a9f287a5300275613e46a6d937492627c40d2578d52a794215bce3f5ee3c7311

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c65fb8c84b6e6ba1c2f4e9998db0ee90_NeikiAnalytics.exe
Size

207KB
MD5

c65fb8c84b6e6ba1c2f4e9998db0ee90
SHA1

3ddcff24c77cbcbe35388d24ddf002036e150df1
SHA256

a9f287a5300275613e46a6d937492627c40d2578d52a794215bce3f5ee3c7311
SHA512

f26c69714e31a19172de1c6c6421d5984c88aed7471b670f619ce0562a967fdb59cd31245014521aeb9d18c6bc2951986afc94a8438287dbb7972be7ab78a34a
SSDEEP

3072:zvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6un02:zvEN2U+T6i5LirrllHy4HUcMQY6h2

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
2016	explorer.exe
2668	spoolsv.exe
2648	svchost.exe
2632	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
1936	c65fb8c84b6e6ba1c2f4e9998db0ee90_NeikiAnalytics.exe
1936	c65fb8c84b6e6ba1c2f4e9998db0ee90_NeikiAnalytics.exe
2016	explorer.exe
2016	explorer.exe
2668	spoolsv.exe
2668	spoolsv.exe
2648	svchost.exe
2648	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	c65fb8c84b6e6ba1c2f4e9998db0ee90_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1936	c65fb8c84b6e6ba1c2f4e9998db0ee90_NeikiAnalytics.exe
2016	explorer.exe
2016	explorer.exe
2016	explorer.exe
2648	svchost.exe
2648	svchost.exe
2016	explorer.exe
2648	svchost.exe
2016	explorer.exe
2648	svchost.exe
2016	explorer.exe
2648	svchost.exe
2016	explorer.exe
2648	svchost.exe
2016	explorer.exe
2648	svchost.exe
2016	explorer.exe
2648	svchost.exe
2016	explorer.exe
2648	svchost.exe
2016	explorer.exe
2648	svchost.exe
2016	explorer.exe
2648	svchost.exe
2016	explorer.exe
2648	svchost.exe
2016	explorer.exe
2648	svchost.exe
2016	explorer.exe
2648	svchost.exe
2016	explorer.exe
2648	svchost.exe
2016	explorer.exe
2648	svchost.exe
2016	explorer.exe
2648	svchost.exe
2016	explorer.exe
2648	svchost.exe
2016	explorer.exe
2648	svchost.exe
2016	explorer.exe
2648	svchost.exe
2016	explorer.exe
2648	svchost.exe
2016	explorer.exe
2648	svchost.exe
2016	explorer.exe
2648	svchost.exe
2016	explorer.exe
2648	svchost.exe
2016	explorer.exe
2648	svchost.exe
2016	explorer.exe
2648	svchost.exe
2016	explorer.exe
2648	svchost.exe
2016	explorer.exe
2648	svchost.exe
2016	explorer.exe
2648	svchost.exe
2016	explorer.exe
2648	svchost.exe
2016	explorer.exe
2648	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2016	explorer.exe
2648	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1936	c65fb8c84b6e6ba1c2f4e9998db0ee90_NeikiAnalytics.exe
1936	c65fb8c84b6e6ba1c2f4e9998db0ee90_NeikiAnalytics.exe
2016	explorer.exe
2016	explorer.exe
2668	spoolsv.exe
2668	spoolsv.exe
2648	svchost.exe
2648	svchost.exe
2632	spoolsv.exe
2632	spoolsv.exe
2016	explorer.exe
2016	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 2016	1936	c65fb8c84b6e6ba1c2f4e9998db0ee90_NeikiAnalytics.exe	28
PID 1936 wrote to memory of 2016	1936	c65fb8c84b6e6ba1c2f4e9998db0ee90_NeikiAnalytics.exe	28
PID 1936 wrote to memory of 2016	1936	c65fb8c84b6e6ba1c2f4e9998db0ee90_NeikiAnalytics.exe	28
PID 1936 wrote to memory of 2016	1936	c65fb8c84b6e6ba1c2f4e9998db0ee90_NeikiAnalytics.exe	28
PID 2016 wrote to memory of 2668	2016	explorer.exe	29
PID 2016 wrote to memory of 2668	2016	explorer.exe	29
PID 2016 wrote to memory of 2668	2016	explorer.exe	29
PID 2016 wrote to memory of 2668	2016	explorer.exe	29
PID 2668 wrote to memory of 2648	2668	spoolsv.exe	30
PID 2668 wrote to memory of 2648	2668	spoolsv.exe	30
PID 2668 wrote to memory of 2648	2668	spoolsv.exe	30
PID 2668 wrote to memory of 2648	2668	spoolsv.exe	30
PID 2648 wrote to memory of 2632	2648	svchost.exe	31
PID 2648 wrote to memory of 2632	2648	svchost.exe	31
PID 2648 wrote to memory of 2632	2648	svchost.exe	31
PID 2648 wrote to memory of 2632	2648	svchost.exe	31
PID 2648 wrote to memory of 2484	2648	svchost.exe	32
PID 2648 wrote to memory of 2484	2648	svchost.exe	32
PID 2648 wrote to memory of 2484	2648	svchost.exe	32
PID 2648 wrote to memory of 2484	2648	svchost.exe	32
PID 2648 wrote to memory of 1968	2648	svchost.exe	36
PID 2648 wrote to memory of 1968	2648	svchost.exe	36
PID 2648 wrote to memory of 1968	2648	svchost.exe	36
PID 2648 wrote to memory of 1968	2648	svchost.exe	36
PID 2648 wrote to memory of 2396	2648	svchost.exe	38
PID 2648 wrote to memory of 2396	2648	svchost.exe	38
PID 2648 wrote to memory of 2396	2648	svchost.exe	38
PID 2648 wrote to memory of 2396	2648	svchost.exe	38

