a39b4afa09b22dc7754c738a3e49cb35422a874bead239ecc417e8186e3705c3

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
17/05/2024, 15:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

edcb14424d72d06061035647d7e4a6b0_NeikiAnalytics.exe
Size

153KB
MD5

edcb14424d72d06061035647d7e4a6b0
SHA1

f02dc1ea3a8ad4d1f80cd2572f7c46a31c5d4c75
SHA256

a39b4afa09b22dc7754c738a3e49cb35422a874bead239ecc417e8186e3705c3
SHA512

cd48840d97092a2fbc251871dafce0e4822358d51cef966e6a619930c9c909ca854d750b68aeebfd2e4d199d678f46a698adc4afe2437cff77bdea6eaee45653
SSDEEP

1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVXZa7FZYk+aZP:UVqoCl/YgjxEufVU0TbTyDDalRZaJZP

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Executes dropped EXE 6 IoCs

pid	Process
2140	edcb14424d72d06061035647d7e4a6b0_neikianalytics.exe
2796	icsys.icn.exe
2688	explorer.exe
2660	spoolsv.exe
2788	svchost.exe
2528	spoolsv.exe

Loads dropped DLL 6 IoCs

pid	Process
1916	edcb14424d72d06061035647d7e4a6b0_NeikiAnalytics.exe
1916	edcb14424d72d06061035647d7e4a6b0_NeikiAnalytics.exe
2796	icsys.icn.exe
2688	explorer.exe
2660	spoolsv.exe
2788	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	edcb14424d72d06061035647d7e4a6b0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2532	schtasks.exe
1496	schtasks.exe
1476	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1916	edcb14424d72d06061035647d7e4a6b0_NeikiAnalytics.exe
1916	edcb14424d72d06061035647d7e4a6b0_NeikiAnalytics.exe
1916	edcb14424d72d06061035647d7e4a6b0_NeikiAnalytics.exe
1916	edcb14424d72d06061035647d7e4a6b0_NeikiAnalytics.exe
1916	edcb14424d72d06061035647d7e4a6b0_NeikiAnalytics.exe
1916	edcb14424d72d06061035647d7e4a6b0_NeikiAnalytics.exe
1916	edcb14424d72d06061035647d7e4a6b0_NeikiAnalytics.exe
1916	edcb14424d72d06061035647d7e4a6b0_NeikiAnalytics.exe
1916	edcb14424d72d06061035647d7e4a6b0_NeikiAnalytics.exe
1916	edcb14424d72d06061035647d7e4a6b0_NeikiAnalytics.exe
1916	edcb14424d72d06061035647d7e4a6b0_NeikiAnalytics.exe
1916	edcb14424d72d06061035647d7e4a6b0_NeikiAnalytics.exe
1916	edcb14424d72d06061035647d7e4a6b0_NeikiAnalytics.exe
1916	edcb14424d72d06061035647d7e4a6b0_NeikiAnalytics.exe
1916	edcb14424d72d06061035647d7e4a6b0_NeikiAnalytics.exe
1916	edcb14424d72d06061035647d7e4a6b0_NeikiAnalytics.exe
2796	icsys.icn.exe
2796	icsys.icn.exe
2796	icsys.icn.exe
2796	icsys.icn.exe
2796	icsys.icn.exe
2796	icsys.icn.exe
2796	icsys.icn.exe
2796	icsys.icn.exe
2796	icsys.icn.exe
2796	icsys.icn.exe
2796	icsys.icn.exe
2796	icsys.icn.exe
2796	icsys.icn.exe
2796	icsys.icn.exe
2796	icsys.icn.exe
2796	icsys.icn.exe
2796	icsys.icn.exe
2688	explorer.exe
2688	explorer.exe
2688	explorer.exe
2688	explorer.exe
2688	explorer.exe
2688	explorer.exe
2688	explorer.exe
2688	explorer.exe
2688	explorer.exe
2688	explorer.exe
2688	explorer.exe
2688	explorer.exe
2688	explorer.exe
2688	explorer.exe
2688	explorer.exe
2688	explorer.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe
