44c5c8323c82964dce436e828dcb66d1c054b4c7cbba2dee147090e4313fccfb

Analysis

max time kernel
150s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 05:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
Size

1.2MB
MD5

78bdcfdbda2c9a32ec0e685021e549e0
SHA1

9d6638d6aebf904cc7621840afc2eec02a45ee8d
SHA256

44c5c8323c82964dce436e828dcb66d1c054b4c7cbba2dee147090e4313fccfb
SHA512

8b5d8df9206dee8143796b5beb2457ae0f5e80864af71c90d9693c35e81e13993858101a162d414b133443feb06886070275370dc7534c8c26bdc583b4bdbc2a
SSDEEP

24576:wvj+cktriK2PVboYTicnT1SBb//wDKULTrhSFkOTu+FMz:waSPVboYTVABjRGtSFruNz

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2856	explorer.exe
1980	spoolsv.exe
2000	svchost.exe
4616	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 34 IoCs

pid	Process
4636	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
2856	explorer.exe
1980	spoolsv.exe
2000	svchost.exe
4616	spoolsv.exe
2000	svchost.exe
2856	explorer.exe
2000	svchost.exe
2856	explorer.exe
2000	svchost.exe
2856	explorer.exe
2000	svchost.exe
2856	explorer.exe
2000	svchost.exe
2856	explorer.exe
2000	svchost.exe
2856	explorer.exe
2000	svchost.exe
2856	explorer.exe
2000	svchost.exe
2856	explorer.exe
2000	svchost.exe
2856	explorer.exe
2000	svchost.exe
2856	explorer.exe
2000	svchost.exe
2856	explorer.exe
2000	svchost.exe
2856	explorer.exe
2000	svchost.exe
2856	explorer.exe
2000	svchost.exe
2856	explorer.exe
2000	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4636	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
4636	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
4636	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
4636	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
4636	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
4636	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
4636	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
4636	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
4636	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
4636	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
4636	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
4636	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
4636	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
4636	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
4636	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
4636	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
4636	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
4636	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
4636	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
4636	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
4636	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
4636	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
4636	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
4636	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
4636	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
4636	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
4636	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
4636	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
4636	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
4636	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
4636	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
4636	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
4636	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
4636	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2856	explorer.exe
2000	svchost.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
4636	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
4636	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
4636	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
1980	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
2000	svchost.exe
2000	svchost.exe
2000	svchost.exe
4616	spoolsv.exe
4616	spoolsv.exe
4616	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4636 wrote to memory of 2856	4636	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe	82
PID 4636 wrote to memory of 2856	4636	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe	82
PID 4636 wrote to memory of 2856	4636	78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe	82
PID 2856 wrote to memory of 1980	2856	explorer.exe	84
PID 2856 wrote to memory of 1980	2856	explorer.exe	84
PID 2856 wrote to memory of 1980	2856	explorer.exe	84
PID 1980 wrote to memory of 2000	1980	spoolsv.exe	86
PID 1980 wrote to memory of 2000	1980	spoolsv.exe	86
PID 1980 wrote to memory of 2000	1980	spoolsv.exe	86
PID 2000 wrote to memory of 4616	2000	svchost.exe	88
PID 2000 wrote to memory of 4616	2000	svchost.exe	88
PID 2000 wrote to memory of 4616	2000	svchost.exe	88

C:\Users\Admin\AppData\Local\Temp\78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\78bdcfdbda2c9a32ec0e685021e549e0_NeikiAnalytics.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4636
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2856
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1980
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2000
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:4616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
1.2MB

MD5
0fb571c4e40ea4511008e6d7603e24f2

SHA1
feae722b9be4979c72f67be6e4b233d1d1adc68c

SHA256
163c51e74d787c70e409304a3a019f430f6fe754bbcde2712fd7ee82df9b4edf

SHA512
46bc07f6f43bff442880c8bed87ece81a667e305481801cd7afd559514cc057bcae8f5e2805442853c9cb1b463e10fc3dc442a6e05e17635994eb371ea5dfd00

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
1.2MB

MD5
0fb1135fec94fb31481f36cd9a8a418f

SHA1
9e0e2f0f03dd79de2417f9864c025366110bc90d

SHA256
1644905dfdc660f66791a17dee32ffd121f4854baf34bae480c9429d9a33a32e

SHA512
41e2cefa7036397860f9fced55076bf4a48ce87803a625720d2a01798a1e935835d6b886ed967a7b1e7b9d43f6717beb63d0232a63e97b7fa91141841cbff7b6

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
1.2MB

MD5
a5092c35b6c717fa30f8dc9bdde7c051

SHA1
2613d5f19edfe4dc067c03fb46ffcbc26cf9c269

SHA256
fdb9028ddaa79708db7c8320f4a1d7979468a8d94d8b67df1481ba9ac09e0ce8

SHA512
274352c070e1a00350a081d49fcb9ec3578ed20571b36e18838edf9252d14850a6f8c6bcf5a2728cab467ec99ec74059cbd1f4c4ff57c1edf6628ffd7c9145a3

Download Submit
memory/1980-39-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2000-41-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2000-66-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2000-64-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2000-62-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2000-48-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2000-60-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2000-68-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2000-58-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2000-56-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2000-44-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2000-54-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2000-46-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2000-50-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2856-49-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2856-42-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2856-47-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2856-51-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2856-53-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2856-45-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2856-55-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2856-43-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2856-57-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2856-9-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2856-59-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2856-40-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2856-61-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2856-67-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2856-63-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2856-65-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/4616-30-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/4616-35-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/4636-38-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/4636-0-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download