Analysis
max time kernel: 150s
max time network: 124s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 13/05/2024, 10:23
Static task: static1
Behavioral task: behavioral1
  Sample: b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
General
Target: b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe
Size: 135KB
MD5: b2649969cea620ec40e625af91a7c100
SHA1: d4808aeebd7c08c14ecdbf28bd509d1f1cf0aeef
SHA256: 2c9cdf610d7ca1a0fe5012ce4d1e892bfc75060965473a5997fb9b5943cfffad
SHA512: 60fe3a879623bce6e2647698f31c59e606218e74199f7f0298fd989287d91bc1052b82d4021d7b0c9da63e9f343546946350a01652b0073cca80fefa47e21884
SSDEEP: 1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVE16tZi:UVqoCl/YgjxEufVU0TbTyDDalni
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe

Executes dropped EXE (4 IoCs)
pid | Process
1992 | explorer.exe
2560 | spoolsv.exe
2628 | svchost.exe
2672 | spoolsv.exe

Loads dropped DLL (4 IoCs)
pid | Process
1484 | b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe
1992 | explorer.exe
2560 | spoolsv.exe
2628 | svchost.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe

Drops file in System32 directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe

Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | \??\c:\windows\resources\themes\explorer.exe | b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe
File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe

Creates scheduled task(s) (1 TTP, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2556 | schtasks.exe
2184 | schtasks.exe
2572 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs; consecutive repeats collapsed, report order kept)
pid | Process | Count
1484 | b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe | 17
1992 | explorer.exe | 16
2628 | svchost.exe | 16
1992 | explorer.exe | 3
2628 | svchost.exe | 2
1992 / 2628 | explorer.exe / svchost.exe, alternating | 5 pairs (10)

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
1992 | explorer.exe
2628 | svchost.exe

Suspicious use of SetWindowsHookEx (10 IoCs)
pid | Process | Count
1484 | b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe | 2
1992 | explorer.exe | 2
2560 | spoolsv.exe | 2
2628 | svchost.exe | 2
2672 | spoolsv.exe | 2

Suspicious use of WriteProcessMemory (32 IoCs; each write is reported 4 times)
description | pid | Process | procid_target
PID 1484 wrote to memory of 1992 | 1484 | b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe | 28
PID 1992 wrote to memory of 2560 | 1992 | explorer.exe | 29
PID 2560 wrote to memory of 2628 | 2560 | spoolsv.exe | 30
PID 2628 wrote to memory of 2672 | 2628 | svchost.exe | 31
PID 1992 wrote to memory of 2588 | 1992 | explorer.exe | 32
PID 2628 wrote to memory of 2556 | 2628 | svchost.exe | 33
PID 2628 wrote to memory of 2184 | 2628 | svchost.exe | 38
PID 2628 wrote to memory of 2572 | 2628 | svchost.exe | 40
Processes (indentation shows the parent/child tree)
C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe"
  PID: 1484
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  \??\c:\windows\resources\themes\explorer.exe
    Command line: c:\windows\resources\themes\explorer.exe
    PID: 1992
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    \??\c:\windows\resources\spoolsv.exe
      Command line: c:\windows\resources\spoolsv.exe SE
      PID: 2560
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      \??\c:\windows\resources\svchost.exe
        Command line: c:\windows\resources\svchost.exe
        PID: 2628
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        \??\c:\windows\resources\spoolsv.exe
          Command line: c:\windows\resources\spoolsv.exe PR
          PID: 2672
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 10:25 /f
          PID: 2556
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 10:26 /f
          PID: 2184
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 10:27 /f
          PID: 2572
          - Creates scheduled task(s)
    C:\Windows\Explorer.exe
      Command line: C:\Windows\Explorer.exe
      PID: 2588
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Downloads
Filesize: 135KB
MD5: 1cf504fa108ebf920a06fa566e7cb340
SHA1: acce6d7908dcd95fcd49d3c7dd6be3b0b62eeee0
SHA256: 6375cb246ea6f8e2dbda2c5b8f443ba0627c8c004db850bd782169ad244c8dde
SHA512: 173649952b6f774b6e6e9dc8bf148a9562d1ca6a51bb1b24ba307ffc676eea6a9157961744a7e552b0d0c8714a9e6ed7c63a3461897fe4ad226019c0e60a5d46

Filesize: 135KB
MD5: 8d359accb3d5e82a7842f7e6b4f3dd4e
SHA1: 71b179b84ac52c11dcdf226afc6462201a94e81c
SHA256: 363689c05cbaba95424d37cdc54a37b41d50ccf5d0d3db08a766ffbee5597aa8
SHA512: b39df8faab8478ee90cfb3066fa0a268c12effcc4a993ab4bfb96a607104fa643ff9abf1c0d970ffb98e6954b92a6eb3d7fd6e17d3743df772074dc72db0678c

Filesize: 135KB
MD5: 8a6c194666ba9345d7e7f230901c0d27
SHA1: 69e9eafb7da749520340a3889b003ddf59d61dcd
SHA256: 415d12baff16d92b99699392339f5a0a997546d9cc999bd9faacbb3a46be0772
SHA512: 4a6eb4286db6089e83322f405638eef5fca0c16dd1e10bf3975147a6b4f05b225ae16fe3f7f9eb3a7101f6d8eab5b6d077c148a7972919af90a21e796c6f76c6