b1fc0e3b5fe6484985b78cd93d7424c375f5e210760182c6c0971b7cb763bc8b

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27-05-2024 17:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06b8bc69117c1776c98b14da0a894650_NeikiAnalytics.exe
Size

135KB
MD5

06b8bc69117c1776c98b14da0a894650
SHA1

fbeb617381d41f63f0b78b09d2b77de9350bc5c1
SHA256

b1fc0e3b5fe6484985b78cd93d7424c375f5e210760182c6c0971b7cb763bc8b
SHA512

d77162217f93b88ed3e3517b7367a17740ef021038cd93adfdec2bf55c7972dfa7f154170609fe73be7bf156c61042eb1ea95e7a816ff40cec3b47a1463e66b3
SSDEEP

1536:XfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbgtWd:XVqoCl/YgjxEufVU0TbTyDDalbd

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
1652	explorer.exe
2148	spoolsv.exe
2020	svchost.exe
1368	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	06b8bc69117c1776c98b14da0a894650_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4688	06b8bc69117c1776c98b14da0a894650_NeikiAnalytics.exe
4688	06b8bc69117c1776c98b14da0a894650_NeikiAnalytics.exe
4688	06b8bc69117c1776c98b14da0a894650_NeikiAnalytics.exe
4688	06b8bc69117c1776c98b14da0a894650_NeikiAnalytics.exe
4688	06b8bc69117c1776c98b14da0a894650_NeikiAnalytics.exe
4688	06b8bc69117c1776c98b14da0a894650_NeikiAnalytics.exe
4688	06b8bc69117c1776c98b14da0a894650_NeikiAnalytics.exe
4688	06b8bc69117c1776c98b14da0a894650_NeikiAnalytics.exe
4688	06b8bc69117c1776c98b14da0a894650_NeikiAnalytics.exe
4688	06b8bc69117c1776c98b14da0a894650_NeikiAnalytics.exe
4688	06b8bc69117c1776c98b14da0a894650_NeikiAnalytics.exe
4688	06b8bc69117c1776c98b14da0a894650_NeikiAnalytics.exe
4688	06b8bc69117c1776c98b14da0a894650_NeikiAnalytics.exe
4688	06b8bc69117c1776c98b14da0a894650_NeikiAnalytics.exe
4688	06b8bc69117c1776c98b14da0a894650_NeikiAnalytics.exe
4688	06b8bc69117c1776c98b14da0a894650_NeikiAnalytics.exe
4688	06b8bc69117c1776c98b14da0a894650_NeikiAnalytics.exe
4688	06b8bc69117c1776c98b14da0a894650_NeikiAnalytics.exe
4688	06b8bc69117c1776c98b14da0a894650_NeikiAnalytics.exe
4688	06b8bc69117c1776c98b14da0a894650_NeikiAnalytics.exe
4688	06b8bc69117c1776c98b14da0a894650_NeikiAnalytics.exe
4688	06b8bc69117c1776c98b14da0a894650_NeikiAnalytics.exe
4688	06b8bc69117c1776c98b14da0a894650_NeikiAnalytics.exe
4688	06b8bc69117c1776c98b14da0a894650_NeikiAnalytics.exe
4688	06b8bc69117c1776c98b14da0a894650_NeikiAnalytics.exe
4688	06b8bc69117c1776c98b14da0a894650_NeikiAnalytics.exe
4688	06b8bc69117c1776c98b14da0a894650_NeikiAnalytics.exe
4688	06b8bc69117c1776c98b14da0a894650_NeikiAnalytics.exe
4688	06b8bc69117c1776c98b14da0a894650_NeikiAnalytics.exe
4688	06b8bc69117c1776c98b14da0a894650_NeikiAnalytics.exe
4688	06b8bc69117c1776c98b14da0a894650_NeikiAnalytics.exe
4688	06b8bc69117c1776c98b14da0a894650_NeikiAnalytics.exe
4688	06b8bc69117c1776c98b14da0a894650_NeikiAnalytics.exe
4688	06b8bc69117c1776c98b14da0a894650_NeikiAnalytics.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1652	explorer.exe
2020	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4688	06b8bc69117c1776c98b14da0a894650_NeikiAnalytics.exe
4688	06b8bc69117c1776c98b14da0a894650_NeikiAnalytics.exe
1652	explorer.exe
1652	explorer.exe
2148	spoolsv.exe
2148	spoolsv.exe
2020	svchost.exe
2020	svchost.exe
1368	spoolsv.exe
1368	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4688 wrote to memory of 1652	4688	06b8bc69117c1776c98b14da0a894650_NeikiAnalytics.exe	82
PID 4688 wrote to memory of 1652	4688	06b8bc69117c1776c98b14da0a894650_NeikiAnalytics.exe	82
PID 4688 wrote to memory of 1652	4688	06b8bc69117c1776c98b14da0a894650_NeikiAnalytics.exe	82
PID 1652 wrote to memory of 2148	1652	explorer.exe	83
PID 1652 wrote to memory of 2148	1652	explorer.exe	83
PID 1652 wrote to memory of 2148	1652	explorer.exe	83
PID 2148 wrote to memory of 2020	2148	spoolsv.exe	84
PID 2148 wrote to memory of 2020	2148	spoolsv.exe	84
PID 2148 wrote to memory of 2020	2148	spoolsv.exe	84
PID 2020 wrote to memory of 1368	2020	svchost.exe	85
PID 2020 wrote to memory of 1368	2020	svchost.exe	85
PID 2020 wrote to memory of 1368	2020	svchost.exe	85

C:\Users\Admin\AppData\Local\Temp\06b8bc69117c1776c98b14da0a894650_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\06b8bc69117c1776c98b14da0a894650_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4688
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1652
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2020
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
fdbc1f9c24c95079b568bdd5f28578b6

SHA1
102a893fedb36712eb8690387222629115774b84

SHA256
b135e17aa55ce4cb8c4813afef69230a2429c0389f0a016dd2a68f0ca7ae6092

SHA512
bf190c1bcd5df59572c3ec51ad8279df81fecefa31d1eeffae2904bf65a9fb320424ae0b8aab15820242ff98fbc06a2ec92d2b09b6043b0e38d9a795d564def6

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
f06f510a98bdc29910a0236e4ffd81c1

SHA1
a2b5edaeb4b334ca22d5a6aa923eab6b148e63fd

SHA256
7a623253bfc2e0ce2d39e37386aa68804e8ad1a0b96e43af592f7fa3b4715c9f

SHA512
c97d32f3ed0494f51a21d726877563a9926d9c89453429d3e3cc08cd88023fd0d89ec30de5dd0f63591ed5c886ceb592ead9a6c5baa1f39baeccc92d563bc28a

Download Submit
\??\c:\windows\resources\themes\explorer.exe

Filesize
135KB

MD5
62e6d6d9023e2b1389e67df5c2b654a5

SHA1
8e5b8bbb2501eedf4476a4c8b726fe46d454786a

SHA256
d4a54f328647e050517bb4c9488225c8a6becbca1a3191351732491b3c343d20

SHA512
d319ddd4423269831c226fa1ca33276e3f1faaf1531876a9fd97d40d928e3eb1b8fbe022c96d77846a714cde97f7fb8cd52979ef37eedc4fb8df817469d8b919

Download Submit
memory/1368-33-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1652-9-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2148-35-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4688-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4688-34-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download