6aa3a52d6548cb3fce4b99edb274eef6458aae53888924f6861f55e29347768d

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 14:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

642f606c1fb317098b0054df2e901810_NeikiAnalytics.exe
Size

243KB
MD5

642f606c1fb317098b0054df2e901810
SHA1

58dbc386321b786e38dd8ede310f3009a99754b9
SHA256

6aa3a52d6548cb3fce4b99edb274eef6458aae53888924f6861f55e29347768d
SHA512

09865e26535bf61e47a0c605a02546065dd82f2663b8f75af0b22088f15c7187c81956b216d117d7aa32d0879b125685bef3fdb6ac72f12c50d89e51bf329484
SSDEEP

3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unvrBkfkTJR36m:5vEN2U+T6i5LirrllHy4HUcMQY6gasdL

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe

Executes dropped EXE 6 IoCs

pid	Process
2224	642f606c1fb317098b0054df2e901810_neikianalytics.exe
4604	icsys.icn.exe
3448	explorer.exe
1584	spoolsv.exe
772	svchost.exe
3324	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4604	icsys.icn.exe
4604	icsys.icn.exe
3448	explorer.exe
3448	explorer.exe
3448	explorer.exe
3448	explorer.exe
3448	explorer.exe
3448	explorer.exe
3448	explorer.exe
3448	explorer.exe
772	svchost.exe
772	svchost.exe
772	svchost.exe
772	svchost.exe
3448	explorer.exe
3448	explorer.exe
772	svchost.exe
772	svchost.exe
3448	explorer.exe
3448	explorer.exe
772	svchost.exe
772	svchost.exe
3448	explorer.exe
3448	explorer.exe
772	svchost.exe
772	svchost.exe
3448	explorer.exe
3448	explorer.exe
772	svchost.exe
772	svchost.exe
3448	explorer.exe
3448	explorer.exe
772	svchost.exe
772	svchost.exe
3448	explorer.exe
3448	explorer.exe
772	svchost.exe
772	svchost.exe
3448	explorer.exe
3448	explorer.exe
772	svchost.exe
772	svchost.exe
3448	explorer.exe
3448	explorer.exe
772	svchost.exe
772	svchost.exe
3448	explorer.exe
3448	explorer.exe
772	svchost.exe
772	svchost.exe
3448	explorer.exe
3448	explorer.exe
772	svchost.exe
772	svchost.exe
3448	explorer.exe
3448	explorer.exe
772	svchost.exe
772	svchost.exe
3448	explorer.exe
3448	explorer.exe
772	svchost.exe
772	svchost.exe
3448	explorer.exe
3448	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3448	explorer.exe
772	svchost.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1612	642f606c1fb317098b0054df2e901810_NeikiAnalytics.exe
1612	642f606c1fb317098b0054df2e901810_NeikiAnalytics.exe
4604	icsys.icn.exe
4604	icsys.icn.exe
3448	explorer.exe
3448	explorer.exe
1584	spoolsv.exe
1584	spoolsv.exe
772	svchost.exe
772	svchost.exe
3324	spoolsv.exe
3324	spoolsv.exe
3448	explorer.exe
3448	explorer.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 2224	1612	642f606c1fb317098b0054df2e901810_NeikiAnalytics.exe	83
PID 1612 wrote to memory of 2224	1612	642f606c1fb317098b0054df2e901810_NeikiAnalytics.exe	83
PID 1612 wrote to memory of 4604	1612	642f606c1fb317098b0054df2e901810_NeikiAnalytics.exe	84
PID 1612 wrote to memory of 4604	1612	642f606c1fb317098b0054df2e901810_NeikiAnalytics.exe	84
PID 1612 wrote to memory of 4604	1612	642f606c1fb317098b0054df2e901810_NeikiAnalytics.exe	84
PID 4604 wrote to memory of 3448	4604	icsys.icn.exe	85
PID 4604 wrote to memory of 3448	4604	icsys.icn.exe	85
PID 4604 wrote to memory of 3448	4604	icsys.icn.exe	85
PID 3448 wrote to memory of 1584	3448	explorer.exe	86
PID 3448 wrote to memory of 1584	3448	explorer.exe	86
PID 3448 wrote to memory of 1584	3448	explorer.exe	86
PID 1584 wrote to memory of 772	1584	spoolsv.exe	87
PID 1584 wrote to memory of 772	1584	spoolsv.exe	87
PID 1584 wrote to memory of 772	1584	spoolsv.exe	87
PID 772 wrote to memory of 3324	772	svchost.exe	88
PID 772 wrote to memory of 3324	772	svchost.exe	88
PID 772 wrote to memory of 3324	772	svchost.exe	88
PID 772 wrote to memory of 1008	772	svchost.exe	89
PID 772 wrote to memory of 1008	772	svchost.exe	89
PID 772 wrote to memory of 1008	772	svchost.exe	89
PID 772 wrote to memory of 3276	772	svchost.exe	107
PID 772 wrote to memory of 3276	772	svchost.exe	107
PID 772 wrote to memory of 3276	772	svchost.exe	107
PID 772 wrote to memory of 1580	772	svchost.exe	116
PID 772 wrote to memory of 1580	772	svchost.exe	116
PID 772 wrote to memory of 1580	772	svchost.exe	116

