f30f2535f291ab5f472136803ff3c04f6553eb9fe252a551450ea3f7c147dff4

Analysis

max time kernel
151s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/05/2024, 06:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

22ed2457fdc794abfb08fa92b19606d0_NeikiAnalytics.exe
Size

4.1MB
MD5

22ed2457fdc794abfb08fa92b19606d0
SHA1

254ba2c1e5d176e4b7d8f511407d696ac6fd1a7d
SHA256

f30f2535f291ab5f472136803ff3c04f6553eb9fe252a551450ea3f7c147dff4
SHA512

a447bf1811236c3de601df3cd4470948772be7f369a86868682d6b159cbd85bcc095db8b47e5932809349b8fcba2c3bee53ba006bccf87ac7763adc51b9efb46
SSDEEP

98304:JIFT3aZ0m6b0GL3vdHLu5UMEyz4IL+ox9frfixLdRT:J03aZ030MdecaCqNOx5RT

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\Geo\Nation	22ed2457fdc794abfb08fa92b19606d0_neikianalytics.exe

Executes dropped EXE 6 IoCs

pid	Process
2308	22ed2457fdc794abfb08fa92b19606d0_neikianalytics.exe
1992	icsys.icn.exe
1744	explorer.exe
2972	spoolsv.exe
2608	svchost.exe
2772	spoolsv.exe

Loads dropped DLL 10 IoCs

pid	Process
2188	22ed2457fdc794abfb08fa92b19606d0_NeikiAnalytics.exe
2308	22ed2457fdc794abfb08fa92b19606d0_neikianalytics.exe
2308	22ed2457fdc794abfb08fa92b19606d0_neikianalytics.exe
2308	22ed2457fdc794abfb08fa92b19606d0_neikianalytics.exe
2308	22ed2457fdc794abfb08fa92b19606d0_neikianalytics.exe
2188	22ed2457fdc794abfb08fa92b19606d0_NeikiAnalytics.exe
1992	icsys.icn.exe
1744	explorer.exe
2972	spoolsv.exe
2608	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	22ed2457fdc794abfb08fa92b19606d0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0008000000014e3d-6.dat	nsis_installer_1
behavioral1/files/0x0008000000014e3d-6.dat	nsis_installer_2

