865170810626fcebcff12b15fa8ea199916a586de17a5c1125f2ccf07786b954

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
01-06-2024 00:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85fc87a75750b26bc4da4c53ff316810_NeikiAnalytics.exe
Size

1.4MB
MD5

85fc87a75750b26bc4da4c53ff316810
SHA1

5e31011b135ceb0a026c28deb74804a05a23af29
SHA256

865170810626fcebcff12b15fa8ea199916a586de17a5c1125f2ccf07786b954
SHA512

24e23284070bfc3a34eb49c5ff32044b1e6a663e9cdb382034c68f92950de8d9b74e568ecf987bd090a39d6063dd73cc28424601777c701f5141dcf078c960a4
SSDEEP

24576:l9cdOqX1uuMliQzd4mNy9Sh5hJgpiwVQLJaOSZ4LehoZza9gNWmAO5ehlMR:l9UX1uBx4mYo83vOSeyeaKrj

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2384	explorer.exe
2552	spoolsv.exe
2564	svchost.exe
2492	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
1936	85fc87a75750b26bc4da4c53ff316810_NeikiAnalytics.exe
1936	85fc87a75750b26bc4da4c53ff316810_NeikiAnalytics.exe
2384	explorer.exe
2384	explorer.exe
2552	spoolsv.exe
2552	spoolsv.exe
2564	svchost.exe
2564	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 34 IoCs

