44c5c8323c82964dce436e828dcb66d1c054b4c7cbba2dee147090e4313fccfb

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
31-05-2024 05:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
Size

1.2MB
MD5

78bdcfdbda2c9a32ec0e685021e549e0
SHA1

9d6638d6aebf904cc7621840afc2eec02a45ee8d
SHA256

44c5c8323c82964dce436e828dcb66d1c054b4c7cbba2dee147090e4313fccfb
SHA512

8b5d8df9206dee8143796b5beb2457ae0f5e80864af71c90d9693c35e81e13993858101a162d414b133443feb06886070275370dc7534c8c26bdc583b4bdbc2a
SSDEEP

24576:wvj+cktriK2PVboYTicnT1SBb//wDKULTrhSFkOTu+FMz:waSPVboYTVABjRGtSFruNz

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2088	explorer.exe
2856	spoolsv.exe
2556	svchost.exe
3032	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
2104	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
2104	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
2088	explorer.exe
2088	explorer.exe
2856	spoolsv.exe
2856	spoolsv.exe
2556	svchost.exe
2556	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 35 IoCs

pid	Process
2104	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
2104	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
2088	explorer.exe
2856	spoolsv.exe
2556	svchost.exe
3032	spoolsv.exe
2088	explorer.exe
2556	svchost.exe
2088	explorer.exe
2556	svchost.exe
2088	explorer.exe
2556	svchost.exe
2088	explorer.exe
2556	svchost.exe
2088	explorer.exe
2556	svchost.exe
2088	explorer.exe
2556	svchost.exe
2088	explorer.exe
2556	svchost.exe
2088	explorer.exe
2556	svchost.exe
2088	explorer.exe
2556	svchost.exe
2088	explorer.exe
2556	svchost.exe
2088	explorer.exe
2556	svchost.exe
2088	explorer.exe
2556	svchost.exe
2088	explorer.exe
2556	svchost.exe
2088	explorer.exe
2556	svchost.exe
2088	explorer.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2960	schtasks.exe
540	schtasks.exe
1772	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2104	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
2104	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
2104	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
2104	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
2104	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
2104	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
2104	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
2104	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
2104	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
2104	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
2104	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
2104	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
2104	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
2104	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
2104	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
2104	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
2104	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2556	svchost.exe
2556	svchost.exe
2088	explorer.exe
2556	svchost.exe
2088	explorer.exe
2556	svchost.exe
2088	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2088	explorer.exe
2556	svchost.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2104	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
2104	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
2104	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2856	spoolsv.exe
2856	spoolsv.exe
2856	spoolsv.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
3032	spoolsv.exe
3032	spoolsv.exe
3032	spoolsv.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2088	2104	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe	28
PID 2104 wrote to memory of 2088	2104	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe	28
PID 2104 wrote to memory of 2088	2104	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe	28
PID 2104 wrote to memory of 2088	2104	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe	28
PID 2088 wrote to memory of 2856	2088	explorer.exe	29
PID 2088 wrote to memory of 2856	2088	explorer.exe	29
PID 2088 wrote to memory of 2856	2088	explorer.exe	29
PID 2088 wrote to memory of 2856	2088	explorer.exe	29
PID 2856 wrote to memory of 2556	2856	spoolsv.exe	30
PID 2856 wrote to memory of 2556	2856	spoolsv.exe	30
PID 2856 wrote to memory of 2556	2856	spoolsv.exe	30
PID 2856 wrote to memory of 2556	2856	spoolsv.exe	30
PID 2556 wrote to memory of 3032	2556	svchost.exe	31
PID 2556 wrote to memory of 3032	2556	svchost.exe	31
PID 2556 wrote to memory of 3032	2556	svchost.exe	31
PID 2556 wrote to memory of 3032	2556	svchost.exe	31
PID 2088 wrote to memory of 2468	2088	explorer.exe	32
PID 2088 wrote to memory of 2468	2088	explorer.exe	32
PID 2088 wrote to memory of 2468	2088	explorer.exe	32
PID 2088 wrote to memory of 2468	2088	explorer.exe	32
PID 2556 wrote to memory of 2960	2556	svchost.exe	33
PID 2556 wrote to memory of 2960	2556	svchost.exe	33
PID 2556 wrote to memory of 2960	2556	svchost.exe	33
PID 2556 wrote to memory of 2960	2556	svchost.exe	33
PID 2556 wrote to memory of 540	2556	svchost.exe	38
PID 2556 wrote to memory of 540	2556	svchost.exe	38
PID 2556 wrote to memory of 540	2556	svchost.exe	38
PID 2556 wrote to memory of 540	2556	svchost.exe	38
PID 2556 wrote to memory of 1772	2556	svchost.exe	40
PID 2556 wrote to memory of 1772	2556	svchost.exe	40
PID 2556 wrote to memory of 1772	2556	svchost.exe	40
PID 2556 wrote to memory of 1772	2556	svchost.exe	40

