Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
30-05-2024 13:04
Static task
static1
Behavioral task
behavioral1
Sample
6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe
-
Size
89KB
-
MD5
6e69ce42995c67a7d08e5beb171a0b60
-
SHA1
92ef26c42433f3360a00dfaddebb88f8d5f883ec
-
SHA256
79db5ee51b3e04f6d56b27a9305c39331e803e363994b0ab6ed64b0e1aa4701c
-
SHA512
1a1043d69c51a8c9408f57bde5017bf4a6cb14849a6a534d42b497a212f50c7358847bea8cccd7224fa5a3294f5f9ecd11f87186c80d0cf9174280bbf9d74ec0
-
SSDEEP
1536:71sMveb4lR0daHy9v7Zc86y9U4AFRfBWAEnn:BDeb4T0daHy9DZc86yGUtnn
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," SPOOLSV.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," SVCHOST.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," SVCHOST.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe," 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" SVCHOST.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" SPOOLSV.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" SVCHOST.EXE -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" SPOOLSV.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" SVCHOST.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" SVCHOST.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe -
Executes dropped EXE 12 IoCs
pid Process 2472 SVCHOST.EXE 2076 SVCHOST.EXE 3036 SVCHOST.EXE 2760 SVCHOST.EXE 2272 SVCHOST.EXE 2804 SPOOLSV.EXE 1664 SVCHOST.EXE 2688 SVCHOST.EXE 2548 SPOOLSV.EXE 2968 SPOOLSV.EXE 1316 SVCHOST.EXE 2720 SPOOLSV.EXE -
Loads dropped DLL 20 IoCs
pid Process 2128 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe 2128 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe 2472 SVCHOST.EXE 2472 SVCHOST.EXE 2472 SVCHOST.EXE 3036 SVCHOST.EXE 3036 SVCHOST.EXE 3036 SVCHOST.EXE 3036 SVCHOST.EXE 3036 SVCHOST.EXE 2804 SPOOLSV.EXE 2804 SPOOLSV.EXE 2804 SPOOLSV.EXE 2804 SPOOLSV.EXE 2804 SPOOLSV.EXE 2472 SVCHOST.EXE 2472 SVCHOST.EXE 2128 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe 2128 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe 2128 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe -
Drops desktop.ini file(s) 2 IoCs
description ioc Process File opened for modification C:\Recycled\desktop.ini 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe File opened for modification F:\Recycled\desktop.ini 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\R: SVCHOST.EXE File opened (read-only) \??\W: SVCHOST.EXE File opened (read-only) \??\I: SVCHOST.EXE File opened (read-only) \??\Q: SVCHOST.EXE File opened (read-only) \??\T: SVCHOST.EXE File opened (read-only) \??\Z: SVCHOST.EXE File opened (read-only) \??\P: SVCHOST.EXE File opened (read-only) \??\E: 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe File opened (read-only) \??\G: 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe File opened (read-only) \??\I: SPOOLSV.EXE File opened (read-only) \??\W: SPOOLSV.EXE File opened (read-only) \??\Z: SVCHOST.EXE File opened (read-only) \??\M: SPOOLSV.EXE File opened (read-only) \??\N: SPOOLSV.EXE File opened (read-only) \??\I: 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe File opened (read-only) \??\Z: 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe File opened (read-only) \??\E: SVCHOST.EXE File opened (read-only) \??\H: SVCHOST.EXE File opened (read-only) \??\M: SVCHOST.EXE File opened (read-only) \??\H: 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe File opened (read-only) \??\Q: SVCHOST.EXE File opened (read-only) \??\U: SVCHOST.EXE File opened (read-only) \??\P: SVCHOST.EXE File opened (read-only) \??\K: SVCHOST.EXE File opened (read-only) \??\T: SVCHOST.EXE File opened (read-only) \??\E: SPOOLSV.EXE File opened (read-only) \??\Q: SPOOLSV.EXE File opened (read-only) \??\V: 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe File opened (read-only) \??\G: SVCHOST.EXE File opened (read-only) \??\Y: SVCHOST.EXE File opened (read-only) \??