pid	Process
1936	85fc87a75750b26bc4da4c53ff316810_NeikiAnalytics.exe
2384	explorer.exe
2552	spoolsv.exe
2564	svchost.exe
2492	spoolsv.exe
2384	explorer.exe
2564	svchost.exe
2384	explorer.exe
2564	svchost.exe
2384	explorer.exe
2564	svchost.exe
2384	explorer.exe
2564	svchost.exe
2384	explorer.exe
2564	svchost.exe
2384	explorer.exe
2564	svchost.exe
2384	explorer.exe
2564	svchost.exe
2384	explorer.exe
2564	svchost.exe
2384	explorer.exe
2564	svchost.exe
2384	explorer.exe
2564	svchost.exe
2384	explorer.exe
2564	svchost.exe
2384	explorer.exe
2564	svchost.exe
2384	explorer.exe
2564	svchost.exe
2384	explorer.exe
2564	svchost.exe
2384	explorer.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	85fc87a75750b26bc4da4c53ff316810_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1936	85fc87a75750b26bc4da4c53ff316810_NeikiAnalytics.exe
2384	explorer.exe
2384	explorer.exe
2384	explorer.exe
2384	explorer.exe
2384	explorer.exe
2564	svchost.exe
2564	svchost.exe
2384	explorer.exe
2564	svchost.exe
2384	explorer.exe
2564	svchost.exe
2384	explorer.exe
2564	svchost.exe
2384	explorer.exe
2384	explorer.exe
2564	svchost.exe
2564	svchost.exe
2384	explorer.exe
2384	explorer.exe
2564	svchost.exe
2564	svchost.exe
2384	explorer.exe
2564	svchost.exe
2384	explorer.exe
2384	explorer.exe
2564	svchost.exe
2564	svchost.exe
2384	explorer.exe
2384	explorer.exe
2564	svchost.exe
2384	explorer.exe
2564	svchost.exe
2384	explorer.exe
2564	svchost.exe
2384	explorer.exe
2564	svchost.exe
2564	svchost.exe
2384	explorer.exe
2384	explorer.exe
2564	svchost.exe
2384	explorer.exe
2564	svchost.exe
2384	explorer.exe
2564	svchost.exe
2564	svchost.exe
2384	explorer.exe
2564	svchost.exe
2384	explorer.exe
2384	explorer.exe
2564	svchost.exe
2564	svchost.exe
2384	explorer.exe
2564	svchost.exe
2384	explorer.exe
2564	svchost.exe
2384	explorer.exe
2564	svchost.exe
2384	explorer.exe
2384	explorer.exe
2564	svchost.exe
2384	explorer.exe
2564	svchost.exe
2384	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2384	explorer.exe
2564	svchost.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
1936	85fc87a75750b26bc4da4c53ff316810_NeikiAnalytics.exe
1936	85fc87a75750b26bc4da4c53ff316810_NeikiAnalytics.exe
1936	85fc87a75750b26bc4da4c53ff316810_NeikiAnalytics.exe
2384	explorer.exe
2384	explorer.exe
2384	explorer.exe
2552	spoolsv.exe
2552	spoolsv.exe
2552	spoolsv.exe
2564	svchost.exe
2564	svchost.exe
2564	svchost.exe
2492	spoolsv.exe
2492	spoolsv.exe
2492	spoolsv.exe
2384	explorer.exe
2384	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 2384	1936	85fc87a75750b26bc4da4c53ff316810_NeikiAnalytics.exe	28
PID 1936 wrote to memory of 2384	1936	85fc87a75750b26bc4da4c53ff316810_NeikiAnalytics.exe	28
PID 1936 wrote to memory of 2384	1936	85fc87a75750b26bc4da4c53ff316810_NeikiAnalytics.exe	28
PID 1936 wrote to memory of 2384	1936	85fc87a75750b26bc4da4c53ff316810_NeikiAnalytics.exe	28
PID 2384 wrote to memory of 2552	2384	explorer.exe	29
PID 2384 wrote to memory of 2552	2384	explorer.exe	29
PID 2384 wrote to memory of 2552	2384	explorer.exe	29
PID 2384 wrote to memory of 2552	2384	explorer.exe	29
PID 2552 wrote to memory of 2564	2552	spoolsv.exe	30
PID 2552 wrote to memory of 2564	2552	spoolsv.exe	30
PID 2552 wrote to memory of 2564	2552	spoolsv.exe	30
PID 2552 wrote to memory of 2564	2552	spoolsv.exe	30
PID 2564 wrote to memory of 2492	2564	svchost.exe	31
PID 2564 wrote to memory of 2492	2564	svchost.exe	31
PID 2564 wrote to memory of 2492	2564	svchost.exe	31
PID 2564 wrote to memory of 2492	2564	svchost.exe	31
PID 2564 wrote to memory of 2764	2564	svchost.exe	32
PID 2564 wrote to memory of 2764	2564	svchost.exe	32
PID 2564 wrote to memory of 2764	2564	svchost.exe	32
PID 2564 wrote to memory of 2764	2564	svchost.exe	32
PID 2564 wrote to memory of 764	2564	svchost.exe	36
PID 2564 wrote to memory of 764	2564	svchost.exe	36
PID 2564 wrote to memory of 764	2564	svchost.exe	36
PID 2564 wrote to memory of 764	2564	svchost.exe	36
PID 2564 wrote to memory of 2416	2564	svchost.exe	38
PID 2564 wrote to memory of 2416	2564	svchost.exe	38
PID 2564 wrote to memory of 2416	2564	svchost.exe	38
PID 2564 wrote to memory of 2416	2564	svchost.exe	38

C:\Users\Admin\AppData\Local\Temp\85fc87a75750b26bc4da4c53ff316810_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\85fc87a75750b26bc4da4c53ff316810_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1936
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2384
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2564
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:2492
    - - C:\Windows\SysWOW64\at.exe
        
        at 00:24 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2764
    - - C:\Windows\SysWOW64\at.exe
        
        at 00:25 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:764
    - - C:\Windows\SysWOW64\at.exe
        
        at 00:26 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
1.4MB

MD5
c86a7f94e0da9e00f587561f336b1fff

SHA1
31479fc20c322315a4296cf5d962a80025d71cb3

SHA256
ad4731bc34417669bd170456fb8fe9ebfb8188f3f64a541cdb4126ea3e07a101

SHA512
25144dfbb07c2d3c18b42a085f998e89dbe7953238c3468da7739871936c20e17c05d4598e9692102a587c3cbebb651fd2306244310adbbb330699a1245aac07

Download Submit
C:\Windows\system\svchost.exe

Filesize
1.4MB

MD5
8a5a5939e3d0c50a5a13c1912755d8d5

SHA1
beff4339cb0220c3bb62afcca774041f21b8c89d

SHA256
4f9c2277eadf297690ae6c446cb61e049f074afd756ae1ee65190031a62dea3f

SHA512
bbcc2238a4a93bad1ec07cc616f8c7825a0eeecad68d85de939fa9e1cec29b5e580c425d77d5bc6a24ed77210f2dbd04cb3517b5ee32345b179ffbfd9f44c468

