0d87e90c444a51e1679f88f36ab1b12d649789d9dae4fb7be9637118acbe3914

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70e3178ce200e4cf30e994ee546c10a0_NeikiAnalytics.exe
Size

4.4MB
MD5

70e3178ce200e4cf30e994ee546c10a0
SHA1

7fda422e769619faaaa7845f58b0f86ced17bd48
SHA256

0d87e90c444a51e1679f88f36ab1b12d649789d9dae4fb7be9637118acbe3914
SHA512

a961802941e5af2f34d3a6c964e42a6226805f63d096518a507975543be011a14d11f47b747a8183fc45e91155f7811fb1bf8b076b12a0720811c6ad67b5bead
SSDEEP

98304:VT4tlQ0aeY51XNURYxaA6qjEb9tRuPmBmWBDLTMTtbslyzRt9cuISY6Qu:VKlhE9U6476itR+mLPw6lyZY63

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 7 IoCs

Processes:

70e3178ce200e4cf30e994ee546c10a0_neikianalytics.exe install.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
1676	70e3178ce200e4cf30e994ee546c10a0_neikianalytics.exe
5060	install.exe
536	icsys.icn.exe
3424	explorer.exe
3380	spoolsv.exe
3612	svchost.exe
1720	spoolsv.exe

Loads dropped DLL 1 IoCs

Processes:

install.exe

pid process

5060 install.exe

pid	process
5060	install.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

Processes:

70e3178ce200e4cf30e994ee546c10a0_NeikiAnalytics.exeicsys.icn.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	70e3178ce200e4cf30e994ee546c10a0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

70e3178ce200e4cf30e994ee546c10a0_NeikiAnalytics.exeicsys.icn.exe

pid	process
1908	70e3178ce200e4cf30e994ee546c10a0_NeikiAnalytics.exe
1908	70e3178ce200e4cf30e994ee546c10a0_NeikiAnalytics.exe
1908	70e3178ce200e4cf30e994ee546c10a0_NeikiAnalytics.exe
1908	70e3178ce200e4cf30e994ee546c10a0_NeikiAnalytics.exe
1908	70e3178ce200e4cf30e994ee546c10a0_NeikiAnalytics.exe
1908	70e3178ce200e4cf30e994ee546c10a0_NeikiAnalytics.exe
1908	70e3178ce200e4cf30e994ee546c10a0_NeikiAnalytics.exe
1908	70e3178ce200e4cf30e994ee546c10a0_NeikiAnalytics.exe
1908	70e3178ce200e4cf30e994ee546c10a0_NeikiAnalytics.exe
1908	70e3178ce200e4cf30e994ee546c10a0_NeikiAnalytics.exe
1908	70e3178ce200e4cf30e994ee546c10a0_NeikiAnalytics.exe
1908	70e3178ce200e4cf30e994ee546c10a0_NeikiAnalytics.exe
1908	70e3178ce200e4cf30e994ee546c10a0_NeikiAnalytics.exe
1908	70e3178ce200e4cf30e994ee546c10a0_NeikiAnalytics.exe
1908	70e3178ce200e4cf30e994ee546c10a0_NeikiAnalytics.exe
1908	70e3178ce200e4cf30e994ee546c10a0_NeikiAnalytics.exe
1908	70e3178ce200e4cf30e994ee546c10a0_NeikiAnalytics.exe
1908	70e3178ce200e4cf30e994ee546c10a0_NeikiAnalytics.exe
1908	70e3178ce200e4cf30e994ee546c10a0_NeikiAnalytics.exe
1908	70e3178ce200e4cf30e994ee546c10a0_NeikiAnalytics.exe
1908	70e3178ce200e4cf30e994ee546c10a0_NeikiAnalytics.exe
1908	70e3178ce200e4cf30e994ee546c10a0_NeikiAnalytics.exe
1908	70e3178ce200e4cf30e994ee546c10a0_NeikiAnalytics.exe
1908	70e3178ce200e4cf30e994ee546c10a0_NeikiAnalytics.exe
1908	70e3178ce200e4cf30e994ee546c10a0_NeikiAnalytics.exe
1908	70e3178ce200e4cf30e994ee546c10a0_NeikiAnalytics.exe
1908	70e3178ce200e4cf30e994ee546c10a0_NeikiAnalytics.exe
1908	70e3178ce200e4cf30e994ee546c10a0_NeikiAnalytics.exe
1908	70e3178ce200e4cf30e994ee546c10a0_NeikiAnalytics.exe
1908	70e3178ce200e4cf30e994ee546c10a0_NeikiAnalytics.exe
1908	70e3178ce200e4cf30e994ee546c10a0_NeikiAnalytics.exe
1908	70e3178ce200e4cf30e994ee546c10a0_NeikiAnalytics.exe
536	icsys.icn.exe
536	icsys.icn.exe
536	icsys.icn.exe
536	icsys.icn.exe
536	icsys.icn.exe
536	icsys.icn.exe
536	icsys.icn.exe
536	icsys.icn.exe
536	icsys.icn.exe
536	icsys.icn.exe
536	icsys.icn.exe
536	icsys.icn.exe
536	icsys.icn.exe
536	icsys.icn.exe
536	icsys.icn.exe
536	icsys.icn.exe
536	icsys.icn.exe
536	icsys.icn.exe
536	icsys.icn.exe
536	icsys.icn.exe
536	icsys.icn.exe
536	icsys.icn.exe
536	icsys.icn.exe
536	icsys.icn.exe
536	icsys.icn.exe
536	icsys.icn.exe
536	icsys.icn.exe
536	icsys.icn.exe
536	icsys.icn.exe
536	icsys.icn.exe
536	icsys.icn.exe
536	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

