766f32e90c48d8508f021a0be6a037f620f88cf0464eb6220bb110a22e14ca51

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a79ed53f978040b7a2122648c6a5180_NeikiAnalytics.exe
Size

206KB
MD5

2a79ed53f978040b7a2122648c6a5180
SHA1

10afe47239a95cad433e86c26ca485070ecfefb8
SHA256

766f32e90c48d8508f021a0be6a037f620f88cf0464eb6220bb110a22e14ca51
SHA512

3ca73f5b189b98971c2668ecc8568adf632174bc450098b9d91ab47f85727ab350b21935da9d2ca487b1c81af5ba5543a93b27384c07c8a3ec080fd775d6946e
SSDEEP

3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unF:5vEN2U+T6i5LirrllHy4HUcMQY6S

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
1632	explorer.exe
3620	spoolsv.exe
3356	svchost.exe
2684	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	2a79ed53f978040b7a2122648c6a5180_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4460	2a79ed53f978040b7a2122648c6a5180_NeikiAnalytics.exe
4460	2a79ed53f978040b7a2122648c6a5180_NeikiAnalytics.exe
1632	explorer.exe
1632	explorer.exe
1632	explorer.exe
1632	explorer.exe
1632	explorer.exe
1632	explorer.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
1632	explorer.exe
1632	explorer.exe
3356	svchost.exe
3356	svchost.exe
1632	explorer.exe
1632	explorer.exe
3356	svchost.exe
3356	svchost.exe
1632	explorer.exe
1632	explorer.exe
3356	svchost.exe
3356	svchost.exe
1632	explorer.exe
1632	explorer.exe
3356	svchost.exe
3356	svchost.exe
1632	explorer.exe
1632	explorer.exe
3356	svchost.exe
3356	svchost.exe
1632	explorer.exe
1632	explorer.exe
3356	svchost.exe
3356	svchost.exe
1632	explorer.exe
1632	explorer.exe
3356	svchost.exe
3356	svchost.exe
1632	explorer.exe
1632	explorer.exe
3356	svchost.exe
3356	svchost.exe
1632	explorer.exe
1632	explorer.exe
3356	svchost.exe
3356	svchost.exe
1632	explorer.exe
1632	explorer.exe
3356	svchost.exe
3356	svchost.exe
1632	explorer.exe
1632	explorer.exe
3356	svchost.exe
3356	svchost.exe
1632	explorer.exe
1632	explorer.exe
3356	svchost.exe
3356	svchost.exe
1632	explorer.exe
1632	explorer.exe
3356	svchost.exe
3356	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1632	explorer.exe
3356	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4460	2a79ed53f978040b7a2122648c6a5180_NeikiAnalytics.exe
4460	2a79ed53f978040b7a2122648c6a5180_NeikiAnalytics.exe
1632	explorer.exe
1632	explorer.exe
3620	spoolsv.exe
3620	spoolsv.exe
3356	svchost.exe
3356	svchost.exe
2684	spoolsv.exe
2684	spoolsv.exe
1632	explorer.exe
1632	explorer.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4460 wrote to memory of 1632	4460	2a79ed53f978040b7a2122648c6a5180_NeikiAnalytics.exe	82
PID 4460 wrote to memory of 1632	4460	2a79ed53f978040b7a2122648c6a5180_NeikiAnalytics.exe	82
PID 4460 wrote to memory of 1632	4460	2a79ed53f978040b7a2122648c6a5180_NeikiAnalytics.exe	82
PID 1632 wrote to memory of 3620	1632	explorer.exe	83
PID 1632 wrote to memory of 3620	1632	explorer.exe	83
PID 1632 wrote to memory of 3620	1632	explorer.exe	83
PID 3620 wrote to memory of 3356	3620	spoolsv.exe	84
PID 3620 wrote to memory of 3356	3620	spoolsv.exe	84
PID 3620 wrote to memory of 3356	3620	spoolsv.exe	84
PID 3356 wrote to memory of 2684	3356	svchost.exe	85
PID 3356 wrote to memory of 2684	3356	svchost.exe	85
PID 3356 wrote to memory of 2684	3356	svchost.exe	85
PID 3356 wrote to memory of 2864	3356	svchost.exe	86
PID 3356 wrote to memory of 2864	3356	svchost.exe	86
PID 3356 wrote to memory of 2864	3356	svchost.exe	86
PID 3356 wrote to memory of 4904	3356	svchost.exe	102
PID 3356 wrote to memory of 4904	3356	svchost.exe	102
PID 3356 wrote to memory of 4904	3356	svchost.exe	102
PID 3356 wrote to memory of 212	3356	svchost.exe	110
PID 3356 wrote to memory of 212	3356	svchost.exe	110
PID 3356 wrote to memory of 212	3356	svchost.exe	110

C:\Users\Admin\AppData\Local\Temp\2a79ed53f978040b7a2122648c6a5180_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2a79ed53f978040b7a2122648c6a5180_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4460
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1632
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3620
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3356
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2684
    - - C:\Windows\SysWOW64\at.exe
        
        at 22:28 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2864
    - - C:\Windows\SysWOW64\at.exe
        
        at 22:29 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:4904
    - - C:\Windows\SysWOW64\at.exe
        
        at 22:30 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
cb9f7c9ae2cf04352437dd3f596fce33

SHA1
c4fb84c8afa6fe3898d21047eb63bd79aee1a98e

SHA256
202a682efebb134be855b16fee56765e1c6c005d87d60a646a92b383b728e979

SHA512
644b3cf1ec2e58e88d396b7157acbb25dbd0305d23cb4d8cbe8de9ab1b00ec0bc7d2e8e9b06e57481e05caa0ff9b9f8ccbac74c3914170674476be03eed3a1c3

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
206KB

MD5
4313ca2ee8ae9661749a862cc44a09d1

SHA1
11f4dbf4303d4439e738ff15fe220aeb48ed66d3

SHA256
0ab5c8a761765403e2641379ec094a8bc5dd1fcbc497947a14666e868776be47

SHA512
1ce5a35b23471df67e03dbadd66a2b2c8fc6d9fea8ea10090b189c14973eef3244e996d0deafb67ef3c24541a3b57dc21a0ab42e352f23eeac3d2b716028cf2e

Download Submit
C:\Windows\System\svchost.exe

Filesize
206KB

MD5
51d6bd8311d8e0f645b26649be7df7f0

SHA1
fbf7ac84c4ecfff95183c5b00d1a49301aafb86b

SHA256
dbc3f2eeb7a8be212a9bbf2a04b441b6c91c0dab7bd481330ab662651febf171

SHA512
746c281d018a91a5f037257e848dcd3587aae213fe53db452a2d9ef2c10fc10f317df3c67e75452c3a2dd59a2927ce683a6aca1e4dbb8138030b8808f166d3dd

Download Submit
\??\c:\windows\system\explorer.exe

Filesize
206KB

MD5
c2dbbb895c303c0a7ce1176570fbcc62

SHA1
3ce539120be963afce2e397937833b180f196262

SHA256
391d5cc4ec381be6bdafd6d817a5673a3f48b8cedb12f5ce81214515f385917d

SHA512
9b10fb28b687f1f3d659c5fb6407f1ceea22eeccc0c470f19bf2b214817d76aa04449f48037d2fa6b0a38a149d74a22d6e59bbdc1ea4c54fe4c9bb5caa30d7b9

Download Submit
memory/2684-29-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2684-33-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3620-36-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4460-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4460-37-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download