Analysis

max time kernel: 150s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/05/2024, 03:47

Static task: static1

Behavioral task: behavioral1
  Sample: 5e5f9d40e9306bf5adaaadd7d4cd7b30_NeikiAnalytics.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 5e5f9d40e9306bf5adaaadd7d4cd7b30_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General

Target: 5e5f9d40e9306bf5adaaadd7d4cd7b30_NeikiAnalytics.exe
Size: 1.4MB
MD5: 5e5f9d40e9306bf5adaaadd7d4cd7b30
SHA1: 9f88e814478f8f6cb5e36f7edad2521a626d971c
SHA256: 9d69a686fa761a2d7eae16ec8a6e09984e2ce5e5f1d69c24a60c10a260abea35
SHA512: 0bfa145eda550e37f0168ae77d23ed9737527f374183b59791a06739e89f04ec4de54ba0c2f2103fda4febea243b761b70700c85738fc7678db0612893a905d8
SSDEEP: 24576:S9cdOqX1uuMliQzd4mNy9Sh5hJgpiwVQLJaOSZ4LehoZza9gNWmAO5ehlMh:S9UX1uBx4mYo83vOSeyeaKrP
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe |
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe |
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe |
Executes dropped EXE (4 IoCs)

| pid | Process |
|---|---|
| 2248 | explorer.exe |
| 2152 | spoolsv.exe |
| 2776 | svchost.exe |
| 1828 | spoolsv.exe |
Adds Run key to start application (2 TTPs, 4 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe |
Suspicious use of NtSetInformationThreadHideFromDebugger (34 IoCs)

Distinct pid/Process pairs; the sandbox recorded 34 hits in total, most of them repeated calls from explorer.exe (2248) and svchost.exe (2776).

| pid | Process |
|---|---|
| 640 | 5e5f9d40e9306bf5adaaadd7d4cd7b30_NeikiAnalytics.exe |
| 2248 | explorer.exe |
| 2152 | spoolsv.exe |
| 2776 | svchost.exe |
| 1828 | spoolsv.exe |
Drops file in Windows directory (6 IoCs)

| description | ioc | Process |
|---|---|---|
| File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe |
| File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe |
| File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe |
| File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe |
| File opened for modification | C:\Windows\system\udsys.exe | explorer.exe |
| File opened for modification | \??\c:\windows\system\explorer.exe | 5e5f9d40e9306bf5adaaadd7d4cd7b30_NeikiAnalytics.exe |
Enumerates physical storage devices (1 TTPs)

Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)

Distinct pid/Process pairs; the sandbox recorded 64 hits in total, nearly all of them repeated calls from explorer.exe (2248) and svchost.exe (2776).

| pid | Process |
|---|---|
| 640 | 5e5f9d40e9306bf5adaaadd7d4cd7b30_NeikiAnalytics.exe |
| 2248 | explorer.exe |
| 2776 | svchost.exe |
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)

| pid | Process |
|---|---|
| 2248 | explorer.exe |
| 2776 | svchost.exe |
Suspicious use of SetWindowsHookEx (17 IoCs)

Distinct pid/Process pairs; the sandbox recorded 17 hits in total (each process hooked more than once).

| pid | Process |
|---|---|
| 640 | 5e5f9d40e9306bf5adaaadd7d4cd7b30_NeikiAnalytics.exe |
| 2248 | explorer.exe |
| 2152 | spoolsv.exe |
| 2776 | svchost.exe |
| 1828 | spoolsv.exe |
Suspicious use of WriteProcessMemory (21 IoCs)

Each write below is recorded three times in the report; the seven distinct parent/child pairs are listed once.

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 640 wrote to memory of 2248 | 640 | 5e5f9d40e9306bf5adaaadd7d4cd7b30_NeikiAnalytics.exe | 82 |
| PID 2248 wrote to memory of 2152 | 2248 | explorer.exe | 83 |
| PID 2152 wrote to memory of 2776 | 2152 | spoolsv.exe | 84 |
| PID 2776 wrote to memory of 1828 | 2776 | svchost.exe | 85 |
| PID 2776 wrote to memory of 1436 | 2776 | svchost.exe | 86 |
| PID 2776 wrote to memory of 388 | 2776 | svchost.exe | 96 |
| PID 2776 wrote to memory of 3116 | 2776 | svchost.exe | 98 |
Processes

Process tree (indentation shows parent/child relationship):

C:\Users\Admin\AppData\Local\Temp\5e5f9d40e9306bf5adaaadd7d4cd7b30_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5e5f9d40e9306bf5adaaadd7d4cd7b30_NeikiAnalytics.exe"
  PID: 640
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  \??\c:\windows\system\explorer.exe
    Command line: c:\windows\system\explorer.exe
    PID: 2248
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    \??\c:\windows\system\spoolsv.exe
      Command line: c:\windows\system\spoolsv.exe SE
      PID: 2152
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      \??\c:\windows\system\svchost.exe
        Command line: c:\windows\system\svchost.exe
        PID: 2776
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe PR
          PID: 1828
          - Executes dropped EXE
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\at.exe
          Command line: at 03:49 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 1436

        C:\Windows\SysWOW64\at.exe
          Command line: at 03:50 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 388

        C:\Windows\SysWOW64\at.exe
          Command line: at 03:51 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 3116
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Downloads