\J: SPOOLSV.EXE File opened (read-only) \??\O: SPOOLSV.EXE File opened (read-only) \??\U: SPOOLSV.EXE File opened (read-only) \??\R: 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe File opened (read-only) \??\Y: 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe File opened (read-only) \??\L: SVCHOST.EXE File opened (read-only) \??\R: SPOOLSV.EXE File opened (read-only) \??\S: SPOOLSV.EXE File opened (read-only) \??\G: SPOOLSV.EXE File opened (read-only) \??\Z: SPOOLSV.EXE File opened (read-only) \??\K: 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe File opened (read-only) \??\U: 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe File opened (read-only) \??\J: SVCHOST.EXE File opened (read-only) \??\O: SVCHOST.EXE File opened (read-only) \??\X: SVCHOST.EXE File opened (read-only) \??\T: 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe File opened (read-only) \??\K: SVCHOST.EXE File opened (read-only) \??\Y: SVCHOST.EXE File opened (read-only) \??\E: SVCHOST.EXE File opened (read-only) \??\I: SVCHOST.EXE File opened (read-only) \??\J: SVCHOST.EXE File opened (read-only) \??\J: 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe File opened (read-only) \??\O: SVCHOST.EXE File opened (read-only) \??\S: SVCHOST.EXE File opened (read-only) \??\U: SVCHOST.EXE File opened (read-only) \??\W: SVCHOST.EXE File opened (read-only) \??\N: 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe File opened (read-only) \??\W: 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe File opened (read-only) \??\L: SVCHOST.EXE File opened (read-only) \??\H: SPOOLSV.EXE File opened (read-only) \??\T: SPOOLSV.EXE File opened (read-only) \??\H: SVCHOST.EXE File opened (read-only) \??\L: SPOOLSV.EXE File opened (read-only) \??\P: SPOOLSV.EXE -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\docicon.exe 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size" SPOOLSV.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size" SVCHOST.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\SHELL\INSTALL 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size" SVCHOST.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size" SVCHOST.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size" SVCHOST.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1980 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2804 SPOOLSV.EXE 2804 SPOOLSV.EXE 2804 SPOOLSV.EXE 2804 SPOOLSV.EXE 2804 SPOOLSV.EXE 2804 SPOOLSV.EXE 2804 SPOOLSV.EXE 2804 SPOOLSV.EXE 3036 SVCHOST.EXE 3036 SVCHOST.EXE 3036 SVCHOST.EXE 3036 SVCHOST.EXE 3036 SVCHOST.EXE 3036 SVCHOST.EXE 3036 SVCHOST.EXE 3036 SVCHOST.EXE 2472 SVCHOST.EXE 2472 SVCHOST.EXE 2472 SVCHOST.EXE 2472 SVCHOST.EXE 2472 SVCHOST.EXE 2472 SVCHOST.EXE 2472 SVCHOST.EXE 2472 SVCHOST.EXE 2128 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe 2128 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe 2128 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe 2128 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe 2128 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe 2128 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe 2128 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe 2128 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe 2128 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe 2128 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe 2128 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe 2128 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe 2128 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe 2128 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe 2128 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe 2128 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe 2128 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe 2128 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe 3036 SVCHOST.EXE 3036 SVCHOST.EXE 3036 SVCHOST.EXE 3036 SVCHOST.EXE 3036 SVCHOST.EXE 3036 SVCHOST.EXE 3036 SVCHOST.EXE 3036 SVCHOST.EXE 2804 SPOOLSV.EXE 2804 SPOOLSV.EXE 2804 SPOOLSV.EXE 2804 SPOOLSV.EXE 2804 SPOOLSV.EXE 2804 SPOOLSV.EXE 2804 SPOOLSV.EXE 2804 SPOOLSV.EXE 2804 SPOOLSV.EXE 2804 SPOOLSV.EXE 3036 SVCHOST.EXE 3036 SVCHOST.EXE 3036 SVCHOST.EXE 3036 SVCHOST.EXE -
