Malware Analysis Report

2025-08-05 19:16

Sample ID 240526-dx7e3sdg97
Target 5af5800767fdad8ab5a0828193493180_NeikiAnalytics.exe
SHA256 758bbc9096cb3457ef3d5b5edf66e1644875abb9dfc1b5b296f4796226cdd751
Tags
evasion persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

758bbc9096cb3457ef3d5b5edf66e1644875abb9dfc1b5b296f4796226cdd751

Threat Level: Known bad

The file 5af5800767fdad8ab5a0828193493180_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence trojan

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Detects BazaLoader malware

Modifies Installed Components in the registry

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-26 03:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-26 03:24

Reported

2024-05-26 03:26

Platform

win7-20240221-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5af5800767fdad8ab5a0828193493180_NeikiAnalytics.exe"

Signatures

Detects BazaLoader malware

trojan
Description Indicator Process Target
N/A N/A N/A N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\5af5800767fdad8ab5a0828193493180_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af5800767fdad8ab5a0828193493180_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1312 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\5af5800767fdad8ab5a0828193493180_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 1312 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\5af5800767fdad8ab5a0828193493180_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 1312 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\5af5800767fdad8ab5a0828193493180_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 1312 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\5af5800767fdad8ab5a0828193493180_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 2640 wrote to memory of 2600 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2640 wrote to memory of 2600 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2640 wrote to memory of 2600 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2640 wrote to memory of 2600 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2600 wrote to memory of 2388 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2600 wrote to memory of 2388 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2600 wrote to memory of 2388 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2600 wrote to memory of 2388 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2388 wrote to memory of 2444 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2388 wrote to memory of 2444 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2388 wrote to memory of 2444 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2388 wrote to memory of 2444 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2388 wrote to memory of 1444 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2388 wrote to memory of 1444 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2388 wrote to memory of 1444 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2388 wrote to memory of 1444 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2388 wrote to memory of 2284 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2388 wrote to memory of 2284 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2388 wrote to memory of 2284 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2388 wrote to memory of 2284 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2388 wrote to memory of 2424 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2388 wrote to memory of 2424 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2388 wrote to memory of 2424 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2388 wrote to memory of 2424 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5af5800767fdad8ab5a0828193493180_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\5af5800767fdad8ab5a0828193493180_NeikiAnalytics.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 03:26 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 03:27 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 03:28 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

N/A

Files

memory/1312-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1312-1-0x0000000000020000-0x0000000000024000-memory.dmp

memory/1312-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1312-2-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/1312-6-0x0000000000401000-0x000000000042E000-memory.dmp

\Windows\system\explorer.exe

MD5 212038753ac5bce5e19fa278448ff2e6
SHA1 238a2a08a849982c6af6e7740dda0c9d35366581
SHA256 880944fb51ececd983d10aab5674a555b13bce2db90cf1404185f3147094df35
SHA512 94dd9c1e70e24f75743cda2babcea3c4d7e87e27363562474d53bcc74a49d55e4429d3e5781415df3b76d4ffc01bf64f79409c2ed140e6bfe31476ebcced4edf

memory/2640-18-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1312-17-0x0000000002C40000-0x0000000002C71000-memory.dmp

memory/2640-19-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2640-23-0x0000000000400000-0x0000000000431000-memory.dmp

\Windows\system\spoolsv.exe

MD5 523b8f39f0cf85c0335ca9e7b2a50c71
SHA1 ed0f15ccbf01762100323856fa6cb2f89becfd47
SHA256 cafea76e2c9edd3ba4d9348b4adfac5dab357b2416566f5e5380c35420fbc253
SHA512 17d169730d8f495ff63d5a5af8982aea9a4cdf784655cd92f2d0388f5ab3d6fed2d123e66e831ba4b405d10cf8cb8a969b8a0cc08275953ca7aff640fddc24ec

memory/2640-35-0x00000000025E0000-0x0000000002611000-memory.dmp

memory/2600-36-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2600-40-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\system\svchost.exe

MD5 8ac71da89956bf98916452a872c398a5
SHA1 305af6ad4463345ddf75ccf3a964e39f3a4be9e6
SHA256 066ee427677b4763b8bfee336a2baa26464e9d31e7619237451151702759d992
SHA512 a33967a0de627a17c85815775d3bca631470fbb8164e7222445e88420bd8a1a8af2374da9984b2035b8b7f2b0b448a4b3efbb54bfe299d9a418d96a257b62c6b

memory/2388-53-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2388-57-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2388-59-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2600-52-0x0000000002640000-0x0000000002671000-memory.dmp

memory/2444-67-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2388-66-0x0000000002580000-0x00000000025B1000-memory.dmp

memory/2388-65-0x0000000002580000-0x00000000025B1000-memory.dmp

memory/1312-64-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2444-68-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2444-74-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1312-81-0x0000000000401000-0x000000000042E000-memory.dmp

memory/1312-80-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2600-78-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 3a97d677a2f3c44ace9c061a350d0d06
SHA1 c6af582cf6c2c8115da11cc530aaa2dcde666497
SHA256 4a2cdaa6cf0ddb6ee869de4ade9cca139078b2e65a52e3613147b7beddb6f42c
SHA512 882ab0e82d76c40bac1d39a25cc514ddf230634ab6b73bb75d9c3f7e3d314f9cadece3ab1e80f146c989d26becca225e426cc3f3b16220061866346c1e7e1916

memory/2640-83-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2388-85-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2640-94-0x0000000000400000-0x0000000000431000-memory.dmp

