b02c658ce93141e260567a42948aa91acf1071ebcbc971852c566593a1cec4d0

General

Target

5a461478355d0222aecd672945f071c0_NeikiAnalytics.exe
Size

206KB
MD5

5a461478355d0222aecd672945f071c0
SHA1

814d798d0852f16438480008fbdcfb130cc63824
SHA256

b02c658ce93141e260567a42948aa91acf1071ebcbc971852c566593a1cec4d0
SHA512

09a81860d9bd6da4c92b430e3b650c289f58fb13bb43dd2243c4957c842a32f55faa50f3bf056d2c8d48434ebc1ca1a9068c1760585af5dd2bf7d8e7351d9c4e
SSDEEP

3072:zvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6un6:zvEN2U+T6i5LirrllHy4HUcMQY69

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe

Executes dropped EXE 4 IoCs

Processes:

explorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

2944 explorer.exe
2992 spoolsv.exe
2668 svchost.exe
2528 spoolsv.exe

pid	process
2944	explorer.exe
2992	spoolsv.exe
2668	svchost.exe
2528	spoolsv.exe

Loads dropped DLL 8 IoCs

Processes:

5a461478355d0222aecd672945f071c0_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exe

pid	process
2304	5a461478355d0222aecd672945f071c0_NeikiAnalytics.exe
2304	5a461478355d0222aecd672945f071c0_NeikiAnalytics.exe
2944	explorer.exe
2944	explorer.exe
2992	spoolsv.exe
2992	spoolsv.exe
2668	svchost.exe
2668	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

Processes:

5a461478355d0222aecd672945f071c0_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	5a461478355d0222aecd672945f071c0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5a461478355d0222aecd672945f071c0_NeikiAnalytics.exeexplorer.exesvchost.exe

pid	process
2304	5a461478355d0222aecd672945f071c0_NeikiAnalytics.exe
2944	explorer.exe
2944	explorer.exe
2944	explorer.exe
2668	svchost.exe
2668	svchost.exe
2944	explorer.exe
2668	svchost.exe
2944	explorer.exe
2668	svchost.exe
2944	explorer.exe
2668	svchost.exe
2944	explorer.exe
2668	svchost.exe
2944	explorer.exe
2668	svchost.exe
2944	explorer.exe
2668	svchost.exe
2944	explorer.exe
2668	svchost.exe
2944	explorer.exe
2668	svchost.exe
2944	explorer.exe
2668	svchost.exe
2944	explorer.exe
2668	svchost.exe
2944	explorer.exe
2668	svchost.exe
2944	explorer.exe
2668	svchost.exe
2944	explorer.exe
2668	svchost.exe
2944	explorer.exe
2668	svchost.exe
2944	explorer.exe
2668	svchost.exe
2944	explorer.exe
2668	svchost.exe
2944	explorer.exe
2668	svchost.exe
2944	explorer.exe
2668	svchost.exe
2944	explorer.exe
2668	svchost.exe
2944	explorer.exe
2668	svchost.exe
2944	explorer.exe
2668	svchost.exe
2944	explorer.exe
2668	svchost.exe
2944	explorer.exe
2668	svchost.exe
2944	explorer.exe
2668	svchost.exe
2944	explorer.exe
2668	svchost.exe
2944	explorer.exe
2668	svchost.exe
2944	explorer.exe
2668	svchost.exe
2944	explorer.exe
2668	svchost.exe
2944	explorer.exe
2668	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

2944 explorer.exe
2668 svchost.exe

pid	process
2944	explorer.exe
2668	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

5a461478355d0222aecd672945f071c0_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
2304	5a461478355d0222aecd672945f071c0_NeikiAnalytics.exe
2304	5a461478355d0222aecd672945f071c0_NeikiAnalytics.exe
2944	explorer.exe
2944	explorer.exe
2992	spoolsv.exe
2992	spoolsv.exe
2668	svchost.exe
2668	svchost.exe
2528	spoolsv.exe
2528	spoolsv.exe
2944	explorer.exe
2944	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

