Analysis
max time kernel: 150s
max time network: 118s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 22-05-2024 23:43
Static task: static1
Behavioral task: behavioral1
  Sample: 5a461478355d0222aecd672945f071c0_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 5a461478355d0222aecd672945f071c0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 5a461478355d0222aecd672945f071c0_NeikiAnalytics.exe
Size: 206KB
MD5: 5a461478355d0222aecd672945f071c0
SHA1: 814d798d0852f16438480008fbdcfb130cc63824
SHA256: b02c658ce93141e260567a42948aa91acf1071ebcbc971852c566593a1cec4d0
SHA512: 09a81860d9bd6da4c92b430e3b650c289f58fb13bb43dd2243c4957c842a32f55faa50f3bf056d2c8d48434ebc1ca1a9068c1760585af5dd2bf7d8e7351d9c4e
SSDEEP: 3072:zvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6un6:zvEN2U+T6i5LirrllHy4HUcMQY69
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
Processes: explorer.exe, svchost.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Executes dropped EXE (4 IoCs)
Processes: explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
pid | process
2944 | explorer.exe
2992 | spoolsv.exe
2668 | svchost.exe
2528 | spoolsv.exe
Loads dropped DLL (8 IoCs)
Processes: 5a461478355d0222aecd672945f071c0_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe
pid | process | entries
2304 | 5a461478355d0222aecd672945f071c0_NeikiAnalytics.exe | 2
2944 | explorer.exe | 2
2992 | spoolsv.exe | 2
2668 | svchost.exe | 2
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: explorer.exe, svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Drops file in Windows directory (6 IoCs)
Processes: 5a461478355d0222aecd672945f071c0_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe
description | ioc | process
File opened for modification | \??\c:\windows\system\explorer.exe | 5a461478355d0222aecd672945f071c0_NeikiAnalytics.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 5a461478355d0222aecd672945f071c0_NeikiAnalytics.exe, explorer.exe, svchost.exe
pid | process | entries
2304 | 5a461478355d0222aecd672945f071c0_NeikiAnalytics.exe | 1
2944 | explorer.exe | 32
2668 | svchost.exe | 31
(The report lists one entry for pid 2304, then three for 2944 and two for 2668, then 2944 and 2668 alternating for the remaining 58 entries.)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes: explorer.exe, svchost.exe
pid | process
2944 | explorer.exe
2668 | svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
Processes: 5a461478355d0222aecd672945f071c0_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
pid | process | entries (in report order)
2304 | 5a461478355d0222aecd672945f071c0_NeikiAnalytics.exe | 2
2944 | explorer.exe | 2
2992 | spoolsv.exe | 2
2668 | svchost.exe | 2
2528 | spoolsv.exe | 2
2944 | explorer.exe | 2
Suspicious use of WriteProcessMemory (28 IoCs)
Processes: 5a461478355d0222aecd672945f071c0_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe
description | pid | process | target process | entries
PID 2304 wrote to memory of 2944 | 2304 | 5a461478355d0222aecd672945f071c0_NeikiAnalytics.exe | explorer.exe | 4
PID 2944 wrote to memory of 2992 | 2944 | explorer.exe | spoolsv.exe | 4
PID 2992 wrote to memory of 2668 | 2992 | spoolsv.exe | svchost.exe | 4
PID 2668 wrote to memory of 2528 | 2668 | svchost.exe | spoolsv.exe | 4
PID 2668 wrote to memory of 2424 | 2668 | svchost.exe | at.exe | 4
PID 2668 wrote to memory of 1596 | 2668 | svchost.exe | at.exe | 4
PID 2668 wrote to memory of 2248 | 2668 | svchost.exe | at.exe | 4
Processes
depth 1: C:\Users\Admin\AppData\Local\Temp\5a461478355d0222aecd672945f071c0_NeikiAnalytics.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5a461478355d0222aecd672945f071c0_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  depth 2: \??\c:\windows\system\explorer.exe
    command line: c:\windows\system\explorer.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    depth 3: \??\c:\windows\system\spoolsv.exe
      command line: c:\windows\system\spoolsv.exe SE
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      depth 4: \??\c:\windows\system\svchost.exe
        command line: c:\windows\system\svchost.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        depth 5: \??\c:\windows\system\spoolsv.exe
          command line: c:\windows\system\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        depth 5: C:\Windows\SysWOW64\at.exe
          command line: at 23:45 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        depth 5: C:\Windows\SysWOW64\at.exe
          command line: at 23:46 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        depth 5: C:\Windows\SysWOW64\at.exe
          command line: at 23:47 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Downloads
- C:\Users\Admin\AppData\Roaming\mrsys.exe
  Filesize: 206KB
  MD5: e058baf1095e9b62a30bd56843b815d9
  SHA1: 4e12db5732b06791c2a5e48ed043570a23764081
  SHA256: b02fcb9864ef4cd2842f38d9371bbef86abde02dcd6b1d4b6610fce231d867a5
  SHA512: 88724ef2ac15d524c31c8e4b6cbfecc2f091bbc691d3d718a6d6c433375865a8f0c1148c15cbf02305eb0db17ad6ba7f63e99666f4dc71d900a730d8fe004ed4
- \??\PIPE\atsvc (the hashes below are those of zero-length content)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- \Windows\system\explorer.exe
  Filesize: 206KB
  MD5: 7aa558a3fdbfdee13e16fdb953fea6f6
  SHA1: f145a87d9afb438ff6040ae32d896d6b66c8fc5a
  SHA256: 50dec6b2091a12c5a2f8741036f9c820ba013670f04e80402c4715b04ec00614
  SHA512: 852b95de29c5a7dae0c8e7346267b545d1ecebdf4998aee46d2bd9bdfc6351334bc0072baef453d0faf2d1fec1ac02d69a5193ff6e7283f8fce82dbc66b6c39d
- \Windows\system\spoolsv.exe
  Filesize: 206KB
  MD5: 648ee1880e1d20897558eb7ca18cbcac
  SHA1: cc42cb8afc21e921227d259c51da4966318a5865
  SHA256: b887e515b4178d816b4221595cf2f3ceae1b1e2f95770ef1f8aec9697d6a01b3
  SHA512: 0b2cf1ead13ff15335de6f99a5544e406a1b0973d085d401e33810f3c2b8682327607235a32eea33ebf5ec839acdfe1c6472deff5d492466235d196cabfbc8ff
- \Windows\system\svchost.exe
  Filesize: 206KB
  MD5: d9a9989a3b9fe332a00bf4b52fe8c0f9
  SHA1: 33a7ef3548a1d619ea6d89c1ac369707ec6e3858
  SHA256: 672894dacbab8c2a7bad72ca683145e6f62998ced8de26cbffadf84fc9696d48
  SHA512: 6e80555582d2db37aecde5e1bbd16baa87de0761a9d864ceebac65400108c3c28105a439962bce4fdc7b17556b468066a625b0e3897a61333876e6cbb266ee6a