e8ba0fe4c967dce850222941594ee24a54497b6c5faa745ba5a923c5870783b3

General

Target

6c9399a87e0672b66fa26a39fcddaad0_NeikiAnalytics.exe
Size

8.5MB
MD5

6c9399a87e0672b66fa26a39fcddaad0
SHA1

3e6c7d6330948aec97e7f2e62b776d84c0ccee09
SHA256

e8ba0fe4c967dce850222941594ee24a54497b6c5faa745ba5a923c5870783b3
SHA512

6c17741b6f055f0a42e45bcded53edd8f6b548e61549bbe97cb0dfc2d1188329644f55143d519f38a6dff630bf7836a7f2e7e82463b66b502a28e8ee5679d512
SSDEEP

196608:eIVCzv5nF2CoAKQ5/X5bEN2tm5pOuU3TcLWGO7djZkrC5RQe:eIVCT5UJAKQNX5bENYm5IV3TcLWGO7t/

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 6 IoCs

Processes:

6c9399a87e0672b66fa26a39fcddaad0_neikianalytics.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

2076 6c9399a87e0672b66fa26a39fcddaad0_neikianalytics.exe
2744 icsys.icn.exe
2916 explorer.exe
2600 spoolsv.exe
2392 svchost.exe
2612 spoolsv.exe
Loads dropped DLL 5 IoCs

Processes:

6c9399a87e0672b66fa26a39fcddaad0_NeikiAnalytics.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

pid process

2464 6c9399a87e0672b66fa26a39fcddaad0_NeikiAnalytics.exe
2744 icsys.icn.exe
2916 explorer.exe
2600 spoolsv.exe
2392 svchost.exe

pid	process
2076	6c9399a87e0672b66fa26a39fcddaad0_neikianalytics.exe
2744	icsys.icn.exe
2916	explorer.exe
2600	spoolsv.exe
2392	svchost.exe
2612	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

Processes:

6c9399a87e0672b66fa26a39fcddaad0_NeikiAnalytics.exeicsys.icn.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	6c9399a87e0672b66fa26a39fcddaad0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2416 schtasks.exe
2296 schtasks.exe
568 schtasks.exe

pid	process
2416	schtasks.exe
2296	schtasks.exe
568	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6c9399a87e0672b66fa26a39fcddaad0_NeikiAnalytics.exeicsys.icn.exeexplorer.exesvchost.exe

pid	process
2464	6c9399a87e0672b66fa26a39fcddaad0_NeikiAnalytics.exe
2464	6c9399a87e0672b66fa26a39fcddaad0_NeikiAnalytics.exe
2464	6c9399a87e0672b66fa26a39fcddaad0_NeikiAnalytics.exe
2464	6c9399a87e0672b66fa26a39fcddaad0_NeikiAnalytics.exe
2464	6c9399a87e0672b66fa26a39fcddaad0_NeikiAnalytics.exe
2464	6c9399a87e0672b66fa26a39fcddaad0_NeikiAnalytics.exe
2464	6c9399a87e0672b66fa26a39fcddaad0_NeikiAnalytics.exe
2464	6c9399a87e0672b66fa26a39fcddaad0_NeikiAnalytics.exe
2464	6c9399a87e0672b66fa26a39fcddaad0_NeikiAnalytics.exe
2464	6c9399a87e0672b66fa26a39fcddaad0_NeikiAnalytics.exe
2464	6c9399a87e0672b66fa26a39fcddaad0_NeikiAnalytics.exe
2464	6c9399a87e0672b66fa26a39fcddaad0_NeikiAnalytics.exe
2464	6c9399a87e0672b66fa26a39fcddaad0_NeikiAnalytics.exe
2464	6c9399a87e0672b66fa26a39fcddaad0_NeikiAnalytics.exe
2464	6c9399a87e0672b66fa26a39fcddaad0_NeikiAnalytics.exe
2464	6c9399a87e0672b66fa26a39fcddaad0_NeikiAnalytics.exe
2744	icsys.icn.exe
2744	icsys.icn.exe
2744	icsys.icn.exe
2744	icsys.icn.exe
2744	icsys.icn.exe
2744	icsys.icn.exe
2744	icsys.icn.exe
2744	icsys.icn.exe
2744	icsys.icn.exe
2744	icsys.icn.exe
2744	icsys.icn.exe
2744	icsys.icn.exe
2744	icsys.icn.exe
2744	icsys.icn.exe
2744	icsys.icn.exe
2744	icsys.icn.exe
2744	icsys.icn.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2392	svchost.exe
2392	svchost.exe
2392	svchost.exe
2392	svchost.exe
2392	svchost.exe
2392	svchost.exe
2392	svchost.exe
2392	svchost.exe
2392	svchost.exe
2392	svchost.exe
2392	svchost.exe
2392	svchost.exe
2392	svchost.exe
2392	svchost.exe
2392	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

