Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 31-05-2024 00:38
Static task: static1
Behavioral task: behavioral1
  Sample: 6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
General
Target: 6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe
Size: 135KB
MD5: 6f9789a1025a13b94f5ca7f776b6a760
SHA1: 96157bfb75f3ef50b94c2d2d73ca72a4ec0de098
SHA256: 80c33b51edf1dd587e33fb2bfa6d5075aab068d40c3bb583e8ed155c475dcfaa
SHA512: c613e8fc35b4c54a3c87392d321c521c6584cd1905d5ccae0a4771e992687b32cbebeaa3715bd990a23a9fcbb596afbc94390be857e47f7ba79dab0e8eb1d432
SSDEEP: 1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVc/D:UVqoCl/YgjxEufVU0TbTyDDali/D
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Executes dropped EXE (4 IoCs)
pid | Process
2152 | explorer.exe
2564 | spoolsv.exe
2656 | svchost.exe
2568 | spoolsv.exe
Loads dropped DLL (4 IoCs)
pid | Process
3012 | 6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe
2152 | explorer.exe
2564 | spoolsv.exe
2656 | svchost.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | \??\c:\windows\resources\themes\explorer.exe | 6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe
File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe
Creates scheduled task(s) (1 TTP, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
932 | schtasks.exe
2520 | schtasks.exe
1724 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | occurrences
3012 | 6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe | 17
2152 | explorer.exe | 26
2656 | svchost.exe | 21
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
2152 | explorer.exe
2656 | svchost.exe
Suspicious use of SetWindowsHookEx (10 IoCs)
pid | Process | occurrences
3012 | 6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe | 2
2152 | explorer.exe | 2
2564 | spoolsv.exe | 2
2656 | svchost.exe | 2
2568 | spoolsv.exe | 2
Suspicious use of WriteProcessMemory (32 IoCs; each row below is recorded 4 times in the report)
description | pid | Process | procid_target
PID 3012 wrote to memory of 2152 | 3012 | 6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe | 28
PID 2152 wrote to memory of 2564 | 2152 | explorer.exe | 29
PID 2564 wrote to memory of 2656 | 2564 | spoolsv.exe | 30
PID 2656 wrote to memory of 2568 | 2656 | svchost.exe | 31
PID 2152 wrote to memory of 1712 | 2152 | explorer.exe | 32
PID 2656 wrote to memory of 2520 | 2656 | svchost.exe | 33
PID 2656 wrote to memory of 1724 | 2656 | svchost.exe | 38
PID 2656 wrote to memory of 932 | 2656 | svchost.exe | 40
Processes (process tree; child processes are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe"
  PID: 3012
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  \??\c:\windows\resources\themes\explorer.exe
    Command line: c:\windows\resources\themes\explorer.exe
    PID: 2152
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    \??\c:\windows\resources\spoolsv.exe
      Command line: c:\windows\resources\spoolsv.exe SE
      PID: 2564
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      \??\c:\windows\resources\svchost.exe
        Command line: c:\windows\resources\svchost.exe
        PID: 2656
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\resources\spoolsv.exe
          Command line: c:\windows\resources\spoolsv.exe PR
          PID: 2568
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:40 /f
          PID: 2520
          - Creates scheduled task(s)

        C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:41 /f
          PID: 1724
          - Creates scheduled task(s)

        C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:42 /f
          PID: 932
          - Creates scheduled task(s)

    C:\Windows\Explorer.exe
      Command line: C:\Windows\Explorer.exe
      PID: 1712
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Downloads
Dropped file 1
  Filesize: 135KB
  MD5: 98c0335f6a34c452f32efd08b215b108
  SHA1: c20f34991c0f864e64db930668ca713d0e9be60e
  SHA256: 30829250cca518b2fc565874fb8a784e60c540a6544d177b8b0fda98d58fe538
  SHA512: eb1dbba6bbce7d4930d138e0a3d150a5e8c7d30621830baf17b580edfa37bb14e632ed2b2c255b0ac0aad07b3bf4cec3768aea52d3d4c6ab3bbfaabbd1e0a592
Dropped file 2
  Filesize: 135KB
  MD5: 2bdec5d83d27df53fb970bbf2aaebcf3
  SHA1: d0cc937475eafceba09579b8f13f0d53209a1cb1
  SHA256: a4ce8c8e0c0a997358e9b8f219a0323054b447530ae23182f292af8497915c1d
  SHA512: d3a09172173f3809eb049ebe02c2e4a3661dc589967b24573fde9af003c092d2b2c87eb905634fee4000df467f45f98d24c4767e1af6151f35b9d95debeff03f
Dropped file 3
  Filesize: 135KB
  MD5: 9dd7314012276044ee042e0ff2ddee75
  SHA1: 3a10c3c3f48cf954bfc6cd6848e54856a51f36de
  SHA256: 156de7ba5548beafd547bc706155f596f7ce385bcd50068e42e241114c7a6a44
  SHA512: 012553f2278770d0e7e011cd1131ca5ecaa5cd416212ea7f7f642e20819c515f950c200cab3ef8b5e67cc5b4b669c446a128a71feb792a8965869b814cf96b34