Analysis

max time kernel: 150s
max time network: 123s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 23-05-2024 01:24

Static task: static1
Behavioral task: behavioral1
Sample: 6c9399a87e0672b66fa26a39fcddaad0_NeikiAnalytics.exe
Resource: win7-20240220-en
General

Target: 6c9399a87e0672b66fa26a39fcddaad0_NeikiAnalytics.exe
Size: 8.5MB
MD5: 6c9399a87e0672b66fa26a39fcddaad0
SHA1: 3e6c7d6330948aec97e7f2e62b776d84c0ccee09
SHA256: e8ba0fe4c967dce850222941594ee24a54497b6c5faa745ba5a923c5870783b3
SHA512: 6c17741b6f055f0a42e45bcded53edd8f6b548e61549bbe97cb0dfc2d1188329644f55143d519f38a6dff630bf7836a7f2e7e82463b66b502a28e8ee5679d512
SSDEEP: 196608:eIVCzv5nF2CoAKQ5/X5bEN2tm5pOuU3TcLWGO7djZkrC5RQe:eIVCT5UJAKQNX5bENYm5IV3TcLWGO7t/
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (explorer.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (svchost.exe)

ShowSuperHidden = 0 is the "Hide protected operating system files" setting; forcing it keeps files carrying the hidden and system attributes out of Explorer listings even if the user has enabled "show hidden files". The writers here are the dropped look-alikes running from c:\windows\resources (PIDs 2916 and 2392 in the process tree), not the genuine Explorer or svchost.
Executes dropped EXE (6 IoCs)
Processes (PID, image):
- 2076 6c9399a87e0672b66fa26a39fcddaad0_neikianalytics.exe
- 2744 icsys.icn.exe
- 2916 explorer.exe
- 2600 spoolsv.exe
- 2392 svchost.exe
- 2612 spoolsv.exe
Loads dropped DLL (5 IoCs)
Processes (PID, image):
- 2464 6c9399a87e0672b66fa26a39fcddaad0_NeikiAnalytics.exe
- 2744 icsys.icn.exe
- 2916 explorer.exe
- 2600 spoolsv.exe
- 2392 svchost.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: explorer.exe, svchost.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (svchost.exe)

Two things worth noting when hunting for this: the key lands under Wow6432Node because the writer is a 32-bit process on x64 Windows (registry redirection), so a query of the native HKLM\Software\...\RunOnce view will miss it; and RunOnce values are deleted when they are consumed at logon, so they only keep re-arming because both running copies write them again. The scheduled task created below is the persistence that survives on its own.
Drops file in System32 directory (2 IoCs)
Processes: explorer.exe, svchost.exe
- File opened for modification C:\Windows\SysWOW64\explorer.exe (explorer.exe)
- File opened for modification C:\Windows\SysWOW64\explorer.exe (svchost.exe)

This is the 32-bit Explorer binary that x64 Windows keeps in SysWOW64, opened with write access by the two dropped look-alikes; the report does not show what, if anything, was written, so an on-host check should compare that file's hash against a known-good copy.
Drops file in Windows directory (5 IoCs)
Processes: 6c9399a87e0672b66fa26a39fcddaad0_NeikiAnalytics.exe, icsys.icn.exe, explorer.exe, spoolsv.exe
- File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe (6c9399a87e0672b66fa26a39fcddaad0_NeikiAnalytics.exe)
- File opened for modification \??\c:\windows\resources\themes\explorer.exe (icsys.icn.exe)
- File opened for modification \??\c:\windows\resources\spoolsv.exe (explorer.exe)
- File opened for modification \??\c:\windows\resources\svchost.exe (spoolsv.exe)
- File opened for modification C:\Windows\Resources\tjud.exe (explorer.exe)

Each stage writes the next one: the sample drops icsys.icn.exe, which drops explorer.exe, which drops spoolsv.exe, which drops svchost.exe, all under C:\Windows\Resources. explorer.exe additionally writes tjud.exe, which never appears as a running process in this trace.
Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (PID, image):
- 2416 schtasks.exe
- 2296 schtasks.exe
- 568 schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 64 repeated process-enumeration events, all from four processes (repeated entries collapsed):
- 2464 6c9399a87e0672b66fa26a39fcddaad0_NeikiAnalytics.exe
- 2744 icsys.icn.exe
- 2916 explorer.exe
- 2392 svchost.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes (PID, image):
- 2916 explorer.exe
- 2392 svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
Processes (PID, image; two events each):
- 2464 6c9399a87e0672b66fa26a39fcddaad0_NeikiAnalytics.exe
- 2744 icsys.icn.exe
- 2916 explorer.exe
- 2600 spoolsv.exe
- 2392 svchost.exe
- 2612 spoolsv.exe
Suspicious use of WriteProcessMemory (36 IoCs)
Processes: 6c9399a87e0672b66fa26a39fcddaad0_NeikiAnalytics.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe
Each parent/child pair below was recorded four times (9 pairs, 36 events):
- PID 2464 6c9399a87e0672b66fa26a39fcddaad0_NeikiAnalytics.exe wrote to memory of 2744 icsys.icn.exe
- PID 2744 icsys.icn.exe wrote to memory of 2916 explorer.exe
- PID 2916 explorer.exe wrote to memory of 2600 spoolsv.exe
- PID 2600 spoolsv.exe wrote to memory of 2392 svchost.exe
- PID 2392 svchost.exe wrote to memory of 2612 spoolsv.exe
- PID 2916 explorer.exe wrote to memory of 2552 Explorer.exe
- PID 2392 svchost.exe wrote to memory of 2416 schtasks.exe
- PID 2392 svchost.exe wrote to memory of 2296 schtasks.exe
- PID 2392 svchost.exe wrote to memory of 568 schtasks.exe

Every target is the writer's own freshly spawned child (compare the process tree), which is consistent with ordinary process creation rather than injection into an unrelated process; the signature fires on the API, not on the intent.
Processes

C:\Users\Admin\AppData\Local\Temp\6c9399a87e0672b66fa26a39fcddaad0_NeikiAnalytics.exe (PID 2464, depth 1)
  command: "C:\Users\Admin\AppData\Local\Temp\6c9399a87e0672b66fa26a39fcddaad0_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  \??\c:\users\admin\appdata\local\temp\6c9399a87e0672b66fa26a39fcddaad0_neikianalytics.exe (PID 2076, depth 2; a second instance of the sample started by PID 2464)
    command: c:\users\admin\appdata\local\temp\6c9399a87e0672b66fa26a39fcddaad0_neikianalytics.exe
    - Executes dropped EXE

  C:\Windows\Resources\Themes\icsys.icn.exe (PID 2744, depth 2)
    command: C:\Windows\Resources\Themes\icsys.icn.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    \??\c:\windows\resources\themes\explorer.exe (PID 2916, depth 3)
      command: c:\windows\resources\themes\explorer.exe
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      \??\c:\windows\resources\spoolsv.exe (PID 2600, depth 4)
        command: c:\windows\resources\spoolsv.exe SE
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\resources\svchost.exe (PID 2392, depth 5)
          command: c:\windows\resources\svchost.exe
          - Modifies visibility of hidden/system files in Explorer
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

          \??\c:\windows\resources\spoolsv.exe (PID 2612, depth 6)
            command: c:\windows\resources\spoolsv.exe PR
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx

          C:\Windows\SysWOW64\schtasks.exe (PID 2416, depth 6)
            command: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:26 /f
            - Creates scheduled task(s)

          C:\Windows\SysWOW64\schtasks.exe (PID 2296, depth 6)
            command: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:27 /f
            - Creates scheduled task(s)

          C:\Windows\SysWOW64\schtasks.exe (PID 568, depth 6)
            command: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:28 /f
            - Creates scheduled task(s)

      C:\Windows\Explorer.exe (PID 2552, depth 4; no signatures)
        command: C:\Windows\Explorer.exe
        This is the genuine Explorer, started by the dropped explorer.exe (PID 2916).

Reading the tree: the dropped binaries borrow the names explorer.exe, svchost.exe and spoolsv.exe but run from c:\windows\resources and c:\windows\resources\themes, and schtasks is launched from SysWOW64, so the whole chain is 32-bit code. The copies are started with one-word arguments (SE and PR here, RO in the RunOnce values) that the report records but does not interpret. All three schtasks calls create the same task name "svchost" with /f, which replaces an existing task of that name without prompting, so the host is left with a single daily task running c:\windows\resources\svchost.exe at 01:28; the start times sit a few minutes after the 01:24 submission time, i.e. they are derived from the clock at run time. A hunt for this persistence should therefore look for a task named after a Windows binary whose action points outside System32, and for explorer.exe/svchost.exe/spoolsv.exe images outside their real locations, rather than for the exact 01:2x times.
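The checks described above, turned into code. This is an added example written for this page, not sandbox output or the sample's own code: the REPORT_EVENTS list is constructed by hand from the process tree, registry writes, file writes and schtasks command lines shown in the report, and the rules (look-alike names outside their system directories, writes to a genuine system binary, Run/RunOnce values, ShowSuperHidden = 0, schtasks tasks named after Windows binaries, and a replay of repeated `/create ... /f` calls) are what a responder would apply when sweeping other hosts. The EXPECTED_DIRS table is an assumption stated in the code (64-bit Windows layout); the modelling of a non-/f create against an existing task as "keep the existing task" is also an assumption.

```python
"""Triage of the persistence and masquerading seen in this report (added example)."""
import re
from collections import OrderedDict

# Assumption: where 64-bit Windows itself keeps binaries with these names.
# The same name anywhere else (e.g. c:\windows\resources) is a look-alike.
EXPECTED_DIRS = {
    "explorer.exe": {"c:\\windows\\", "c:\\windows\\syswow64\\"},
    "svchost.exe": {"c:\\windows\\system32\\", "c:\\windows\\syswow64\\"},
    "spoolsv.exe": {"c:\\windows\\system32\\"},
}
AUTOSTART_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")


def _norm(path):
    """Lower-case, unquote and strip the NT \\??\\ prefix so paths compare."""
    p = str(path).strip().strip('"').lower()
    return p[4:] if p.startswith("\\??\\") else p


def split_path(path):
    p = _norm(path)
    i = p.rfind("\\")
    return (p[: i + 1], p[i + 1:]) if i >= 0 else ("", p)


def lookalike(path):
    """Finding text if path is a system binary name outside its real location, else None."""
    d, name = split_path(path)
    if name in EXPECTED_DIRS and d not in EXPECTED_DIRS[name]:
        return f"{name} outside its system location: {_norm(path)}"
    return None


def file_write_findings(path):
    """A write to a genuine system binary matters as much as a look-alike drop."""
    d, name = split_path(path)
    if name not in EXPECTED_DIRS:
        return []
    if d in EXPECTED_DIRS[name]:
        return [f"write access to genuine system binary {_norm(path)}"]
    return [lookalike(path)]


def parse_schtasks(cmdline):
    """Tokenise a schtasks command line into {'/tn': 'svchost', '/f': True, ...}."""
    toks = [q or b for q, b in re.findall(r'"([^"]*)"|(\S+)', cmdline)]
    args, i = {}, 0
    while i < len(toks):
        t = toks[i].lower()
        if t.startswith("/"):
            nxt = toks[i + 1] if i + 1 < len(toks) else None
            if nxt is None or nxt.startswith("/"):
                args[t], i = True, i + 1          # bare switch: /create, /f
            else:
                args[t], i = nxt, i + 2           # switch with a value
        else:
            i += 1                                # the schtasks image itself
    return args


def task_findings(cmdline):
    a = parse_schtasks(cmdline)
    if "/create" not in a:
        return []
    tn = str(a.get("/tn", "")).lower()
    mimics = (tn if tn.endswith(".exe") else tn + ".exe") in EXPECTED_DIRS
    hit = lookalike(a.get("/tr", ""))
    if not (mimics or hit):
        return []
    what = ([f"task name {tn!r} mimics a Windows binary"] if mimics else []) + ([hit] if hit else [])
    sched = f"{a.get('/sc')} at {a.get('/st')}" + (", /f" if "/f" in a else "")
    return [f"schtasks /create ({sched}): " + "; ".join(what)]


def replay_task_creates(cmdlines):
    """Replay /create calls: /f replaces an existing task of the same name, so the last
    create wins. Assumption: without /f an existing task is kept (schtasks would prompt)."""
    tasks = OrderedDict()
    for c in cmdlines:
        a = parse_schtasks(c)
        if "/create" not in a:
            continue
        name = str(a.get("/tn", "")).lower()
        if name in tasks and "/f" not in a:
            continue
        tasks[name] = {k: v for k, v in a.items() if k in ("/tr", "/sc", "/st")}
    return tasks


def registry_findings(key, value):
    k = key.lower()
    if k.endswith("\\explorer\\advanced\\showsuperhidden") and str(value) == "0":
        return [f"keeps protected OS files hidden in Explorer: {key} = 0"]
    if any(s in k for s in AUTOSTART_KEYS):
        exe = _norm(value).split(" ")[0]          # drop trailing args such as 'RO' (unquoted paths only)
        return [f"autostart {key} -> {lookalike(exe) or _norm(value)}"]
    return []


def triage(events):
    """events: (kind, payload) tuples; returns the list of finding strings."""
    findings = []
    for kind, payload in events:
        if kind == "process":
            hit = lookalike(payload)
            findings += [hit] if hit else []
        elif kind == "file":
            findings += file_write_findings(payload)
        elif kind == "registry":
            findings += registry_findings(*payload)
        elif kind == "schtasks":
            findings += task_findings(payload)
    return findings


# Constructed from this report: image paths, file writes, registry values, schtasks calls.
SID = "S-1-5-21-2721934792-624042501-2768869379-1000"
HKLM_RUNONCE = "\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce"
HKU_SUPERHIDDEN = "\\REGISTRY\\USER\\" + SID + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden"
REPORT_EVENTS = [
    ("process", r"\??\c:\windows\resources\themes\explorer.exe"),   # PID 2916
    ("process", r"\??\c:\windows\resources\spoolsv.exe"),           # PIDs 2600 / 2612
    ("process", r"\??\c:\windows\resources\svchost.exe"),           # PID 2392
    ("process", r"C:\Windows\Explorer.exe"),                         # PID 2552, the real one
    ("file", r"C:\Windows\SysWOW64\explorer.exe"),                   # opened for modification
    ("file", r"C:\Windows\Resources\Themes\icsys.icn.exe"),          # dropped loader, no rule fires
    ("registry", (HKLM_RUNONCE + "\\Explorer", r"c:\windows\resources\themes\explorer.exe RO")),
    ("registry", (HKLM_RUNONCE + "\\Svchost", r"c:\windows\resources\svchost.exe RO")),
    ("registry", (HKU_SUPERHIDDEN, 0)),
    ("schtasks", r'schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:26 /f'),
    ("schtasks", r'schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:27 /f'),
    ("schtasks", r'schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:28 /f'),
]

if __name__ == "__main__":
    for line in triage(REPORT_EVENTS):
        print(line)
    print(replay_task_creates([p for k, p in REPORT_EVENTS if k == "schtasks"]))
```

Run as-is it prints ten findings (three look-alike processes, the write to SysWOW64\explorer.exe, two RunOnce values, the ShowSuperHidden write and the three task creations) and shows the replayed task table collapsing to one "svchost" task at 01:28. To use it on real telemetry, feed Sysmon event 1 image paths and command lines, event 11 file creates and event 13 registry sets into the same (kind, payload) shape; the genuine C:\Windows\Explorer.exe and the icsys.icn.exe drop are in the list to show which events do not fire.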
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001): 1
- Scheduled Task/Job (T1053): 1

Privilege Escalation
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001): 1
- Scheduled Task/Job (T1053): 1
Downloads

Five dropped files, listed by hash only (the report does not give their names):

File 1
Filesize: 8.3MB
MD5: 96c68607df3fca21a1c3e8686c5eb9c5
SHA1: 902cc5c653810df5f4a484e1b4b8ea7e9b45d763
SHA256: b72bba5e11d761104bb218359180739f443881bcea06e55f860556e60705399e
SHA512: 4fd7fbef26edcea97c380f31169986521f677f81c92ae6e2a3fd304a9c3fc2b325d9e203bdf793ecec9c5a1ed96a4b59dbc847b948a7774250651b93f90ae321

File 2
Filesize: 135KB
MD5: d8e886cab42dfd2fc393478f96ab7a8b
SHA1: 2340d8e6ecfa21984e4552874a3164096e15e9e8
SHA256: d15c9cc0cac339d305b26da55bbd2f2d81436a0c77053ac7da11fdc33d124b79
SHA512: e01b575f784c0b319c1fb72d00c9475ee73f876ef3342d2ef99c0be0eea1087c7146db91b74840c07ec4040554771f40a1e2192f0863834fd4da6c5b25a64c51

File 3
Filesize: 135KB
MD5: 4d8b41532f724399cbad05db215f5d3a
SHA1: 1c2d10cb047f123b21bd11e7259dbd0d99370708
SHA256: 87f289b0dc81884e72950d9eb8ea729f44389b2d5d7d6f7c810d61a64098204c
SHA512: c80e4861d58f572363c9bfbac1044e439917439a907bd80958e88485a94e81046c751a5ae2c9d8aeeb664d263c943c42d542602cd26326339fe68e241d63db5d

File 4
Filesize: 135KB
MD5: dec49a24703cc3cc9a9dc910b3329f31
SHA1: cf8d12b9e64b0c0c701a304ecaadc07a17bfce68
SHA256: ae7adbadc72796cf8ddf4743ddb09d08bc291c5e60ee6b916a246226adbd8334
SHA512: 8d49b92c7b0710443b7fecb93cfd6f1ec40d7c41f4b833e4a434d30013b5e1e8f4331731a78ec4e4b0e05f33fd7acf643d50e29015716fe17f0c99cb2a9c1ddf

File 5
Filesize: 135KB
MD5: 9dec09c889f83f795f51ee9e8ae1bc5e
SHA1: 2ecfb4b8b27962019cba4178f1e76e2ddc514ba6
SHA256: 18eb1f5db33afd75ad50809796ba7c6731f70d987b74d6c986b27f96edf77040
SHA512: d9c3309a9de6f550cb76f048b6d0254b9d0c6284805c67caab69515bd95587b40c631c1497918f22a1fc1722f32457f2198c09e5659467fe713f0481b293007c