Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 23/05/2024, 20:49
Behavioral task behavioral1
- Sample: 85a2f3e1bbba2dee5f48b736b9c58110_NeikiAnalytics.exe
- Resource: win7-20231129-en
Behavioral task behavioral2
- Sample: 85a2f3e1bbba2dee5f48b736b9c58110_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 85a2f3e1bbba2dee5f48b736b9c58110_NeikiAnalytics.exe
- Size: 71KB
- MD5: 85a2f3e1bbba2dee5f48b736b9c58110
- SHA1: d3689b7dab0bf9973fa339308d8e17a3d9e15a42
- SHA256: dfb251be37c23f16b9a73eebc3eb338926993d0dcf70578fd31c79105836d377
- SHA512: 5c201d6800e5c816b54a9e614910c90290970ab962454fda5a36af5b6e0d582f48aaf346704270ba9e2d4c96b1e6cccec3bfb11a2ca683062486d20e4822e2b7
- SSDEEP: 768:EXKeT2Si83nLt8tkGX8uxOHgRrW5YLKG9Y/HrSNm0kmG7xMsVAnc3yy85SBiLFMR:EFrmh0HgB3LKrL9AcnQFMc9zwR6i+B+
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
- Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
- Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Executes dropped EXE (4 IoCs)
pid | Process
- 3000 | explorer.exe
- 2856 | spoolsv.exe
- 2740 | svchost.exe
- 2620 | spoolsv.exe
Loads dropped DLL (8 IoCs)
pid | Process
- 3044 | 85a2f3e1bbba2dee5f48b736b9c58110_NeikiAnalytics.exe (2 entries)
- 3000 | explorer.exe (2 entries)
- 2856 | spoolsv.exe (2 entries)
- 2740 | svchost.exe (2 entries)
resource | yara_rule
- behavioral1/memory/3044-0-0x0000000000400000-0x0000000000435000-memory.dmp | upx
- behavioral1/files/0x000b0000000143ec-6.dat | upx
- behavioral1/memory/3000-15-0x0000000000400000-0x0000000000435000-memory.dmp | upx
- behavioral1/files/0x000a0000000146b8-43.dat | upx
- behavioral1/files/0x0008000000014667-50.dat | upx
- behavioral1/files/0x000d0000000146a2-60.dat | upx
- behavioral1/memory/3044-59-0x0000000000400000-0x0000000000435000-memory.dmp | upx
- behavioral1/memory/2856-56-0x0000000000400000-0x0000000000435000-memory.dmp | upx
- behavioral1/memory/2620-54-0x0000000000400000-0x0000000000435000-memory.dmp | upx
- behavioral1/memory/2856-36-0x0000000000400000-0x0000000000435000-memory.dmp | upx
- behavioral1/memory/3000-24-0x0000000000560000-0x0000000000595000-memory.dmp | upx
- behavioral1/memory/3000-61-0x0000000000400000-0x0000000000435000-memory.dmp | upx
- behavioral1/memory/2740-63-0x0000000000400000-0x0000000000435000-memory.dmp | upx
- behavioral1/memory/3000-72-0x0000000000400000-0x0000000000435000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Drops file in Windows directory (6 IoCs)
description | ioc | Process
- File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
- File opened for modification | \??\c:\windows\system\explorer.exe | 85a2f3e1bbba2dee5f48b736b9c58110_NeikiAnalytics.exe
- File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
- File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
- File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
- File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process (64 entries in total; only the distinct pid/process pairs are listed, the remaining entries repeat 3000 explorer.exe and 2740 svchost.exe)
- 3044 | 85a2f3e1bbba2dee5f48b736b9c58110_NeikiAnalytics.exe
- 3000 | explorer.exe
- 2740 | svchost.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
- 3000 | explorer.exe
- 2740 | svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process
- 3044 | 85a2f3e1bbba2dee5f48b736b9c58110_NeikiAnalytics.exe (2 entries)
- 3000 | explorer.exe (2 entries)
- 2856 | spoolsv.exe (2 entries)
- 2740 | svchost.exe (2 entries)
- 2620 | spoolsv.exe (2 entries)
- 3000 | explorer.exe (2 entries)
Suspicious use of WriteProcessMemory (28 IoCs)
description | pid | Process | procid_target (each row is recorded 4 times in the report)
- PID 3044 wrote to memory of 3000 | 3044 | 85a2f3e1bbba2dee5f48b736b9c58110_NeikiAnalytics.exe | 28
- PID 3000 wrote to memory of 2856 | 3000 | explorer.exe | 29
- PID 2856 wrote to memory of 2740 | 2856 | spoolsv.exe | 30
- PID 2740 wrote to memory of 2620 | 2740 | svchost.exe | 31
- PID 2740 wrote to memory of 2508 | 2740 | svchost.exe | 32
- PID 2740 wrote to memory of 2972 | 2740 | svchost.exe | 36
- PID 2740 wrote to memory of 1652 | 2740 | svchost.exe | 38
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\85a2f3e1bbba2dee5f48b736b9c58110_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\85a2f3e1bbba2dee5f48b736b9c58110_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3044
  [depth 2] \??\c:\windows\system\explorer.exe
    Command line: c:\windows\system\explorer.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 3000
    [depth 3] \??\c:\windows\system\spoolsv.exe
      Command line: c:\windows\system\spoolsv.exe SE
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2856
      [depth 4] \??\c:\windows\system\svchost.exe
        Command line: c:\windows\system\svchost.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 2740
        [depth 5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
          PID: 2620
        [depth 5] C:\Windows\SysWOW64\at.exe
          Command line: at 20:51 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 2508
        [depth 5] C:\Windows\SysWOW64\at.exe
          Command line: at 20:52 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 2972
        [depth 5] C:\Windows\SysWOW64\at.exe
          Command line: at 20:53 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 1652
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Downloads