Suspicious use of SetWindowsHookEx 15 IoCs
pid Process 2128 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe 2472 SVCHOST.EXE 2076 SVCHOST.EXE 3036 SVCHOST.EXE 2760 SVCHOST.EXE 2272 SVCHOST.EXE 2804 SPOOLSV.EXE 1664 SVCHOST.EXE 2688 SVCHOST.EXE 2548 SPOOLSV.EXE 2968 SPOOLSV.EXE 1316 SVCHOST.EXE 2720 SPOOLSV.EXE 1980 WINWORD.EXE 1980 WINWORD.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2128 wrote to memory of 2472 2128 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe 28 PID 2128 wrote to memory of 2472 2128 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe 28 PID 2128 wrote to memory of 2472 2128 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe 28 PID 2128 wrote to memory of 2472 2128 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe 28 PID 2472 wrote to memory of 2076 2472 SVCHOST.EXE 29 PID 2472 wrote to memory of 2076 2472 SVCHOST.EXE 29 PID 2472 wrote to memory of 2076 2472 SVCHOST.EXE 29 PID 2472 wrote to memory of 2076 2472 SVCHOST.EXE 29 PID 2472 wrote to memory of 3036 2472 SVCHOST.EXE 30 PID 2472 wrote to memory of 3036 2472 SVCHOST.EXE 30 PID 2472 wrote to memory of 3036 2472 SVCHOST.EXE 30 PID 2472 wrote to memory of 3036 2472 SVCHOST.EXE 30 PID 3036 wrote to memory of 2760 3036 SVCHOST.EXE 31 PID 3036 wrote to memory of 2760 3036 SVCHOST.EXE 31 PID 3036 wrote to memory of 2760 3036 SVCHOST.EXE 31 PID 3036 wrote to memory of 2760 3036 SVCHOST.EXE 31 PID 3036 wrote to memory of 2272 3036 SVCHOST.EXE 32 PID 3036 wrote to memory of 2272 3036 SVCHOST.EXE 32 PID 3036 wrote to memory of 2272 3036 SVCHOST.EXE 32 PID 3036 wrote to memory of 2272 3036 SVCHOST.EXE 32 PID 3036 wrote to memory of 2804 3036 SVCHOST.EXE 33 PID 3036 wrote to memory of 2804 3036 SVCHOST.EXE 33 PID 3036 wrote to memory of 2804 3036 SVCHOST.EXE 33 PID 3036 wrote to memory of 2804 3036 SVCHOST.EXE 33 PID 2804 wrote to memory of 1664 2804 SPOOLSV.EXE 34 PID 2804 wrote to memory of 1664 2804 SPOOLSV.EXE 34 PID 2804 wrote to memory of 1664 2804 SPOOLSV.EXE 34 PID 2804 wrote to memory of 1664 2804 SPOOLSV.EXE 34 PID 2804 wrote to memory of 2688 2804 SPOOLSV.EXE 35 PID 2804 wrote to memory of 2688 2804 SPOOLSV.EXE 35 PID 2804 wrote to memory of 2688 2804 SPOOLSV.EXE 35 PID 2804 wrote to memory of 2688 2804 SPOOLSV.EXE 35 PID 2804 wrote to memory of 2548 2804 SPOOLSV.EXE 36 PID 2804 wrote to memory of 2548 2804 SPOOLSV.EXE 36 PID 2804 wrote to memory of 2548 2804 SPOOLSV.EXE 36 PID 2804 wrote to memory of 2548 2804 SPOOLSV.EXE 36 PID 2472 wrote to memory of 2968 2472 SVCHOST.EXE 37 PID 2472 wrote to memory of 2968 2472 SVCHOST.EXE 37 PID 2472 wrote to memory of 2968 2472 SVCHOST.EXE 37 PID 2472 wrote to memory of 2968 2472 SVCHOST.EXE 37 PID 2128 wrote to memory of 1316 2128 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe 39 PID 2128 wrote to memory of 1316 2128 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe 39 PID 2128 wrote to memory of 1316 2128 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe 39 PID 2128 wrote to memory of 1316 2128 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe 39 PID 2472 wrote to memory of 2724 2472 SVCHOST.EXE 38 PID 2472 wrote to memory of 2724 2472 SVCHOST.EXE 38 PID 2472 wrote to memory of 2724 2472 SVCHOST.EXE 38 PID 2472 wrote to memory of 2724 2472 SVCHOST.EXE 38 PID 2128 wrote to memory of 2720 2128 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe 40 PID 2128 wrote to memory of 2720 2128 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe 40 PID 2128 wrote to memory of 2720 2128 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe 40 PID 2128 wrote to memory of 2720 2128 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe 40 