Malware Analysis Report

2025-01-06 09:38

Sample ID 240601-f1sgfabh32
Target 8efd0cfdd1d91dfa1adef0d1ab4d71a0_NeikiAnalytics.exe
SHA256 719aa7b9741f619589e650f9fa62d73fc586b6444aa0fb912efabe4b789564d2
Tags
evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

719aa7b9741f619589e650f9fa62d73fc586b6444aa0fb912efabe4b789564d2

Threat Level: Known bad

The file 8efd0cfdd1d91dfa1adef0d1ab4d71a0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence trojan

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Detects BazaLoader malware

Modifies Installed Components in the registry

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 05:20

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 05:20

Reported

2024-06-01 05:23

Platform

win7-20240215-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8efd0cfdd1d91dfa1adef0d1ab4d71a0_NeikiAnalytics.exe"

Signatures

Detects BazaLoader malware

trojan
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\svchost.exe | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\svchost.exe | N/A
File opened for modification | C:\Windows\system\udsys.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\8efd0cfdd1d91dfa1adef0d1ab4d71a0_NeikiAnalytics.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8efd0cfdd1d91dfa1adef0d1ab4d71a0_NeikiAnalytics.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1336 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\8efd0cfdd1d91dfa1adef0d1ab4d71a0_NeikiAnalytics.exe | \??\c:\windows\system\explorer.exe
PID 1336 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\8efd0cfdd1d91dfa1adef0d1ab4d71a0_NeikiAnalytics.exe | \??\c:\windows\system\explorer.exe
PID 1336 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\8efd0cfdd1d91dfa1adef0d1ab4d71a0_NeikiAnalytics.exe | \??\c:\windows\system\explorer.exe
PID 1336 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\8efd0cfdd1d91dfa1adef0d1ab4d71a0_NeikiAnalytics.exe | \??\c:\windows\system\explorer.exe
PID 2884 wrote to memory of 2808 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 2884 wrote to memory of 2808 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 2884 wrote to memory of 2808 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 2884 wrote to memory of 2808 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 2808 wrote to memory of 2484 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 2808 wrote to memory of 2484 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 2808 wrote to memory of 2484 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 2808 wrote to memory of 2484 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 2484 wrote to memory of 2448 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2484 wrote to memory of 2448 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2484 wrote to memory of 2448 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2484 wrote to memory of 2448 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2484 wrote to memory of 1992 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2484 wrote to memory of 1992 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2484 wrote to memory of 1992 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2484 wrote to memory of 1992 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2484 wrote to memory of 1448 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2484 wrote to memory of 1448 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2484 wrote to memory of 1448 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2484 wrote to memory of 1448 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2484 wrote to memory of 1400 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2484 wrote to memory of 1400 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2484 wrote to memory of 1400 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2484 wrote to memory of 1400 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8efd0cfdd1d91dfa1adef0d1ab4d71a0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8efd0cfdd1d91dfa1adef0d1ab4d71a0_NeikiAnalytics.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 05:22 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 05:23 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 05:24 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

N/A

Files

memory/1336-1-0x0000000000020000-0x0000000000024000-memory.dmp

memory/1336-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1336-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1336-2-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/1336-4-0x0000000000401000-0x000000000042E000-memory.dmp

C:\Windows\system\explorer.exe

MD5 9ba8dc003896462ef83462de302a3544
SHA1 14923f221a36efd81b68c7f942a3b2c991d111a0
SHA256 21058dec6a9552d559608ccf14b8b003961ca248315db1f603e1438ecdaa9e04
SHA512 d458426dcd7ccae7d663406da08f9a1391ef86ea729682dc1156f99991ed9c05bbda0c6708df67255fa4561af99cb59a688180fdd0e1f14925040b5343444136

memory/2884-17-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2884-21-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1336-20-0x00000000030E0000-0x0000000003111000-memory.dmp

\Windows\system\spoolsv.exe

MD5 fd82156b404724247143fa5bd92332c0
SHA1 d5054c98e30effcbd234d3b791d3f1b4f4c09044
SHA256 008be9ba2490748bf3fa6e50a6ad90910af6fe545ffa158c4a14e6635fdd1563
SHA512 a98d2c37b440f0b1f4ec6eda4577089c1655b80b28621b7dc304b521579981beb6ee577758fd6fa59dc2de1600a8f0528038e5a9a122a60a891d5e186ee77c87

memory/1336-19-0x00000000030E0000-0x0000000003111000-memory.dmp

memory/2808-41-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2448-66-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2484-65-0x0000000002420000-0x0000000002451000-memory.dmp

memory/2448-72-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 d75fb6bb4e55fd91e4b7b077364c2260
SHA1 fee9d77efb0c9c6c8862c3bfed33756ae2371cfc
SHA256 49461e7b7764223ae1bfd3b2a3f923409e5bdfe47dc9b34aa541e7407d3d5505
SHA512 494aed29106b0cc72a1efb1dcbf9578d19f48108f1bbb0e2e7e1faefec82c3d4cdc6d476a635aa38c6d7d09be0953d962811c69769855ef785599600897b98cd

memory/1336-78-0x0000000000401000-0x000000000042E000-memory.dmp

memory/1336-77-0x0000000000020000-0x0000000000024000-memory.dmp

memory/1336-76-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2808-75-0x0000000000400000-0x0000000000431000-memory.dmp