2916 explorer.exe
2392 svchost.exe

pid	process
2916	explorer.exe
2392	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

6c9399a87e0672b66fa26a39fcddaad0_NeikiAnalytics.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
2464	6c9399a87e0672b66fa26a39fcddaad0_NeikiAnalytics.exe
2464	6c9399a87e0672b66fa26a39fcddaad0_NeikiAnalytics.exe
2744	icsys.icn.exe
2744	icsys.icn.exe
2916	explorer.exe
2916	explorer.exe
2600	spoolsv.exe
2600	spoolsv.exe
2392	svchost.exe
2392	svchost.exe
2612	spoolsv.exe
2612	spoolsv.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

6c9399a87e0672b66fa26a39fcddaad0_NeikiAnalytics.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 2464 wrote to memory of 2744	2464	6c9399a87e0672b66fa26a39fcddaad0_NeikiAnalytics.exe	icsys.icn.exe
PID 2464 wrote to memory of 2744	2464	6c9399a87e0672b66fa26a39fcddaad0_NeikiAnalytics.exe	icsys.icn.exe
PID 2464 wrote to memory of 2744	2464	6c9399a87e0672b66fa26a39fcddaad0_NeikiAnalytics.exe	icsys.icn.exe
PID 2464 wrote to memory of 2744	2464	6c9399a87e0672b66fa26a39fcddaad0_NeikiAnalytics.exe	icsys.icn.exe
PID 2744 wrote to memory of 2916	2744	icsys.icn.exe	explorer.exe
PID 2744 wrote to memory of 2916	2744	icsys.icn.exe	explorer.exe
PID 2744 wrote to memory of 2916	2744	icsys.icn.exe	explorer.exe
PID 2744 wrote to memory of 2916	2744	icsys.icn.exe	explorer.exe
PID 2916 wrote to memory of 2600	2916	explorer.exe	spoolsv.exe
PID 2916 wrote to memory of 2600	2916	explorer.exe	spoolsv.exe
PID 2916 wrote to memory of 2600	2916	explorer.exe	spoolsv.exe
PID 2916 wrote to memory of 2600	2916	explorer.exe	spoolsv.exe
PID 2600 wrote to memory of 2392	2600	spoolsv.exe	svchost.exe
PID 2600 wrote to memory of 2392	2600	spoolsv.exe	svchost.exe
PID 2600 wrote to memory of 2392	2600	spoolsv.exe	svchost.exe
PID 2600 wrote to memory of 2392	2600	spoolsv.exe	svchost.exe
PID 2392 wrote to memory of 2612	2392	svchost.exe	spoolsv.exe
PID 2392 wrote to memory of 2612	2392	svchost.exe	spoolsv.exe
PID 2392 wrote to memory of 2612	2392	svchost.exe	spoolsv.exe
PID 2392 wrote to memory of 2612	2392	svchost.exe	spoolsv.exe
PID 2916 wrote to memory of 2552	2916	explorer.exe	Explorer.exe
PID 2916 wrote to memory of 2552	2916	explorer.exe	Explorer.exe
PID 2916 wrote to memory of 2552	2916	explorer.exe	Explorer.exe
PID 2916 wrote to memory of 2552	2916	explorer.exe	Explorer.exe
PID 2392 wrote to memory of 2416	2392	svchost.exe	schtasks.exe
PID 2392 wrote to memory of 2416	2392	svchost.exe	schtasks.exe
PID 2392 wrote to memory of 2416	2392	svchost.exe	schtasks.exe
PID 2392 wrote to memory of 2416	2392	svchost.exe	schtasks.exe
PID 2392 wrote to memory of 2296	2392	svchost.exe	schtasks.exe
PID 2392 wrote to memory of 2296	2392	svchost.exe	schtasks.exe
PID 2392 wrote to memory of 2296	2392	svchost.exe	schtasks.exe
PID 2392 wrote to memory of 2296	2392	svchost.exe	schtasks.exe
PID 2392 wrote to memory of 568	2392	svchost.exe	schtasks.exe
PID 2392 wrote to memory of 568	2392	svchost.exe	schtasks.exe
PID 2392 wrote to memory of 568	2392	svchost.exe	schtasks.exe
PID 2392 wrote to memory of 568	2392	svchost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\6c9399a87e0672b66fa26a39fcddaad0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6c9399a87e0672b66fa26a39fcddaad0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2464

