71aa4e5b81d1bf6f84e1a89050896f7494caa06ec9f652b2bff3a2eaf6209c79

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
28/05/2024, 03:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

313b85d65f1cf136b66b885b9598f6d0_NeikiAnalytics.exe
Size

206KB
MD5

313b85d65f1cf136b66b885b9598f6d0
SHA1

26ee3c032a5285cdab9ee072a0f582481a6b4250
SHA256

71aa4e5b81d1bf6f84e1a89050896f7494caa06ec9f652b2bff3a2eaf6209c79
SHA512

2cc1287af07712dc850ce7a674264e129fbf09e3adf5c4600929319f09ee2237bb872a07c3654c354d28e932f8410da51ccf5c9fd81d69cc5d2fefc653886cc2
SSDEEP

3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6uns:5vEN2U+T6i5LirrllHy4HUcMQY6B

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
1748	explorer.exe
3068	spoolsv.exe
2692	svchost.exe
2964	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
1740	313b85d65f1cf136b66b885b9598f6d0_NeikiAnalytics.exe
1740	313b85d65f1cf136b66b885b9598f6d0_NeikiAnalytics.exe
1748	explorer.exe
1748	explorer.exe
3068	spoolsv.exe
3068	spoolsv.exe
2692	svchost.exe
2692	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	313b85d65f1cf136b66b885b9598f6d0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1740	313b85d65f1cf136b66b885b9598f6d0_NeikiAnalytics.exe
1748	explorer.exe
1748	explorer.exe
1748	explorer.exe
2692	svchost.exe
2692	svchost.exe
1748	explorer.exe
2692	svchost.exe
1748	explorer.exe
2692	svchost.exe
1748	explorer.exe
2692	svchost.exe
1748	explorer.exe
2692	svchost.exe
1748	explorer.exe
2692	svchost.exe
1748	explorer.exe
2692	svchost.exe
1748	explorer.exe
2692	svchost.exe
1748	explorer.exe
2692	svchost.exe
1748	explorer.exe
2692	svchost.exe
1748	explorer.exe
2692	svchost.exe
1748	explorer.exe
2692	svchost.exe
1748	explorer.exe
2692	svchost.exe
1748	explorer.exe
2692	svchost.exe
1748	explorer.exe
2692	svchost.exe
1748	explorer.exe
2692	svchost.exe
1748	explorer.exe
2692	svchost.exe
1748	explorer.exe
2692	svchost.exe
1748	explorer.exe
2692	svchost.exe
1748	explorer.exe
2692	svchost.exe
1748	explorer.exe
2692	svchost.exe
1748	explorer.exe
2692	svchost.exe
1748	explorer.exe
2692	svchost.exe
1748	explorer.exe
2692	svchost.exe
1748	explorer.exe
2692	svchost.exe
1748	explorer.exe
2692	svchost.exe
1748	explorer.exe
2692	svchost.exe
1748	explorer.exe
2692	svchost.exe
1748	explorer.exe
2692	svchost.exe
1748	explorer.exe
2692	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1748	explorer.exe
2692	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1740	313b85d65f1cf136b66b885b9598f6d0_NeikiAnalytics.exe
1740	313b85d65f1cf136b66b885b9598f6d0_NeikiAnalytics.exe
1748	explorer.exe
1748	explorer.exe
3068	spoolsv.exe
3068	spoolsv.exe
2692	svchost.exe
2692	svchost.exe
2964	spoolsv.exe
2964	spoolsv.exe
1748	explorer.exe
1748	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 1748	1740	313b85d65f1cf136b66b885b9598f6d0_NeikiAnalytics.exe	28
PID 1740 wrote to memory of 1748	1740	313b85d65f1cf136b66b885b9598f6d0_NeikiAnalytics.exe	28
PID 1740 wrote to memory of 1748	1740	313b85d65f1cf136b66b885b9598f6d0_NeikiAnalytics.exe	28
PID 1740 wrote to memory of 1748	1740	313b85d65f1cf136b66b885b9598f6d0_NeikiAnalytics.exe	28
PID 1748 wrote to memory of 3068	1748	explorer.exe	29
PID 1748 wrote to memory of 3068	1748	explorer.exe	29
PID 1748 wrote to memory of 3068	1748	explorer.exe	29
PID 1748 wrote to memory of 3068	1748	explorer.exe	29
PID 3068 wrote to memory of 2692	3068	spoolsv.exe	30
PID 3068 wrote to memory of 2692	3068	spoolsv.exe	30
PID 3068 wrote to memory of 2692	3068	spoolsv.exe	30
PID 3068 wrote to memory of 2692	3068	spoolsv.exe	30
PID 2692 wrote to memory of 2964	2692	svchost.exe	31
PID 2692 wrote to memory of 2964	2692	svchost.exe	31
PID 2692 wrote to memory of 2964	2692	svchost.exe	31
PID 2692 wrote to memory of 2964	2692	svchost.exe	31
PID 2692 wrote to memory of 2484	2692	svchost.exe	32
PID 2692 wrote to memory of 2484	2692	svchost.exe	32
PID 2692 wrote to memory of 2484	2692	svchost.exe	32
PID 2692 wrote to memory of 2484	2692	svchost.exe	32
PID 2692 wrote to memory of 1448	2692	svchost.exe	36
PID 2692 wrote to memory of 1448	2692	svchost.exe	36
PID 2692 wrote to memory of 1448	2692	svchost.exe	36
PID 2692 wrote to memory of 1448	2692	svchost.exe	36
PID 2692 wrote to memory of 1928	2692	svchost.exe	38
PID 2692 wrote to memory of 1928	2692	svchost.exe	38
PID 2692 wrote to memory of 1928	2692	svchost.exe	38
PID 2692 wrote to memory of 1928	2692	svchost.exe	38

