1f9615353a45cbd37fe0088014a7bb0a5f1512eb3a33e8581244435c93919d68

Analysis

max time kernel
150s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b0c30b4ee33491f5bc576dbe2bfd1c0_NeikiAnalytics.exe
Size

130KB
MD5

6b0c30b4ee33491f5bc576dbe2bfd1c0
SHA1

c1a0b4bfce169ed0cbbfe6ce6ddd2edb5e73d155
SHA256

1f9615353a45cbd37fe0088014a7bb0a5f1512eb3a33e8581244435c93919d68
SHA512

fe33dd821ed1953c529bee4ac3b2b2c66dcda37c0b5bc90edca1643697067b316766b83cf0693350289c782a27e379e3f979be7fd441fccf53fe5ab7c4e09ec5
SSDEEP

3072:rqoCl/YgjxEufVU0TbTyDDal270FnJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJt:uLqdufVUNDalJJJJJJJJJJJJJJJJJJJb

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
1500	explorer.exe
3444	spoolsv.exe
4352	svchost.exe
1864	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	6b0c30b4ee33491f5bc576dbe2bfd1c0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4856	6b0c30b4ee33491f5bc576dbe2bfd1c0_NeikiAnalytics.exe
4856	6b0c30b4ee33491f5bc576dbe2bfd1c0_NeikiAnalytics.exe
4856	6b0c30b4ee33491f5bc576dbe2bfd1c0_NeikiAnalytics.exe
4856	6b0c30b4ee33491f5bc576dbe2bfd1c0_NeikiAnalytics.exe
4856	6b0c30b4ee33491f5bc576dbe2bfd1c0_NeikiAnalytics.exe
4856	6b0c30b4ee33491f5bc576dbe2bfd1c0_NeikiAnalytics.exe
4856	6b0c30b4ee33491f5bc576dbe2bfd1c0_NeikiAnalytics.exe
4856	6b0c30b4ee33491f5bc576dbe2bfd1c0_NeikiAnalytics.exe
4856	6b0c30b4ee33491f5bc576dbe2bfd1c0_NeikiAnalytics.exe
4856	6b0c30b4ee33491f5bc576dbe2bfd1c0_NeikiAnalytics.exe
4856	6b0c30b4ee33491f5bc576dbe2bfd1c0_NeikiAnalytics.exe
4856	6b0c30b4ee33491f5bc576dbe2bfd1c0_NeikiAnalytics.exe
4856	6b0c30b4ee33491f5bc576dbe2bfd1c0_NeikiAnalytics.exe
4856	6b0c30b4ee33491f5bc576dbe2bfd1c0_NeikiAnalytics.exe
4856	6b0c30b4ee33491f5bc576dbe2bfd1c0_NeikiAnalytics.exe
4856	6b0c30b4ee33491f5bc576dbe2bfd1c0_NeikiAnalytics.exe
4856	6b0c30b4ee33491f5bc576dbe2bfd1c0_NeikiAnalytics.exe
4856	6b0c30b4ee33491f5bc576dbe2bfd1c0_NeikiAnalytics.exe
4856	6b0c30b4ee33491f5bc576dbe2bfd1c0_NeikiAnalytics.exe
4856	6b0c30b4ee33491f5bc576dbe2bfd1c0_NeikiAnalytics.exe
4856	6b0c30b4ee33491f5bc576dbe2bfd1c0_NeikiAnalytics.exe
4856	6b0c30b4ee33491f5bc576dbe2bfd1c0_NeikiAnalytics.exe
4856	6b0c30b4ee33491f5bc576dbe2bfd1c0_NeikiAnalytics.exe
4856	6b0c30b4ee33491f5bc576dbe2bfd1c0_NeikiAnalytics.exe
4856	6b0c30b4ee33491f5bc576dbe2bfd1c0_NeikiAnalytics.exe
4856	6b0c30b4ee33491f5bc576dbe2bfd1c0_NeikiAnalytics.exe
4856	6b0c30b4ee33491f5bc576dbe2bfd1c0_NeikiAnalytics.exe
4856	6b0c30b4ee33491f5bc576dbe2bfd1c0_NeikiAnalytics.exe
4856	6b0c30b4ee33491f5bc576dbe2bfd1c0_NeikiAnalytics.exe
4856	6b0c30b4ee33491f5bc576dbe2bfd1c0_NeikiAnalytics.exe
4856	6b0c30b4ee33491f5bc576dbe2bfd1c0_NeikiAnalytics.exe
4856	6b0c30b4ee33491f5bc576dbe2bfd1c0_NeikiAnalytics.exe
4856	6b0c30b4ee33491f5bc576dbe2bfd1c0_NeikiAnalytics.exe
4856	6b0c30b4ee33491f5bc576dbe2bfd1c0_NeikiAnalytics.exe
1500	explorer.exe
1500	explorer.exe
1500	explorer.exe
1500	explorer.exe
1500	explorer.exe
1500	explorer.exe
1500	explorer.exe
1500	explorer.exe
1500	explorer.exe
1500	explorer.exe
1500	explorer.exe
1500	explorer.exe
1500	explorer.exe
1500	explorer.exe
1500	explorer.exe
1500	explorer.exe
1500	explorer.exe
1500	explorer.exe
1500	explorer.exe
1500	explorer.exe
1500	explorer.exe
1500	explorer.exe
1500	explorer.exe
1500	explorer.exe
1500	explorer.exe
1500	explorer.exe
1500	explorer.exe
1500	explorer.exe
1500	explorer.exe
1500	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1500	explorer.exe
4352	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4856	6b0c30b4ee33491f5bc576dbe2bfd1c0_NeikiAnalytics.exe
4856	6b0c30b4ee33491f5bc576dbe2bfd1c0_NeikiAnalytics.exe
1500	explorer.exe
1500	explorer.exe
3444	spoolsv.exe
3444	spoolsv.exe
4352	svchost.exe
4352	svchost.exe
1864	spoolsv.exe
1864	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 1500	4856	6b0c30b4ee33491f5bc576dbe2bfd1c0_NeikiAnalytics.exe	87
PID 4856 wrote to memory of 1500	4856	6b0c30b4ee33491f5bc576dbe2bfd1c0_NeikiAnalytics.exe	87
PID 4856 wrote to memory of 1500	4856	6b0c30b4ee33491f5bc576dbe2bfd1c0_NeikiAnalytics.exe	87
PID 1500 wrote to memory of 3444	1500	explorer.exe	88
PID 1500 wrote to memory of 3444	1500	explorer.exe	88
PID 1500 wrote to memory of 3444	1500	explorer.exe	88
PID 3444 wrote to memory of 4352	3444	spoolsv.exe	89
PID 3444 wrote to memory of 4352	3444	spoolsv.exe	89
PID 3444 wrote to memory of 4352	3444	spoolsv.exe	89
PID 4352 wrote to memory of 1864	4352	svchost.exe	90
PID 4352 wrote to memory of 1864	4352	svchost.exe	90
PID 4352 wrote to memory of 1864	4352	svchost.exe	90

