6aa3a52d6548cb3fce4b99edb274eef6458aae53888924f6861f55e29347768d

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
30/05/2024, 14:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

642f606c1fb317098b0054df2e901810_NeikiAnalytics.exe
Size

243KB
MD5

642f606c1fb317098b0054df2e901810
SHA1

58dbc386321b786e38dd8ede310f3009a99754b9
SHA256

6aa3a52d6548cb3fce4b99edb274eef6458aae53888924f6861f55e29347768d
SHA512

09865e26535bf61e47a0c605a02546065dd82f2663b8f75af0b22088f15c7187c81956b216d117d7aa32d0879b125685bef3fdb6ac72f12c50d89e51bf329484
SSDEEP

3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unvrBkfkTJR36m:5vEN2U+T6i5LirrllHy4HUcMQY6gasdL

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe

Executes dropped EXE 6 IoCs

pid	Process
2064	642f606c1fb317098b0054df2e901810_neikianalytics.exe
2860	icsys.icn.exe
2620	explorer.exe
2720	spoolsv.exe
2448	svchost.exe
2432	spoolsv.exe

Loads dropped DLL 11 IoCs

pid	Process
2924	642f606c1fb317098b0054df2e901810_NeikiAnalytics.exe
2924	642f606c1fb317098b0054df2e901810_NeikiAnalytics.exe
2924	642f606c1fb317098b0054df2e901810_NeikiAnalytics.exe
2860	icsys.icn.exe
2860	icsys.icn.exe
2620	explorer.exe
2620	explorer.exe
2720	spoolsv.exe
2720	spoolsv.exe
2448	svchost.exe
2448	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2860	icsys.icn.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2620	explorer.exe
2448	svchost.exe
2448	svchost.exe
2620	explorer.exe
2448	svchost.exe
2620	explorer.exe
2448	svchost.exe
2620	explorer.exe
2448	svchost.exe
2620	explorer.exe
2448	svchost.exe
2620	explorer.exe
2448	svchost.exe
2620	explorer.exe
2448	svchost.exe
2620	explorer.exe
2448	svchost.exe
2620	explorer.exe
2448	svchost.exe
2620	explorer.exe
2448	svchost.exe
2620	explorer.exe
2448	svchost.exe
2620	explorer.exe
2448	svchost.exe
2620	explorer.exe
2448	svchost.exe
2620	explorer.exe
2448	svchost.exe
2620	explorer.exe
2448	svchost.exe
2620	explorer.exe
2448	svchost.exe
2620	explorer.exe
2448	svchost.exe
2620	explorer.exe
2448	svchost.exe
2620	explorer.exe
2448	svchost.exe
2620	explorer.exe
2448	svchost.exe
2620	explorer.exe
2448	svchost.exe
2620	explorer.exe
2448	svchost.exe
2620	explorer.exe
2448	svchost.exe
2620	explorer.exe
2448	svchost.exe
2620	explorer.exe
2448	svchost.exe
2620	explorer.exe
2448	svchost.exe
2620	explorer.exe
2448	svchost.exe
2620	explorer.exe
2448	svchost.exe
2620	explorer.exe
2448	svchost.exe
2620	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2620	explorer.exe
2448	svchost.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2924	642f606c1fb317098b0054df2e901810_NeikiAnalytics.exe
2924	642f606c1fb317098b0054df2e901810_NeikiAnalytics.exe
2860	icsys.icn.exe
2860	icsys.icn.exe
2620	explorer.exe
2620	explorer.exe
2720	spoolsv.exe
2720	spoolsv.exe
2448	svchost.exe
2448	svchost.exe
2432	spoolsv.exe
2432	spoolsv.exe
2620	explorer.exe
2620	explorer.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 2064	2924	642f606c1fb317098b0054df2e901810_NeikiAnalytics.exe	28
PID 2924 wrote to memory of 2064	2924	642f606c1fb317098b0054df2e901810_NeikiAnalytics.exe	28
PID 2924 wrote to memory of 2064	2924	642f606c1fb317098b0054df2e901810_NeikiAnalytics.exe	28
PID 2924 wrote to memory of 2064	2924	642f606c1fb317098b0054df2e901810_NeikiAnalytics.exe	28
PID 2924 wrote to memory of 2860	2924	642f606c1fb317098b0054df2e901810_NeikiAnalytics.exe	29
PID 2924 wrote to memory of 2860	2924	642f606c1fb317098b0054df2e901810_NeikiAnalytics.exe	29
PID 2924 wrote to memory of 2860	2924	642f606c1fb317098b0054df2e901810_NeikiAnalytics.exe	29
PID 2924 wrote to memory of 2860	2924	642f606c1fb317098b0054df2e901810_NeikiAnalytics.exe	29
PID 2860 wrote to memory of 2620	2860	icsys.icn.exe	30
PID 2860 wrote to memory of 2620	2860	icsys.icn.exe	30
PID 2860 wrote to memory of 2620	2860	icsys.icn.exe	30
PID 2860 wrote to memory of 2620	2860	icsys.icn.exe	30
PID 2620 wrote to memory of 2720	2620	explorer.exe	31
PID 2620 wrote to memory of 2720	2620	explorer.exe	31
PID 2620 wrote to memory of 2720	2620	explorer.exe	31
PID 2620 wrote to memory of 2720	2620	explorer.exe	31
PID 2720 wrote to memory of 2448	2720	spoolsv.exe	32
PID 2720 wrote to memory of 2448	2720	spoolsv.exe	32
PID 2720 wrote to memory of 2448	2720	spoolsv.exe	32
PID 2720 wrote to memory of 2448	2720	spoolsv.exe	32
PID 2448 wrote to memory of 2432	2448	svchost.exe	33
PID 2448 wrote to memory of 2432	2448	svchost.exe	33
PID 2448 wrote to memory of 2432	2448	svchost.exe	33
PID 2448 wrote to memory of 2432	2448	svchost.exe	33
PID 2448 wrote to memory of 1792	2448	svchost.exe	34
PID 2448 wrote to memory of 1792	2448	svchost.exe	34
PID 2448 wrote to memory of 1792	2448	svchost.exe	34
PID 2448 wrote to memory of 1792	2448	svchost.exe	34
PID 2448 wrote to memory of 2760	2448	svchost.exe	38
PID 2448 wrote to memory of 2760	2448	svchost.exe	38
PID 2448 wrote to memory of 2760	2448	svchost.exe	38
PID 2448 wrote to memory of 2760	2448	svchost.exe	38
PID 2448 wrote to memory of 884	2448	svchost.exe	40
PID 2448 wrote to memory of 884	2448	svchost.exe	40
PID 2448 wrote to memory of 884	2448	svchost.exe	40
PID 2448 wrote to memory of 884	2448	svchost.exe	40

