Malware Analysis Report

2025-01-06 07:47

Sample ID 240530-qd1jmshf6v
Target de39c54c503bffd2d9dd6827d3b128a0_NeikiAnalytics.exe
SHA256 58db54e0af022ae3e759e7fbe74ceca33853f81ad09d6af4ecc231e6aa844681
Tags: evasion persistence trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 58db54e0af022ae3e759e7fbe74ceca33853f81ad09d6af4ecc231e6aa844681

Threat Level: Known bad

The file de39c54c503bffd2d9dd6827d3b128a0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence trojan

Detects BazaLoader malware

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Modifies Installed Components in the registry

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam


Analysis: static1

Detonation Overview

Reported: 2024-05-30 13:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-30 13:09
Reported: 2024-05-30 13:12
Platform: win7-20240220-en
Max time kernel: 150s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\de39c54c503bffd2d9dd6827d3b128a0_NeikiAnalytics.exe"

Signatures

Detects BazaLoader malware

trojan
Description Indicator Process Target
N/A N/A N/A N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\de39c54c503bffd2d9dd6827d3b128a0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\de39c54c503bffd2d9dd6827d3b128a0_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2872 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\de39c54c503bffd2d9dd6827d3b128a0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 2872 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\de39c54c503bffd2d9dd6827d3b128a0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 2872 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\de39c54c503bffd2d9dd6827d3b128a0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 2872 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\de39c54c503bffd2d9dd6827d3b128a0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 2492 wrote to memory of 2556 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2492 wrote to memory of 2556 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2492 wrote to memory of 2556 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2492 wrote to memory of 2556 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2556 wrote to memory of 2728 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2556 wrote to memory of 2728 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2556 wrote to memory of 2728 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2556 wrote to memory of 2728 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2728 wrote to memory of 2392 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2728 wrote to memory of 2392 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2728 wrote to memory of 2392 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2728 wrote to memory of 2392 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2728 wrote to memory of 1564 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2728 wrote to memory of 1564 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2728 wrote to memory of 1564 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2728 wrote to memory of 1564 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2728 wrote to memory of 2004 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2728 wrote to memory of 2004 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2728 wrote to memory of 2004 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2728 wrote to memory of 2004 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2728 wrote to memory of 612 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2728 wrote to memory of 612 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2728 wrote to memory of 612 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2728 wrote to memory of 612 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\de39c54c503bffd2d9dd6827d3b128a0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\de39c54c503bffd2d9dd6827d3b128a0_NeikiAnalytics.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 13:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 13:12 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 13:13 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

N/A

Files

\Windows\system\explorer.exe

MD5 0dc58a0eece5a30d4f35a301f10b63ba
SHA1 e2f4df7c84d0b5db68faa262833afec56cf6eb8b
SHA256 90b664c594607be3c713323cb37c683b43b97fe8e7b06139ac5a7f1fb9f0ca0d
SHA512 0d80c6369263fc9cc19823aaf6a76783e7bfadfc687c6c131bfd1ae8a69010979e9d26af35d06ace93ba7bbde287755345ba7ff9d8ec02b2d8058ecdd6fbcdf4

\Windows\system\spoolsv.exe

MD5 526de2939fd4f65eb2278e3a65f49652
SHA1 afe9fa4ee2a92b3f23504ca70cc08ccdf82bbef9
SHA256 96da65dc0fa461714ea3aa81a4b9f71ef9dd70d88bced0282c01aced9ae13f6f
SHA512 9d6d11e5031dd372145d4e6c25f3b173bccb354800739a2ec424a3de72dce2ab9da38a19a0aba02958e16ad706f2649be001915c86dbc464f6a771a689b017a5

\Windows\system\svchost.exe

MD5 8e8ff15eff63b0d91a394365ea891517
SHA1 f3ce6f2c386747f71293a366e78d5c9767427c08
SHA256 4e72f4f99e4f6d6dbddb7ca281fbe36d48ec10d72b322c4490549793dfe7cf42
SHA512 8c764842f5c0dba7c43cfe18f9907b1f010ebc2715c1f6b7f52c6af56d851576e202cfa9f140221e31f3fcfa1cd9eae7a5140657b1d6fa7d7bb9c79986943623