C:\Users\Admin\AppData\Local\Temp\c65fb8c84b6e6ba1c2f4e9998db0ee90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c65fb8c84b6e6ba1c2f4e9998db0ee90_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1936
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2016
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2648
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2632
    - - C:\Windows\SysWOW64\at.exe
        
        at 08:17 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2484
    - - C:\Windows\SysWOW64\at.exe
        
        at 08:18 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1968
    - - C:\Windows\SysWOW64\at.exe
        
        at 08:19 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
3cbf8aa296ef6c612aac83b5b82055fe

SHA1
5c13b3a5e9160454e30fdb36886ad8f1284a168b

SHA256
1760edb4e9281e7997567bb18fa46bfbf8143e731974c85ef4f290d9d30454e0

SHA512
491603ce03bdd84c900eab4d526b104a74fa179d3c346541b3756b3b9872498bff76e2367c5de34cf9237cae459d8ebd0eebd305a9a272a71f342e207844f83f

Download Submit
\Windows\system\explorer.exe

Filesize
206KB

MD5
144f6c4996df5f1b97cbe1ec7ca47d5c

SHA1
b80b69de138bf50473c7805b435b053df340a09b

SHA256
f6270b8e8d276fd7cf08cfaf3d16c6e5d4fd86304522ce1c12f22c168f6764ff

SHA512
6d97ea94ba5a5c2ade68e4426fe31cf84c0d965c1e3fa122d2f03102917629a1a6c7b2907bf522e444f0542613dd30d65e079b872a6870c909049e06f5e00b0b

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
462d53d7a9aac306d99590b31554f89b

SHA1
2e088ac65d8cb64daa9295865290edf9fdbaa99c

SHA256
23694d1fe14049715880606349eed82f6433748fd04edcd52712c4479dd829a5

SHA512
94a17e7f030b6cc407ecc8f04ea3663198ef7043ea69447404361eb702c843048c1e05b6561d519f978561b2d7ca7cd2fd3794cc020beca0e76941661b623189

Download Submit
\Windows\system\svchost.exe

Filesize
206KB

MD5
f336ef3fdf26b81f841fd2549ed01555

SHA1
0eeaec267fd2eed6c7c20979e73c28f9721d068d

SHA256
b9dbac77dfea119d37c6ddac7a65373d4d1b232d1d07ac0f633dbb0694bb8276

SHA512
03e49231c59238c688ff243522b012165c1ba15b72c7fce0170736f17bc5f3f438365a82de08ed4244ba7ee0ae3f7e63535656eb87b63bf8b132b563c08c2661

Download Submit