C:\Users\Admin\AppData\Local\Temp\78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2104
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2088
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2556
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:3032
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:20 /f
        5⤵
        Creates scheduled task(s)
        
        PID:2960
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:21 /f
        5⤵
        Creates scheduled task(s)
        
        PID:540
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:22 /f
        5⤵
        Creates scheduled task(s)
        
        PID:1772
- - C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe
    3⤵
    PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\Resources\Themes\explorer.exe

Filesize
1.2MB

MD5
c488a2baca895f41691c4e1a756abc78

SHA1
ec2aeec2727d26dce0cca5f36f2f89b23d0bb653

SHA256
7df0e27e3691f0151365b44e2bee1a8840f10c0a251e0826dd7718b973000913

SHA512
9d2e009df9ade67d5a150d603c98e96341f11b53fbe6117a0c1c9df4f479061d33a9a371be6a02eceb30491e3f1c693f4d8d4075ae532126d74ce910dd8e4dbd

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
1.2MB

MD5
f66292fe1db1564ae06311bdefa65885

SHA1
0830dddfc8c813cddb3096a918cbfe9af796f842

SHA256
250925f0f691205fe2eb3af24c2ef7bacd5d8b9701419c99d32615431f86a893

SHA512
23bafba5534702295b88b7e18897a766d8bbea0b9f13b78d4ea47261a01cd3f152a87f8561a61063102fd1cc9ec4d0c976b9b008f75703162856a7913a36b4f5

Download Submit
\Windows\Resources\svchost.exe

Filesize
1.2MB

MD5
e1e5a367764bcaff31a015394ec58124

SHA1
e6d85c6a360dc75859d4babe26e5f9a4070f41f8

SHA256
f0b4adeb8c789f0f3042c28d2a5791cb191895bc274f8b24b9b48a9434513e6d

SHA512
89ae8ceea9b81cea7d863b0f83e40b6e412380d1a828f21026d15f930fe017e7b1f5cb9f930ef0fb659525c2cef83120cd3a18bb3b76500bcb5ab69487c01085

Download Submit
memory/2088-88-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2088-84-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2088-29-0x0000000003A90000-0x0000000003E23000-memory.dmp

Filesize
3.6MB

Download
memory/2088-68-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2088-94-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2088-92-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2088-90-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2088-72-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2088-86-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2088-69-0x0000000003A90000-0x0000000003E23000-memory.dmp

Filesize
3.6MB

Download
memory/2088-80-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2088-78-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2088-76-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2088-67-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2088-65-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2088-74-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2104-64-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2104-12-0x0000000003AA0000-0x0000000003E33000-memory.dmp

Filesize
3.6MB

Download
memory/2104-13-0x0000000003AA0000-0x0000000003E33000-memory.dmp

Filesize
3.6MB

Download
memory/2104-0-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2556-70-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2556-81-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2556-66-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2556-75-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2556-95-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2556-77-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2556-93-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2556-79-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2556-53-0x00000000038D0000-0x0000000003C63000-memory.dmp

Filesize
3.6MB

Download
memory/2556-91-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2556-83-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2556-45-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2556-85-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2556-54-0x00000000038D0000-0x0000000003C63000-memory.dmp

Filesize
3.6MB

Download
memory/2556-87-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2556-89-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2556-73-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2856-42-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2856-43-0x0000000003760000-0x0000000003AF3000-memory.dmp

Filesize
3.6MB

Download
memory/2856-62-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2856-46-0x0000000003760000-0x0000000003AF3000-memory.dmp

Filesize
3.6MB

Download
memory/3032-55-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/3032-60-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download