06fa71b51e1e78dcb852cd031ac8e2650af0f5c69460223e35cf3ebdf0a24d4f

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/05/2024, 09:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8038817cbcb9b02b78c9a9c8a340df0_NeikiAnalytics.exe
Size

135KB
MD5

d8038817cbcb9b02b78c9a9c8a340df0
SHA1

3f15eacf256fb9487a4c29d761af0e0d605398bc
SHA256

06fa71b51e1e78dcb852cd031ac8e2650af0f5c69460223e35cf3ebdf0a24d4f
SHA512

1c96cd3ab801ae3b9ab43580394496bc63cd0d1cde2b8f92ba3c76d1b3320ee0e8cf8e8f1706f338cf38f5ff0a9d656961f5498cc87e57a17835c0f5885e79a9
SSDEEP

1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVCa:UVqoCl/YgjxEufVU0TbTyDDalQa

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2996	explorer.exe
2636	spoolsv.exe
2516	svchost.exe
3008	spoolsv.exe

Loads dropped DLL 4 IoCs

pid	Process
2964	d8038817cbcb9b02b78c9a9c8a340df0_NeikiAnalytics.exe
2996	explorer.exe
2636	spoolsv.exe
2516	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	d8038817cbcb9b02b78c9a9c8a340df0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2160	schtasks.exe
2672	schtasks.exe
2852	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2964	d8038817cbcb9b02b78c9a9c8a340df0_NeikiAnalytics.exe
2964	d8038817cbcb9b02b78c9a9c8a340df0_NeikiAnalytics.exe
2964	d8038817cbcb9b02b78c9a9c8a340df0_NeikiAnalytics.exe
2964	d8038817cbcb9b02b78c9a9c8a340df0_NeikiAnalytics.exe
2964	d8038817cbcb9b02b78c9a9c8a340df0_NeikiAnalytics.exe
2964	d8038817cbcb9b02b78c9a9c8a340df0_NeikiAnalytics.exe
2964	d8038817cbcb9b02b78c9a9c8a340df0_NeikiAnalytics.exe
2964	d8038817cbcb9b02b78c9a9c8a340df0_NeikiAnalytics.exe
2964	d8038817cbcb9b02b78c9a9c8a340df0_NeikiAnalytics.exe
2964	d8038817cbcb9b02b78c9a9c8a340df0_NeikiAnalytics.exe
2964	d8038817cbcb9b02b78c9a9c8a340df0_NeikiAnalytics.exe
2964	d8038817cbcb9b02b78c9a9c8a340df0_NeikiAnalytics.exe
2964	d8038817cbcb9b02b78c9a9c8a340df0_NeikiAnalytics.exe
2964	d8038817cbcb9b02b78c9a9c8a340df0_NeikiAnalytics.exe
2964	d8038817cbcb9b02b78c9a9c8a340df0_NeikiAnalytics.exe
2964	d8038817cbcb9b02b78c9a9c8a340df0_NeikiAnalytics.exe
2964	d8038817cbcb9b02b78c9a9c8a340df0_NeikiAnalytics.exe
2996	explorer.exe
2996	explorer.exe
2996	explorer.exe
2996	explorer.exe
2996	explorer.exe
2996	explorer.exe
2996	explorer.exe
2996	explorer.exe
2996	explorer.exe
2996	explorer.exe
2996	explorer.exe
2996	explorer.exe
2996	explorer.exe
2996	explorer.exe
2996	explorer.exe
2996	explorer.exe
2516	svchost.exe
2516	svchost.exe
2516	svchost.exe
2516	svchost.exe
2516	svchost.exe
2516	svchost.exe
2516	svchost.exe
2516	svchost.exe
2516	svchost.exe
2516	svchost.exe
2516	svchost.exe
2516	svchost.exe
2516	svchost.exe
2516	svchost.exe
2516	svchost.exe
2516	svchost.exe
2996	explorer.exe
2996	explorer.exe
2996	explorer.exe
2516	svchost.exe
2516	svchost.exe
2996	explorer.exe
2516	svchost.exe
2996	explorer.exe
2516	svchost.exe
2996	explorer.exe
2516	svchost.exe
2996	explorer.exe
2516	svchost.exe
2996	explorer.exe
2516	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2996	explorer.exe
2516	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2964	d8038817cbcb9b02b78c9a9c8a340df0_NeikiAnalytics.exe
2964	d8038817cbcb9b02b78c9a9c8a340df0_NeikiAnalytics.exe
2996	explorer.exe
2996	explorer.exe
2636	spoolsv.exe
2636	spoolsv.exe
2516	svchost.exe
2516	svchost.exe
3008	spoolsv.exe
3008	spoolsv.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2996	2964	d8038817cbcb9b02b78c9a9c8a340df0_NeikiAnalytics.exe	28
PID 2964 wrote to memory of 2996	2964	d8038817cbcb9b02b78c9a9c8a340df0_NeikiAnalytics.exe	28
PID 2964 wrote to memory of 2996	2964	d8038817cbcb9b02b78c9a9c8a340df0_NeikiAnalytics.exe	28
PID 2964 wrote to memory of 2996	2964	d8038817cbcb9b02b78c9a9c8a340df0_NeikiAnalytics.exe	28
PID 2996 wrote to memory of 2636	2996	explorer.exe	29
PID 2996 wrote to memory of 2636	2996	explorer.exe	29
PID 2996 wrote to memory of 2636	2996	explorer.exe	29
PID 2996 wrote to memory of 2636	2996	explorer.exe	29
PID 2636 wrote to memory of 2516	2636	spoolsv.exe	30
PID 2636 wrote to memory of 2516	2636	spoolsv.exe	30
PID 2636 wrote to memory of 2516	2636	spoolsv.exe	30
PID 2636 wrote to memory of 2516	2636	spoolsv.exe	30
PID 2516 wrote to memory of 3008	2516	svchost.exe	31
PID 2516 wrote to memory of 3008	2516	svchost.exe	31
PID 2516 wrote to memory of 3008	2516	svchost.exe	31
PID 2516 wrote to memory of 3008	2516	svchost.exe	31
PID 2996 wrote to memory of 2612	2996	explorer.exe	32
PID 2996 wrote to memory of 2612	2996	explorer.exe	32
PID 2996 wrote to memory of 2612	2996	explorer.exe	32
PID 2996 wrote to memory of 2612	2996	explorer.exe	32
PID 2516 wrote to memory of 2160	2516	svchost.exe	33
PID 2516 wrote to memory of 2160	2516	svchost.exe	33
PID 2516 wrote to memory of 2160	2516	svchost.exe	33
PID 2516 wrote to memory of 2160	2516	svchost.exe	33
PID 2516 wrote to memory of 2672	2516	svchost.exe	38
PID 2516 wrote to memory of 2672	2516	svchost.exe	38
PID 2516 wrote to memory of 2672	2516	svchost.exe	38
PID 2516 wrote to memory of 2672	2516	svchost.exe	38
PID 2516 wrote to memory of 2852	2516	svchost.exe	40
PID 2516 wrote to memory of 2852	2516	svchost.exe	40
PID 2516 wrote to memory of 2852	2516	svchost.exe	40
PID 2516 wrote to memory of 2852	2516	svchost.exe	40

