693344b16f58b92d4e6db5c01bb1bc93e97290a6f983665fc2d4e88272419698

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/05/2024, 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c6d180627372c3c0b52ff839ce356d0_NeikiAnalytics.exe
Size

326KB
MD5

2c6d180627372c3c0b52ff839ce356d0
SHA1

e08ccf0b3a71dc55ab0ccd9cff0c37e125bb11e8
SHA256

693344b16f58b92d4e6db5c01bb1bc93e97290a6f983665fc2d4e88272419698
SHA512

3b9f8375b9eb7074c711ae76399ef9a53d453df521d18ac1e78725b925f6547db3cf85cd00c9c1f2a29a39542cca45d2901c68f990c0c10fd7ce8743381562fe
SSDEEP

6144:zvEN2U+T6i5LirrllHy4HUcMQY6SbJhs7QW69hd1MMdxPe9N9uA0hu9TBJG:zENN+T5xYrllrU7QY6SbjDhu9THG

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe

Executes dropped EXE 6 IoCs

pid	Process
296	2c6d180627372c3c0b52ff839ce356d0_neikianalytics.exe
2532	icsys.icn.exe
2576	explorer.exe
2852	spoolsv.exe
2432	svchost.exe
2976	spoolsv.exe

Loads dropped DLL 11 IoCs

pid	Process
1628	2c6d180627372c3c0b52ff839ce356d0_NeikiAnalytics.exe
1628	2c6d180627372c3c0b52ff839ce356d0_NeikiAnalytics.exe
1628	2c6d180627372c3c0b52ff839ce356d0_NeikiAnalytics.exe
2532	icsys.icn.exe
2532	icsys.icn.exe
2576	explorer.exe
2576	explorer.exe
2852	spoolsv.exe
2852	spoolsv.exe
2432	svchost.exe
2432	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2532	icsys.icn.exe
2576	explorer.exe
2576	explorer.exe
2576	explorer.exe
2432	svchost.exe
2432	svchost.exe
2576	explorer.exe
2432	svchost.exe
2576	explorer.exe
2432	svchost.exe
2576	explorer.exe
2432	svchost.exe
2576	explorer.exe
2432	svchost.exe
2576	explorer.exe
2432	svchost.exe
2576	explorer.exe
2432	svchost.exe
2576	explorer.exe
2432	svchost.exe
2576	explorer.exe
2432	svchost.exe
2576	explorer.exe
2432	svchost.exe
2576	explorer.exe
2432	svchost.exe
2576	explorer.exe
2432	svchost.exe
2576	explorer.exe
2432	svchost.exe
2576	explorer.exe
2432	svchost.exe
2576	explorer.exe
2432	svchost.exe
2576	explorer.exe
2432	svchost.exe
2576	explorer.exe
2432	svchost.exe
2576	explorer.exe
2432	svchost.exe
2576	explorer.exe
2432	svchost.exe
2576	explorer.exe
2432	svchost.exe
2576	explorer.exe
2432	svchost.exe
2576	explorer.exe
2432	svchost.exe
2576	explorer.exe
2432	svchost.exe
2576	explorer.exe
2432	svchost.exe
2576	explorer.exe
2432	svchost.exe
2576	explorer.exe
2432	svchost.exe
2576	explorer.exe
2432	svchost.exe
2576	explorer.exe
2432	svchost.exe
2576	explorer.exe
2432	svchost.exe
2576	explorer.exe
2432	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2576	explorer.exe
2432	svchost.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1628	2c6d180627372c3c0b52ff839ce356d0_NeikiAnalytics.exe
1628	2c6d180627372c3c0b52ff839ce356d0_NeikiAnalytics.exe
2532	icsys.icn.exe
2532	icsys.icn.exe
2576	explorer.exe
2576	explorer.exe
2852	spoolsv.exe
2852	spoolsv.exe
2432	svchost.exe
2432	svchost.exe
2976	spoolsv.exe
2976	spoolsv.exe
2576	explorer.exe
2576	explorer.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 296	1628	2c6d180627372c3c0b52ff839ce356d0_NeikiAnalytics.exe	28
PID 1628 wrote to memory of 296	1628	2c6d180627372c3c0b52ff839ce356d0_NeikiAnalytics.exe	28
PID 1628 wrote to memory of 296	1628	2c6d180627372c3c0b52ff839ce356d0_NeikiAnalytics.exe	28
PID 1628 wrote to memory of 296	1628	2c6d180627372c3c0b52ff839ce356d0_NeikiAnalytics.exe	28
PID 1628 wrote to memory of 2532	1628	2c6d180627372c3c0b52ff839ce356d0_NeikiAnalytics.exe	29
PID 1628 wrote to memory of 2532	1628	2c6d180627372c3c0b52ff839ce356d0_NeikiAnalytics.exe	29
PID 1628 wrote to memory of 2532	1628	2c6d180627372c3c0b52ff839ce356d0_NeikiAnalytics.exe	29
PID 1628 wrote to memory of 2532	1628	2c6d180627372c3c0b52ff839ce356d0_NeikiAnalytics.exe	29