C:\Users\Admin\AppData\Local\Temp\313b85d65f1cf136b66b885b9598f6d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\313b85d65f1cf136b66b885b9598f6d0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1740
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1748
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2692
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2964
    - - C:\Windows\SysWOW64\at.exe
        
        at 03:55 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2484
    - - C:\Windows\SysWOW64\at.exe
        
        at 03:56 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1448
    - - C:\Windows\SysWOW64\at.exe
        
        at 03:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
207KB

MD5
c291bd75a1ef467ab3fc806b0b52cfbb

SHA1
2a186efb136484ecc3d7b347eff3ed5444497f29

SHA256
7cd769978c62fd41fdbf3d11ead34af680b9711db0e91f80cd2d8bc835b1ec8d

SHA512
65c5d73d85840de4308b619def1fc64c9a8cfb7839ede182404c2f486beab7cf1f8c35726bbf19923869557683ab5e69ce3e2c720c1c1b54501d4424f833f305

Download Submit
C:\Windows\system\svchost.exe

Filesize
206KB

MD5
f557e232f6a8bf5c88e43ec28efefebb

SHA1
2938d39639445a22646442e195994d38a68d20c4

SHA256
cb71157c04f1ced8649eff75fee22a9d08aab6d16a6e624b65dd1a54a5781981

SHA512
e64043edc2fcd077f39b817fc7c70a7dbb4cdc82680e1b29b74a12e3acb66c94392b00a34827438d0b8e0bc2becfbe49d31bb85bb6cb115639e8540e1645e31b

Download Submit
\Windows\system\explorer.exe

Filesize
206KB

MD5
2cfae96402261ba80c75762fc78eceae

SHA1
521087fac6052c652db4e90e33d7d359043beee4

SHA256
0a019ce6ed06070cf2a7da79d580bc022a0229a01533662aaa0e116aa73f0917

SHA512
9d239db96fb91c35cf2375015ba2c904a09dda90cd96393a1f9594f71beef9e6e2f06982e25e63ccbdbc5f275a816e411a654ecbd55f291b291a6ac912ddd62c

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
2b96e3078254d80d92d6a26f16e0b70e

SHA1
10cad4c4ab8e8f2f99a2a7fd0942a626b670ba19

SHA256
5717e489f4e84826d5f8c0ac6008f20f48cb136e6e25f1fed4839a4d850930ae

SHA512
b33fe266b9b03f0761597ba43136a7ee33278bd6c01da31c604b158e8ec02149ab85bac2cd7368c2cc83d4e0ee3aaf7dafd1113e65a1204505a37c98dda155e4

Download Submit
memory/1740-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1740-58-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1740-13-0x00000000025F0000-0x0000000002630000-memory.dmp

Filesize
256KB

Download
memory/1748-27-0x00000000026D0000-0x0000000002710000-memory.dmp

Filesize
256KB

Download
memory/2692-49-0x0000000002B30000-0x0000000002B70000-memory.dmp

Filesize
256KB

Download
memory/2964-54-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3068-28-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3068-42-0x00000000024B0000-0x00000000024F0000-memory.dmp

Filesize
256KB

Download
memory/3068-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download