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2736	schtasks.exe
1212	schtasks.exe
1064	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2188	22ed2457fdc794abfb08fa92b19606d0_NeikiAnalytics.exe
2188	22ed2457fdc794abfb08fa92b19606d0_NeikiAnalytics.exe
2188	22ed2457fdc794abfb08fa92b19606d0_NeikiAnalytics.exe
2188	22ed2457fdc794abfb08fa92b19606d0_NeikiAnalytics.exe
2188	22ed2457fdc794abfb08fa92b19606d0_NeikiAnalytics.exe
2188	22ed2457fdc794abfb08fa92b19606d0_NeikiAnalytics.exe
2188	22ed2457fdc794abfb08fa92b19606d0_NeikiAnalytics.exe
2188	22ed2457fdc794abfb08fa92b19606d0_NeikiAnalytics.exe
2188	22ed2457fdc794abfb08fa92b19606d0_NeikiAnalytics.exe
2188	22ed2457fdc794abfb08fa92b19606d0_NeikiAnalytics.exe
2188	22ed2457fdc794abfb08fa92b19606d0_NeikiAnalytics.exe
2188	22ed2457fdc794abfb08fa92b19606d0_NeikiAnalytics.exe
2188	22ed2457fdc794abfb08fa92b19606d0_NeikiAnalytics.exe
2188	22ed2457fdc794abfb08fa92b19606d0_NeikiAnalytics.exe
2188	22ed2457fdc794abfb08fa92b19606d0_NeikiAnalytics.exe
2188	22ed2457fdc794abfb08fa92b19606d0_NeikiAnalytics.exe
1992	icsys.icn.exe
1992	icsys.icn.exe
1992	icsys.icn.exe
1992	icsys.icn.exe
1992	icsys.icn.exe
1992	icsys.icn.exe
1992	icsys.icn.exe
1992	icsys.icn.exe
1992	icsys.icn.exe
1992	icsys.icn.exe
1992	icsys.icn.exe
1992	icsys.icn.exe
1992	icsys.icn.exe
1992	icsys.icn.exe
1992	icsys.icn.exe
1992	icsys.icn.exe
1992	icsys.icn.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
2608	svchost.exe
2608	svchost.exe
2608	svchost.exe
2608	svchost.exe
2608	svchost.exe
2608	svchost.exe
2608	svchost.exe
2608	svchost.exe
2608	svchost.exe
2608	svchost.exe
2608	svchost.exe
2608	svchost.exe
2608	svchost.exe
2608	svchost.exe
2608	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1744	explorer.exe
2608	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2188	22ed2457fdc794abfb08fa92b19606d0_NeikiAnalytics.exe
2188	22ed2457fdc794abfb08fa92b19606d0_NeikiAnalytics.exe
1992	icsys.icn.exe
1992	icsys.icn.exe
1744	explorer.exe
1744	explorer.exe
2972	spoolsv.exe
2972	spoolsv.exe
2608	svchost.exe
2608	svchost.exe
2772	spoolsv.exe
2772	spoolsv.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2308	2188	22ed2457fdc794abfb08fa92b19606d0_NeikiAnalytics.exe	28
PID 2188 wrote to memory of 2308	2188	22ed2457fdc794abfb08fa92b19606d0_NeikiAnalytics.exe	28
PID 2188 wrote to memory of 2308	2188	22ed2457fdc794abfb08fa92b19606d0_NeikiAnalytics.exe	28
PID 2188 wrote to memory of 2308	2188	22ed2457fdc794abfb08fa92b19606d0_NeikiAnalytics.exe	28
PID 2188 wrote to memory of 2308	2188	22ed2457fdc794abfb08fa92b19606d0_NeikiAnalytics.exe	28
PID 2188 wrote to memory of 2308	2188	22ed2457fdc794abfb08fa92b19606d0_NeikiAnalytics.exe	28
PID 2188 wrote to memory of 2308	2188	22ed2457fdc794abfb08fa92b19606d0_NeikiAnalytics.exe	28
PID 2188 wrote to memory of 1992	2188	22ed2457fdc794abfb08fa92b19606d0_NeikiAnalytics.exe	29
PID 2188 wrote to memory of 1992	2188	22ed2457fdc794abfb08fa92b19606d0_NeikiAnalytics.exe	29
PID 2188 wrote to memory of 1992	2188	22ed2457fdc794abfb08fa92b19606d0_NeikiAnalytics.exe	29
PID 2188 wrote to memory of 1992	2188	22ed2457fdc794abfb08fa92b19606d0_NeikiAnalytics.exe	29
PID 1992 wrote to memory of 1744	1992	icsys.icn.exe	30
PID 1992 wrote to memory of 1744	1992	icsys.icn.exe	30
PID 1992 wrote to memory of 1744	1992	icsys.icn.exe	30
PID 1992 wrote to memory of 1744	1992	icsys.icn.exe	30
PID 1744 wrote to memory of 2972	1744	explorer.exe	31
PID 1744 wrote to memory of 2972	1744	explorer.exe	31
PID 1744 wrote to memory of 2972	1744	explorer.exe	31
PID 1744 wrote to memory of 2972	1744	explorer.exe	31
PID 2972 wrote to memory of 2608	2972	spoolsv.exe	32
PID 2972 wrote to memory of 2608	2972	spoolsv.exe	32
PID 2972 wrote to memory of 2608	2972	spoolsv.exe	32
PID 2972 wrote to memory of 2608	2972	spoolsv.exe	32
PID 2608 wrote to memory of 2772	2608	svchost.exe	33
PID 2608 wrote to memory of 2772	2608	svchost.exe	33
PID 2608 wrote to memory of 2772	2608	svchost.exe	33
PID 2608 wrote to memory of 2772	2608	svchost.exe	33
PID 1744 wrote to memory of 2496	1744	explorer.exe	34
PID 1744 wrote to memory of 2496	1744	explorer.exe	34
PID 1744 wrote to memory of 2496	1744	explorer.exe	34
PID 1744 wrote to memory of 2496	1744	explorer.exe	34
PID 2608 wrote to memory of 2736	2608	svchost.exe	35
PID 2608 wrote to memory of 2736	2608	svchost.exe	35
PID 2608 wrote to memory of 2736	2608	svchost.exe	35
PID 2608 wrote to memory of 2736	2608	svchost.exe	35
PID 2608 wrote to memory of 1212	2608	svchost.exe	40
PID 2608 wrote to memory of 1212	2608	svchost.exe	40
PID 2608 wrote to memory of 1212	2608	svchost.exe	40
PID 2608 wrote to memory of 1212	2608	svchost.exe	40
PID 2608 wrote to memory of 1064	2608	svchost.exe	42
PID 2608 wrote to memory of 1064	2608	svchost.exe	42
PID 2608 wrote to memory of 1064	2608	svchost.exe	42
PID 2608 wrote to memory of 1064	2608	svchost.exe	42

