766f32e90c48d8508f021a0be6a037f620f88cf0464eb6220bb110a22e14ca51

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/05/2024, 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a79ed53f978040b7a2122648c6a5180_NeikiAnalytics.exe
Size

206KB
MD5

2a79ed53f978040b7a2122648c6a5180
SHA1

10afe47239a95cad433e86c26ca485070ecfefb8
SHA256

766f32e90c48d8508f021a0be6a037f620f88cf0464eb6220bb110a22e14ca51
SHA512

3ca73f5b189b98971c2668ecc8568adf632174bc450098b9d91ab47f85727ab350b21935da9d2ca487b1c81af5ba5543a93b27384c07c8a3ec080fd775d6946e
SSDEEP

3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unF:5vEN2U+T6i5LirrllHy4HUcMQY6S

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2996	explorer.exe
2556	spoolsv.exe
2104	svchost.exe
2676	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
2648	2a79ed53f978040b7a2122648c6a5180_NeikiAnalytics.exe
2648	2a79ed53f978040b7a2122648c6a5180_NeikiAnalytics.exe
2996	explorer.exe
2996	explorer.exe
2556	spoolsv.exe
2556	spoolsv.exe
2104	svchost.exe
2104	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	2a79ed53f978040b7a2122648c6a5180_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2648	2a79ed53f978040b7a2122648c6a5180_NeikiAnalytics.exe
2996	explorer.exe
2996	explorer.exe
2996	explorer.exe
2996	explorer.exe
2996	explorer.exe
2104	svchost.exe
2104	svchost.exe
2996	explorer.exe
2104	svchost.exe
2996	explorer.exe
2104	svchost.exe
2996	explorer.exe
2104	svchost.exe
2996	explorer.exe
2104	svchost.exe
2996	explorer.exe
2104	svchost.exe
2996	explorer.exe
2104	svchost.exe
2996	explorer.exe
2104	svchost.exe
2996	explorer.exe
2104	svchost.exe
2996	explorer.exe
2104	svchost.exe
2996	explorer.exe
2104	svchost.exe
2996	explorer.exe
2104	svchost.exe
2996	explorer.exe
2996	explorer.exe
2104	svchost.exe
2104	svchost.exe
2996	explorer.exe
2104	svchost.exe
2996	explorer.exe
2104	svchost.exe
2996	explorer.exe
2996	explorer.exe
2104	svchost.exe
2996	explorer.exe
2104	svchost.exe
2996	explorer.exe
2104	svchost.exe
2996	explorer.exe
2104	svchost.exe
2104	svchost.exe
2996	explorer.exe
2996	explorer.exe
2104	svchost.exe
2104	svchost.exe
2996	explorer.exe
2996	explorer.exe
2104	svchost.exe
2996	explorer.exe
2104	svchost.exe
2104	svchost.exe
2996	explorer.exe
2996	explorer.exe
2104	svchost.exe
2104	svchost.exe
2996	explorer.exe
2996	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2996	explorer.exe
2104	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2648	2a79ed53f978040b7a2122648c6a5180_NeikiAnalytics.exe
2648	2a79ed53f978040b7a2122648c6a5180_NeikiAnalytics.exe
2996	explorer.exe
2996	explorer.exe
2556	spoolsv.exe
2556	spoolsv.exe
2104	svchost.exe
2104	svchost.exe
2676	spoolsv.exe
2676	spoolsv.exe
2996	explorer.exe
2996	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2996	2648	2a79ed53f978040b7a2122648c6a5180_NeikiAnalytics.exe	28
PID 2648 wrote to memory of 2996	2648	2a79ed53f978040b7a2122648c6a5180_NeikiAnalytics.exe	28
PID 2648 wrote to memory of 2996	2648	2a79ed53f978040b7a2122648c6a5180_NeikiAnalytics.exe	28
PID 2648 wrote to memory of 2996	2648	2a79ed53f978040b7a2122648c6a5180_NeikiAnalytics.exe	28
PID 2996 wrote to memory of 2556	2996	explorer.exe	29
PID 2996 wrote to memory of 2556	2996	explorer.exe	29
PID 2996 wrote to memory of 2556	2996	explorer.exe	29
PID 2996 wrote to memory of 2556	2996	explorer.exe	29
PID 2556 wrote to memory of 2104	2556	spoolsv.exe	30
PID 2556 wrote to memory of 2104	2556	spoolsv.exe	30
PID 2556 wrote to memory of 2104	2556	spoolsv.exe	30
PID 2556 wrote to memory of 2104	2556	spoolsv.exe	30
PID 2104 wrote to memory of 2676	2104	svchost.exe	31
PID 2104 wrote to memory of 2676	2104	svchost.exe	31
PID 2104 wrote to memory of 2676	2104	svchost.exe	31
PID 2104 wrote to memory of 2676	2104	svchost.exe	31
PID 2104 wrote to memory of 2356	2104	svchost.exe	32
PID 2104 wrote to memory of 2356	2104	svchost.exe	32
PID 2104 wrote to memory of 2356	2104	svchost.exe	32
PID 2104 wrote to memory of 2356	2104	svchost.exe	32
PID 2104 wrote to memory of 2116	2104	svchost.exe	36
PID 2104 wrote to memory of 2116	2104	svchost.exe	36
PID 2104 wrote to memory of 2116	2104	svchost.exe	36
PID 2104 wrote to memory of 2116	2104	svchost.exe	36
PID 2104 wrote to memory of 1332	2104	svchost.exe	38
PID 2104 wrote to memory of 1332	2104	svchost.exe	38
PID 2104 wrote to memory of 1332	2104	svchost.exe	38
PID 2104 wrote to memory of 1332	2104	svchost.exe	38

