47a2288cf341996b27f3abd4a7568848fc960f3071809ee1f929c4ded9af4a9e

Analysis

max time kernel
150s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 22:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

580135050f5fb4f161ec49ccbcff3af0_NeikiAnalytics.exe
Size

1.2MB
MD5

580135050f5fb4f161ec49ccbcff3af0
SHA1

09c2aa5d7e00f6ccc0f0ed03d36af45c55c9312f
SHA256

47a2288cf341996b27f3abd4a7568848fc960f3071809ee1f929c4ded9af4a9e
SHA512

f35302492f54300172c8bf11b2601e95b9ead0d3ee8fe8191039e8d7da1d4b4a821356b85575e43691dc015ae656beff7ab768f1621143ac9059a63b77006569
SSDEEP

24576:hj+cktriK2PVboYTicnT1SBb//wDKULTrhSFkOTu+FMb:4SPVboYTVABjRGtSFruNb

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2708	explorer.exe
464	spoolsv.exe
3520	svchost.exe
4776	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 34 IoCs

pid	Process
2012	580135050f5fb4f161ec49ccbcff3af0_NeikiAnalytics.exe
2012	580135050f5fb4f161ec49ccbcff3af0_NeikiAnalytics.exe
2708	explorer.exe
464	spoolsv.exe
3520	svchost.exe
4776	spoolsv.exe
2708	explorer.exe
3520	svchost.exe
2708	explorer.exe
3520	svchost.exe
2708	explorer.exe
3520	svchost.exe
2708	explorer.exe
3520	svchost.exe
2708	explorer.exe
3520	svchost.exe
2708	explorer.exe
3520	svchost.exe
2708	explorer.exe
3520	svchost.exe
2708	explorer.exe
3520	svchost.exe
2708	explorer.exe
3520	svchost.exe
2708	explorer.exe
3520	svchost.exe
2708	explorer.exe
3520	svchost.exe
2708	explorer.exe
3520	svchost.exe
2708	explorer.exe
3520	svchost.exe
2708	explorer.exe
3520	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	580135050f5fb4f161ec49ccbcff3af0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2012	580135050f5fb4f161ec49ccbcff3af0_NeikiAnalytics.exe
2012	580135050f5fb4f161ec49ccbcff3af0_NeikiAnalytics.exe
2012	580135050f5fb4f161ec49ccbcff3af0_NeikiAnalytics.exe
2012	580135050f5fb4f161ec49ccbcff3af0_NeikiAnalytics.exe
2012	580135050f5fb4f161ec49ccbcff3af0_NeikiAnalytics.exe
2012	580135050f5fb4f161ec49ccbcff3af0_NeikiAnalytics.exe
2012	580135050f5fb4f161ec49ccbcff3af0_NeikiAnalytics.exe
2012	580135050f5fb4f161ec49ccbcff3af0_NeikiAnalytics.exe
2012	580135050f5fb4f161ec49ccbcff3af0_NeikiAnalytics.exe
2012	580135050f5fb4f161ec49ccbcff3af0_NeikiAnalytics.exe
2012	580135050f5fb4f161ec49ccbcff3af0_NeikiAnalytics.exe
2012	580135050f5fb4f161ec49ccbcff3af0_NeikiAnalytics.exe
2012	580135050f5fb4f161ec49ccbcff3af0_NeikiAnalytics.exe
2012	580135050f5fb4f161ec49ccbcff3af0_NeikiAnalytics.exe
2012	580135050f5fb4f161ec49ccbcff3af0_NeikiAnalytics.exe
2012	580135050f5fb4f161ec49ccbcff3af0_NeikiAnalytics.exe
2012	580135050f5fb4f161ec49ccbcff3af0_NeikiAnalytics.exe
2012	580135050f5fb4f161ec49ccbcff3af0_NeikiAnalytics.exe
2012	580135050f5fb4f161ec49ccbcff3af0_NeikiAnalytics.exe
2012	580135050f5fb4f161ec49ccbcff3af0_NeikiAnalytics.exe
2012	580135050f5fb4f161ec49ccbcff3af0_NeikiAnalytics.exe
2012	580135050f5fb4f161ec49ccbcff3af0_NeikiAnalytics.exe
2012	580135050f5fb4f161ec49ccbcff3af0_NeikiAnalytics.exe
2012	580135050f5fb4f161ec49ccbcff3af0_NeikiAnalytics.exe
2012	580135050f5fb4f161ec49ccbcff3af0_NeikiAnalytics.exe
2012	580135050f5fb4f161ec49ccbcff3af0_NeikiAnalytics.exe
2012	580135050f5fb4f161ec49ccbcff3af0_NeikiAnalytics.exe
2012	580135050f5fb4f161ec49ccbcff3af0_NeikiAnalytics.exe
2012	580135050f5fb4f161ec49ccbcff3af0_NeikiAnalytics.exe
2012	580135050f5fb4f161ec49ccbcff3af0_NeikiAnalytics.exe
2012	580135050f5fb4f161ec49ccbcff3af0_NeikiAnalytics.exe
2012	580135050f5fb4f161ec49ccbcff3af0_NeikiAnalytics.exe
2012	580135050f5fb4f161ec49ccbcff3af0_NeikiAnalytics.exe
2012	580135050f5fb4f161ec49ccbcff3af0_NeikiAnalytics.exe
2708	explorer.exe
2708	explorer.exe
2708	explorer.exe
2708	explorer.exe
2708	explorer.exe
2708	explorer.exe
2708	explorer.exe
2708	explorer.exe
2708	explorer.exe
2708	explorer.exe
2708	explorer.exe
2708	explorer.exe
2708	explorer.exe
2708	explorer.exe
2708	explorer.exe
2708	explorer.exe
2708	explorer.exe
2708	explorer.exe
2708	explorer.exe
2708	explorer.exe
2708	explorer.exe
2708	explorer.exe
2708	explorer.exe
2708	explorer.exe
2708	explorer.exe
2708	explorer.exe
2708	explorer.exe
2708	explorer.exe
2708	explorer.exe
2708	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2708	explorer.exe
3520	svchost.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2012	580135050f5fb4f161ec49ccbcff3af0_NeikiAnalytics.exe
2012	580135050f5fb4f161ec49ccbcff3af0_NeikiAnalytics.exe
2012	580135050f5fb4f161ec49ccbcff3af0_NeikiAnalytics.exe
2708	explorer.exe
2708	explorer.exe
2708	explorer.exe
464	spoolsv.exe
464	spoolsv.exe
464	spoolsv.exe
3520	svchost.exe
3520	svchost.exe
3520	svchost.exe
4776	spoolsv.exe
4776	spoolsv.exe
4776	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2708	2012	580135050f5fb4f161ec49ccbcff3af0_NeikiAnalytics.exe	83
PID 2012 wrote to memory of 2708	2012	580135050f5fb4f161ec49ccbcff3af0_NeikiAnalytics.exe	83
PID 2012 wrote to memory of 2708	2012	580135050f5fb4f161ec49ccbcff3af0_NeikiAnalytics.exe	83
PID 2708 wrote to memory of 464	2708	explorer.exe	85
PID 2708 wrote to memory of 464	2708	explorer.exe	85
PID 2708 wrote to memory of 464	2708	explorer.exe	85
PID 464 wrote to memory of 3520	464	spoolsv.exe	87
PID 464 wrote to memory of 3520	464	spoolsv.exe	87
PID 464 wrote to memory of 3520	464	spoolsv.exe	87
PID 3520 wrote to memory of 4776	3520	svchost.exe	88
PID 3520 wrote to memory of 4776	3520	svchost.exe	88
PID 3520 wrote to memory of 4776	3520	svchost.exe	88

