Analysis
max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 16-05-2024 11:13
Behavioral task behavioral1
Sample: dc29ab672d676e1b4e9fee5a6d96ad60_NeikiAnalytics.exe
Resource: win7-20240508-en

Behavioral task behavioral2
Sample: dc29ab672d676e1b4e9fee5a6d96ad60_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: dc29ab672d676e1b4e9fee5a6d96ad60_NeikiAnalytics.exe
Size: 71KB
MD5: dc29ab672d676e1b4e9fee5a6d96ad60
SHA1: d4e11031bad0b53db43f9cfa8ed310e76c673da1
SHA256: 889887c37f9b645d3500686949bd6328a6719acfd44e379c190e04747aed6a5c
SHA512: 3c5d9c5fd0cc61815d54689be6aeae7bdd08f46cdc371cb3685ddd0de3f2e12fa70ca582398c2bc1e51c49e52590503a04fb476bf2c71f7829b218b335b05e1e
SSDEEP: 768:EXKeT2Si83nLt8tkGX8uxOHgRrW5YLKG9Y/HrSNm0kmG7xMsVAnc3yy85SBiLFMP:EFrmh0HgB3LKrL9AcnQFMc9zwR6i+Bo
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe

Executes dropped EXE (4 IoCs)
pid | Process
2272 | explorer.exe
2660 | spoolsv.exe
2808 | svchost.exe
1616 | spoolsv.exe

Loads dropped DLL (8 IoCs)
pid | Process
108 | dc29ab672d676e1b4e9fee5a6d96ad60_NeikiAnalytics.exe
108 | dc29ab672d676e1b4e9fee5a6d96ad60_NeikiAnalytics.exe
2272 | explorer.exe
2272 | explorer.exe
2660 | spoolsv.exe
2660 | spoolsv.exe
2808 | svchost.exe
2808 | svchost.exe

YARA rule matches
resource | yara_rule
behavioral1/memory/108-0-0x0000000000400000-0x0000000000435000-memory.dmp | upx
behavioral1/files/0x0037000000015d42-6.dat | upx
behavioral1/memory/108-9-0x00000000026B0000-0x00000000026E5000-memory.dmp | upx
behavioral1/memory/2272-15-0x0000000000400000-0x0000000000435000-memory.dmp | upx
behavioral1/files/0x00080000000160f3-22.dat | upx
behavioral1/files/0x00080000000162cc-35.dat | upx
behavioral1/memory/2660-41-0x00000000024D0000-0x0000000002505000-memory.dmp | upx
behavioral1/memory/1616-54-0x0000000000400000-0x0000000000435000-memory.dmp | upx
behavioral1/memory/108-60-0x0000000000400000-0x0000000000435000-memory.dmp | upx
behavioral1/memory/2660-58-0x0000000000400000-0x0000000000435000-memory.dmp | upx
behavioral1/files/0x0009000000016d3b-61.dat | upx
behavioral1/memory/2272-62-0x0000000000400000-0x0000000000435000-memory.dmp | upx
behavioral1/memory/2808-64-0x0000000000400000-0x0000000000435000-memory.dmp | upx
behavioral1/memory/2272-73-0x0000000000400000-0x0000000000435000-memory.dmp | upx

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe

Drops file in Windows directory (6 IoCs)
description | ioc | Process
File opened for modification | \??\c:\windows\system\explorer.exe | dc29ab672d676e1b4e9fee5a6d96ad60_NeikiAnalytics.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process (consecutive repeated hits collapsed, in the order reported)
108 | dc29ab672d676e1b4e9fee5a6d96ad60_NeikiAnalytics.exe
2272 | explorer.exe (x4)
2808 | svchost.exe (x3)
2272 | explorer.exe (x2)
2808 | svchost.exe
2272 | explorer.exe
2808 | svchost.exe (x2)
2272 | explorer.exe (x2)
2808 | svchost.exe (x2)
2272 | explorer.exe
2808 | svchost.exe
2272 | explorer.exe (x2)
2808 | svchost.exe (x2)
2272 | explorer.exe
2808 | svchost.exe
2272 | explorer.exe (x2)
2808 | svchost.exe (x2)
2272 | explorer.exe
2808 | svchost.exe
2272 | explorer.exe (x2)
2808 | svchost.exe
2272 | explorer.exe
2808 | svchost.exe (x2)
2272 | explorer.exe (x2)
2808 | svchost.exe (x2)
2272 | explorer.exe
2808 | svchost.exe
2272 | explorer.exe (x2)
2808 | svchost.exe (x2)
2272 | explorer.exe
2808 | svchost.exe
2272 | explorer.exe
2808 | svchost.exe
2272 | explorer.exe
2808 | svchost.exe
2272 | explorer.exe
2808 | svchost.exe
2272 | explorer.exe (x2)
2808 | svchost.exe (x2)
2272 | explorer.exe
2808 | svchost.exe
2272 | explorer.exe
2808 | svchost.exe

