Malware Analysis Report

2025-08-11 00:07

Sample ID 240513-hny5kaec25
Target a33ace223221f156ad2565feb80d1d80_NeikiAnalytics
SHA256 9abeaa49787d3100f775be46625ac686cf690f06027a52f1ec9951e00705ac7f
Tags
evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9abeaa49787d3100f775be46625ac686cf690f06027a52f1ec9951e00705ac7f

Threat Level: Known bad

The file a33ace223221f156ad2565feb80d1d80_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

evasion persistence trojan

Detects BazaLoader malware

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Modifies Installed Components in the registry

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Analyst Notes

Both detonations (Windows 7 and Windows 10) show the same chain. The sample writes copies named explorer.exe, spoolsv.exe and svchost.exe into C:\Windows\system, a directory the genuine binaries do not use (explorer.exe lives in C:\Windows, the other two in C:\Windows\System32), starts them in sequence, and also opens C:\Windows\system\udsys.exe for modification. It then installs four separate autostarts: a second entry appended to the Winlogon Shell value, Active Setup StubPath entries that run C:\Users\Admin\AppData\Roaming\mrsys.exe, RunOnce values for the dropped explorer.exe and svchost.exe, and three at.exe jobs (06:55, 06:56 and 06:57, /interactive, every day of the week) that relaunch c:\windows\system\svchost.exe. Setting ShowSuperHidden to 0 stops Explorer from displaying files marked hidden and system. The Active Setup component names are not valid GUIDs (they contain letters outside 0-9 and A-F), which makes them easy to match directly in the registry. The dropped files have different hashes in the two runs while the paths, registry values and command lines are the same, so the file hashes in the Files sections are per-run artifacts and the paths and registry values are the durable indicators. The BazaLoader signature fires with no indicator rows in either run and should be corroborated before being used for attribution. No command-and-control traffic was recorded: behavioral1 has no network activity, and behavioral2 lists only reverse-DNS (PTR) lookups sent to 8.8.8.8 and one TCP connection to 13.107.253.64:443 with no associated domain.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-13 06:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-13 06:53

Reported

2024-05-13 06:56

Platform

win7-20240508-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a33ace223221f156ad2565feb80d1d80_NeikiAnalytics.exe"

Signatures

Detects BazaLoader malware

trojan
Description Indicator Process Target
N/A N/A N/A N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\a33ace223221f156ad2565feb80d1d80_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a33ace223221f156ad2565feb80d1d80_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2104 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\a33ace223221f156ad2565feb80d1d80_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 2104 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\a33ace223221f156ad2565feb80d1d80_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 2104 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\a33ace223221f156ad2565feb80d1d80_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 2104 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\a33ace223221f156ad2565feb80d1d80_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 2424 wrote to memory of 2592 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2424 wrote to memory of 2592 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2424 wrote to memory of 2592 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2424 wrote to memory of 2592 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2592 wrote to memory of 2672 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2592 wrote to memory of 2672 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2592 wrote to memory of 2672 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2592 wrote to memory of 2672 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2672 wrote to memory of 2496 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2672 wrote to memory of 2496 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2672 wrote to memory of 2496 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2672 wrote to memory of 2496 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2672 wrote to memory of 2828 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2672 wrote to memory of 2828 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2672 wrote to memory of 2828 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2672 wrote to memory of 2828 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2672 wrote to memory of 1436 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2672 wrote to memory of 1436 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2672 wrote to memory of 1436 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2672 wrote to memory of 1436 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2672 wrote to memory of 1776 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2672 wrote to memory of 1776 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2672 wrote to memory of 1776 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2672 wrote to memory of 1776 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a33ace223221f156ad2565feb80d1d80_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a33ace223221f156ad2565feb80d1d80_NeikiAnalytics.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 06:55 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 06:56 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 06:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

N/A

Files

memory/2104-2-0x0000000000020000-0x0000000000024000-memory.dmp

memory/2104-1-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2104-4-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2104-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2104-0-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2424-19-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2104-18-0x0000000001D40000-0x0000000001D71000-memory.dmp

memory/2104-17-0x0000000001D40000-0x0000000001D71000-memory.dmp

C:\Windows\system\explorer.exe

MD5 e128346b219ecc9d6bb633b5097eb32e
SHA1 80e89a26f38c4bc6b3469e3c5ea80d3780435540
SHA256 1915cd69993fb2ecef91eaea11aae73ade95ac1aa674505a43800052bd9efb04
SHA512 b50132db1923e446cbe110b03442c73ad2b75a3012cc06a4788211b4443fcbe556b05204b83e9db8885eed14ff630f5bc5191bc0e4b7257ec512ff48c7c9e909

memory/2424-20-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2424-24-0x0000000000400000-0x0000000000431000-memory.dmp

\Windows\system\spoolsv.exe

MD5 2bdf460df895992bd5c245623fb11bde
SHA1 5f407c3fb0f3873aa05fcf8f8e09d7d2864dca25
SHA256 4a1ae360f521c5ab1364bb4acbe124ce3fac4a277438ac54f79a11d9e6863fcd
SHA512 e6783c5ff31bbe3cd627841aac20b8eb9f66e63c22bd510e784ac79ac0690836b297e09431382216cb5f3fa403dcbc08300f3d81315c59cbc871ef40d6c728f3

memory/2592-55-0x0000000002F00000-0x0000000002F31000-memory.dmp

memory/2592-54-0x0000000002F00000-0x0000000002F31000-memory.dmp

C:\Windows\system\svchost.exe

MD5 65895be4905dcd58a6ac1dafad47ac7b
SHA1 24a7fff91afb8ee5d9fe1017e67e6e698ea7b5d1
SHA256 ceccb348eb3b8d81fc7b5b801bd773e26e049e2ceac71fcfe016a5c696300cde
SHA512 818c93ffa362453fc7bd9f3ca552c9e2431fdd49bc03df3ab1ae9409307594e132281e21a9d385db85bbfefd6b521c8f517e83bd1462e52cf96a4757c99a456c

memory/2592-43-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2592-38-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2592-37-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2424-36-0x0000000002840000-0x0000000002871000-memory.dmp

memory/2672-56-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2672-60-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2424-69-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2672-67-0x0000000002640000-0x0000000002671000-memory.dmp

memory/2672-66-0x0000000002640000-0x0000000002671000-memory.dmp

memory/2104-65-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2496-70-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2496-76-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2592-80-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2104-83-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2104-82-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 51fa753a71e94a9272ab8abd28a7657b
SHA1 4998cf7fe2a215f85b9a75d5c32ecf1983757b9f
SHA256 b9c4e1f45e42934c2a24374e3292934783b8fe974c85e5bf13cc01225ce45fb6
SHA512 667809453f9d77fa8b717a9a9d7fa19ccddfead546525e2a3b3ceb63d6d7d6391c1a1062e441af7afb5822b83c623b1307c5a1ab181ddb93b1fb34ccce75db96

memory/2424-85-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2672-86-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2424-95-0x0000000000400000-0x0000000000431000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-13 06:53

Reported

2024-05-13 06:56

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a33ace223221f156ad2565feb80d1d80_NeikiAnalytics.exe"

Signatures

Detects BazaLoader malware

trojan
Description Indicator Process Target
N/A N/A N/A N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\a33ace223221f156ad2565feb80d1d80_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a33ace223221f156ad2565feb80d1d80_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a33ace223221f156ad2565feb80d1d80_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3304 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\a33ace223221f156ad2565feb80d1d80_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 3304 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\a33ace223221f156ad2565feb80d1d80_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 3304 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\a33ace223221f156ad2565feb80d1d80_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 3160 wrote to memory of 404 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3160 wrote to memory of 404 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3160 wrote to memory of 404 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 404 wrote to memory of 3224 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 404 wrote to memory of 3224 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 404 wrote to memory of 3224 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 3224 wrote to memory of 224 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 3224 wrote to memory of 224 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 3224 wrote to memory of 224 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 3224 wrote to memory of 2904 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3224 wrote to memory of 2904 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3224 wrote to memory of 2904 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3224 wrote to memory of 3616 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3224 wrote to memory of 3616 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3224 wrote to memory of 3616 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3224 wrote to memory of 1540 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3224 wrote to memory of 1540 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3224 wrote to memory of 1540 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
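The WriteProcessMemory table above, like the behavioral1 table with PIDs 2104, 2424, 2592 and 2672, prints one row per call, which hides the shape of the spawn chain. The script below is an added example and not part of the sandbox report: it folds the rows into a parent/child tree with a call count per edge. The input rows are constructed from this table (the seven distinct rows, each repeated three times as printed), and the regex assumes the report's exact "PID A wrote to memory of B N/A src dst" layout.

```python
"""Rebuild the spawn chain from the 'Suspicious use of WriteProcessMemory' rows.

Added example, not sandbox code. The report prints one row per
WriteProcessMemory call, so the same parent->child edge repeats; the rows
are folded into a tree that carries the call count on each edge.
"""
import re

WPM_ROW = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)

# Constructed input: the seven distinct rows of the behavioral2 table, each
# repeated three times as in the report (behavioral1 has the same shape
# with four repeats and different PIDs).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a33ace223221f156ad2565feb80d1d80_NeikiAnalytics.exe"
DISTINCT = [
    "PID 3304 wrote to memory of 3160 N/A " + SAMPLE + r" \??\c:\windows\system\explorer.exe",
    r"PID 3160 wrote to memory of 404 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe",
    r"PID 404 wrote to memory of 3224 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe",
    r"PID 3224 wrote to memory of 224 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe",
    r"PID 3224 wrote to memory of 2904 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe",
    r"PID 3224 wrote to memory of 3616 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe",
    r"PID 3224 wrote to memory of 1540 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe",
]
ROWS = "\n".join(row for row in DISTINCT for _ in range(3))


def norm(p):
    """Lower-case a path and strip the \\??\\ NT prefix the report prints."""
    return p.lower().replace("\\??\\", "")


def parse_edges(text):
    """Return {(src_pid, dst_pid): [src_image, dst_image, call_count]} in first-seen order."""
    edges = {}
    for line in text.splitlines():
        m = WPM_ROW.match(line.strip())
        if not m:
            continue
        key = (int(m["src"]), int(m["dst"]))
        if key in edges:
            edges[key][2] += 1
        else:
            edges[key] = [norm(m["src_img"]), norm(m["dst_img"]), 1]
    return edges


def build_tree(edges):
    """Return (roots, children, image); children maps pid -> [(child_pid, calls)]."""
    image, children = {}, {}
    for (src, dst), (src_img, dst_img, calls) in edges.items():
        image.setdefault(src, src_img)
        image[dst] = dst_img
        children.setdefault(src, []).append((dst, calls))
    written_to = {dst for _, dst in edges}
    roots = [pid for pid in image if pid not in written_to]  # never a write target
    return roots, children, image


def render(pid, children, image, depth=0, calls=0):
    """Indented lines, one per process, with the write count shown on each child."""
    tag = f"  ({calls} WriteProcessMemory calls from parent)" if calls else ""
    lines = [f"{'    ' * depth}{pid}  {image[pid]}{tag}"]
    for child, n in children.get(pid, []):
        lines.extend(render(child, children, image, depth + 1, n))
    return lines


if __name__ == "__main__":
    roots, children, image = build_tree(parse_edges(ROWS))
    for root in roots:
        print("\n".join(render(root, children, image)))
```

Run as-is it prints the single root (the submitted sample) followed by explorer.exe, spoolsv.exe, svchost.exe and, under svchost.exe, the second spoolsv.exe and the three at.exe children, each edge carrying three writes.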

Processes

C:\Users\Admin\AppData\Local\Temp\a33ace223221f156ad2565feb80d1d80_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a33ace223221f156ad2565feb80d1d80_NeikiAnalytics.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 06:55 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3692 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\at.exe

at 06:56 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 06:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
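The registry changes and process list recorded in this run, and in behavioral1, are the durable indicators of this sample. The Python script below is an added example and not the sandbox's signature logic: it applies the checks an analyst would want over the report's own rows (Winlogon Shell entries beyond explorer.exe, Active Setup components whose names are not valid GUIDs or whose StubPath points into a user profile, Run/RunOnce targets, ShowSuperHidden set to 0, system-binary names running outside their legitimate directories, and at.exe interactive daily jobs). The rows are copied from the behavioral1 tables; LEGIT_DIRS is an assumption about the default Windows layout, and the row regex assumes the report's exact formatting.

```python
"""Triage rules for the persistence and masquerading indicators in this report.

Added example, not the sandbox's signature engine. Inputs are rows copied
from the behavioral1 run (behavioral2 differs only in PIDs and user SID).
"""
import re
from pathlib import PureWindowsPath

# Where the imitated binaries legitimately live (assumption: default Windows
# layout; the sample writes its copies to C:\Windows\system instead).
LEGIT_DIRS = {
    "explorer.exe": {r"c:\windows"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
# Row layout as printed in the report: Set value (type) <key\name> = "<data>" <process> N/A
REG_ROW = re.compile(r'^Set value \((?:str|int)\) (?P<path>.+?) = "(?P<data>.*)" (?P<proc>\S+) N/A$')

# Constructed input: five rows from the behavioral1 Signatures tables.
REG_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A
"""
# Constructed input: (image, command line) pairs from the behavioral1 Processes list.
PROCESSES = [
    (r"C:\Users\Admin\AppData\Local\Temp\a33ace223221f156ad2565feb80d1d80_NeikiAnalytics.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\a33ace223221f156ad2565feb80d1d80_NeikiAnalytics.exe"'),
    (r"\??\c:\windows\system\explorer.exe", r"c:\windows\system\explorer.exe"),
    (r"\??\c:\windows\system\spoolsv.exe", r"c:\windows\system\spoolsv.exe SE"),
    (r"\??\c:\windows\system\svchost.exe", r"c:\windows\system\svchost.exe"),
    (r"C:\Windows\SysWOW64\at.exe",
     r"at 06:55 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe"),
]


def norm(p: str) -> str:
    """Lower-case a path and strip the \\??\\ NT prefix the report prints."""
    return p.lower().replace("\\??\\", "")


def parse_registry_rows(text: str):
    """Yield (key, value_name, data, process) from 'Set value' rows."""
    for line in text.splitlines():
        m = REG_ROW.match(line.strip())
        if m:
            key, _, name = m["path"].rpartition("\\")
            yield key, name, m["data"].replace("\\\\", "\\"), norm(m["proc"])


def masquerade(image: str):
    """Return the legitimate directories if image mimics a system binary from elsewhere."""
    p = PureWindowsPath(norm(image))
    legit = LEGIT_DIRS.get(p.name)
    return legit if legit and str(p.parent) not in legit else None


def check_registry(rows):
    findings = []
    for key, name, data, proc in rows:
        k, n = key.lower(), name.lower()
        if k.endswith(r"\winlogon") and n == "shell":
            # Anything beyond the single legitimate explorer.exe entry is an autostart.
            for entry in (e.strip() for e in data.split(",")):
                if entry.lower() != r"c:\windows\explorer.exe":
                    findings.append(("winlogon-shell", entry))
        elif r"\active setup\installed components" in k and n == "stubpath":
            guid = key.rpartition("\\")[2]
            if not GUID_RE.match(guid):         # letters outside 0-9/A-F: not a real GUID
                findings.append(("active-setup-bad-guid", guid))
            if "\\appdata\\" in data.lower():   # StubPath into a user profile
                findings.append(("active-setup-user-stub", data))
        elif k.endswith((r"\run", r"\runonce")):
            exe = data.split()[0]
            findings.append(("run-key", f"{name} -> {exe}"))
            if masquerade(exe):
                findings.append(("masquerade", exe))
        elif k.endswith(r"\explorer\advanced") and n == "showsuperhidden" and data == "0":
            findings.append(("hide-system-files", proc))
    return findings


def check_processes(procs):
    findings = []
    for image, cmd in procs:
        if masquerade(image):
            findings.append(("masquerade", norm(image)))
        toks = cmd.split()
        if (PureWindowsPath(norm(image)).name == "at.exe" and "/interactive" in toks
                and any(t.startswith("/every:") for t in toks)):
            findings.append(("at-job", f"{toks[1]} {toks[-1]}"))  # time and target
    return findings


if __name__ == "__main__":
    for rule, detail in check_registry(parse_registry_rows(REG_ROWS)) + check_processes(PROCESSES):
        print(f"{rule:24} {detail}")
```

The masquerade rule is path-based rather than hash-based on purpose: the dropped files hash differently in the two runs, while the C:\Windows\system paths, the malformed Active Setup names and the at.exe command lines repeat exactly.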

Network

Country Destination Domain Proto
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp

Files

memory/3304-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3304-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/3304-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3304-4-0x0000000000401000-0x000000000042E000-memory.dmp

memory/3304-2-0x0000000074C80000-0x0000000074DDD000-memory.dmp

C:\Windows\System\explorer.exe

MD5 d88dedabef80f93b72733aebb33257a5
SHA1 cbb5821a110b0d4c2bf2d235abf5587416ebcf4e
SHA256 40a436179a20182d86bf6b838c32ff8103cb7fa836efc4c94b756a5a96ec0e93
SHA512 ab9a1adc8ef43d3d1b6b3a1a5305abfc1e2d47f613be88d37c1789ddcbdece0bd84802cdb07f1a7731b91b3f2886023ff61d551bd9de244afd7cb7e7dde7a8d1

memory/3160-13-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3160-14-0x0000000074C80000-0x0000000074DDD000-memory.dmp

memory/3160-16-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 f2dbcab1299e3370a634e6c117506436
SHA1 1cc7645a7b555fc06c315e62bc68e6ae10adda2b
SHA256 97317a3912540b08a514bfcffee32298baa1353104e2639895a5ab265503edc8
SHA512 7bc51d667dc0c41bdd1e18761a923b1520767d34db25c1d0d10d23ec3767640512c046ddd190f8b5eb54028fcd0221a42711b460ba91657bc0ff4314ad54e49b

memory/404-25-0x0000000074C80000-0x0000000074DDD000-memory.dmp

C:\Windows\System\svchost.exe

MD5 ce9591e76e0bbd7402225ff948e32163
SHA1 871f7566dfe2829ebc5ba9416d307226c671fa71
SHA256 6ccaaa80e11f53a4476fac912e9ef41e90e25eb7468689277da4994feb3e9864
SHA512 2a8fee7926dddf78c00c71d7949f8e6178e4ff1fe1ea26ef2baa873e954b5d8371d6d7676fbc4b500fb22982134fc33b3c61ef46f6fb16e10f5fb380078ce5c4

memory/3304-35-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/3224-41-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3304-39-0x0000000000401000-0x000000000042E000-memory.dmp

memory/3224-36-0x0000000074C80000-0x0000000074DDD000-memory.dmp

memory/224-44-0x0000000074C80000-0x0000000074DDD000-memory.dmp

memory/224-49-0x0000000000400000-0x0000000000431000-memory.dmp

memory/404-53-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3304-55-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3304-56-0x0000000000401000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 834ea6c818813aa4e2906225f0bc0759
SHA1 9d518a9cfc7a48bf2f963172c9ba5c474056d831
SHA256 9bbf0b2fe9062c2e87d32d0b6656d343bee762f7c647466fac22508f2f2b913d
SHA512 07803daa326387abf744c923c3305fdcb10e3fbed3dfb8202eaa6b56fced4c25042ef84a289dc389a2ab60c9bea4ba14019b7d7f0236d911b98fc259035b5ee0

memory/3160-58-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3224-60-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3160-71-0x0000000000400000-0x0000000000431000-memory.dmp