C:\Users\Admin\AppData\Local\Temp\580135050f5fb4f161ec49ccbcff3af0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\580135050f5fb4f161ec49ccbcff3af0_NeikiAnalytics.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2012
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2708
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:464
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3520
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:4776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
1.2MB

MD5
cd8e5168fd7f679e244be0fffd42cb44

SHA1
e55ee27e42e9dd027e0b81fe4daaa67ce0e7e63b

SHA256
2a27e67d533e908cf51270d344685803f43314e35af82486b3c49401809bf083

SHA512
dbaab817b1214ce8561e73fe7cc451974652c0e1bb45733ce66a97c8f286f48442d76e6bdd833bc26b75f03d81a6bd147d93e51a7b717e794ce2b44069569569

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
1.2MB

MD5
c0d9a97d04a5a671590813e8c447f992

SHA1
24b52b5ebbe3a523a7dfca6d1ad659198819ff5e

SHA256
a56a6f1538cf28822a5dd511a57f29040db5c6542e2c644458827c44eaf6bef9

SHA512
4a31d8a2e6836f0cd3fe2f73dc7cccae3c3b82339b43ceb667ff4c3baca60326f7c50fa908c5d83b9a10018b911f8a0aa5869215e14dd8dc9b30fc48be2d9e06

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
1.2MB

MD5
eb7653baf5924272421e38de9c91c3b8

SHA1
6f9b583b9d9b57bcc5fbe43f0a90a9fa790a670d

SHA256
309cfff0c85438c3a5d588df142e0bf382a1d0db32875cdb8b523eedd16f0b74

SHA512
0cb033ec2c4548e9f115f8f495f183c60a5711ba49b0ecd7201971fe9bedf49478a5a24dbb48d836f3d1244748fba4af8b3b65fcfe407c7079ed6d3c1b05b17a

Download Submit
memory/464-39-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/464-18-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2012-41-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2012-0-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2708-45-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2708-48-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2708-66-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2708-56-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2708-42-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2708-64-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2708-9-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2708-44-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2708-62-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2708-70-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2708-60-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2708-50-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2708-68-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2708-52-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2708-58-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2708-54-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/3520-59-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/3520-47-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/3520-57-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/3520-53-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/3520-51-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/3520-49-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/3520-61-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/3520-55-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/3520-63-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/3520-43-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/3520-65-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/3520-27-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/3520-67-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/3520-69-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/4776-32-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/4776-37-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download