Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
submitted: 13/05/2024, 10:23
Static task: static1
Behavioral task: behavioral1
  Sample: b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
General
Target: b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe
Size: 135KB
MD5: b2649969cea620ec40e625af91a7c100
SHA1: d4808aeebd7c08c14ecdbf28bd509d1f1cf0aeef
SHA256: 2c9cdf610d7ca1a0fe5012ce4d1e892bfc75060965473a5997fb9b5943cfffad
SHA512: 60fe3a879623bce6e2647698f31c59e606218e74199f7f0298fd989287d91bc1052b82d4021d7b0c9da63e9f343546946350a01652b0073cca80fefa47e21884
SSDEEP: 1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVE16tZi:UVqoCl/YgjxEufVU0TbTyDDalni
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Executes dropped EXE (4 IoCs)
pid | Process
2972 | explorer.exe
2312 | spoolsv.exe
5020 | svchost.exe
4204 | spoolsv.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | \??\c:\windows\resources\themes\explorer.exe | b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe
File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4560 | b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe
2972 | explorer.exe
(all 64 entries are repeats of these two rows)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
2972 | explorer.exe
5020 | svchost.exe
Suspicious use of SetWindowsHookEx (10 IoCs)
pid | Process
4560 | b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe
4560 | b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe
2972 | explorer.exe
2972 | explorer.exe
2312 | spoolsv.exe
2312 | spoolsv.exe
5020 | svchost.exe
5020 | svchost.exe
4204 | spoolsv.exe
4204 | spoolsv.exe
Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 4560 wrote to memory of 2972 | 4560 | b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe | 85 (listed 3 times)
PID 2972 wrote to memory of 2312 | 2972 | explorer.exe | 86 (listed 3 times)
PID 2312 wrote to memory of 5020 | 2312 | spoolsv.exe | 87 (listed 3 times)
PID 5020 wrote to memory of 4204 | 5020 | svchost.exe | 88 (listed 3 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b2649969cea620ec40e625af91a7c100_NeikiAnalytics.exe"
   PID: 4560
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. \??\c:\windows\resources\themes\explorer.exe
      Command line: c:\windows\resources\themes\explorer.exe
      PID: 2972
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. \??\c:\windows\resources\spoolsv.exe
         Command line: c:\windows\resources\spoolsv.exe SE
         PID: 2312
         - Executes dropped EXE
         - Drops file in Windows directory
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. \??\c:\windows\resources\svchost.exe
            Command line: c:\windows\resources\svchost.exe
            PID: 5020
            - Modifies visibility of hidden/system files in Explorer
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in System32 directory
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            5. \??\c:\windows\resources\spoolsv.exe
               Command line: c:\windows\resources\spoolsv.exe PR
               PID: 4204
               - Executes dropped EXE
               - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 135KB
MD5: 612e47efefe6db86d4b82bf03e19930f
SHA1: b11c950ba397e210da5be4ea0cb85e82d42d2630
SHA256: bce25edfbbcf87be7fc5d4ac328813c4da1cb047d397aafcb977aac0d9e1bb84
SHA512: fca821422b0f2c57f016d8e820b991b5eaba7eaab65764f69192b81b96192d87414b4008820b612f366d149a899cc3f82466f67f200dfed1cce9443c9a1c11d9

Filesize: 135KB
MD5: f1cb45b782cf772160e3b587218e45c6
SHA1: 993df975ac87e34ade127fb67a99c1c4b09b4260
SHA256: bbe5a0e2dedb062ac5f27ca369d5c96788f21e322724d087d0a0f459c182b6a4
SHA512: 348dd4dde6e954ff88a44627ef6559f980e4b7e2a0e15d6c727265fd7a993b9f6c8b9329530c92db2d92e01f04d6a47b0ec7ccc741aa1e799f00d48e4401e851

Filesize: 135KB
MD5: 1c41f22562d70dd8f36d98fe858a2815
SHA1: f5885e65babae369ba8442c4c4e648b106656ca1
SHA256: 809202f5e4e9f9166bbc813f54edb3a0c08f61daa75c97efd49d7b710194e18d
SHA512: 81d878c9baf6059587b8b83d500cc3a1d73b2a956eeb61c2eb34328a4bdb358f34ce3cf64e2cc1a0bbfeee5f0f595e64dbf1c1492910717c0799999ef6d5b506