2788	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2688	explorer.exe
2788	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1916	edcb14424d72d06061035647d7e4a6b0_NeikiAnalytics.exe
1916	edcb14424d72d06061035647d7e4a6b0_NeikiAnalytics.exe
2796	icsys.icn.exe
2796	icsys.icn.exe
2688	explorer.exe
2688	explorer.exe
2660	spoolsv.exe
2660	spoolsv.exe
2788	svchost.exe
2788	svchost.exe
2528	spoolsv.exe
2528	spoolsv.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 2140	1916	edcb14424d72d06061035647d7e4a6b0_NeikiAnalytics.exe	28
PID 1916 wrote to memory of 2140	1916	edcb14424d72d06061035647d7e4a6b0_NeikiAnalytics.exe	28
PID 1916 wrote to memory of 2140	1916	edcb14424d72d06061035647d7e4a6b0_NeikiAnalytics.exe	28
PID 1916 wrote to memory of 2140	1916	edcb14424d72d06061035647d7e4a6b0_NeikiAnalytics.exe	28
PID 1916 wrote to memory of 2796	1916	edcb14424d72d06061035647d7e4a6b0_NeikiAnalytics.exe	30
PID 1916 wrote to memory of 2796	1916	edcb14424d72d06061035647d7e4a6b0_NeikiAnalytics.exe	30
PID 1916 wrote to memory of 2796	1916	edcb14424d72d06061035647d7e4a6b0_NeikiAnalytics.exe	30
PID 1916 wrote to memory of 2796	1916	edcb14424d72d06061035647d7e4a6b0_NeikiAnalytics.exe	30
PID 2796 wrote to memory of 2688	2796	icsys.icn.exe	31
PID 2796 wrote to memory of 2688	2796	icsys.icn.exe	31
PID 2796 wrote to memory of 2688	2796	icsys.icn.exe	31
PID 2796 wrote to memory of 2688	2796	icsys.icn.exe	31
PID 2688 wrote to memory of 2660	2688	explorer.exe	32
PID 2688 wrote to memory of 2660	2688	explorer.exe	32
PID 2688 wrote to memory of 2660	2688	explorer.exe	32
PID 2688 wrote to memory of 2660	2688	explorer.exe	32
PID 2660 wrote to memory of 2788	2660	spoolsv.exe	33
PID 2660 wrote to memory of 2788	2660	spoolsv.exe	33
PID 2660 wrote to memory of 2788	2660	spoolsv.exe	33
PID 2660 wrote to memory of 2788	2660	spoolsv.exe	33
PID 2788 wrote to memory of 2528	2788	svchost.exe	34
PID 2788 wrote to memory of 2528	2788	svchost.exe	34
PID 2788 wrote to memory of 2528	2788	svchost.exe	34
PID 2788 wrote to memory of 2528	2788	svchost.exe	34
PID 2688 wrote to memory of 2740	2688	explorer.exe	35
PID 2688 wrote to memory of 2740	2688	explorer.exe	35
PID 2688 wrote to memory of 2740	2688	explorer.exe	35
PID 2688 wrote to memory of 2740	2688	explorer.exe	35
PID 2788 wrote to memory of 2532	2788	svchost.exe	36
PID 2788 wrote to memory of 2532	2788	svchost.exe	36
PID 2788 wrote to memory of 2532	2788	svchost.exe	36
PID 2788 wrote to memory of 2532	2788	svchost.exe	36
PID 2788 wrote to memory of 1496	2788	svchost.exe	41
PID 2788 wrote to memory of 1496	2788	svchost.exe	41
PID 2788 wrote to memory of 1496	2788	svchost.exe	41
PID 2788 wrote to memory of 1496	2788	svchost.exe	41
PID 2788 wrote to memory of 1476	2788	svchost.exe	43
PID 2788 wrote to memory of 1476	2788	svchost.exe	43
PID 2788 wrote to memory of 1476	2788	svchost.exe	43
PID 2788 wrote to memory of 1476	2788	svchost.exe	43