C:\Users\Admin\AppData\Local\Temp\642f606c1fb317098b0054df2e901810_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\642f606c1fb317098b0054df2e901810_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2924
- \??\c:\users\admin\appdata\local\temp\642f606c1fb317098b0054df2e901810_neikianalytics.exe
  c:\users\admin\appdata\local\temp\642f606c1fb317098b0054df2e901810_neikianalytics.exe
  2⤵
  - Executes dropped EXE
  PID:2064
- C:\Users\Admin\AppData\Local\icsys.icn.exe
  C:\Users\Admin\AppData\Local\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2860
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visiblity of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - \??\c:\windows\system\spoolsv.exe
      c:\windows\system\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2720
    - - \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        5⤵
        Modifies WinLogon for persistence
        Modifies visiblity of hidden/system files in Explorer
        Modifies Installed Components in the registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2448
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2432
      - C:\Windows\SysWOW64\at.exe
        
        at 14:07 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        
        PID:1792
      - C:\Windows\SysWOW64\at.exe
        
        at 14:08 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        
        PID:2760
      - C:\Windows\SysWOW64\at.exe
        
        at 14:09 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        
        PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\642f606c1fb317098b0054df2e901810_neikianalytics.exe

Filesize
36KB

MD5
99bbba77d9dc87fc0ddd6f8ec9d2b15a

SHA1
b44157e71ab8bb95d4267060ed5ae7203de2302a

SHA256
55636f93a18c3b8130559a436ad0e357e368f9c490a260d9dad7f924731b5150

SHA512
b92c829a3e77bd101e1c7adaaf8673420d4b75557a906406e980571cf05a2b2deeb7f647aa7b13fbe67456d8fcb54e08fab5df0c8e0905e5e285aaf6728e5611

Download Submit
C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
cbdad00c12c39728439f074678535d9c

SHA1
eda2540677ab9295e166241b863a09eb26af9eb7

SHA256
01de3f4fc0083130eefcaa7119374cc44afd16a3d97a47a0a2b92fd3881b8567

SHA512
79b610c8cfc85dbcae288a94262ba214a3a2cfbb63060dc017d6f723f55db67320ca613dc7555d1450c1d18e07f1ea4cf436c09ac0705834170dcc6e9b51641c

Download Submit
\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
c51482c09b452bcde8f0253f6f6a523e

SHA1
5275aff5d91abfe914d3e6390eef7e087d701a58

SHA256
aa0705c51d1d1b0628eb0052fc6f8dc85ba43eec4edab5ea5fc0c952d7306e6e

SHA512
6b1fce927263e5ef19efe97f6298ddcec8b742120ec1935b61694a796df2085123edee7b240583fc41bbd2bc24f0663623faf87f0c7e8ac75d3f00d720634faf

Download Submit
\Windows\system\explorer.exe

Filesize
206KB

MD5
137627bd9758a095ef5f29d805306bbe

SHA1
8a7dfbbc826aecb76b525e523537da79540db5bc

SHA256
f428fc5f3daf2cae7dec482a4da47013e91f84848e19d9efc07a175c4b61f974

SHA512
008736423346e5b65d1616887c6bd47a507a80775d3bfdba13cc8fcbf7a594b1a45c306179f5b642b5348c1913499585203db42317fb83d4f6ef94560c2fb87f

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
7c783e81f4a99aa142239e4d8be2fe74

SHA1
5b43d3004bb31eb534a50b13b8a1cd307af7c387

SHA256
fc1f520f4180cc0e8342d9018a1e711d72855ea70ecd4a80322dcabde0ba9053

SHA512
ca524a1c4b0bee067af4c8544fd69261bf4d0612f779b9be93adab6b92836a13262279c901b7f5b95def1e0cb904cf189c45bf2a0d8c17599ea49c74fb9f50d6

Download Submit
\Windows\system\svchost.exe

Filesize
206KB

MD5
57d2695a354218e0c29ffc5554b6c0f7

SHA1
a37fb024c80250c658ccd640c3b220bed6554825

SHA256
125468e112911d134227091c9d73467faece0ad413c4fd29383583368d8a6d52

SHA512
a009f9adb4662687b4712a2462f98b6cfc199653a17aa0977d80578c1fb96272ad7e9a629d544f5d9ad8c298b23d7e94c0b49d11844e98896c3e1e58e1816632

Download Submit
memory/2432-67-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2620-38-0x0000000002C30000-0x0000000002C70000-memory.dmp

Filesize
256KB

Download
memory/2720-70-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2860-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2924-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2924-71-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2924-16-0x0000000002470000-0x00000000024B0000-memory.dmp

Filesize
256KB

Download