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
2272 | explorer.exe
2808 | svchost.exe

Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process
108 | dc29ab672d676e1b4e9fee5a6d96ad60_NeikiAnalytics.exe
108 | dc29ab672d676e1b4e9fee5a6d96ad60_NeikiAnalytics.exe
2272 | explorer.exe
2272 | explorer.exe
2660 | spoolsv.exe
2660 | spoolsv.exe
2808 | svchost.exe
2808 | svchost.exe
1616 | spoolsv.exe
1616 | spoolsv.exe
2272 | explorer.exe
2272 | explorer.exe

Suspicious use of WriteProcessMemory (28 IoCs)
description | pid | Process | procid_target (each row reported 4 times)
PID 108 wrote to memory of 2272 | 108 | dc29ab672d676e1b4e9fee5a6d96ad60_NeikiAnalytics.exe | 28
PID 2272 wrote to memory of 2660 | 2272 | explorer.exe | 29
PID 2660 wrote to memory of 2808 | 2660 | spoolsv.exe | 30
PID 2808 wrote to memory of 1616 | 2808 | svchost.exe | 31
PID 2808 wrote to memory of 2584 | 2808 | svchost.exe | 32
PID 2808 wrote to memory of 2200 | 2808 | svchost.exe | 36
PID 2808 wrote to memory of 1788 | 2808 | svchost.exe | 38
Processes
C:\Users\Admin\AppData\Local\Temp\dc29ab672d676e1b4e9fee5a6d96ad60_NeikiAnalytics.exe (PID 108)
  command line: "C:\Users\Admin\AppData\Local\Temp\dc29ab672d676e1b4e9fee5a6d96ad60_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  \??\c:\windows\system\explorer.exe (PID 2272)
    command line: c:\windows\system\explorer.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    \??\c:\windows\system\spoolsv.exe (PID 2660)
      command line: c:\windows\system\spoolsv.exe SE
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      \??\c:\windows\system\svchost.exe (PID 2808)
        command line: c:\windows\system\svchost.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        \??\c:\windows\system\spoolsv.exe (PID 1616)
          command line: c:\windows\system\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\at.exe (PID 2584)
          command line: at 11:15 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        C:\Windows\SysWOW64\at.exe (PID 2200)
          command line: at 11:16 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        C:\Windows\SysWOW64\at.exe (PID 1788)
          command line: at 11:17 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads
Filesize: 71KB
MD5: 9025530fa09dda8b2f753eaa7b083acd
SHA1: e080e0c9435566cfdd74fbc7d27f76432a9a125b
SHA256: 86c206128f620d8e7a7f9dd304448958b0c2754a6f8f46353a2a4b4fb447b123
SHA512: 2c259e014a6393e16dfe341587ae0ed0948a42ef0814116a998230ca0f4b6942af8fa1fdbc1050c0a2d61299da810f679a6c038550888da63ba142999436722a

Filesize: 71KB
MD5: 1ee3fd2b2c87b6109cc982fab0caca20
SHA1: dc3dbe15e1659a51c6ee8b1aec8776bdc68c14d7
SHA256: 2324a3e6b0cf654955f87b2b49fec7ef492738c72780dfd6e28b8ebf00e64927
SHA512: 7f47ac9b2cb2c2587c89d93c455e706e035d0346f0a98ccae2610803974316d348b24e27053da8b349700b7ed5fdafe4d0e8225fb3814ecc229e7b8be2057b0e

Filesize: 71KB
MD5: 879d57e8d337cf76f7b81afba26e9f5b
SHA1: 4c1957575f35c08b6d902952c56666f16c68bc1f
SHA256: 2162ce0d2f58246e1d47cc0b37700f4131344f91c8caefaebefe4b167cd0ae73
SHA512: d4ce82482e7285881ae2e3c4c8b5b645c984dc04c1b62983bfe665ce00fc41480a048edaf72da30dceb38d6c7c2bab1b5fcb8ed66de8074ad997378de6afe123

Filesize: 71KB
MD5: 291cb4d143b7326585ef5aad7ed5901d
SHA1: 0ec5ff510b33f9843e333505fe9428b421d90932
SHA256: 74a06cc98657a41f8d3a68704bfdc54dbc2aec8ad2dd61cbb8740a2514284562
SHA512: d5f575292005604e4a59bec84da99e0c0af1402e2cc868c21dab7d4775688f31b7d1deace708bebf8489f260d1ca06540848c0bbae77a9ebcc2d66f6f81682bd