PID 2724 wrote to memory of 1956 2724 userinit.exe 41 PID 2724 wrote to memory of 1956 2724 userinit.exe 41 PID 2724 wrote to memory of 1956 2724 userinit.exe 41 PID 2724 wrote to memory of 1956 2724 userinit.exe 41 PID 2128 wrote to memory of 1980 2128 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe 42 PID 2128 wrote to memory of 1980 2128 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe 42 PID 2128 wrote to memory of 1980 2128 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe 42 PID 2128 wrote to memory of 1980 2128 6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe 42 PID 1980 wrote to memory of 1652 1980 WINWORD.EXE 47 PID 1980 wrote to memory of 1652 1980 WINWORD.EXE 47 PID 1980 wrote to memory of 1652 1980 WINWORD.EXE 47 PID 1980 wrote to memory of 1652 1980 WINWORD.EXE 47
Processes
-
C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\recycled\SVCHOST.EXEC:\recycled\SVCHOST.EXE :agent2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\recycled\SVCHOST.EXEC:\recycled\SVCHOST.EXE :agent3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2076
-
-
F:\recycled\SVCHOST.EXEF:\recycled\SVCHOST.EXE :agent3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\recycled\SVCHOST.EXEC:\recycled\SVCHOST.EXE :agent4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2760
-
-
F:\recycled\SVCHOST.EXEF:\recycled\SVCHOST.EXE :agent4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2272
-
-
C:\recycled\SPOOLSV.EXEC:\recycled\SPOOLSV.EXE :agent4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\recycled\SVCHOST.EXEC:\recycled\SVCHOST.EXE :agent5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1664
-
-
F:\recycled\SVCHOST.EXEF:\recycled\SVCHOST.EXE :agent5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2688
-
-
C:\recycled\SPOOLSV.EXEC:\recycled\SPOOLSV.EXE :agent5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2548
-
-
-
-
C:\recycled\SPOOLSV.EXEC:\recycled\SPOOLSV.EXE :agent3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2968
-
-
C:\Windows\SysWOW64\userinit.exeC:\Windows\system32\userinit.exe3⤵
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE4⤵PID:1956
-
-
-
-
F:\recycled\SVCHOST.EXEF:\recycled\SVCHOST.EXE :agent2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1316
-
-
C:\recycled\SPOOLSV.EXEC:\recycled\SPOOLSV.EXE :agent2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2720
-
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6e69ce42995c67a7d08e5beb171a0b60_NeikiAnalytics.doc"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵PID:1652
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD50269b6347e473980c5378044ac67aa1f
SHA1c3334de50e320ad8bce8398acff95c363d039245
SHA25668f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2
SHA512e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b
-
Filesize
2B
MD52b9d4fa85c8e82132bde46b143040142
SHA1a02431cf7c501a5b368c91e41283419d8fa9fb03
SHA2564658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142
SHA512c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be
-
Filesize
89KB
MD57ff93d0514eceb0211c206844b2b204f
SHA10f8bc74dacdedae1dc02110543c05da5560193c6
SHA25696153b57662b2aa88878017d93673d50d6b15f3fd43b6c5c4162a71e946b60dd
SHA5129166940ac2baace0af590a552cbee442a14395a55c7561704bc8acff06cc3d972de85f45c668c730131637bb748408c9dd4e149df39e18c8e10434af248a00e7
-
Filesize
89KB
MD58922b4a060f7e5fbe2cf31e16338dc4d
SHA172a177373b1cef99dc66fa28e33dd6f27be8a48d
SHA25651dc0f633b62680165b82ee2931d98f5fb856ed02ee32dded77e635b5324523b
SHA5127c78ff85774c4c4500608d6022fda8a42e4172c8ba95aad7887d7777e41fcbe17ffef0bfb65321d6bd8200ce48cdba01fe1b2fc813e4be30d0c05d377a17df6f
-
Filesize
89KB
MD5bd239d379298357d6d38d90cd991ac69
SHA134446066ddea9afbc4e9c71c24c21a0bae4359ad
SHA25633a78d4f55b3a62d3d63675a2b8a353e9e5d98fa5bbfb0a123517ee506515352
SHA51273ec09f27d89272ee4a7fcc40f64f796f617ccc5f84a35f7e923e89d18034e65fb801eccbaaffa4825e3ce346e009b1978c45809c2ed3b5bde317205f3335f58