Analysis
max time kernel: 150s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/05/2024, 06:53
Static task: static1
Behavioral task: behavioral1
  Sample: 1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe
Size: 135KB
MD5: 5cbab93cd47c2f95ac9fd8045514f039
SHA1: b0926376cf2fae189476d8dfd76281dcbca87c76
SHA256: 1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504
SHA512: 7ac0932721ced4a7205eac499632a6200128c897f1ede91f9140bd6828fa68f1b78e12f0aa6f29b6ac9b8fc0b417a3c36773e7d30986e9e7b040d02d748f742c
SSDEEP: 1536:4fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVBcjjjjjjjjjjjjZ:4VqoCl/YgjxEufVU0TbTyDDal7g
Malware Config
Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: explorer.exe)
  Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: svchost.exe)

Executes dropped EXE (4 IoCs)
  pid 2412 explorer.exe
  pid 1780 spoolsv.exe
  pid 2264 svchost.exe
  pid 4800 spoolsv.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (process: explorer.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (process: svchost.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (process: svchost.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (process: explorer.exe)

Drops file in System32 directory (2 IoCs)
  File opened for modification C:\Windows\SysWOW64\explorer.exe (process: explorer.exe)
  File opened for modification C:\Windows\SysWOW64\explorer.exe (process: svchost.exe)

Drops file in Windows directory (4 IoCs)
  File opened for modification \??\c:\windows\resources\themes\explorer.exe (process: 1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe)
  File opened for modification \??\c:\windows\resources\spoolsv.exe (process: explorer.exe)
  File opened for modification \??\c:\windows\resources\svchost.exe (process: spoolsv.exe)
  File opened for modification C:\Windows\Resources\tjud.exe (process: explorer.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1484 1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe (repeated)
  pid 2412 explorer.exe (repeated)
  (64 entries in total, all from these two processes)

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid 2264 svchost.exe
  pid 2412 explorer.exe

Suspicious use of SetWindowsHookEx (10 IoCs)
  pid 1484 1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe (2 entries)
  pid 2412 explorer.exe (2 entries)
  pid 1780 spoolsv.exe (2 entries)
  pid 2264 svchost.exe (2 entries)
  pid 4800 spoolsv.exe (2 entries)

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1484 (1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe) wrote to memory of 2412, procid_target 81 (3 entries)
  PID 2412 (explorer.exe) wrote to memory of 1780, procid_target 82 (3 entries)
  PID 1780 (spoolsv.exe) wrote to memory of 2264, procid_target 83 (3 entries)
  PID 2264 (svchost.exe) wrote to memory of 4800, procid_target 84 (3 entries)
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe (PID: 1484)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  Level 2: \??\c:\windows\resources\themes\explorer.exe (PID: 2412)
    Command line: c:\windows\resources\themes\explorer.exe
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    Level 3: \??\c:\windows\resources\spoolsv.exe (PID: 1780)
      Command line: c:\windows\resources\spoolsv.exe SE
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      Level 4: \??\c:\windows\resources\svchost.exe (PID: 2264)
        Command line: c:\windows\resources\svchost.exe
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        Level 5: \??\c:\windows\resources\spoolsv.exe (PID: 4800)
          Command line: c:\windows\resources\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 135KB
  MD5: c181cfc67871edc5fbe801e647cb579c
  SHA1: 215d6cbca7c418a8e4da029069ea63bb9fde3bfd
  SHA256: ddc50124cec3f4e57372b5eecf22260d9fd0d8d3ed4b32a554dae096ddc75131
  SHA512: ca308140de93a7e0303be76427368f7bad873f59ff83bb4d49c0731a78fa194ee93d38bbbf0a4fc8983acf5b7714edb86f3ea4b4cb80cb0ee130e61d16c4f2aa

File 2
  Filesize: 135KB
  MD5: 39a0293230a619d02a2fd90bf6fdb342
  SHA1: 972c20c519d046dec594b7159e349ae2e0e68993
  SHA256: 3c699d82425ab951a0ac5993c7dc71aa723debb3f84e9e220d9466d572286f73
  SHA512: 47cf81d66034be80a2d1fbb281338076b8b471ef1a93efff823f25428be420f36f542906b843333dace1fb1a6a00d8e2c78dba2b80d41653724f6504b3067fda

File 3
  Filesize: 135KB
  MD5: d29a63ae37e5765bba8c12ae79d03f22
  SHA1: a49df5d31fc9b4335166ba37cedef5bb3505ade6
  SHA256: 0aa59772183f4fb8c4ca8491d05e829a162bd05807c7e5961d0d0bea227d6f5e
  SHA512: 9bec6a073c15b035754bbd7a4324d37474b6e65d1b86e96ad65829e089d1323a3db21996b1a4e8436dd4a5e265499c208f052d6ec51cf008af527d46684c96fc