Analysis

- max time kernel: 150s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 25/05/2024, 22:25
Static task: static1

Behavioral task: behavioral1
- Sample: 2a475f8958f2f7239411bfa116c2ab30_NeikiAnalytics.exe
- Resource: win7-20240419-en

Behavioral task: behavioral2
- Sample: 2a475f8958f2f7239411bfa116c2ab30_NeikiAnalytics.exe
- Resource: win10v2004-20240426-en

The signatures, process tree and dropped files below are from behavioral1, the Windows 7 x64 run (platform windows7_x64, resource win7-20240419-en in the Analysis header).
General

- Target: 2a475f8958f2f7239411bfa116c2ab30_NeikiAnalytics.exe
- Size: 135KB
- MD5: 2a475f8958f2f7239411bfa116c2ab30
- SHA1: 5b8630d34cbd02e4c0a087582884bbbe53e54f75
- SHA256: 58c93c5f18b71c84c4de32d19c42a40490183ae9447764894fb5597487795d44
- SHA512: 3b4b2fa34c0d8ef473dea49a6042fa42c97d4fbaa0e15f405014babc46ccc13c22940ffff2e713293640c694dff8b56be087779ceacd5e7f4a684dc031ef56a7
- SSDEEP: 1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVXW8O8O8O8O8O8O3:UVqoCl/YgjxEufVU0TbTyDDalRW
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  Both dropped copies set ShowSuperHidden to 0 in the sandbox user's hive, which tells Explorer to hide files carrying the hidden+system attributes; a user browsing C:\Windows\Resources would not see protected files planted there.
  Set value (int)  \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  (explorer.exe)
  Set value (int)  \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  (svchost.exe)

- Executes dropped EXE (4 IoCs)
  PID 2448  explorer.exe
  PID 2104  spoolsv.exe
  PID 2744  svchost.exe
  PID 2684  spoolsv.exe

- Loads dropped DLL (4 IoCs)
  PID 1752  2a475f8958f2f7239411bfa116c2ab30_NeikiAnalytics.exe
  PID 2448  explorer.exe
  PID 2104  spoolsv.exe
  PID 2744  svchost.exe

- Adds Run key to start application (2 TTPs, 4 IoCs)
  The values sit under Wow6432Node, so the writer is a 32-bit process whose HKLM\SOFTWARE writes are redirected by WOW64 on this x64 image. Both dropped copies write the same two RunOnce values. Windows removes a RunOnce value when it processes it at the next logon, so the scheduled tasks below are what gives the implant a recurring trigger; the "RO" argument is passed to both dropped binaries and is not explained by the report.
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"  (explorer.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"  (explorer.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"  (svchost.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"  (svchost.exe)

- Drops file in System32 directory (2 IoCs)
  Both dropped copies open the 32-bit Explorer binary for writing. The signature records the open-for-modification, not what (if anything) was written, so the integrity of C:\Windows\SysWOW64\explorer.exe on an infected host should be treated as unknown until the file is hashed against a clean copy.
  File opened for modification  C:\Windows\SysWOW64\explorer.exe  (svchost.exe)
  File opened for modification  C:\Windows\SysWOW64\explorer.exe  (explorer.exe)

- Drops file in Windows directory (4 IoCs)
  Each stage writes the next stage's binary. The names mimic Windows executables, but c:\windows\resources and c:\windows\resources\themes are not locations where Windows keeps any of them. tjud.exe is written by the dropped explorer.exe but does not appear in the process tree.
  File opened for modification  \??\c:\windows\resources\themes\explorer.exe  (2a475f8958f2f7239411bfa116c2ab30_NeikiAnalytics.exe)
  File opened for modification  \??\c:\windows\resources\spoolsv.exe  (explorer.exe)
  File opened for modification  \??\c:\windows\resources\svchost.exe  (spoolsv.exe)
  File opened for modification  C:\Windows\Resources\tjud.exe  (explorer.exe)

- Creates scheduled task(s) (1 TTP, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 2908  schtasks.exe
  PID 1516  schtasks.exe
  PID 2260  schtasks.exe
  All three are launched by the dropped svchost.exe (PID 2744) with the same task name "svchost" and the same action, c:\windows\resources\svchost.exe, differing only in the daily start time (22:27, 22:28, 22:29). Each call uses /f, which overwrites an existing task of that name, so the last call to run determines the single daily task that survives. The start times fall a few minutes after submission (22:25), so the task also fires on the day of infection. The full command lines are in the process tree.

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  64 process-enumeration events, all from the sample (PID 1752 2a475f8958f2f7239411bfa116c2ab30_NeikiAnalytics.exe), the dropped explorer.exe (PID 2448) and the dropped svchost.exe (PID 2744).

- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  PID 2448  explorer.exe
  PID 2744  svchost.exe

- Suspicious use of SetWindowsHookEx (10 IoCs)
  Two events each from PID 1752 (2a475f8958f2f7239411bfa116c2ab30_NeikiAnalytics.exe), PID 2448 (explorer.exe), PID 2104 (spoolsv.exe), PID 2744 (svchost.exe) and PID 2684 (spoolsv.exe).

- Suspicious use of WriteProcessMemory (32 IoCs)
  Each parent-to-child write is recorded four times; the distinct pairs (with the report's procid_target) are:
  PID 1752 (2a475f8958f2f7239411bfa116c2ab30_NeikiAnalytics.exe) wrote to 2448 (explorer.exe)  procid_target 28
  PID 2448 (explorer.exe) wrote to 2104 (spoolsv.exe)  procid_target 29
  PID 2104 (spoolsv.exe) wrote to 2744 (svchost.exe)  procid_target 30
  PID 2744 (svchost.exe) wrote to 2684 (spoolsv.exe)  procid_target 31
  PID 2448 (explorer.exe) wrote to 2568 (C:\Windows\Explorer.exe)  procid_target 32
  PID 2744 (svchost.exe) wrote to 2908 (schtasks.exe)  procid_target 33
  PID 2744 (svchost.exe) wrote to 1516 (schtasks.exe)  procid_target 38
  PID 2744 (svchost.exe) wrote to 2260 (schtasks.exe)  procid_target 40
  Every target is the writer's own newly created child, matching the launch chain in the process tree rather than injection into an unrelated process.
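The indicators in this section reduce to a handful of host-telemetry rules: a system-binary name executing from a directory Windows never uses for it, a scheduled task whose action is such a path, a Run/RunOnce value pointing at one, ShowSuperHidden being cleared, and a masquerading process writing a real system binary. The script below is an added example, not part of the sandbox report or the sample, that applies those rules to Sysmon-style event records. The records are constructed from the IoCs on this page (they are not real telemetry), the field names Image, CommandLine, TargetObject, Details and TargetFilename follow Sysmon conventions, and the trusted-directory list is an assumption to tune per image.

```python
"""Detection rules for the persistence and masquerading behaviour in this report,
run over constructed Sysmon-style events (field names follow Sysmon; the records
are made up from the IoCs on the page, not real telemetry)."""
import re
import shlex

# Names the sample borrows from Windows, and the only directories Windows keeps
# those binaries in (explorer.exe in C:\Windows, the others in System32/SysWOW64).
# Assumption for the example: tune per image.
SYSTEM_NAMES = {"explorer.exe", "svchost.exe", "spoolsv.exe"}
TRUSTED_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
RUNKEY_RE = re.compile(r"\\microsoft\\windows\\currentversion\\run(once)?\\[^\\]+$")


def norm_path(p: str) -> str:
    """Lower-case, unquote and strip the \\??\\ NT prefix that the report shows."""
    p = p.strip().strip('"').lower()
    return p[4:] if p.startswith("\\??\\") else p


def split_path(p: str):
    """(directory, basename) of a normalised Windows path."""
    d, _, b = norm_path(p).rpartition("\\")
    return d, b


def first_token(cmdline: str) -> str:
    """Executable part of a command line such as 'c:\\x\\svchost.exe RO'."""
    toks = shlex.split(cmdline, posix=False)  # non-POSIX mode: backslashes stay literal
    return toks[0].strip('"') if toks else ""


def masquerading(path: str) -> bool:
    """A system-binary name located in a directory Windows never uses for it."""
    d, b = split_path(path)
    return b in SYSTEM_NAMES and d not in TRUSTED_DIRS


def parse_schtasks(cmdline: str):
    """{'/tn': .., '/tr': .., '/sc': .., '/st': ..} for a 'schtasks /create' line, else None."""
    toks = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    low = [t.lower() for t in toks]
    if "/create" not in low:
        return None
    return {low[i]: toks[i + 1] for i in range(len(toks) - 1) if low[i] in ("/tn", "/tr", "/sc", "/st")}


def analyze(events):
    """Apply the rules to a list of event dicts; return (rule, detail) findings."""
    findings = []
    for ev in events:
        kind, image = ev["type"], ev.get("Image", "")
        if kind == "ProcessCreate":
            if masquerading(image):
                findings.append(("masquerading_system_binary", norm_path(image)))
            task = parse_schtasks(ev.get("CommandLine", ""))
            if task and "/tr" in task:
                name = task.get("/tn", "").lower()
                if masquerading(task["/tr"]) or name + ".exe" in SYSTEM_NAMES:
                    findings.append(("scheduled_task_to_masquerading_path",
                                     f"/tn {name} -> {norm_path(task['/tr'])}"))
        elif kind == "RegistryValueSet":
            key, data = ev["TargetObject"].lower(), ev.get("Details", "")
            if RUNKEY_RE.search(key) and masquerading(first_token(data)):
                findings.append(("run_key_to_masquerading_path", norm_path(first_token(data))))
            if key.endswith(r"\explorer\advanced\showsuperhidden") and \
                    data.strip().lower() in ("0", "dword (0x00000000)"):
                findings.append(("hides_hidden_and_system_files", ev["TargetObject"]))
        elif kind == "FileCreate":
            d, b = split_path(ev["TargetFilename"])
            if d in TRUSTED_DIRS and b in SYSTEM_NAMES and masquerading(image):
                findings.append(("system_binary_written_by_masquerader", norm_path(ev["TargetFilename"])))
    return findings


# Constructed from the IoCs in this report; the real C:\Windows\Explorer.exe launch
# and a user-profile file write are included as records that must not fire.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "Image": r"\??\c:\windows\resources\themes\explorer.exe",
     "CommandLine": r"c:\windows\resources\themes\explorer.exe"},
    {"type": "ProcessCreate", "Image": r"\??\c:\windows\resources\spoolsv.exe",
     "CommandLine": r"c:\windows\resources\spoolsv.exe SE"},
    {"type": "ProcessCreate", "Image": r"\??\c:\windows\resources\svchost.exe",
     "CommandLine": r"c:\windows\resources\svchost.exe"},
    {"type": "ProcessCreate", "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:27 /f'},
    {"type": "ProcessCreate", "Image": r"C:\Windows\Explorer.exe", "CommandLine": r"C:\Windows\Explorer.exe"},
    {"type": "RegistryValueSet", "Image": r"\??\c:\windows\resources\svchost.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost",
     "Details": r"c:\windows\resources\svchost.exe RO"},
    {"type": "RegistryValueSet", "Image": r"\??\c:\windows\resources\svchost.exe",
     "TargetObject": r"\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
     "Details": "0"},
    {"type": "FileCreate", "Image": r"\??\c:\windows\resources\svchost.exe",
     "TargetFilename": r"C:\Windows\SysWOW64\explorer.exe"},
    {"type": "FileCreate", "Image": r"C:\Windows\Explorer.exe", "TargetFilename": r"C:\Users\Admin\notes.txt"},
]


def run_sample():
    """Findings for the constructed events: seven hits, none from the two benign records."""
    return analyze(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, detail in run_sample():
        print(f"{rule:40} {detail}")
```

The directory check is exact rather than prefix-based on purpose: c:\windows\resources\themes is underneath C:\Windows, so a rule that trusts everything below the Windows directory would pass the dropped explorer.exe. The schtasks rule fires on either a masquerading action path or a task name that collides with a system binary, so it also catches a task pointing at, say, a copy in the user profile as long as the name matches.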
Processes

C:\Users\Admin\AppData\Local\Temp\2a475f8958f2f7239411bfa116c2ab30_NeikiAnalytics.exe  (PID 1752, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\2a475f8958f2f7239411bfa116c2ab30_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  \??\c:\windows\resources\themes\explorer.exe  (PID 2448, depth 2, child of 1752)
    command line: c:\windows\resources\themes\explorer.exe
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    \??\c:\windows\resources\spoolsv.exe  (PID 2104, depth 3, child of 2448)
      command line: c:\windows\resources\spoolsv.exe SE
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      \??\c:\windows\resources\svchost.exe  (PID 2744, depth 4, child of 2104)
        command line: c:\windows\resources\svchost.exe
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\resources\spoolsv.exe  (PID 2684, depth 5, child of 2744)
          command line: c:\windows\resources\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\schtasks.exe  (PID 2908, depth 5, child of 2744)
          command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:27 /f
          - Creates scheduled task(s)

        C:\Windows\SysWOW64\schtasks.exe  (PID 1516, depth 5, child of 2744)
          command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:28 /f
          - Creates scheduled task(s)

        C:\Windows\SysWOW64\schtasks.exe  (PID 2260, depth 5, child of 2744)
          command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:29 /f
          - Creates scheduled task(s)

    C:\Windows\Explorer.exe  (PID 2568, depth 3, child of 2448)
      command line: C:\Windows\Explorer.exe
      (no signatures recorded)

The chain is sample -> explorer.exe copy -> spoolsv.exe copy ("SE") -> svchost.exe copy -> spoolsv.exe copy ("PR"), with the svchost.exe copy also spawning the three schtasks.exe instances. Every stage except the final C:\Windows\Explorer.exe (PID 2568) runs from c:\windows\resources or c:\windows\resources\themes, not from the directories Windows uses for these names; that genuine Explorer is the only legitimately located binary in the tree and is launched by the dropped explorer.exe. The meaning of the single-token arguments SE, PR and RO is not established by the report.
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)

Privilege Escalation
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Downloads

Three dropped files are available. All three are 135KB, the same size as the submitted sample, but each carries a different hash from the sample and from the others.

- Filesize: 135KB
  MD5: 8c9238ae39a94ddadf71b00d26c663d0
  SHA1: 355ea612afdbdb2dad44c5280e2080f92b8c0ec3
  SHA256: 9aebf52e260fa5331757661729dba00e38c675b2beae0f8dfeccf81e992b9aa8
  SHA512: a3b183ab0ebe8f4734c9c60c0b62843ae5445c31e01b3967f70e0fac360aa4c0f5b3b2b859fea465b9094bbc6cb97332b4cfb44859c3925f4d33a70ace4c25a8

- Filesize: 135KB
  MD5: e77bf0d20839dbe55bd62c97085b9a38
  SHA1: 47ab95025e6f9e1121c503218c8c92e751b7028d
  SHA256: 0460feaf0485972e0304790fd585138c72cba61f1cd040873d3a5c7806dc761a
  SHA512: 1c0f4be9e60f64d94272ec1b8bfae342914253f502019a5a3cb02bed7e7e30929771c4ef9a471c2f70b92473b3e785b84a34d45b10f58e7a361ee124f27d198a

- Filesize: 135KB
  MD5: bf8a9547ff8f5173ff9bd965bace2c9f
  SHA1: 9bb2a0bf09346ebbf7b755673bb23128be2d0523
  SHA256: 66fb1c5b5c343093ed796fef59094833f1bdd682a994d05eda01a9621249f348
  SHA512: 9c6d601b07a92f062ac8467b494c63190178573a34345051b73c1c9850942ac5cb9c40688a5cd3531f64ec93f4e86e9b8fc83207754f92a996de904c64f68828