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 83201eb93e5217604f3e3fbb7ba38f02
SHA1 e761f2ef90e68a49e18eab3719fd8e63a46a5492
SHA256 f4ff6e5e7ceebd2660b8cf375fa32e07fa0b029c2fb61618e66d4e39d048e692
SHA512 befbae43aa78c1f59961b3025d8a3f842ee4a90c6f3103e2aa376220a0b6f592f23533b7c5b36bc75eabe154325514adaaba24bf3778ca783f228b9f2a8e139d

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-30 13:09
Reported: 2024-05-30 13:12
Platform: win10v2004-20240426-en
Max time kernel: 150s
Max time network: 95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\de39c54c503bffd2d9dd6827d3b128a0_NeikiAnalytics.exe"

Signatures

Detects BazaLoader malware

trojan
Description Indicator Process Target
N/A N/A N/A N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\de39c54c503bffd2d9dd6827d3b128a0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\de39c54c503bffd2d9dd6827d3b128a0_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3956 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\de39c54c503bffd2d9dd6827d3b128a0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 3956 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\de39c54c503bffd2d9dd6827d3b128a0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 3956 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\de39c54c503bffd2d9dd6827d3b128a0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 1420 wrote to memory of 2512 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1420 wrote to memory of 2512 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1420 wrote to memory of 2512 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2512 wrote to memory of 4896 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2512 wrote to memory of 4896 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2512 wrote to memory of 4896 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 4896 wrote to memory of 1936 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 4896 wrote to memory of 1936 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 4896 wrote to memory of 1936 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 4896 wrote to memory of 1944 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4896 wrote to memory of 1944 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4896 wrote to memory of 1944 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4896 wrote to memory of 2400 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4896 wrote to memory of 2400 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4896 wrote to memory of 2400 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4896 wrote to memory of 848 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4896 wrote to memory of 848 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4896 wrote to memory of 848 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\de39c54c503bffd2d9dd6827d3b128a0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\de39c54c503bffd2d9dd6827d3b128a0_NeikiAnalytics.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 13:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 13:12 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 13:13 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 83.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

C:\Windows\System\explorer.exe

MD5 48d432e3bf4ab60a623168ea7d592bf5
SHA1 a585897d8f67cee0d2590b962b9fb0f0bfd44dc9
SHA256 aa51a55cddb8c3f777feeb2aef4ca92a3d758df50cfe516cee3d353b88a53f54
SHA512 c08cf54e23ae501b7b16c7acf97e23245ca7572b0f2f092927af83f97a38bae78a55684a9e8a76d4435b39cae2b01c19a1f197a1926b1c879c4670708a4987f1

C:\Windows\System\spoolsv.exe

MD5 74cd80c9ec33a0a3673a9cf4605d951f
SHA1 f998ce9b3a27057e9240e4db808a0f40be11d624
SHA256 15f5c9a24e84e78155fe91223f38ba02ea562328ca6e140cf96fec93321233d7
SHA512 b865de7c5233f14b9904992f66cb15f883c82e6bc16612948e4838f8816abd669286d417d63c92dea9ebf78c4c3603e209dcc3e165b94adbe4f7346b4074f2e7

C:\Windows\System\svchost.exe

MD5 6bc9b2beebaf611918edcd5b3541bc96
SHA1 8a0dfc9d52a6605dbc81bbf5d7fc318f7245ae29
SHA256 66d4ada375cfbc5f8e9bd489858c48f7816bffb9af8e8b6b2a019ab7f7db31a9
SHA512 1f0c2e42f906b329822b6d46a20518565d770dadf6968de602c8e478fefdda03cee5d5e8e0f1a20c4ea007d3e781bb73352f22fa0a6b41ba550dd7f4f446fdb9

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 d405202312f8a11914f2e39d42ec2f15
SHA1 1dc6d4cac791a1f0dd65fc6c0600a0830db3d125
SHA256 ac5c4acce1d5f73a4581b2f808bf3487fec6050dea5c92a23c611d9c20b27af1
SHA512 274da7ec11622c06889b9beb940e1c4245d3753fe18fb9a77c1b145fa4f44973310657622ab3eaa6cd31c3f7123a7d0706eea34b77761f1fde52b5be472e92df

\??\PIPE\atsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e