C:\Users\Admin\AppData\Local\Temp\642f606c1fb317098b0054df2e901810_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\642f606c1fb317098b0054df2e901810_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1612
- \??\c:\users\admin\appdata\local\temp\642f606c1fb317098b0054df2e901810_neikianalytics.exe
  c:\users\admin\appdata\local\temp\642f606c1fb317098b0054df2e901810_neikianalytics.exe
  2⤵
  - Executes dropped EXE
  PID:2224
- C:\Users\Admin\AppData\Local\icsys.icn.exe
  C:\Users\Admin\AppData\Local\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4604
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visiblity of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3448
  - - \??\c:\windows\system\spoolsv.exe
      c:\windows\system\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1584
    - - \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        5⤵
        Modifies WinLogon for persistence
        Modifies visiblity of hidden/system files in Explorer
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:772
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3324
      - C:\Windows\SysWOW64\at.exe
        
        at 14:07 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        
        PID:1008
      - C:\Windows\SysWOW64\at.exe
        
        at 14:08 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        
        PID:3276
      - C:\Windows\SysWOW64\at.exe
        
        at 14:09 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        
        PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
c51482c09b452bcde8f0253f6f6a523e

SHA1
5275aff5d91abfe914d3e6390eef7e087d701a58

SHA256
aa0705c51d1d1b0628eb0052fc6f8dc85ba43eec4edab5ea5fc0c952d7306e6e

SHA512
6b1fce927263e5ef19efe97f6298ddcec8b742120ec1935b61694a796df2085123edee7b240583fc41bbd2bc24f0663623faf87f0c7e8ac75d3f00d720634faf

Download Submit
C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
4e0c351b77022dbc14b0fb64eed30789

SHA1
ea73ab436b80073a5351c0e4c08fe62981a597d5

SHA256
acd1a407fa552ae4e8f6ead2f17d106fe4bcebf29f6371bf5d272c1b80b603eb

SHA512
8aea797c72d49e040dc0dd0a5db19226d58d76bac81cfb4f0fb376d85d14d9c9a31dde210e1d6784279b9b58bcb3b3212e523ea872af16bb8c87cac5d80de1c7

Download Submit
C:\Windows\System\explorer.exe

Filesize
206KB

MD5
3963ce463df02f1f109d464566c2e1bd

SHA1
62a6f7347870094cb4dbbd5aedab12419ec5d4d9

SHA256
81e5f24ca1e85ec286f228746c680000c96bad0b322985ac1533b02948b3201e

SHA512
2c10c3eda2ea3b6d658d6e174a028707a927978ec6adbe56a0924b8015c5d1d5b53d62be4f8147866face2c0fefd04a2759fb47627e4e19e1b4994fcf9e48eef

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
206KB

MD5
6e02cf247051c4f0213c6c159120d8e5

SHA1
51f14f8f1349c4d582f8d535ab182e58b6eefeb3

SHA256
3c7b17b2043b7f44042c8d8b27a9f0975650676ed5eb53959f4c2d259d7bf22b

SHA512
8dca0e1e1c7634c9a0184e17c4505169b363e5329992304d7b77641b4a8340c0fe65b2e6a4bbb865d8a7d2bf3a60e88efdfa170449bae95563607b93b6c1dc9f

Download Submit
C:\Windows\System\svchost.exe

Filesize
206KB

MD5
83246219bf8bc1cba35fe222c3614dfb

SHA1
8c656462978411c951d32eed9e7de391059c4fe5

SHA256
3154a953f577ef765e410a68e408722180ee7a5127b927e85bfed56035412a63

SHA512
1e22455f527b34c8d42a8506f5756729324818cbe796815636f7ff42f79ddb0dec58dea69370b89843bed282f505795d3184844b4331d9f784155d873ac113d1

Download Submit
\??\c:\users\admin\appdata\local\temp\642f606c1fb317098b0054df2e901810_neikianalytics.exe

Filesize
36KB

MD5
99bbba77d9dc87fc0ddd6f8ec9d2b15a

SHA1
b44157e71ab8bb95d4267060ed5ae7203de2302a

SHA256
55636f93a18c3b8130559a436ad0e357e368f9c490a260d9dad7f924731b5150

SHA512
b92c829a3e77bd101e1c7adaaf8673420d4b75557a906406e980571cf05a2b2deeb7f647aa7b13fbe67456d8fcb54e08fab5df0c8e0905e5e285aaf6728e5611

Download Submit
memory/1584-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1612-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1612-49-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3324-44-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4604-11-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4604-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download