\??\PIPE\atsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-26 03:24

Reported

2024-05-26 03:26

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5af5800767fdad8ab5a0828193493180_NeikiAnalytics.exe"

Signatures

Detects BazaLoader malware

trojan
Description Indicator Process Target
N/A N/A N/A N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\5af5800767fdad8ab5a0828193493180_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af5800767fdad8ab5a0828193493180_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af5800767fdad8ab5a0828193493180_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 744 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\5af5800767fdad8ab5a0828193493180_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 744 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\5af5800767fdad8ab5a0828193493180_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 744 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\5af5800767fdad8ab5a0828193493180_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 372 wrote to memory of 3772 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 372 wrote to memory of 3772 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 372 wrote to memory of 3772 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3772 wrote to memory of 3928 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 3772 wrote to memory of 3928 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 3772 wrote to memory of 3928 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 3928 wrote to memory of 2456 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 3928 wrote to memory of 2456 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 3928 wrote to memory of 2456 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 3928 wrote to memory of 4924 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3928 wrote to memory of 4924 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3928 wrote to memory of 4924 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3928 wrote to memory of 4232 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3928 wrote to memory of 4232 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3928 wrote to memory of 4232 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3928 wrote to memory of 1496 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3928 wrote to memory of 1496 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3928 wrote to memory of 1496 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5af5800767fdad8ab5a0828193493180_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\5af5800767fdad8ab5a0828193493180_NeikiAnalytics.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 03:26 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 03:27 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 03:28 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp

Files

memory/744-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/744-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/744-2-0x0000000075700000-0x000000007585D000-memory.dmp

memory/744-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/744-4-0x0000000000401000-0x000000000042E000-memory.dmp

\??\c:\windows\system\explorer.exe

MD5 e9ebeeae8b9ebb686d876b96181e3be4
SHA1 0047c0b2f52bd272856ab568f98a2731ef61da70
SHA256 01026b44620f2aab629f0c64be58baa2e4b1efe58d3dc8ce1620abfa72f2e19d
SHA512 864e3211d6e794f9441992e4ea7823ad09fc041ea3adcecb34c87d4d4739a1e1d5b5b74fe0164fe97ebc8902cf594f8be87bcdd923e59fb659c76e11ecf65925

memory/372-14-0x0000000000400000-0x0000000000431000-memory.dmp

memory/372-13-0x0000000000400000-0x0000000000431000-memory.dmp

memory/372-15-0x0000000075700000-0x000000007585D000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 5a1b544f2130b87f4e1282f201616434
SHA1 f7a577780e9de834f9d94f3881acec9c0a835189
SHA256 b4cbe98cf3175fb7a22394814887e2c9f26a6e12f00ec834f659c0a9c63e2628
SHA512 cda8468a8b0f3c86cf7d7186c9dd9fae0123e748b6329c42383abe6f286e08d0a0b2d153a085b46540cff329c0ccd83555b078cbabbbdaf4ff0b161d0d10173d

memory/3772-26-0x0000000075700000-0x000000007585D000-memory.dmp

memory/3772-28-0x0000000000400000-0x0000000000431000-memory.dmp

memory/372-22-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\System\svchost.exe

MD5 52d318c44b01635dffac492850dd7678
SHA1 8ce6c5a956005a57e88b696e5cdf6fe1e1e51fb6
SHA256 e0eb91505325cd0630bcbcee976567dc87f175c447b414badf60506381e7db76
SHA512 744361d1a33e025d2236edc25a92a393f2a33b42ba87e2f002392395a12d83ead9816628a7cd810e0d9df918f6ceaed84d9c9ab99dd79d9e32779fabe048d913

memory/3928-37-0x0000000075700000-0x000000007585D000-memory.dmp

memory/2456-43-0x0000000075700000-0x000000007585D000-memory.dmp

memory/2456-49-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3772-53-0x0000000000400000-0x0000000000431000-memory.dmp

memory/744-54-0x0000000000400000-0x0000000000431000-memory.dmp

memory/744-55-0x0000000000401000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 b5fdfa0322ba70a9a2ce2546e0619932
SHA1 66a61d606e08a2851d8c1b23ef421731f9b6f351
SHA256 e67e002ccf588b500f2e3bab3cc49a4f310043d9b5449d283ccead4db450585b
SHA512 7a37eccefdc8bf23ec3d9d4522cd8b5f4491a6f8754138b72ef56df0f6ae33a8c065cd2d7e397395385a58ad69fc6aa35fb82b98a82ead187b9823681c24e8a2

memory/372-57-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3928-59-0x0000000000400000-0x0000000000431000-memory.dmp

memory/372-68-0x0000000000400000-0x0000000000431000-memory.dmp