C:\Users\Admin\AppData\Local\Temp\6b0c30b4ee33491f5bc576dbe2bfd1c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6b0c30b4ee33491f5bc576dbe2bfd1c0_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4856
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1500
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3444
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4352
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
130KB

MD5
69a4a0d0ac535882777a346a72f7c9bf

SHA1
03c70048715a3361ba49475c720069faf1e71ac4

SHA256
bb5740674de97a13185324a7feca060f0c748d760851b49f2ca913a389bfa5a2

SHA512
da4cf44195d019078559e732083d030daa9d938036dc11bbdb8011bc27a614fb7f2d48cabac3aacafe781fbb3e9e4bc55731667629c04b0f9723c33d326561cd

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
130KB

MD5
4a7195671d6b145b472f3dd337ae0361

SHA1
c9f96e20d591d36efe7e24d49de8af75e2888a52

SHA256
489ba4f58760ee8abc3d04f4adc92ff34033dfe74a51606f2fadaa2925b33ebd

SHA512
a6f7de2e0ddc6836c9f64ef75386f43112f8615dbdc617562e420fd652247aea41c41a220a02647451cae08d6c64bdffdde4e3c8e6cc4aa4d913b8d70c7e2b4e

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
130KB

MD5
157dddb07363ec44304ede817bacce56

SHA1
2bcac50c81a75de760dc3fd6d0c27d25c23bce06

SHA256
02ec1cdc6f8be4e0d46c83bc8ca823dc3b2750bab4e678b47f0b57e1509d9ae4

SHA512
425d0c2115d947af73bc46bb36185d28dfd68d6d00dffb67c4c09d6e44246ba954190d7efcc6d704e89c5ec0e8fb2475061dee40658a2a7dcfa135ea1fbe1eda

Download Submit
memory/4856-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download