PID 296 wrote to memory of 2632	296	2c6d180627372c3c0b52ff839ce356d0_neikianalytics.exe	30
PID 296 wrote to memory of 2632	296	2c6d180627372c3c0b52ff839ce356d0_neikianalytics.exe	30
PID 296 wrote to memory of 2632	296	2c6d180627372c3c0b52ff839ce356d0_neikianalytics.exe	30
PID 2532 wrote to memory of 2576	2532	icsys.icn.exe	32
PID 2532 wrote to memory of 2576	2532	icsys.icn.exe	32
PID 2532 wrote to memory of 2576	2532	icsys.icn.exe	32
PID 2532 wrote to memory of 2576	2532	icsys.icn.exe	32
PID 2576 wrote to memory of 2852	2576	explorer.exe	33
PID 2576 wrote to memory of 2852	2576	explorer.exe	33
PID 2576 wrote to memory of 2852	2576	explorer.exe	33
PID 2576 wrote to memory of 2852	2576	explorer.exe	33
PID 2852 wrote to memory of 2432	2852	spoolsv.exe	34
PID 2852 wrote to memory of 2432	2852	spoolsv.exe	34
PID 2852 wrote to memory of 2432	2852	spoolsv.exe	34
PID 2852 wrote to memory of 2432	2852	spoolsv.exe	34
PID 2432 wrote to memory of 2976	2432	svchost.exe	35
PID 2432 wrote to memory of 2976	2432	svchost.exe	35
PID 2432 wrote to memory of 2976	2432	svchost.exe	35
PID 2432 wrote to memory of 2976	2432	svchost.exe	35
PID 2432 wrote to memory of 2948	2432	svchost.exe	36
PID 2432 wrote to memory of 2948	2432	svchost.exe	36
PID 2432 wrote to memory of 2948	2432	svchost.exe	36
PID 2432 wrote to memory of 2948	2432	svchost.exe	36
PID 2432 wrote to memory of 1312	2432	svchost.exe	40
PID 2432 wrote to memory of 1312	2432	svchost.exe	40
PID 2432 wrote to memory of 1312	2432	svchost.exe	40
PID 2432 wrote to memory of 1312	2432	svchost.exe	40
PID 2432 wrote to memory of 1100	2432	svchost.exe	42
PID 2432 wrote to memory of 1100	2432	svchost.exe	42
PID 2432 wrote to memory of 1100	2432	svchost.exe	42
PID 2432 wrote to memory of 1100	2432	svchost.exe	42

C:\Users\Admin\AppData\Local\Temp\2c6d180627372c3c0b52ff839ce356d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2c6d180627372c3c0b52ff839ce356d0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1628
- \??\c:\users\admin\appdata\local\temp\2c6d180627372c3c0b52ff839ce356d0_neikianalytics.exe
  c:\users\admin\appdata\local\temp\2c6d180627372c3c0b52ff839ce356d0_neikianalytics.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:296
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1FB1.tmp\1FB2.tmp\1FB3.bat c:\users\admin\appdata\local\temp\2c6d180627372c3c0b52ff839ce356d0_neikianalytics.exe "
    3⤵
    PID:2632
- C:\Users\Admin\AppData\Local\icsys.icn.exe
  C:\Users\Admin\AppData\Local\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2532
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visiblity of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - \??\c:\windows\system\spoolsv.exe
      c:\windows\system\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2852
    - - \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        5⤵
        Modifies WinLogon for persistence
        Modifies visiblity of hidden/system files in Explorer
        Modifies Installed Components in the registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2432
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2976
      - C:\Windows\SysWOW64\at.exe
        
        at 20:27 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        
        PID:2948
      - C:\Windows\SysWOW64\at.exe
        
        at 20:28 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        
        PID:1312
      - C:\Windows\SysWOW64\at.exe
        
        at 20:29 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        
        PID:1100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1FB1.tmp\1FB2.tmp\1FB3.bat