C:\Users\Admin\AppData\Local\Temp\22ed2457fdc794abfb08fa92b19606d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\22ed2457fdc794abfb08fa92b19606d0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2188
- \??\c:\users\admin\appdata\local\temp\22ed2457fdc794abfb08fa92b19606d0_neikianalytics.exe
  c:\users\admin\appdata\local\temp\22ed2457fdc794abfb08fa92b19606d0_neikianalytics.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2308
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1992
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1744
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2972
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2608
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2772
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 06:36 /f
        6⤵
        Creates scheduled task(s)
        
        PID:2736
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 06:37 /f
        6⤵
        Creates scheduled task(s)
        
        PID:1212
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 06:38 /f
        6⤵
        Creates scheduled task(s)
        
        PID:1064
  - - C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe
      4⤵
      PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsoB2BD.tmp\UserInfo.dll

Filesize
4KB

MD5
c22c9d7b6937b8960fba4c8a145076b2

SHA1
2e45c2dd6e5132a942fe940dccdaf771e0f9e81e

SHA256
510e466a715933499fb9d5a1753b483826b2bf89161b9d466dd2ad7e52ede2fc

SHA512
b3b93fb97bc0d16ac35a1f0e877bcf42324e19d21839b025329d1b27d8e96bc9c0cbde0a8d60b23fd0c864f62e3c287461108c6abecf53ac488de1fc16b47d6e

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
33f6a5b052bed607014aa88e9cbd2944

SHA1
e1b51fa95a0cfc49c0a3d84a5c78e7e78936fac8

SHA256
29a3bde6ed4df9957d4f8cd21a6f63629a08bb0d674ffaabb18b161cb9735b44

SHA512
5cb2422135fb5db4b288c617d6edddced149f6fec3123fd7f18731e8a84ec985307220a9cce53b5f44ec7558ad6ba09f3f28ee060ec2bf8bb74745dc951a510c

Download Submit
\Users\Admin\AppData\Local\Temp\22ed2457fdc794abfb08fa92b19606d0_neikianalytics.exe

Filesize
4.0MB

MD5
e27d92658cebb4eabea7e74125464023

SHA1
c8ca0643693fbca5cda17886f478666ff0d35cee

SHA256
bea2ca4c9d9abd1ff214166d638792be974ffad7907a8a8ed0370acba800e815

SHA512
77e261afda1eed9ab1fb38d446a08f58fb7c8546aac319565c61a36805c040637f69b20d91521d7f6ea4e8ca571ba372d7ace9f115c03c39d2f3c9131cfc8a57

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB2BD.tmp\System.dll

Filesize
11KB

MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit
\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
2f99dea03326f361394e323a3874026a

SHA1
d8038df108b9ff5147453d8c88ca43614b374000

SHA256
28851db0766eb16e1b43e6a1caeb4c3f0761ebcacd5a802b1002f47c42e40535

SHA512
e229321fc266e44d142291e821d35ee8b62d5840d63705e726f9b2714202bcb94ae5d7600de26743d3321d256219cc1704c057c35d159de01df565bc414320b9

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
d17e637ca6424c9a0046386ea1b62b40

SHA1
4e5b6e88ea35eed6b4c556a5d4de37ae50bf15cc

SHA256
91f3b9a5084223f3cc0e12bfe6c305015a8efd21e3b365b74ebda14cb2b6b86f

SHA512
faf6417e358ba87ca08180a2e8c861c4ddd6c785e486dba171cc38d2dcf2aa6ce8ef559f3177daf1319d10832fff960c257557f1d7f3c91a64984dc983a91185

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
6d165c4fbf24d6a2276f55678f354634

SHA1
ad264cf398b36407310174ff6a635c84b911f872

SHA256
892250009a1e5b7ff4d888351f7256822e6faa96b71225bd588c80906e13200a

SHA512
fdb34e7a21fef1cef5a3a9a50253748650c9c69e05dbb96037131e523a72addb6373904b353444408c2d72fc2e0c39d557b19f2ccc1fd8f574e9e87da9a4f946

Download Submit
memory/1992-75-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2188-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2188-76-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2772-73-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2972-74-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download