1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504

Analysis

max time kernel
150s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 06:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe
Size

135KB
MD5

5cbab93cd47c2f95ac9fd8045514f039
SHA1

b0926376cf2fae189476d8dfd76281dcbca87c76
SHA256

1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504
SHA512

7ac0932721ced4a7205eac499632a6200128c897f1ede91f9140bd6828fa68f1b78e12f0aa6f29b6ac9b8fc0b417a3c36773e7d30986e9e7b040d02d748f742c
SSDEEP

1536:4fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVBcjjjjjjjjjjjjZ:4VqoCl/YgjxEufVU0TbTyDDal7g

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2412	explorer.exe
1780	spoolsv.exe
2264	svchost.exe
4800	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1484	1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe
1484	1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe
1484	1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe
1484	1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe
1484	1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe
1484	1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe
1484	1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe
1484	1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe
1484	1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe
1484	1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe
1484	1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe
1484	1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe
1484	1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe
1484	1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe
1484	1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe
1484	1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe
1484	1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe
1484	1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe
1484	1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe
1484	1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe
1484	1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe
1484	1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe
1484	1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe
1484	1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe
1484	1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe
1484	1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe
1484	1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe
1484	1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe
1484	1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe
1484	1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe
1484	1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe
1484	1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe
1484	1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe
1484	1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe
2412	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2264	svchost.exe
2412	explorer.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1484	1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe
1484	1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe
2412	explorer.exe
2412	explorer.exe
1780	spoolsv.exe
1780	spoolsv.exe
2264	svchost.exe
2264	svchost.exe
4800	spoolsv.exe
4800	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 2412	1484	1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe	81
PID 1484 wrote to memory of 2412	1484	1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe	81
PID 1484 wrote to memory of 2412	1484	1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe	81
PID 2412 wrote to memory of 1780	2412	explorer.exe	82
PID 2412 wrote to memory of 1780	2412	explorer.exe	82
PID 2412 wrote to memory of 1780	2412	explorer.exe	82
PID 1780 wrote to memory of 2264	1780	spoolsv.exe	83
PID 1780 wrote to memory of 2264	1780	spoolsv.exe	83
PID 1780 wrote to memory of 2264	1780	spoolsv.exe	83
PID 2264 wrote to memory of 4800	2264	svchost.exe	84
PID 2264 wrote to memory of 4800	2264	svchost.exe	84
PID 2264 wrote to memory of 4800	2264	svchost.exe	84

C:\Users\Admin\AppData\Local\Temp\1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1461203a29d11512ea7aa494520f8f06887a75875bd4f16add9f0c84dfd3e504_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1484
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2412
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1780
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2264
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
c181cfc67871edc5fbe801e647cb579c

SHA1
215d6cbca7c418a8e4da029069ea63bb9fde3bfd

SHA256
ddc50124cec3f4e57372b5eecf22260d9fd0d8d3ed4b32a554dae096ddc75131

SHA512
ca308140de93a7e0303be76427368f7bad873f59ff83bb4d49c0731a78fa194ee93d38bbbf0a4fc8983acf5b7714edb86f3ea4b4cb80cb0ee130e61d16c4f2aa

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
39a0293230a619d02a2fd90bf6fdb342

SHA1
972c20c519d046dec594b7159e349ae2e0e68993

SHA256
3c699d82425ab951a0ac5993c7dc71aa723debb3f84e9e220d9466d572286f73

SHA512
47cf81d66034be80a2d1fbb281338076b8b471ef1a93efff823f25428be420f36f542906b843333dace1fb1a6a00d8e2c78dba2b80d41653724f6504b3067fda

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
d29a63ae37e5765bba8c12ae79d03f22

SHA1
a49df5d31fc9b4335166ba37cedef5bb3505ade6

SHA256
0aa59772183f4fb8c4ca8491d05e829a162bd05807c7e5961d0d0bea227d6f5e

SHA512
9bec6a073c15b035754bbd7a4324d37474b6e65d1b86e96ad65829e089d1323a3db21996b1a4e8436dd4a5e265499c208f052d6ec51cf008af527d46684c96fc

Download Submit
memory/1484-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1484-35-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1780-34-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2412-8-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4800-33-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download