3424 explorer.exe
3612 svchost.exe

pid	process
3424	explorer.exe
3612	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

70e3178ce200e4cf30e994ee546c10a0_NeikiAnalytics.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
1908	70e3178ce200e4cf30e994ee546c10a0_NeikiAnalytics.exe
1908	70e3178ce200e4cf30e994ee546c10a0_NeikiAnalytics.exe
536	icsys.icn.exe
536	icsys.icn.exe
3424	explorer.exe
3424	explorer.exe
3380	spoolsv.exe
3380	spoolsv.exe
3612	svchost.exe
3612	svchost.exe
1720	spoolsv.exe
1720	spoolsv.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

70e3178ce200e4cf30e994ee546c10a0_NeikiAnalytics.exe70e3178ce200e4cf30e994ee546c10a0_neikianalytics.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 1908 wrote to memory of 1676	1908	70e3178ce200e4cf30e994ee546c10a0_NeikiAnalytics.exe	70e3178ce200e4cf30e994ee546c10a0_neikianalytics.exe
PID 1908 wrote to memory of 1676	1908	70e3178ce200e4cf30e994ee546c10a0_NeikiAnalytics.exe	70e3178ce200e4cf30e994ee546c10a0_neikianalytics.exe
PID 1908 wrote to memory of 1676	1908	70e3178ce200e4cf30e994ee546c10a0_NeikiAnalytics.exe	70e3178ce200e4cf30e994ee546c10a0_neikianalytics.exe
PID 1676 wrote to memory of 5060	1676	70e3178ce200e4cf30e994ee546c10a0_neikianalytics.exe	install.exe
PID 1676 wrote to memory of 5060	1676	70e3178ce200e4cf30e994ee546c10a0_neikianalytics.exe	install.exe
PID 1676 wrote to memory of 5060	1676	70e3178ce200e4cf30e994ee546c10a0_neikianalytics.exe	install.exe
PID 1908 wrote to memory of 536	1908	70e3178ce200e4cf30e994ee546c10a0_NeikiAnalytics.exe	icsys.icn.exe
PID 1908 wrote to memory of 536	1908	70e3178ce200e4cf30e994ee546c10a0_NeikiAnalytics.exe	icsys.icn.exe
PID 1908 wrote to memory of 536	1908	70e3178ce200e4cf30e994ee546c10a0_NeikiAnalytics.exe	icsys.icn.exe
PID 536 wrote to memory of 3424	536	icsys.icn.exe	explorer.exe
PID 536 wrote to memory of 3424	536	icsys.icn.exe	explorer.exe
PID 536 wrote to memory of 3424	536	icsys.icn.exe	explorer.exe
PID 3424 wrote to memory of 3380	3424	explorer.exe	spoolsv.exe
PID 3424 wrote to memory of 3380	3424	explorer.exe	spoolsv.exe
PID 3424 wrote to memory of 3380	3424	explorer.exe	spoolsv.exe
PID 3380 wrote to memory of 3612	3380	spoolsv.exe	svchost.exe
PID 3380 wrote to memory of 3612	3380	spoolsv.exe	svchost.exe
PID 3380 wrote to memory of 3612	3380	spoolsv.exe	svchost.exe
PID 3612 wrote to memory of 1720	3612	svchost.exe	spoolsv.exe
PID 3612 wrote to memory of 1720	3612	svchost.exe	spoolsv.exe
PID 3612 wrote to memory of 1720	3612	svchost.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\70e3178ce200e4cf30e994ee546c10a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\70e3178ce200e4cf30e994ee546c10a0_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1908

