db9408e88931ad40814bd20ad689c773555d5f68f3798cf7ccf8f2bd112c01c3

General

Target

4a64ac48be953daf401e076c80d08a70_NeikiAnalytics.exe
Size

135KB
MD5

4a64ac48be953daf401e076c80d08a70
SHA1

a1414801920a264e150966ddca6d564ee1270c49
SHA256

db9408e88931ad40814bd20ad689c773555d5f68f3798cf7ccf8f2bd112c01c3
SHA512

79e418593da5144ea47181a807f21cec968fefc091666d6f57ca6cd7bd8c2735286ea8ae8a5ab3d825b4f459f0ee325c91b7860b25b134e970a9e9bb81c43a04
SSDEEP

1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVXF:UVqoCl/YgjxEufVU0TbTyDDalRF

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

Processes:

explorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

2968 explorer.exe
4624 spoolsv.exe
2488 svchost.exe
4632 spoolsv.exe

pid	process
2968	explorer.exe
4624	spoolsv.exe
2488	svchost.exe
4632	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

Processes:

4a64ac48be953daf401e076c80d08a70_NeikiAnalytics.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	4a64ac48be953daf401e076c80d08a70_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

4a64ac48be953daf401e076c80d08a70_NeikiAnalytics.exeexplorer.exe

pid	process
1844	4a64ac48be953daf401e076c80d08a70_NeikiAnalytics.exe
1844	4a64ac48be953daf401e076c80d08a70_NeikiAnalytics.exe
1844	4a64ac48be953daf401e076c80d08a70_NeikiAnalytics.exe
1844	4a64ac48be953daf401e076c80d08a70_NeikiAnalytics.exe
1844	4a64ac48be953daf401e076c80d08a70_NeikiAnalytics.exe
1844	4a64ac48be953daf401e076c80d08a70_NeikiAnalytics.exe
1844	4a64ac48be953daf401e076c80d08a70_NeikiAnalytics.exe
1844	4a64ac48be953daf401e076c80d08a70_NeikiAnalytics.exe
1844	4a64ac48be953daf401e076c80d08a70_NeikiAnalytics.exe
1844	4a64ac48be953daf401e076c80d08a70_NeikiAnalytics.exe
1844	4a64ac48be953daf401e076c80d08a70_NeikiAnalytics.exe
1844	4a64ac48be953daf401e076c80d08a70_NeikiAnalytics.exe
1844	4a64ac48be953daf401e076c80d08a70_NeikiAnalytics.exe
1844	4a64ac48be953daf401e076c80d08a70_NeikiAnalytics.exe
1844	4a64ac48be953daf401e076c80d08a70_NeikiAnalytics.exe
1844	4a64ac48be953daf401e076c80d08a70_NeikiAnalytics.exe
1844	4a64ac48be953daf401e076c80d08a70_NeikiAnalytics.exe
1844	4a64ac48be953daf401e076c80d08a70_NeikiAnalytics.exe
1844	4a64ac48be953daf401e076c80d08a70_NeikiAnalytics.exe
1844	4a64ac48be953daf401e076c80d08a70_NeikiAnalytics.exe
1844	4a64ac48be953daf401e076c80d08a70_NeikiAnalytics.exe
1844	4a64ac48be953daf401e076c80d08a70_NeikiAnalytics.exe
1844	4a64ac48be953daf401e076c80d08a70_NeikiAnalytics.exe
1844	4a64ac48be953daf401e076c80d08a70_NeikiAnalytics.exe
1844	4a64ac48be953daf401e076c80d08a70_NeikiAnalytics.exe
1844	4a64ac48be953daf401e076c80d08a70_NeikiAnalytics.exe
1844	4a64ac48be953daf401e076c80d08a70_NeikiAnalytics.exe
1844	4a64ac48be953daf401e076c80d08a70_NeikiAnalytics.exe
1844	4a64ac48be953daf401e076c80d08a70_NeikiAnalytics.exe
1844	4a64ac48be953daf401e076c80d08a70_NeikiAnalytics.exe
1844	4a64ac48be953daf401e076c80d08a70_NeikiAnalytics.exe
1844	4a64ac48be953daf401e076c80d08a70_NeikiAnalytics.exe
1844	4a64ac48be953daf401e076c80d08a70_NeikiAnalytics.exe
1844	4a64ac48be953daf401e076c80d08a70_NeikiAnalytics.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe
2968	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

