffa9896301effd41a92fb1a5e962100_NeikiAnalytics.exe
4756	0ffa9896301effd41a92fb1a5e962100_NeikiAnalytics.exe
4756	0ffa9896301effd41a92fb1a5e962100_NeikiAnalytics.exe
4756	0ffa9896301effd41a92fb1a5e962100_NeikiAnalytics.exe
4756	0ffa9896301effd41a92fb1a5e962100_NeikiAnalytics.exe
4756	0ffa9896301effd41a92fb1a5e962100_NeikiAnalytics.exe
4756	0ffa9896301effd41a92fb1a5e962100_NeikiAnalytics.exe
4756	0ffa9896301effd41a92fb1a5e962100_NeikiAnalytics.exe
4756	0ffa9896301effd41a92fb1a5e962100_NeikiAnalytics.exe
4756	0ffa9896301effd41a92fb1a5e962100_NeikiAnalytics.exe
4756	0ffa9896301effd41a92fb1a5e962100_NeikiAnalytics.exe
4756	0ffa9896301effd41a92fb1a5e962100_NeikiAnalytics.exe
4756	0ffa9896301effd41a92fb1a5e962100_NeikiAnalytics.exe
4756	0ffa9896301effd41a92fb1a5e962100_NeikiAnalytics.exe
4756	0ffa9896301effd41a92fb1a5e962100_NeikiAnalytics.exe
4756	0ffa9896301effd41a92fb1a5e962100_NeikiAnalytics.exe
4756	0ffa9896301effd41a92fb1a5e962100_NeikiAnalytics.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe
2296	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2296	explorer.exe
3076	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4756	0ffa9896301effd41a92fb1a5e962100_NeikiAnalytics.exe
4756	0ffa9896301effd41a92fb1a5e962100_NeikiAnalytics.exe
2296	explorer.exe
2296	explorer.exe
3020	spoolsv.exe
3020	spoolsv.exe
3076	svchost.exe
3076	svchost.exe
1392	spoolsv.exe
1392	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4756 wrote to memory of 2296	4756	0ffa9896301effd41a92fb1a5e962100_NeikiAnalytics.exe	82
PID 4756 wrote to memory of 2296	4756	0ffa9896301effd41a92fb1a5e962100_NeikiAnalytics.exe	82
PID 4756 wrote to memory of 2296	4756	0ffa9896301effd41a92fb1a5e962100_NeikiAnalytics.exe	82
PID 2296 wrote to memory of 3020	2296	explorer.exe	83
PID 2296 wrote to memory of 3020	2296	explorer.exe	83
PID 2296 wrote to memory of 3020	2296	explorer.exe	83
PID 3020 wrote to memory of 3076	3020	spoolsv.exe	84
PID 3020 wrote to memory of 3076	3020	spoolsv.exe	84
PID 3020 wrote to memory of 3076	3020	spoolsv.exe	84
PID 3076 wrote to memory of 1392	3076	svchost.exe	85
PID 3076 wrote to memory of 1392	3076	svchost.exe	85
PID 3076 wrote to memory of 1392	3076	svchost.exe	85

C:\Users\Admin\AppData\Local\Temp\0ffa9896301effd41a92fb1a5e962100_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0ffa9896301effd41a92fb1a5e962100_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4756
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2296
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3020
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3076
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
e691b21cfeca24fe424039494e61e59c

SHA1
baf9650e04977b92651cc6a0ab1dcafaa9759bed

SHA256
60f52c996ac06d369e323a32f7ca8272e36dfac642ba31b55353f39ae1e18287

SHA512
6e69f4d3b735e378ef2e1214d81b546de2ed584b14834d9262d12d11475e6a168691777f7a6e0314f8bf4078a70cb0f3f1ec11f6bf4e1d74343ebe4cd609fb58

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
f4ff4dd70bd9044d89aa7daaa5c86df8

SHA1
cffd0d57ed35a8bd87346c8e636eb85e65a4f4db

SHA256
7c88455d76d375d21f9ee1e4f5b8a2acfc950ae5f1bf22f16df1b593b21bb463

SHA512
e8513d585a9a8e9c460945bf9d281646bb3491d227c8bcbb65c876601a12b1bcca8c9dfaebdd31cc3e292133a97496e7765747de9b7b6a0d5ad9ea7b145c4db6

Download Submit
\??\c:\windows\resources\themes\explorer.exe

Filesize
135KB

MD5
3468128a22e5cca4282b9801dbd90073

SHA1
995fed31956e2b5307027e9a9ee562f5f485d111

SHA256
39a810a5d61dc6e88e2b9023f090c223485bd900c33ceb603173181867eedbff

SHA512
ef7a4b02825eec72033483f1ae9e241beacb5bd9179ed3c50a85e4247378eb60d11b6e9d8eba09afa6d7943819c9d18b7760d73c1e1096df36ba5d3da282c462

Download Submit
memory/1392-32-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3020-33-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4756-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4756-34-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download