\??\c:\users\admin\appdata\local\temp\70e3178ce200e4cf30e994ee546c10a0_neikianalytics.exe
c:\users\admin\appdata\local\temp\70e3178ce200e4cf30e994ee546c10a0_neikianalytics.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676

\??\c:\b145d245e313380069ef\install.exe
c:\b145d245e313380069ef\.\install.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5060

C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:536

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3424

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3380

\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
5⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3612

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
dc63cb677f2d39ec1d712768c936c1aa

SHA1
df3c7bc2ed628328640ea9f442ff2dde4680abc5

SHA256
9c4ad4a0d6f2c23e702f8419229a8243c8da304962d92081790825c008d3cf6b

SHA512
627d2235defd7bd5107e6f406a8624a6dd553c72201a2dd8c0759f52ad54a0bc322d46b71f6990d56e3fa458fd00bb959a91b0ef4ed2d20771d9fefab10691c3

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
eebdacc94978c92d88bd4d85a58f6e11

SHA1
1edebdc4c9b984202842f453ebc3d6ff71755339

SHA256
c24e58be35c9e11a4821036b10ced5d4e5cf2d4eca40520135a3aa50c29ba1ef

SHA512
f83efe0265601cfe96faf794a0f91c97dd682b2ef8d4c555cc9a790fa1bd08715f37ea637f4bf2e74e5b7e4d4c633923977d1899933a704acc3ca4cc78691eb7

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
773e65667e659020e463601c87d55299

SHA1
b89aa921182e0b234cc1cd1f864b254bbc0b2bc8

SHA256
338ce6b1d4d58baed0bf8555c287b61cc86c63c98fd7c255860ec11f5424dd3b

SHA512
eaa4483f1fec0936ba560b4cd1993da4c289b2a2e4adffc43af4752e86613efe176574b386bf53be35a0b8735e512fa8127faf9344867be6e3b0117ea3c74b1c

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
3cee595b5bb49e99ae111f6d146e5927

SHA1
bd7ed5376b4bec94b2d3aeae10c483850a34b95a

SHA256
5a823c5e909d4f5138056cfcde19ec0782122cab8758880653974daee0d6311b

SHA512
7acd066113dc9b3b8d6200dd657d6e316aeabe0bcfa89de4c2068b9401e2e1d43199292a9b3e9a2b5dfb7b7cd1797d1028616da2068f843233209e0e179ca299

Download Submit
C:\b145d245e313380069ef\install.exe

Filesize
547KB

MD5
4138c31964fbcb3b7418e086933324c3

SHA1
97cc6f58fb064ab6c4a2f02fb665fef77d30532f

SHA256
b72056fc3df6f46069294c243fe5006879bf4a9d8eef388369a590ca41745f29

SHA512
40cf2f35c3a944fca93d58d66465f0308197f5485381ff07d3065e0f59e94fc3834313068e4e5e5da395413ff2d3d1c3ff6fa050f2256e118972bf21a5643557

