5e220a1aa1c5b178729c38ca9b705b3e81925fd194594b1d3282f3f59fbfb393

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 16:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7db8021ebcc4499fb05ba10a8cc1bdf0_NeikiAnalytics.exe
Size

2.6MB
MD5

7db8021ebcc4499fb05ba10a8cc1bdf0
SHA1

7b0f25dbd730e4c22b510e427871da99c208782d
SHA256

5e220a1aa1c5b178729c38ca9b705b3e81925fd194594b1d3282f3f59fbfb393
SHA512

4b564771442e6ac5bc449bdc7ed44a16f34a6a27f491282cd9dd71d53c1b96bb522b42c206f006c19db150aa712fe5f7df0adb2bd524a8925e86ae708cdf7338
SSDEEP

49152:TeS12nRc6C5CEAHD26ICQVt1ULUQRP6a6YPkCLJ37xbIjNyX5Hxzl/q:6S+c6ZEmqCMtmoQRP6aZtnsNq9l/q

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
1040	explorer.exe
4376	spoolsv.exe
688	svchost.exe
1300	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 33 IoCs

pid	Process
1296	7db8021ebcc4499fb05ba10a8cc1bdf0_NeikiAnalytics.exe
1040	explorer.exe
4376	spoolsv.exe
688	svchost.exe
1300	spoolsv.exe
1040	explorer.exe
688	svchost.exe
1040	explorer.exe
688	svchost.exe
1040	explorer.exe
688	svchost.exe
1040	explorer.exe
688	svchost.exe
1040	explorer.exe
688	svchost.exe
1040	explorer.exe
688	svchost.exe
1040	explorer.exe
688	svchost.exe
1040	explorer.exe
688	svchost.exe
1040	explorer.exe
688	svchost.exe
1040	explorer.exe
688	svchost.exe
1040	explorer.exe
688	svchost.exe
1040	explorer.exe
688	svchost.exe
1040	explorer.exe
688	svchost.exe
1040	explorer.exe
688	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	7db8021ebcc4499fb05ba10a8cc1bdf0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1296	7db8021ebcc4499fb05ba10a8cc1bdf0_NeikiAnalytics.exe
1296	7db8021ebcc4499fb05ba10a8cc1bdf0_NeikiAnalytics.exe
1296	7db8021ebcc4499fb05ba10a8cc1bdf0_NeikiAnalytics.exe
1296	7db8021ebcc4499fb05ba10a8cc1bdf0_NeikiAnalytics.exe
1296	7db8021ebcc4499fb05ba10a8cc1bdf0_NeikiAnalytics.exe
1296	7db8021ebcc4499fb05ba10a8cc1bdf0_NeikiAnalytics.exe
1296	7db8021ebcc4499fb05ba10a8cc1bdf0_NeikiAnalytics.exe
1296	7db8021ebcc4499fb05ba10a8cc1bdf0_NeikiAnalytics.exe
1296	7db8021ebcc4499fb05ba10a8cc1bdf0_NeikiAnalytics.exe
1296	7db8021ebcc4499fb05ba10a8cc1bdf0_NeikiAnalytics.exe
1296	7db8021ebcc4499fb05ba10a8cc1bdf0_NeikiAnalytics.exe
1296	7db8021ebcc4499fb05ba10a8cc1bdf0_NeikiAnalytics.exe
1296	7db8021ebcc4499fb05ba10a8cc1bdf0_NeikiAnalytics.exe
1296	7db8021ebcc4499fb05ba10a8cc1bdf0_NeikiAnalytics.exe
1296	7db8021ebcc4499fb05ba10a8cc1bdf0_NeikiAnalytics.exe
1296	7db8021ebcc4499fb05ba10a8cc1bdf0_NeikiAnalytics.exe
1296	7db8021ebcc4499fb05ba10a8cc1bdf0_NeikiAnalytics.exe
1296	7db8021ebcc4499fb05ba10a8cc1bdf0_NeikiAnalytics.exe
1296	7db8021ebcc4499fb05ba10a8cc1bdf0_NeikiAnalytics.exe
1296	7db8021ebcc4499fb05ba10a8cc1bdf0_NeikiAnalytics.exe
1296	7db8021ebcc4499fb05ba10a8cc1bdf0_NeikiAnalytics.exe
1296	7db8021ebcc4499fb05ba10a8cc1bdf0_NeikiAnalytics.exe
1296	7db8021ebcc4499fb05ba10a8cc1bdf0_NeikiAnalytics.exe
1296	7db8021ebcc4499fb05ba10a8cc1bdf0_NeikiAnalytics.exe
1296	7db8021ebcc4499fb05ba10a8cc1bdf0_NeikiAnalytics.exe
1296	7db8021ebcc4499fb05ba10a8cc1bdf0_NeikiAnalytics.exe
1296	7db8021ebcc4499fb05ba10a8cc1bdf0_NeikiAnalytics.exe
1296	7db8021ebcc4499fb05ba10a8cc1bdf0_NeikiAnalytics.exe
1296	7db8021ebcc4499fb05ba10a8cc1bdf0_NeikiAnalytics.exe
1296	7db8021ebcc4499fb05ba10a8cc1bdf0_NeikiAnalytics.exe
1296	7db8021ebcc4499fb05ba10a8cc1bdf0_NeikiAnalytics.exe
1296	7db8021ebcc4499fb05ba10a8cc1bdf0_NeikiAnalytics.exe
1296	7db8021ebcc4499fb05ba10a8cc1bdf0_NeikiAnalytics.exe
1296	7db8021ebcc4499fb05ba10a8cc1bdf0_NeikiAnalytics.exe
1040	explorer.exe
1040	explorer.exe
1040	explorer.exe
1040	explorer.exe
1040	explorer.exe
1040	explorer.exe
1040	explorer.exe
1040	explorer.exe
1040	explorer.exe
1040	explorer.exe
1040	explorer.exe
1040	explorer.exe
1040	explorer.exe
1040	explorer.exe
1040	explorer.exe
1040	explorer.exe
1040	explorer.exe
1040	explorer.exe
1040	explorer.exe
1040	explorer.exe
1040	explorer.exe
1040	explorer.exe
1040	explorer.exe
1040	explorer.exe
1040	explorer.exe
1040	explorer.exe
1040	explorer.exe
1040	explorer.exe
1040	explorer.exe
1040	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1040	explorer.exe
688	svchost.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
1296	7db8021ebcc4499fb05ba10a8cc1bdf0_NeikiAnalytics.exe
1296	7db8021ebcc4499fb05ba10a8cc1bdf0_NeikiAnalytics.exe
1296	7db8021ebcc4499fb05ba10a8cc1bdf0_NeikiAnalytics.exe
1040	explorer.exe
1040	explorer.exe
1040	explorer.exe
4376	spoolsv.exe
4376	spoolsv.exe
4376	spoolsv.exe
688	svchost.exe
688	svchost.exe
688	svchost.exe
1300	spoolsv.exe
1300	spoolsv.exe
1300	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1296 wrote to memory of 1040	1296	7db8021ebcc4499fb05ba10a8cc1bdf0_NeikiAnalytics.exe	83
PID 1296 wrote to memory of 1040	1296	7db8021ebcc4499fb05ba10a8cc1bdf0_NeikiAnalytics.exe	83
PID 1296 wrote to memory of 1040	1296	7db8021ebcc4499fb05ba10a8cc1bdf0_NeikiAnalytics.exe	83
PID 1040 wrote to memory of 4376	1040	explorer.exe	85
PID 1040 wrote to memory of 4376	1040	explorer.exe	85
PID 1040 wrote to memory of 4376	1040	explorer.exe	85
PID 4376 wrote to memory of 688	4376	spoolsv.exe	87
PID 4376 wrote to memory of 688	4376	spoolsv.exe	87
PID 4376 wrote to memory of 688	4376	spoolsv.exe	87
PID 688 wrote to memory of 1300	688	svchost.exe	89
PID 688 wrote to memory of 1300	688	svchost.exe	89
PID 688 wrote to memory of 1300	688	svchost.exe	89

