7307c39ebeba1317ac80ac9c3a9ed9362484cddd9786abf8a6e5d72b735b5b8d

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
13/05/2024, 09:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

aed457bd5c0140eab425f7130f6d4e50_NeikiAnalytics.exe
Size

206KB
MD5

aed457bd5c0140eab425f7130f6d4e50
SHA1

8fa7e3a22e47a2fec770c86b5c0a3c805a19c97a
SHA256

7307c39ebeba1317ac80ac9c3a9ed9362484cddd9786abf8a6e5d72b735b5b8d
SHA512

9eb2b86460a24738c426d953fd5c0d28143953c8ab7e4a46017bf3c0af4a515f6e56a78ef3c9737a9426b098e111d05de32e7b8bd8242cf345287e8eb3b0b2d5
SSDEEP

3072:zvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unTeeeeeeeeeeeeeeeeeeeeeO:zvEN2U+T6i5LirrllHy4HUcMQY6w

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
1684	explorer.exe
2384	spoolsv.exe
3000	svchost.exe
2792	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
2408	aed457bd5c0140eab425f7130f6d4e50_NeikiAnalytics.exe
2408	aed457bd5c0140eab425f7130f6d4e50_NeikiAnalytics.exe
1684	explorer.exe
1684	explorer.exe
2384	spoolsv.exe
2384	spoolsv.exe
3000	svchost.exe
3000	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	aed457bd5c0140eab425f7130f6d4e50_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2408	aed457bd5c0140eab425f7130f6d4e50_NeikiAnalytics.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
3000	svchost.exe
3000	svchost.exe
1684	explorer.exe
3000	svchost.exe
1684	explorer.exe
3000	svchost.exe
1684	explorer.exe
3000	svchost.exe
1684	explorer.exe
3000	svchost.exe
1684	explorer.exe
3000	svchost.exe
1684	explorer.exe
3000	svchost.exe
1684	explorer.exe
3000	svchost.exe
1684	explorer.exe
3000	svchost.exe
1684	explorer.exe
3000	svchost.exe
1684	explorer.exe
3000	svchost.exe
1684	explorer.exe
3000	svchost.exe
1684	explorer.exe
3000	svchost.exe
1684	explorer.exe
3000	svchost.exe
1684	explorer.exe
3000	svchost.exe
1684	explorer.exe
3000	svchost.exe
1684	explorer.exe
3000	svchost.exe
1684	explorer.exe
3000	svchost.exe
1684	explorer.exe
3000	svchost.exe
1684	explorer.exe
3000	svchost.exe
1684	explorer.exe
3000	svchost.exe
1684	explorer.exe
3000	svchost.exe
1684	explorer.exe
3000	svchost.exe
1684	explorer.exe
3000	svchost.exe
1684	explorer.exe
3000	svchost.exe
1684	explorer.exe
3000	svchost.exe
1684	explorer.exe
3000	svchost.exe
1684	explorer.exe
3000	svchost.exe
1684	explorer.exe
3000	svchost.exe
1684	explorer.exe
3000	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1684	explorer.exe
3000	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2408	aed457bd5c0140eab425f7130f6d4e50_NeikiAnalytics.exe
2408	aed457bd5c0140eab425f7130f6d4e50_NeikiAnalytics.exe
1684	explorer.exe
1684	explorer.exe
2384	spoolsv.exe
2384	spoolsv.exe
3000	svchost.exe
3000	svchost.exe
2792	spoolsv.exe
2792	spoolsv.exe
1684	explorer.exe
1684	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 1684	2408	aed457bd5c0140eab425f7130f6d4e50_NeikiAnalytics.exe	28
PID 2408 wrote to memory of 1684	2408	aed457bd5c0140eab425f7130f6d4e50_NeikiAnalytics.exe	28
PID 2408 wrote to memory of 1684	2408	aed457bd5c0140eab425f7130f6d4e50_NeikiAnalytics.exe	28
PID 2408 wrote to memory of 1684	2408	aed457bd5c0140eab425f7130f6d4e50_NeikiAnalytics.exe	28
PID 1684 wrote to memory of 2384	1684	explorer.exe	29
PID 1684 wrote to memory of 2384	1684	explorer.exe	29
PID 1684 wrote to memory of 2384	1684	explorer.exe	29
PID 1684 wrote to memory of 2384	1684	explorer.exe	29
PID 2384 wrote to memory of 3000	2384	spoolsv.exe	30
PID 2384 wrote to memory of 3000	2384	spoolsv.exe	30
PID 2384 wrote to memory of 3000	2384	spoolsv.exe	30
PID 2384 wrote to memory of 3000	2384	spoolsv.exe	30
PID 3000 wrote to memory of 2792	3000	svchost.exe	31
PID 3000 wrote to memory of 2792	3000	svchost.exe	31
PID 3000 wrote to memory of 2792	3000	svchost.exe	31
PID 3000 wrote to memory of 2792	3000	svchost.exe	31
PID 3000 wrote to memory of 2668	3000	svchost.exe	32
PID 3000 wrote to memory of 2668	3000	svchost.exe	32
PID 3000 wrote to memory of 2668	3000	svchost.exe	32
PID 3000 wrote to memory of 2668	3000	svchost.exe	32
PID 3000 wrote to memory of 1712	3000	svchost.exe	36
PID 3000 wrote to memory of 1712	3000	svchost.exe	36
PID 3000 wrote to memory of 1712	3000	svchost.exe	36
PID 3000 wrote to memory of 1712	3000	svchost.exe	36
PID 3000 wrote to memory of 264	3000	svchost.exe	38
PID 3000 wrote to memory of 264	3000	svchost.exe	38
PID 3000 wrote to memory of 264	3000	svchost.exe	38
PID 3000 wrote to memory of 264	3000	svchost.exe	38