Download Submit
\??\c:\b145d245e313380069ef\globdata.ini

Filesize
1KB

MD5
0a6b586fabd072bd7382b5e24194eac7

SHA1
60e3c7215c1a40fbfb3016d52c2de44592f8ca95

SHA256
7912e3fcf2698cf4f8625e563cd8215c6668739cae18bd6f27af2d25bec5c951

SHA512
b96b0448e9f0e94a7867b6bb103979e9ef2c0e074bcb85988d450d63de6edcf21dc83bb154aafb7de524af3c3734f0bb1ba649db0408612479322e1aa85be9f4

Download Submit
\??\c:\b145d245e313380069ef\install.ini

Filesize
841B

MD5
f8f6c0e030cb622f065fe47d61da91d7

SHA1
cf6fa99747de8f35c6aea52df234c9c57583baa3

SHA256
c16727881c47a40077dc5a1f1ea71cbb28e3f4e156c0ae7074c6d7f5ecece21d

SHA512
b70c6d67dac5e6a0dbd17e3bcf570a95914482abad20d0304c02da22231070b4bc887720dbae972bc5066457e1273b68fde0805f1c1791e9466a5ca343485cde

Download Submit
\??\c:\b145d245e313380069ef\install.res.1033.dll

Filesize
85KB

MD5
ff6003014eefc9c30abe20e3e1f5fbe8

SHA1
4a5bd05f94545f01efc10232385b8fecad300678

SHA256
a522c5ea3250cdd538a9ce7b4a06dfd5123e7eb05eef67509f2b975a8e1d3067

SHA512
3adc5c705bab7fa7b50517a5eb3301491f5150b56e1088ed436590458e963da204cd1875af75db89742403476a56a94c3f425c05327767bdb4bbee4859667ac2

Download Submit
\??\c:\b145d245e313380069ef\vc_red.msi

Filesize
222KB

MD5
7e641e6a0b456271745c20c3bb8a18f9

SHA1
ae6cedcb81dc443611a310140ae4671789dbbf3a

SHA256
34c5e7d7ea270ee67f92d34843d89603d6d3b6d9ef5247b43ae3c59c909d380d

SHA512
f67d6bf69d094edcc93541332f31b326131ff89672edb30fd349def6952ad8bfd07dc2f0ca5967b48a7589eee5b7a14b9a2c1ebe0cba4ae2324f7957090ea903

Download Submit
\??\c:\b145d245e313380069ef\vcredist.bmp

Filesize
5KB

MD5
06fba95313f26e300917c6cea4480890

SHA1
31beee44776f114078fc403e405eaa5936c4bc3b

SHA256
594884a8006e24ad5b1578cd7c75aca21171bb079ebdc4f6518905bcf2237ba1

SHA512
7dca0f1ab5d3fd1ac8755142a7ca4d085bb0c2f12a7272e56159dadfa22da79ec8261815be71b9f5e7c32f6e8121ecb2443060f7db76feaf01eb193200e67dfd

Download Submit
\??\c:\users\admin\appdata\local\temp\70e3178ce200e4cf30e994ee546c10a0_neikianalytics.exe

Filesize
4.3MB

MD5
35da2bf2befd998980a495b6f4f55e60

SHA1
470640aa4bb7db8e69196b5edb0010933569e98d

SHA256
6b3e4c51c6c0e5f68c8a72b497445af3dbf976394cbb62aa23569065c28deeb6

SHA512
bf630667c87b8f10ef85b61f2f379d7ce24124618b999babfec8e2df424eb494b8f1bf0977580810dff5124d4dbdec9539ff53e0dc14625c076fa34dfe44e3f2

Download Submit
memory/536-48-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/536-82-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1720-80-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1908-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1908-83-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3380-81-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5060-43-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download
memory/5060-84-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download