Filesize
156B

MD5
0a49663c81882b5223fef72a73ad5ddb

SHA1
f0c5097726c1908087f0f0b1c5ebbff394002947

SHA256
57c9792955bab7ac601c69e8a16a1b3dec66144178b74b5d7843a04612182318

SHA512
b2f5964f0dd4db66296224fe901f1e4176d490796e8d3e1864608ff73d804d648443919f01718e77712741f811779ffac86fbec05e06ca0d643328477583c750

Download Submit
C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
ff56dfb73d9f950ca166f5643587489f

SHA1
025a99018ceaaccf3a90a6467d6efa5a0e84603b

SHA256
01a35415749cbe63c21dc7773d94562f47c96fddcf0a66cca3587771b9d8726f

SHA512
a65ed14d9294549417d3d3ed4308e7d9d3ce6273938be45d75e72a2a64ef42ed7c5923d2e295b3a5ab9f65396aafd31f9e82a00bae2ab3496695a7592fdb6025

Download Submit
\Users\Admin\AppData\Local\Temp\2c6d180627372c3c0b52ff839ce356d0_neikianalytics.exe

Filesize
119KB

MD5
8a1056fc8516870fe59b26e9f2ac5ea5

SHA1
4b888e1b9d11e412f3d611ff0f53a1a469db98c2

SHA256
c7bb9de918938658d5ef03d01b4d71b97d778ca63c4a07d70fecaa75fce04665

SHA512
34eaebe6c2ecfab1903bb6c045f84efba61bd077ad93a42ddc204ab9168457de9694b76eb1e322a4eaee3ff303122552c944174c0d42fb2f8d11b2e0973b7cac

Download Submit
\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
08525cc88ac970331c5b8fa3758ef985

SHA1
c8482944c646456e2c19f531b82469cba2d20a56

SHA256
8a3804fab841d92048c21b46aa606e3f500c6a55b1862674b11db638c5fdbe1b

SHA512
7f2eb013edd0c1e9104ff30f11e02cc4120d03aa1154ec82bbb818aa229b1a60687f280323797ad9cd113e77af738e461dc9877635a3d0642b54bec06e3fcf59

Download Submit
\Windows\system\explorer.exe

Filesize
206KB

MD5
e371a6627d9cd474037b3e315c8e7aa2

SHA1
fab8d16f5c16c455a545fe9ca4d2d816c81f8625

SHA256
0aaa146c4646bf42101dbe96e978d31255ff9f35069e982dfd354a8721eec370

SHA512
da39ad1a854027bd869321f1298e2efdd33b153b69346912af213f20cceabb23f991550251f81c925f9f720b2ca2f738c862e3970113d99d284ace38cad69ea2

Download Submit
\Windows\system\spoolsv.exe

Filesize
207KB

MD5
a6fb28c06eb8212612cb47ab9d033497

SHA1
0e900fcc116f7c0f2a72e07d9a66e324f17a8625

SHA256
7f0e477cf060b9319c91e2f04acf7b7b85cd01f16bc4fdc2970e6ff4c7f10860

SHA512
f3202524466a5ec9e8847cf2cb40d7a4203f40b1f4ffb1b8d159ac1149c8cb9768cf19e0feb78c3e5f47bc62fe4fbe61152b57f64601c85573a97c18e737ca43

Download Submit
\Windows\system\svchost.exe

Filesize
206KB

MD5
eb00bf3808845ed23942b8433cc7bf51

SHA1
2f3d07e3ed63eebc766b4529da3fbaeea62f50d2

SHA256
63c31dceb87fb0550b085279df8b6a4ce99f0fa27c6cbe673432fb7e2e33d15d

SHA512
797d896974f485d76dd015dfb6b188fc31871d128588eff8ce711cb0b111be9103c9c7ef8eddb1826d777621a6e8b5434d48e871be9b433b321b0e4e3b701624

Download Submit