C:\Users\Admin\AppData\Local\Temp\aed457bd5c0140eab425f7130f6d4e50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\aed457bd5c0140eab425f7130f6d4e50_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2408
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1684
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2384
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3000
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2792
    - - C:\Windows\SysWOW64\at.exe
        
        at 09:34 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2668
    - - C:\Windows\SysWOW64\at.exe
        
        at 09:35 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1712
    - - C:\Windows\SysWOW64\at.exe
        
        at 09:36 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
bd62469f44da0bfe1d2f6fecb71c528c

SHA1
25f31e2257681351243d1a3df96c6ab59acfeded

SHA256
061b369b4057294feefc19a61d16d42ed889b419e4650982338cce6a984180d3

SHA512
f140bc80acc43073c675c7520b8b38ea6b83cf3259eea73aefe0f7068f7657acfbe5a61cebe1bb8b415f2bf2f78520e554a702c2a79b2515670a52df1effa8ec

Download Submit
\Windows\system\explorer.exe

Filesize
206KB

MD5
503faa30373ee7a9a539803fb95af8ee

SHA1
e35a7fb4c0c3758b12bfec74b033077a23e7d7b3

SHA256
6489f87d4f709a5af61582fcca1d5b02f18e6449345f110e00cd9989af9a227d

SHA512
b081a7aba82e0d6b9364a6bbb8cbbfe1abcaeee38e00f31b37830d1ad6a2a75afd2e46b5675ae072cda60908992344ab46283a3f422801db3f0f16b79905fa6d

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
8476fe18519cb2d784c172f37ca38122

SHA1
07a07671fe9b6445bb236887ee3a377d1ca64649

SHA256
5949809a5d7b0f4c039bab18bdc2935dff3ba85ef540b926020bf9a3af223cc1

SHA512
0a77dfa72bdbd07d26e80700754e7f5980272aad7bfd888c85634b01866785fb1a421050ba4f3e8d8f40ac33b050ff4d0bfb55a9f10efacf9092eeed9858a148

Download Submit
\Windows\system\svchost.exe

Filesize
207KB

MD5
bc982b2ecd58cff3a069ba2d40fb6ed4

SHA1
d9bf0698d6e7f49b6e191f787e869eb0ca2fa6ff

SHA256
a55800892c7c23c0b80f6ece0c1648411e65b979ded42a91fc73f2083c946524

SHA512
f5155e3e0e5eb8808d77117fbfcf1b8c2fe002dc1a6638c07ee9e6e3ef61fc210c47f55530149a996cb4b3f01387b74f23bba07f47f0c51c092888de673d7297

Download Submit