C:\Users\Admin\AppData\Local\Temp\edcb14424d72d06061035647d7e4a6b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\edcb14424d72d06061035647d7e4a6b0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1916
- \??\c:\users\admin\appdata\local\temp\edcb14424d72d06061035647d7e4a6b0_neikianalytics.exe
  c:\users\admin\appdata\local\temp\edcb14424d72d06061035647d7e4a6b0_neikianalytics.exe
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2796
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2660
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2788
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2528
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:22 /f
        6⤵
        Creates scheduled task(s)
        
        PID:2532
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:23 /f
        6⤵
        Creates scheduled task(s)
        
        PID:1496
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:24 /f
        6⤵
        Creates scheduled task(s)
        
        PID:1476
  - - C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe
      4⤵
      PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
c6ec89f5e03de04f389eaa3cd8649e29

SHA1
be1a7551e27202ca7018eb16057fdfbb1f068a8d

SHA256
3f669fd695c20ddfc45a7939bc919dff2d5c50910060df2470cdc9a64aafe461

SHA512
e75938883088934c142a04e765adef0ed162f7412881a6e415ae764a459530f579958be6b8cf8446b0870cde0cd73b9303f45307c2519ff916d74985bd9b4c77

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
d8788483cc2c1108dd2ba32a86c1a4ad

SHA1
952b64e648a7e773f185f20f5559870fe81a9963

SHA256
a2d4cbe4ac50a65268d3a41053d314abb2e1ab4abadbbba46f3ae560c543dc3e

SHA512
1ae96cac758533116e14f241cac55a9945bc588137cb8c999e05b2819dad089b5f75a1792cdcad4e53d47143c81f7cbca46da1d010fc3fa3f8b863dbd73df6d1

Download Submit
\Users\Admin\AppData\Local\Temp\edcb14424d72d06061035647d7e4a6b0_neikianalytics.exe

Filesize
18KB

MD5
8bf4e3ae3f1f0a920d32d4f36893be30

SHA1
f4814020aaf54aaf0958fe2a9ba30999d094f791

SHA256
e82e060875c61dfd362b16f3161371640bb530fd24882ab0a7309d66bb92422c

SHA512
95e8f4692ac36d64600014abc9b461441b47682ea42726985a0921268cceae254840b4e50582a20264fcbd3992807796b0aa4cd7d9962d0be3cb992f0c3c056e

Download Submit
\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
3205c24680195d56b78a50611c71728b

SHA1
af834fb63f8189cc8ce9da24af3eaeffa2efb134

SHA256
d3bdc9dc1ab14ccda25758ffd6991adaf0c7e91b9c0136d56b2945e16f4d7456

SHA512
abbcf24e9d480b05cd9cdac9a3cf1c10a2f0253fc04c8eb491da5f90970c5baf47ad2176ab97d9ad2a9b74a203960b19d13ae187497091c1518956114af39618

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
cf626976660eeca78787a5ae284d4a9e

SHA1
3b0a1f77524544406bf5aad74267dd683fb3141e

SHA256
11bc9c0b79b7a291262810fa83146a4dcd2ba40a3993bfa64587bd06ed19047f

SHA512
9f96b5ff40dac5bdb725c45b581d16a9791df4c8a88357f0244ad557f62df84efc0c7e543e25e370449d12e5454100dc0f7fba1e41fe1ce21574bd5311b39e58

Download Submit
memory/1916-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1916-14-0x00000000003D0000-0x00000000003EF000-memory.dmp

Filesize
124KB

Download
memory/1916-59-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1916-60-0x00000000003D0000-0x00000000003D2000-memory.dmp

Filesize
8KB

Download
memory/2528-56-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2660-57-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2660-37-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2788-52-0x0000000000420000-0x000000000043F000-memory.dmp

Filesize
124KB

Download
memory/2796-58-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download