5a461478355d0222aecd672945f071c0_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 2304 wrote to memory of 2944	2304	5a461478355d0222aecd672945f071c0_NeikiAnalytics.exe	explorer.exe
PID 2304 wrote to memory of 2944	2304	5a461478355d0222aecd672945f071c0_NeikiAnalytics.exe	explorer.exe
PID 2304 wrote to memory of 2944	2304	5a461478355d0222aecd672945f071c0_NeikiAnalytics.exe	explorer.exe
PID 2304 wrote to memory of 2944	2304	5a461478355d0222aecd672945f071c0_NeikiAnalytics.exe	explorer.exe
PID 2944 wrote to memory of 2992	2944	explorer.exe	spoolsv.exe
PID 2944 wrote to memory of 2992	2944	explorer.exe	spoolsv.exe
PID 2944 wrote to memory of 2992	2944	explorer.exe	spoolsv.exe
PID 2944 wrote to memory of 2992	2944	explorer.exe	spoolsv.exe
PID 2992 wrote to memory of 2668	2992	spoolsv.exe	svchost.exe
PID 2992 wrote to memory of 2668	2992	spoolsv.exe	svchost.exe
PID 2992 wrote to memory of 2668	2992	spoolsv.exe	svchost.exe
PID 2992 wrote to memory of 2668	2992	spoolsv.exe	svchost.exe
PID 2668 wrote to memory of 2528	2668	svchost.exe	spoolsv.exe
PID 2668 wrote to memory of 2528	2668	svchost.exe	spoolsv.exe
PID 2668 wrote to memory of 2528	2668	svchost.exe	spoolsv.exe
PID 2668 wrote to memory of 2528	2668	svchost.exe	spoolsv.exe
PID 2668 wrote to memory of 2424	2668	svchost.exe	at.exe
PID 2668 wrote to memory of 2424	2668	svchost.exe	at.exe
PID 2668 wrote to memory of 2424	2668	svchost.exe	at.exe
PID 2668 wrote to memory of 2424	2668	svchost.exe	at.exe
PID 2668 wrote to memory of 1596	2668	svchost.exe	at.exe
PID 2668 wrote to memory of 1596	2668	svchost.exe	at.exe
PID 2668 wrote to memory of 1596	2668	svchost.exe	at.exe
PID 2668 wrote to memory of 1596	2668	svchost.exe	at.exe
PID 2668 wrote to memory of 2248	2668	svchost.exe	at.exe
PID 2668 wrote to memory of 2248	2668	svchost.exe	at.exe
PID 2668 wrote to memory of 2248	2668	svchost.exe	at.exe
PID 2668 wrote to memory of 2248	2668	svchost.exe	at.exe

C:\Users\Admin\AppData\Local\Temp\5a461478355d0222aecd672945f071c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5a461478355d0222aecd672945f071c0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2304

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
2⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2992

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe PR
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2528

C:\Windows\SysWOW64\at.exe
at 23:45 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
5⤵
PID:2424

C:\Windows\SysWOW64\at.exe
at 23:46 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
5⤵
PID:1596

C:\Windows\SysWOW64\at.exe
at 23:47 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
5⤵
PID:2248

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

4

T1112

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe
Filesize
206KB

MD5
e058baf1095e9b62a30bd56843b815d9

SHA1
4e12db5732b06791c2a5e48ed043570a23764081

SHA256
b02fcb9864ef4cd2842f38d9371bbef86abde02dcd6b1d4b6610fce231d867a5

SHA512
88724ef2ac15d524c31c8e4b6cbfecc2f091bbc691d3d718a6d6c433375865a8f0c1148c15cbf02305eb0db17ad6ba7f63e99666f4dc71d900a730d8fe004ed4

Download Submit
\??\PIPE\atsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Windows\system\explorer.exe
Filesize
206KB

MD5
7aa558a3fdbfdee13e16fdb953fea6f6

SHA1
f145a87d9afb438ff6040ae32d896d6b66c8fc5a

SHA256
50dec6b2091a12c5a2f8741036f9c820ba013670f04e80402c4715b04ec00614

SHA512
852b95de29c5a7dae0c8e7346267b545d1ecebdf4998aee46d2bd9bdfc6351334bc0072baef453d0faf2d1fec1ac02d69a5193ff6e7283f8fce82dbc66b6c39d

Download Submit
\Windows\system\spoolsv.exe
Filesize
206KB

MD5
648ee1880e1d20897558eb7ca18cbcac

SHA1
cc42cb8afc21e921227d259c51da4966318a5865

SHA256
b887e515b4178d816b4221595cf2f3ceae1b1e2f95770ef1f8aec9697d6a01b3

SHA512
0b2cf1ead13ff15335de6f99a5544e406a1b0973d085d401e33810f3c2b8682327607235a32eea33ebf5ec839acdfe1c6472deff5d492466235d196cabfbc8ff

Download Submit
\Windows\system\svchost.exe
Filesize
206KB

MD5
d9a9989a3b9fe332a00bf4b52fe8c0f9

SHA1
33a7ef3548a1d619ea6d89c1ac369707ec6e3858

SHA256
672894dacbab8c2a7bad72ca683145e6f62998ced8de26cbffadf84fc9696d48

SHA512
6e80555582d2db37aecde5e1bbd16baa87de0761a9d864ceebac65400108c3c28105a439962bce4fdc7b17556b468066a625b0e3897a61333876e6cbb266ee6a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads