Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 26/05/2024, 03:47
Static task: static1
Behavioral task: behavioral1
- Sample: 5e5f9d40e9306bf5adaaadd7d4cd7b30_NeikiAnalytics.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 5e5f9d40e9306bf5adaaadd7d4cd7b30_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 5e5f9d40e9306bf5adaaadd7d4cd7b30_NeikiAnalytics.exe
- Size: 1.4MB
- MD5: 5e5f9d40e9306bf5adaaadd7d4cd7b30
- SHA1: 9f88e814478f8f6cb5e36f7edad2521a626d971c
- SHA256: 9d69a686fa761a2d7eae16ec8a6e09984e2ce5e5f1d69c24a60c10a260abea35
- SHA512: 0bfa145eda550e37f0168ae77d23ed9737527f374183b59791a06739e89f04ec4de54ba0c2f2103fda4febea243b761b70700c85738fc7678db0612893a905d8
- SSDEEP: 24576:S9cdOqX1uuMliQzd4mNy9Sh5hJgpiwVQLJaOSZ4LehoZza9gNWmAO5ehlMh:S9UX1uBx4mYo83vOSeyeaKrP
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
- Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
- Executes dropped EXE (4 IoCs)
  pid | Process
  2316 | explorer.exe
  1992 | spoolsv.exe
  2728 | svchost.exe
  2588 | spoolsv.exe
- Loads dropped DLL (8 IoCs)
  pid | Process
  2008 | 5e5f9d40e9306bf5adaaadd7d4cd7b30_NeikiAnalytics.exe (2 hits)
  2316 | explorer.exe (2 hits)
  1992 | spoolsv.exe (2 hits)
  2728 | svchost.exe (2 hits)
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (34 IoCs)
  pid | Process
  2008 | 5e5f9d40e9306bf5adaaadd7d4cd7b30_NeikiAnalytics.exe
  2316 | explorer.exe (repeated hits)
  1992 | spoolsv.exe
  2728 | svchost.exe (repeated hits)
  2588 | spoolsv.exe
  (34 hits in total; almost all of the repeats come from 2316 explorer.exe and 2728 svchost.exe)
- Drops file in Windows directory (6 IoCs)
  description | ioc | Process
  File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
  File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\explorer.exe | 5e5f9d40e9306bf5adaaadd7d4cd7b30_NeikiAnalytics.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
  File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2008 | 5e5f9d40e9306bf5adaaadd7d4cd7b30_NeikiAnalytics.exe
  2316 | explorer.exe (repeated hits)
  2728 | svchost.exe (repeated hits)
  (64 hits in total, the report's cap; all but the first come from 2316 explorer.exe and 2728 svchost.exe)
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | Process
  2316 | explorer.exe
  2728 | svchost.exe
- Suspicious use of SetWindowsHookEx (17 IoCs)
  pid | Process
  2008 | 5e5f9d40e9306bf5adaaadd7d4cd7b30_NeikiAnalytics.exe (3 hits)
  2316 | explorer.exe (5 hits)
  1992 | spoolsv.exe (3 hits)
  2728 | svchost.exe (3 hits)
  2588 | spoolsv.exe (3 hits)
- Suspicious use of WriteProcessMemory (28 IoCs; each parent/child pair is recorded 4 times)
  description | pid | Process | procid_target
  PID 2008 wrote to memory of 2316 | 2008 | 5e5f9d40e9306bf5adaaadd7d4cd7b30_NeikiAnalytics.exe | 28
  PID 2316 wrote to memory of 1992 | 2316 | explorer.exe | 29
  PID 1992 wrote to memory of 2728 | 1992 | spoolsv.exe | 30
  PID 2728 wrote to memory of 2588 | 2728 | svchost.exe | 31
  PID 2728 wrote to memory of 2412 | 2728 | svchost.exe | 32
  PID 2728 wrote to memory of 1536 | 2728 | svchost.exe | 36
  PID 2728 wrote to memory of 440 | 2728 | svchost.exe | 38
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\5e5f9d40e9306bf5adaaadd7d4cd7b30_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5e5f9d40e9306bf5adaaadd7d4cd7b30_NeikiAnalytics.exe"
  PID: 2008
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] \??\c:\windows\system\explorer.exe
    Command line: c:\windows\system\explorer.exe
    PID: 2316
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - [3] \??\c:\windows\system\spoolsv.exe
      Command line: c:\windows\system\spoolsv.exe SE
      PID: 1992
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - [4] \??\c:\windows\system\svchost.exe
        Command line: c:\windows\system\svchost.exe
        PID: 2728
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - [5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe PR
          PID: 2588
          - Executes dropped EXE
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious use of SetWindowsHookEx
        - [5] C:\Windows\SysWOW64\at.exe
          Command line: at 03:49 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 2412
        - [5] C:\Windows\SysWOW64\at.exe
          Command line: at 03:50 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 1536
        - [5] C:\Windows\SysWOW64\at.exe
          Command line: at 03:51 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 440
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Downloads