Download Submit
\Windows\system\explorer.exe

Filesize
1.4MB

MD5
bf1db47a30445fb28036af7a33836f22

SHA1
4008ec019d0803f80f2c85fcc3c019a86a482557

SHA256
a7afb8471b419ef892482bbed999fe13a30b092e0d1f23cbd562b97d0133d9a5

SHA512
f3e8ea16d5799d5e6f08c68136b10ec2e1ebec55828ce49a43a78c66df74e89249456d3020d2aaa013ade22371cb3355acc611557e726e61e7211a3932c98750

Download Submit
\Windows\system\spoolsv.exe

Filesize
1.4MB

MD5
d78931ec103329bfc7b82d616016615b

SHA1
7fa8f38ef146007b529429b2e782c5dd448a9e5d

SHA256
4d0489fed2dbccca58b1b5f5ed596048fbed6447a76bb34cb340e01562229da0

SHA512
6a41bd1a7846093dad0ebc46be96a9073c05e5492c6687129f6d938693cbe4830159fc4d0cc405942af767c464664bb5c44121af1c966c912d3afdd34147aab9

Download Submit
memory/1936-13-0x00000000045B0000-0x0000000004B50000-memory.dmp

Filesize
5.6MB

Download
memory/1936-0-0x0000000000400000-0x00000000009A0000-memory.dmp

Filesize
5.6MB

Download
memory/1936-67-0x0000000000400000-0x00000000009A0000-memory.dmp

Filesize
5.6MB

Download
memory/2384-82-0x0000000000400000-0x00000000009A0000-memory.dmp

Filesize
5.6MB

Download
memory/2384-29-0x0000000004660000-0x0000000004C00000-memory.dmp

Filesize
5.6MB

Download
memory/2384-72-0x0000000004660000-0x0000000004C00000-memory.dmp

Filesize
5.6MB

Download
memory/2384-71-0x0000000000400000-0x00000000009A0000-memory.dmp

Filesize
5.6MB

Download
memory/2384-69-0x0000000000400000-0x00000000009A0000-memory.dmp

Filesize
5.6MB

Download
memory/2384-28-0x0000000004660000-0x0000000004C00000-memory.dmp

Filesize
5.6MB

Download
memory/2384-14-0x0000000000400000-0x00000000009A0000-memory.dmp

Filesize
5.6MB

Download
memory/2492-55-0x0000000000400000-0x00000000009A0000-memory.dmp

Filesize
5.6MB

Download
memory/2492-62-0x0000000000400000-0x00000000009A0000-memory.dmp

Filesize
5.6MB

Download
memory/2552-63-0x0000000000400000-0x00000000009A0000-memory.dmp

Filesize
5.6MB

Download
memory/2552-45-0x0000000004600000-0x0000000004BA0000-memory.dmp

Filesize
5.6MB

Download
memory/2552-44-0x0000000004600000-0x0000000004BA0000-memory.dmp

Filesize
5.6MB

Download
memory/2552-30-0x0000000000400000-0x00000000009A0000-memory.dmp

Filesize
5.6MB

Download
memory/2564-56-0x00000000041D0000-0x0000000004770000-memory.dmp

Filesize
5.6MB

Download
memory/2564-54-0x00000000041D0000-0x0000000004770000-memory.dmp

Filesize
5.6MB

Download
memory/2564-53-0x0000000000400000-0x00000000009A0000-memory.dmp

Filesize
5.6MB

Download
memory/2564-70-0x0000000000400000-0x00000000009A0000-memory.dmp

Filesize
5.6MB

Download
memory/2564-75-0x00000000041D0000-0x0000000004770000-memory.dmp

Filesize
5.6MB

Download
memory/2564-74-0x0000000000400000-0x00000000009A0000-memory.dmp

Filesize
5.6MB

Download
memory/2564-87-0x0000000000400000-0x00000000009A0000-memory.dmp

Filesize
5.6MB

Download