80c33b51edf1dd587e33fb2bfa6d5075aab068d40c3bb583e8ed155c475dcfaa

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 00:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe
Size

135KB
MD5

6f9789a1025a13b94f5ca7f776b6a760
SHA1

96157bfb75f3ef50b94c2d2d73ca72a4ec0de098
SHA256

80c33b51edf1dd587e33fb2bfa6d5075aab068d40c3bb583e8ed155c475dcfaa
SHA512

c613e8fc35b4c54a3c87392d321c521c6584cd1905d5ccae0a4771e992687b32cbebeaa3715bd990a23a9fcbb596afbc94390be857e47f7ba79dab0e8eb1d432
SSDEEP

1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVc/D:UVqoCl/YgjxEufVU0TbTyDDali/D

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
336	explorer.exe
244	spoolsv.exe
3292	svchost.exe
3480	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4388	6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe
4388	6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe
4388	6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe
4388	6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe
4388	6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe
4388	6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe
4388	6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe
4388	6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe
4388	6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe
4388	6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe
4388	6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe
4388	6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe
4388	6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe
4388	6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe
4388	6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe
4388	6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe
4388	6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe
4388	6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe
4388	6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe
4388	6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe
4388	6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe
4388	6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe
4388	6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe
4388	6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe
4388	6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe
4388	6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe
4388	6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe
4388	6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe
4388	6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe
4388	6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe
4388	6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe
4388	6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe
4388	6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe
4388	6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe
336	explorer.exe
336	explorer.exe
336	explorer.exe
336	explorer.exe
336	explorer.exe
336	explorer.exe
336	explorer.exe
336	explorer.exe
336	explorer.exe
336	explorer.exe
336	explorer.exe
336	explorer.exe
336	explorer.exe
336	explorer.exe
336	explorer.exe
336	explorer.exe
336	explorer.exe
336	explorer.exe
336	explorer.exe
336	explorer.exe
336	explorer.exe
336	explorer.exe
336	explorer.exe
336	explorer.exe
336	explorer.exe
336	explorer.exe
336	explorer.exe
336	explorer.exe
336	explorer.exe
336	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
336	explorer.exe
3292	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4388	6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe
4388	6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe
336	explorer.exe
336	explorer.exe
244	spoolsv.exe
244	spoolsv.exe
3292	svchost.exe
3292	svchost.exe
3480	spoolsv.exe
3480	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4388 wrote to memory of 336	4388	6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe	82
PID 4388 wrote to memory of 336	4388	6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe	82
PID 4388 wrote to memory of 336	4388	6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe	82
PID 336 wrote to memory of 244	336	explorer.exe	83
PID 336 wrote to memory of 244	336	explorer.exe	83
PID 336 wrote to memory of 244	336	explorer.exe	83
PID 244 wrote to memory of 3292	244	spoolsv.exe	84
PID 244 wrote to memory of 3292	244	spoolsv.exe	84
PID 244 wrote to memory of 3292	244	spoolsv.exe	84
PID 3292 wrote to memory of 3480	3292	svchost.exe	86
PID 3292 wrote to memory of 3480	3292	svchost.exe	86
PID 3292 wrote to memory of 3480	3292	svchost.exe	86

C:\Users\Admin\AppData\Local\Temp\6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6f9789a1025a13b94f5ca7f776b6a760_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4388
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:336
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:244
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3292
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
9b6ecb490057f99c57b69f8761613d8f

SHA1
51e93b234515a5d118ef166e934b168603348709

SHA256
cf978e9bff3dc15c14e0b93a80bdbc17249cc34022bfb00ec502b1936c7e8bca

SHA512
e0000089abc1716367f67691991cf076cd0225756979c0e659e5e05fe620a7546933d238e9ce0c3e44bc3b0a6479cdace6cfcc95a74704b194032a6ec2a6c03d

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
35648f4f933061f0cdf70b46a52a2501

SHA1
49b05ff664ba4281d619b753be33af7374f53273

SHA256
4953c60dceb181560041c6fb09859d888434deff51f08f420f1d1488792eeb14

SHA512
65d975219ccd6a2ecfb78b0013302808733a503883e55bb17d32b8f6cf243bac3cba011770c7094e97b53494994f1409dd166805120ce47ba8136afec8e8387f

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
a08aed6d610a7a1f80d6c51f1a769da1

SHA1
b2230d323360d29daeabc398dc2fb66dd6cd961e

SHA256
d2cc7bdd83787e18fc2417e9961a0e19c57354fd4b09b7ac554f381aa292b6b3

SHA512
bf5510bf3c20ef4d2d04d4f1d3949dbb08faee1054eb144fd9c02927a2cceaac22d614614438dd780341be15597e92e66288240ee8b215a7272e6a78fd819619

Download Submit
memory/244-34-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3292-25-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3480-33-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4388-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4388-35-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download