C:\Users\Admin\AppData\Local\Temp\2a79ed53f978040b7a2122648c6a5180_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2a79ed53f978040b7a2122648c6a5180_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2648
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2996
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2104
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2676
    - - C:\Windows\SysWOW64\at.exe
        
        at 22:29 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2356
    - - C:\Windows\SysWOW64\at.exe
        
        at 22:30 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2116
    - - C:\Windows\SysWOW64\at.exe
        
        at 22:31 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
bf89c773d63d09595e88870340ae94d8

SHA1
70b5c1a0a3cd3ddf014bfabfb88096de5c8ab79c

SHA256
52330cc725a457e53fa0c09f436cde2df867c008c4dd5be27180c2dfdfa0a51b

SHA512
84994714abc09614ebc9528d47be22896ba45882d359a9186593f6a599ae5edceab968ae639c74262dc7b8785a16e9b9c20995e7512558928491359677914296

Download Submit
\Windows\system\explorer.exe

Filesize
206KB

MD5
d2ccd9ce255b363358284377c32b0ee5

SHA1
474ac15f80aeb41162799ed6dc102d61af9c08db

SHA256
b2d0641dab3f7cc2872c53a038a03e6b0e4abddc825b043754a60551f093fe80

SHA512
9bfbd6c86d20d69ee9bcce776d459b195a1b5c08851627c215d516e668e23fb09c0a54cd549cead99b942bf9de342bc367363098506d5e6aad47f290f4ab5970

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
c0c081d4efbd385c9fa8b1b7b9e7e8a5

SHA1
cd34465e39d7c3877eee8a5d48af0ecc0176b4d6

SHA256
c62f7fbc5b0f8110fd2c2128d323e18125af0fbda640c4a59d96f3aca7433e46

SHA512
a649cd95e4a2704fc7a9435023eb57b155ec87abea6d1a78a7473d92ef2543021f6ac745b3fa1cd240260071382a5c62fc552eb9c2d07d0987eca216684c5a9f

Download Submit
\Windows\system\svchost.exe

Filesize
207KB

MD5
54bd720d460d784ace4bde43f7519bdc

SHA1
2771460d71c6b6aa29c8284ef7817f7bac521ccc

SHA256
333f07ac2424dc6666114fcb1786886b90afae6153b794c33b46df1a5492a6cf

SHA512
3e53e8d1bd6debe66c2f72a429084963bc1e3b19d5c8477fcc06c7eedd2738c01a84515cd9fb1619912518f6eee2a9a517d52abec1347c6a28efc62060085b03

Download Submit
memory/2556-54-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2648-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2648-12-0x00000000025F0000-0x0000000002630000-memory.dmp

Filesize
256KB

Download
memory/2648-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2676-51-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2996-14-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download