\??\c:\users\admin\appdata\local\temp\6c9399a87e0672b66fa26a39fcddaad0_neikianalytics.exe
c:\users\admin\appdata\local\temp\6c9399a87e0672b66fa26a39fcddaad0_neikianalytics.exe
2⤵
- Executes dropped EXE
PID:2076

C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2744

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2916

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2600

\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
5⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2392

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2612

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:26 /f
6⤵
- Creates scheduled task(s)
PID:2416

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:27 /f
6⤵
- Creates scheduled task(s)
PID:2296

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:28 /f
6⤵
- Creates scheduled task(s)
PID:568

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe
4⤵
PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6c9399a87e0672b66fa26a39fcddaad0_neikianalytics.exe

Filesize
8.3MB

MD5
96c68607df3fca21a1c3e8686c5eb9c5

SHA1
902cc5c653810df5f4a484e1b4b8ea7e9b45d763

SHA256
b72bba5e11d761104bb218359180739f443881bcea06e55f860556e60705399e

SHA512
4fd7fbef26edcea97c380f31169986521f677f81c92ae6e2a3fd304a9c3fc2b325d9e203bdf793ecec9c5a1ed96a4b59dbc847b948a7774250651b93f90ae321

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
d8e886cab42dfd2fc393478f96ab7a8b

SHA1
2340d8e6ecfa21984e4552874a3164096e15e9e8

SHA256
d15c9cc0cac339d305b26da55bbd2f2d81436a0c77053ac7da11fdc33d124b79

SHA512
e01b575f784c0b319c1fb72d00c9475ee73f876ef3342d2ef99c0be0eea1087c7146db91b74840c07ec4040554771f40a1e2192f0863834fd4da6c5b25a64c51

Download Submit
\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
4d8b41532f724399cbad05db215f5d3a

SHA1
1c2d10cb047f123b21bd11e7259dbd0d99370708

SHA256
87f289b0dc81884e72950d9eb8ea729f44389b2d5d7d6f7c810d61a64098204c

SHA512
c80e4861d58f572363c9bfbac1044e439917439a907bd80958e88485a94e81046c751a5ae2c9d8aeeb664d263c943c42d542602cd26326339fe68e241d63db5d

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
dec49a24703cc3cc9a9dc910b3329f31

SHA1
cf8d12b9e64b0c0c701a304ecaadc07a17bfce68

SHA256
ae7adbadc72796cf8ddf4743ddb09d08bc291c5e60ee6b916a246226adbd8334

SHA512
8d49b92c7b0710443b7fecb93cfd6f1ec40d7c41f4b833e4a434d30013b5e1e8f4331731a78ec4e4b0e05f33fd7acf643d50e29015716fe17f0c99cb2a9c1ddf

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
9dec09c889f83f795f51ee9e8ae1bc5e

SHA1
2ecfb4b8b27962019cba4178f1e76e2ddc514ba6

SHA256
18eb1f5db33afd75ad50809796ba7c6731f70d987b74d6c986b27f96edf77040

SHA512
d9c3309a9de6f550cb76f048b6d0254b9d0c6284805c67caab69515bd95587b40c631c1497918f22a1fc1722f32457f2198c09e5659467fe713f0481b293007c

Download Submit
memory/2464-10-0x00000000005B0000-0x00000000005CF000-memory.dmp

Filesize
124KB

Download
memory/2464-58-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2464-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2600-45-0x00000000002D0000-0x00000000002EF000-memory.dmp

Filesize
124KB

Download
memory/2600-56-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2612-55-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2744-57-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2744-21-0x00000000002E0000-0x00000000002FF000-memory.dmp

Filesize
124KB

Download
memory/2916-26-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads