148ba3d681e09f236fe3c1ee1ef42bd1c3346809fa526e816618234e68923920

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
28/05/2024, 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1221382ec69cbaa3de3f013bc9083400_NeikiAnalytics.exe
Size

135KB
MD5

1221382ec69cbaa3de3f013bc9083400
SHA1

b81742a7d0f6d21c3065e156563f129a75e67350
SHA256

148ba3d681e09f236fe3c1ee1ef42bd1c3346809fa526e816618234e68923920
SHA512

0061756259188a59630616b2a7fb9cf80d5b42dac8f148f171436052e7756ba0c668dda59ecea96ee6802fa7e670e64ba20f019bfd6f16322b4cc45cea4c6a6a
SSDEEP

1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVO9:UVqoCl/YgjxEufVU0TbTyDDalg9

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
1928	explorer.exe
1836	spoolsv.exe
2384	svchost.exe
2268	spoolsv.exe

Loads dropped DLL 4 IoCs

pid	Process
1512	1221382ec69cbaa3de3f013bc9083400_NeikiAnalytics.exe
1928	explorer.exe
1836	spoolsv.exe
2384	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	1221382ec69cbaa3de3f013bc9083400_NeikiAnalytics.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2416	schtasks.exe
2460	schtasks.exe
2768	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1512	1221382ec69cbaa3de3f013bc9083400_NeikiAnalytics.exe
1512	1221382ec69cbaa3de3f013bc9083400_NeikiAnalytics.exe
1512	1221382ec69cbaa3de3f013bc9083400_NeikiAnalytics.exe
1512	1221382ec69cbaa3de3f013bc9083400_NeikiAnalytics.exe
1512	1221382ec69cbaa3de3f013bc9083400_NeikiAnalytics.exe
1512	1221382ec69cbaa3de3f013bc9083400_NeikiAnalytics.exe
1512	1221382ec69cbaa3de3f013bc9083400_NeikiAnalytics.exe
1512	1221382ec69cbaa3de3f013bc9083400_NeikiAnalytics.exe
1512	1221382ec69cbaa3de3f013bc9083400_NeikiAnalytics.exe
1512	1221382ec69cbaa3de3f013bc9083400_NeikiAnalytics.exe
1512	1221382ec69cbaa3de3f013bc9083400_NeikiAnalytics.exe
1512	1221382ec69cbaa3de3f013bc9083400_NeikiAnalytics.exe
1512	1221382ec69cbaa3de3f013bc9083400_NeikiAnalytics.exe
1512	1221382ec69cbaa3de3f013bc9083400_NeikiAnalytics.exe
1512	1221382ec69cbaa3de3f013bc9083400_NeikiAnalytics.exe
1512	1221382ec69cbaa3de3f013bc9083400_NeikiAnalytics.exe
1512	1221382ec69cbaa3de3f013bc9083400_NeikiAnalytics.exe
1928	explorer.exe
1928	explorer.exe
1928	explorer.exe
1928	explorer.exe
1928	explorer.exe
1928	explorer.exe
1928	explorer.exe
1928	explorer.exe
1928	explorer.exe
1928	explorer.exe
1928	explorer.exe
1928	explorer.exe
1928	explorer.exe
1928	explorer.exe
1928	explorer.exe
1928	explorer.exe
2384	svchost.exe
2384	svchost.exe
2384	svchost.exe
2384	svchost.exe
2384	svchost.exe
2384	svchost.exe
2384	svchost.exe
2384	svchost.exe
2384	svchost.exe
2384	svchost.exe
2384	svchost.exe
2384	svchost.exe
2384	svchost.exe
2384	svchost.exe
2384	svchost.exe
2384	svchost.exe
1928	explorer.exe
1928	explorer.exe
1928	explorer.exe
1928	explorer.exe
2384	svchost.exe
2384	svchost.exe
2384	svchost.exe
1928	explorer.exe
2384	svchost.exe
1928	explorer.exe
1928	explorer.exe
2384	svchost.exe
2384	svchost.exe
1928	explorer.exe
2384	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1928	explorer.exe
2384	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1512	1221382ec69cbaa3de3f013bc9083400_NeikiAnalytics.exe
1512	1221382ec69cbaa3de3f013bc9083400_NeikiAnalytics.exe
1928	explorer.exe
1928	explorer.exe
1836	spoolsv.exe
1836	spoolsv.exe
2384	svchost.exe
2384	svchost.exe
2268	spoolsv.exe
2268	spoolsv.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 1928	1512	1221382ec69cbaa3de3f013bc9083400_NeikiAnalytics.exe	28
PID 1512 wrote to memory of 1928	1512	1221382ec69cbaa3de3f013bc9083400_NeikiAnalytics.exe	28
PID 1512 wrote to memory of 1928	1512	1221382ec69cbaa3de3f013bc9083400_NeikiAnalytics.exe	28
PID 1512 wrote to memory of 1928	1512	1221382ec69cbaa3de3f013bc9083400_NeikiAnalytics.exe	28
PID 1928 wrote to memory of 1836	1928	explorer.exe	29
PID 1928 wrote to memory of 1836	1928	explorer.exe	29
PID 1928 wrote to memory of 1836	1928	explorer.exe	29
PID 1928 wrote to memory of 1836	1928	explorer.exe	29
PID 1836 wrote to memory of 2384	1836	spoolsv.exe	30
PID 1836 wrote to memory of 2384	1836	spoolsv.exe	30
PID 1836 wrote to memory of 2384	1836	spoolsv.exe	30
PID 1836 wrote to memory of 2384	1836	spoolsv.exe	30
PID 2384 wrote to memory of 2268	2384	svchost.exe	31
PID 2384 wrote to memory of 2268	2384	svchost.exe	31
PID 2384 wrote to memory of 2268	2384	svchost.exe	31
PID 2384 wrote to memory of 2268	2384	svchost.exe	31
PID 1928 wrote to memory of 2648	1928	explorer.exe	32
PID 1928 wrote to memory of 2648	1928	explorer.exe	32
PID 1928 wrote to memory of 2648	1928	explorer.exe	32
PID 1928 wrote to memory of 2648	1928	explorer.exe	32
PID 2384 wrote to memory of 2460	2384	svchost.exe	33
PID 2384 wrote to memory of 2460	2384	svchost.exe	33
PID 2384 wrote to memory of 2460	2384	svchost.exe	33
PID 2384 wrote to memory of 2460	2384	svchost.exe	33
PID 2384 wrote to memory of 2768	2384	svchost.exe	38
PID 2384 wrote to memory of 2768	2384	svchost.exe	38
PID 2384 wrote to memory of 2768	2384	svchost.exe	38
PID 2384 wrote to memory of 2768	2384	svchost.exe	38
PID 2384 wrote to memory of 2416	2384	svchost.exe	40
PID 2384 wrote to memory of 2416	2384	svchost.exe	40
PID 2384 wrote to memory of 2416	2384	svchost.exe	40
PID 2384 wrote to memory of 2416	2384	svchost.exe	40

C:\Users\Admin\AppData\Local\Temp\1221382ec69cbaa3de3f013bc9083400_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1221382ec69cbaa3de3f013bc9083400_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1512
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1928
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1836
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2384
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2268
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:49 /f
        5⤵
        Creates scheduled task(s)
        
        PID:2460
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:50 /f
        5⤵
        Creates scheduled task(s)
        
        PID:2768
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:51 /f
        5⤵
        Creates scheduled task(s)
        
        PID:2416
- - C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe
    3⤵
    PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
e66a82e1d3c2b9c6a104e97ec4920672

SHA1
babe9bda551c9b450d7beb2ff3c33623ae30236f

SHA256
f4de6f6b067cd3b3661eea68d1c46c421c40e1549c90195e44d1074de13a99f7

SHA512
156eca04899d854a00e21c6edfd4770f1581fca46547bf515715ec2f10028ca7ccb785610c43a308ac7ddf5e6362ec75e2bec06077ecdfe4b88cd07bb8fdb590

Download Submit
\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
8722ead3a99b14d8c9a0e5078f4a9d1a

SHA1
1861d15bffa3dcce076d5834638566e38ba43d98

SHA256
f7795478bdc5fd37d6cb72f6da3d6b3c95b94eddffb11dfe4743bbbbec520fd8

SHA512
8348119cac0f684d6bad411b905ddcadb7ff82ec3b83462795bf7b45d4de8d3e2d62ec1eb4543d55a5607e9bee29da846337bea09411a2b0cc69053cef94fd94

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
f8413a531528368dcbde47819314a4ba

SHA1
cf503ed7569a7bbc4c619aa03c8f5bdcd9b8968b

SHA256
5769a9d19b889ec199754ea74e19724a27bdf2abc9c9c522eb3eab8a601472aa

SHA512
4c154c6cb578bc584e0b6d486e7bcdced8aa441078ddf849f3fe208b92d15d08be33d32b67b4a17dbd58245aa8fed5b2d5c5b9d9aa840a056e14dfe99b48fbb8

Download Submit
memory/1512-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1512-41-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1836-40-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2268-39-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download