C:\Users\Admin\AppData\Local\Temp\d8038817cbcb9b02b78c9a9c8a340df0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d8038817cbcb9b02b78c9a9c8a340df0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2964
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2996
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2516
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3008
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 09:47 /f
        5⤵
        Creates scheduled task(s)
        
        PID:2160
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 09:48 /f
        5⤵
        Creates scheduled task(s)
        
        PID:2672
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 09:49 /f
        5⤵
        Creates scheduled task(s)
        
        PID:2852
- - C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe
    3⤵
    PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
1137e4a574a5b1e5006ee7b2e5fd9130

SHA1
838db2dcb855c37c0a7887eb1e75475125c9947a

SHA256
129b548533f5492f96c7f9940e58d73b535d2387f5f35fd79aa9d265959fc6ad

SHA512
99778ddca45373acf628810862a1a3df221f27ae952a48960d1c04baa84f6601276d17c6ef328f1abbb0cde72d880967bca308ce4a5a932027f9a59ecc301084

Download Submit
\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
65441e0be98df659a9c46da4f1d3c241

SHA1
396cf99dfc5c300cbf08ce46558e769ab06c2880

SHA256
7a2b55af2e32efb0c55094e0bce6253ed980cb3b41b215a5ac788f574701f396

SHA512
a22dbab84bbbadb3c895bfc73580dbc70e21e97e420c8bd7c56079f0e62fba513db85949e87d50c4a78e71fd016d80c55ed5f7558921bd8cd499213bc8f1edb3

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
e8e207e7749793a40920d3484fef8fa2

SHA1
b0eefc4fe015fe9e71461111e0eb59119945f34e

SHA256
936b8ffd525c167822a39ae7eb9d24828a4e7407e1144bc9f8092b283eb96d33

SHA512
586748b8922dfb19b1204295da1934b045a4a1588955ddd69bc37efa280780c6967ad6f2521a1c700dab9b59c86fbb6734ceb8727b6832ca7c81f8383d6150c4

Download Submit
memory/2636-31-0x00000000002B0000-0x00000000002CF000-memory.dmp

Filesize
124KB

Download
memory/2636-42-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2964-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2964-10-0x00000000005D0000-0x00000000005EF000-memory.dmp

Filesize
124KB

Download
memory/2964-43-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3008-41-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download