\??\c:\windows\system\svchost.exe

MD5 85c7ba74e028ab17bce77d8c86fa4b07
SHA1 36ed6b3f56568adb2115dae302f166431d6f6e34
SHA256 9f78df98b1ad7acd82a7105697da5a88e95a229cf7314d2c611d56b5a21ba38c
SHA512 97c797dab5a0830e8fc8a0abceaaf4ed7c81281d6f549a034ba231807a465a5625f8b53f9d559a819d4f2cc413176bdccb30f8ab656c953733b736eaa5fa02e1

memory/2484-57-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2484-59-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2484-53-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2484-54-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2808-37-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2808-36-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2808-35-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2884-80-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2484-82-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2884-91-0x0000000000400000-0x0000000000431000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 05:20

Reported

2024-06-01 05:23

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8efd0cfdd1d91dfa1adef0d1ab4d71a0_NeikiAnalytics.exe"

Signatures

Detects BazaLoader malware

trojan
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\svchost.exe | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\svchost.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\svchost.exe | N/A
File opened for modification | C:\Windows\system\udsys.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\8efd0cfdd1d91dfa1adef0d1ab4d71a0_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8efd0cfdd1d91dfa1adef0d1ab4d71a0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8efd0cfdd1d91dfa1adef0d1ab4d71a0_NeikiAnalytics.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2652 wrote to memory of 64 | N/A | C:\Users\Admin\AppData\Local\Temp\8efd0cfdd1d91dfa1adef0d1ab4d71a0_NeikiAnalytics.exe | \??\c:\windows\system\explorer.exe
PID 2652 wrote to memory of 64 | N/A | C:\Users\Admin\AppData\Local\Temp\8efd0cfdd1d91dfa1adef0d1ab4d71a0_NeikiAnalytics.exe | \??\c:\windows\system\explorer.exe
PID 2652 wrote to memory of 64 | N/A | C:\Users\Admin\AppData\Local\Temp\8efd0cfdd1d91dfa1adef0d1ab4d71a0_NeikiAnalytics.exe | \??\c:\windows\system\explorer.exe
PID 64 wrote to memory of 3232 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 64 wrote to memory of 3232 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 64 wrote to memory of 3232 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 3232 wrote to memory of 2156 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 3232 wrote to memory of 2156 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 3232 wrote to memory of 2156 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 2156 wrote to memory of 4020 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2156 wrote to memory of 4020 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2156 wrote to memory of 4020 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2156 wrote to memory of 4336 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2156 wrote to memory of 4336 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2156 wrote to memory of 4336 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2156 wrote to memory of 1948 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2156 wrote to memory of 1948 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2156 wrote to memory of 1948 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2156 wrote to memory of 2432 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2156 wrote to memory of 2432 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2156 wrote to memory of 2432 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8efd0cfdd1d91dfa1adef0d1ab4d71a0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8efd0cfdd1d91dfa1adef0d1ab4d71a0_NeikiAnalytics.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 05:22 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 05:23 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 05:24 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | | udp

Files

memory/2652-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/2652-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2652-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2652-2-0x0000000074D80000-0x0000000074EDD000-memory.dmp

memory/2652-5-0x0000000000401000-0x000000000042E000-memory.dmp

C:\Windows\System\explorer.exe

MD5 edc37b4e342535a03c218951f5615172
SHA1 4d121b5acac7dbd87113fa6db964e663f99b8fef
SHA256 0cb1d0d0f4bccdf3218114d772ba08b18b03b4bda19bd3f89c8e15b2be3cbdba
SHA512 76c78b721a2df8a7790ae52057ec731421a94e4c046c222fdd2f58b4540388f5b73e7894b6b2ed8fc79ee34c07f0dc2ccbf8d1975328da9c5db3f40379d4c05c

memory/64-13-0x0000000074D80000-0x0000000074EDD000-memory.dmp

memory/64-16-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 1f9aeaf7e8ec54c2a2e7bbab67c3b83f
SHA1 59e9a3868f0d906373cb64f298ff3cf213572c48
SHA256 b11a95d08f941abbce59d2ef62361c6574244bffc7d54abee6eb2dce26e3909f
SHA512 5ab4c1d184fbb38832480ba4e8b6ef947696ef18f91906055e2bcac5de6e93877a3435ca0161167a56db7e87cbd387002d123360fd29d293c3812e163fbfbfb4

memory/3232-25-0x0000000074D80000-0x0000000074EDD000-memory.dmp

memory/3232-29-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3232-24-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\System\svchost.exe

MD5 867bfdf26934a1fc71b341c7f7b43b79
SHA1 880c532658bd48933aea9698bdcac8966a0e9a59
SHA256 a6f9a77b03d3566d004dc1b9a5f72ad803d7be0caa38483d647a8140c640185b
SHA512 032762134d7f66d3caa7f1c83ef9af1fad6ba89a38da3b14e77553168362c7a9942353873bd0150b998d2b40aa9c653e0e3b5b3bd8c3de26cb2629f8788571f9

memory/2156-36-0x0000000074D80000-0x0000000074EDD000-memory.dmp

memory/4020-42-0x0000000074D80000-0x0000000074EDD000-memory.dmp

memory/4020-50-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3232-52-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2652-53-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 f8a465f8eb6cfd1b0355dc32874fe5ea
SHA1 4e4df40f70381271e52385534cab3eda94758378
SHA256 95e88e150d134aa0811f4509831b3b3ad22bb8cf425d2c9894d3b39f43c77b96
SHA512 86b63430d4c1b2dd03559996a9ac1b6b0798dba68fb33fe4626d78319b2f3d02571be032e7ce1394020a2baaee5de9706e93ab782f6ccac9466be25efdf386ea

memory/2652-54-0x0000000000401000-0x000000000042E000-memory.dmp

memory/64-56-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2156-58-0x0000000000400000-0x0000000000431000-memory.dmp

memory/64-67-0x0000000000400000-0x0000000000431000-memory.dmp