C:\Users\Admin\AppData\Local\Temp\7db8021ebcc4499fb05ba10a8cc1bdf0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7db8021ebcc4499fb05ba10a8cc1bdf0_NeikiAnalytics.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1296
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1040
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4376
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:688
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:1300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
2.6MB

MD5
c177915065f539deb27ca301f748c1f3

SHA1
f4afd5efb9efadef6ffa119383b103e4561aa83d

SHA256
7d92fbdb296bb9da95891aa7a240ed8117b4a1ae473a9eab710b1531e4bec30f

SHA512
ee6ce8360596efe0bf481866400f0fc8f2e73da48f9a3dee741489df226eac13d41bbfd7e7e5889aaab5144196b2a4b44d4cb7467f8c82457728f32c3de5387d

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
2.6MB

MD5
ac2c640ae9d4c52266d9d350264175f8

SHA1
9844d9c5f2d975606c4c3449f0c912b7d2ce328c

SHA256
db5b11edb1becf9b1613ce2c0e5c13ba93f486cc79408bb8720f8d6d01525efd

SHA512
ebc76f97e6dd5728485597ef57998617e7b60e74f6c934e250268bd163f764679851127572913617a7ed3d699117733044b89d11a316d26495487979b758f075

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
2.6MB

MD5
a97298c5304c6d8e84734697617b3fec

SHA1
c16b705799413e2b5745f744a2d3cbc3cd901415

SHA256
516c96e86f71b805873713091a7ef0e820b42de81490eb3409c4514ed60018d9

SHA512
4f068e2116b2916486ff1478f6229ef63efc29471b622d593d32adc3e9a175909354428f47a0301c281e5624a2cb96d858335d829c29d9d6b63a53cab010c27b

Download Submit
memory/688-67-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/688-61-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/688-69-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/688-65-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/688-63-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/688-71-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/688-30-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/688-47-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/688-59-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/688-57-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/688-55-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/688-51-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/688-49-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/688-44-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1040-48-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1040-66-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1040-45-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/1040-70-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1040-43-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1040-50-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1040-10-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1040-52-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1040-68-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1040-56-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1040-11-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/1040-58-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1040-46-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1040-64-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1040-60-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1040-62-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1296-41-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1296-42-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/1296-0-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/1296-1-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/1300-38-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/4376-21-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/4376-20-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/4376-40-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/4376-39-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download