2968 explorer.exe
2488 svchost.exe

pid	process
2968	explorer.exe
2488	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

4a64ac48be953daf401e076c80d08a70_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
1844	4a64ac48be953daf401e076c80d08a70_NeikiAnalytics.exe
1844	4a64ac48be953daf401e076c80d08a70_NeikiAnalytics.exe
2968	explorer.exe
2968	explorer.exe
4624	spoolsv.exe
4624	spoolsv.exe
2488	svchost.exe
2488	svchost.exe
4632	spoolsv.exe
4632	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

4a64ac48be953daf401e076c80d08a70_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 1844 wrote to memory of 2968	1844	4a64ac48be953daf401e076c80d08a70_NeikiAnalytics.exe	explorer.exe
PID 1844 wrote to memory of 2968	1844	4a64ac48be953daf401e076c80d08a70_NeikiAnalytics.exe	explorer.exe
PID 1844 wrote to memory of 2968	1844	4a64ac48be953daf401e076c80d08a70_NeikiAnalytics.exe	explorer.exe
PID 2968 wrote to memory of 4624	2968	explorer.exe	spoolsv.exe
PID 2968 wrote to memory of 4624	2968	explorer.exe	spoolsv.exe
PID 2968 wrote to memory of 4624	2968	explorer.exe	spoolsv.exe
PID 4624 wrote to memory of 2488	4624	spoolsv.exe	svchost.exe
PID 4624 wrote to memory of 2488	4624	spoolsv.exe	svchost.exe
PID 4624 wrote to memory of 2488	4624	spoolsv.exe	svchost.exe
PID 2488 wrote to memory of 4632	2488	svchost.exe	spoolsv.exe
PID 2488 wrote to memory of 4632	2488	svchost.exe	spoolsv.exe
PID 2488 wrote to memory of 4632	2488	svchost.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\4a64ac48be953daf401e076c80d08a70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4a64ac48be953daf401e076c80d08a70_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1844
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2968
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4624
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2488
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3776 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
1⤵
PID:4916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
c8dfe7fb22d39e441c117bebcfc3e7c7

SHA1
39a7e5cfdd1e8382f711f3fb5f302e231c917bc1

SHA256
396bf3067a57d624f5e7f5e4aeb0b2c2d99934f7ccaa4eca89468f8af43cfb41

SHA512
1e32c560ca385d9c4f4bb99af37662a0588a2292a89374c44a2e5060ba6f256f0a6eea36bba79e4e615d48ac45bd387c4147f2b4921da454c23d022ca6d581fc

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
150ecd141e8d81b06f3379a751c5c376

SHA1
4f129120bd99bfe7b383200ae1cc64fe9143d872

SHA256
ed734cfec34a1f394c58ae8e323caf4b349fdbce53819426eab146a4324c6b5f

SHA512
899f0be8b9917015e2d43a11e4340dd1f187da5e4e5b9f25230ad5cf888869832314fdb87db8cb8e983fc789e5ba0864420692618d3d9685dc87d0706e2fb334

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
f4805c8fb9765c9c7b5e2d9e53f6a60f

SHA1
5f73c6947bc5b4c6a1faa7af65f168b36bb7dfa1

SHA256
28da21c1862fb322f728fa4832027d3deebd412eb31c1728f67c1c5739e683ff

SHA512
c1c7f996b532c32fc2da362db598f28674dd0a42959d8e1dc2f2d83612d1cc05e472aa7c584e46c8a4e725d88b56d65c5ca68629b438ca0f7786d36c480704f6

Download Submit
memory/1844-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1844-34-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4624-33-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4632-32-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads