Malware Analysis Report

2025-01-06 09:16

Sample ID 240601-f6bqwaca87
Target 8f397adbb5de940116c8469303417200_NeikiAnalytics.exe
SHA256 ea2a4f2cd93c10c638e011b8abda84ba9db74b5013184ce27b2dbc0ccd6fca00
Tags
evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ea2a4f2cd93c10c638e011b8abda84ba9db74b5013184ce27b2dbc0ccd6fca00

Threat Level: Known bad

The file 8f397adbb5de940116c8469303417200_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence trojan

Modifies WinLogon for persistence

Detects BazaLoader malware

Modifies visibility of hidden/system files in Explorer

Modifies Installed Components in the registry

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 05:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 05:28

Reported

2024-06-01 05:31

Platform

win7-20240215-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8f397adbb5de940116c8469303417200_NeikiAnalytics.exe"

Signatures

Detects BazaLoader malware

trojan
Description Indicator Process Target
N/A N/A N/A N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\8f397adbb5de940116c8469303417200_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8f397adbb5de940116c8469303417200_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1200 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\8f397adbb5de940116c8469303417200_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 1200 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\8f397adbb5de940116c8469303417200_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 1200 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\8f397adbb5de940116c8469303417200_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 1200 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\8f397adbb5de940116c8469303417200_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 2944 wrote to memory of 2604 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2944 wrote to memory of 2604 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2944 wrote to memory of 2604 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2944 wrote to memory of 2604 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2604 wrote to memory of 2484 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2604 wrote to memory of 2484 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2604 wrote to memory of 2484 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2604 wrote to memory of 2484 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2484 wrote to memory of 2448 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2484 wrote to memory of 2448 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2484 wrote to memory of 2448 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2484 wrote to memory of 2448 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2484 wrote to memory of 1956 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2484 wrote to memory of 1956 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2484 wrote to memory of 1956 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2484 wrote to memory of 1956 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2484 wrote to memory of 284 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2484 wrote to memory of 284 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2484 wrote to memory of 284 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2484 wrote to memory of 284 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2484 wrote to memory of 240 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2484 wrote to memory of 240 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2484 wrote to memory of 240 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2484 wrote to memory of 240 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8f397adbb5de940116c8469303417200_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8f397adbb5de940116c8469303417200_NeikiAnalytics.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 05:30 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 05:31 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 05:32 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

N/A

Files

memory/1200-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1200-1-0x0000000000020000-0x0000000000024000-memory.dmp

memory/1200-4-0x0000000000401000-0x000000000042E000-memory.dmp

memory/1200-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1200-2-0x0000000072940000-0x0000000072A93000-memory.dmp

\Windows\system\explorer.exe

MD5 fde1b2a3dd8f257b3da8c751e4833afb
SHA1 f1b6817909adbf8fab630b9b433e23e3a680a615
SHA256 548934c0bbe7762c4801268fce1728a64a4b0b12f80f6e5c2eaee10cff41212c
SHA512 d8fab2bd1015e99532db8ec55c5fd64736835dbb465615c644090fe12a8c8284d9db335c12a25819e62c84c2ccf813ce9b10240f8723df8e9dad32859920bb9f

memory/1200-17-0x0000000003200000-0x0000000003231000-memory.dmp

memory/2944-20-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2944-21-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2944-19-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1200-18-0x0000000003200000-0x0000000003231000-memory.dmp

memory/2944-23-0x0000000000400000-0x0000000000431000-memory.dmp

\Windows\system\spoolsv.exe

MD5 c804db21976a1e0a2db6229af5f9c573
SHA1 e476eae8992642108c6106f742fe97a925242256
SHA256 8b8d6ae64d95c71bc3c4a358638dbc58bb28ff2fafcf9b2d30a0ae54cb0f7bd5
SHA512 d13fb00288d97c0f938869e26331a36bb24d763a4984e8d2071cd266100830b33b38387998f0cf5043b9fae94af13fa3a8e073a628754f1b50ca8ac6ee3b15cc

memory/2604-41-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2604-37-0x0000000072940000-0x0000000072A93000-memory.dmp

C:\Windows\system\svchost.exe

MD5 b228061a2b0f3c534aed767f1fd2d900
SHA1 84b154eb4c1d82f6881d127bdfb3adf120d92652
SHA256 7a4cb5b01986a3ce61dbaef68d386cc3a8b7c059ca5de116e0848e5038e74f08
SHA512 6bdc29b4146fec006925350909b027c800caa835f8e4869656661d101278f569ff883bc69d37a3790f48b76abff0220155b6e0128e680663cc7c914c80344e5e

memory/2484-54-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2484-55-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2604-53-0x00000000004F0000-0x0000000000521000-memory.dmp

memory/2484-60-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1200-63-0x0000000000020000-0x0000000000024000-memory.dmp

memory/2944-67-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1200-66-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2448-68-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2604-77-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1200-79-0x0000000000401000-0x000000000042E000-memory.dmp

memory/1200-78-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2448-73-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 3a210a4cff14efbc379aaaea9522bee5
SHA1 3500b14dac8c6a10bba4ace945b5a124307d4c55
SHA256 1d2581654a0d19b92ce503ef9db9be4d45c67d5fb22a416e36cf568d27c899eb
SHA512 582a01e494b2808af8d1995e65818517dca57b92e021cc474122dba92e39affe896ae69efe39adb7edd7ec00b9577fa4ccc34f550e1b9b451eabdb57f51b8c65

memory/2484-82-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2944-81-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2944-91-0x0000000000400000-0x0000000000431000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 05:28

Reported

2024-06-01 05:31

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

93s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8f397adbb5de940116c8469303417200_NeikiAnalytics.exe"

Signatures

Detects BazaLoader malware

trojan
Description Indicator Process Target
N/A N/A N/A N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\8f397adbb5de940116c8469303417200_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8f397adbb5de940116c8469303417200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8f397adbb5de940116c8469303417200_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1504 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\8f397adbb5de940116c8469303417200_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 1504 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\8f397adbb5de940116c8469303417200_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 1504 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\8f397adbb5de940116c8469303417200_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 3240 wrote to memory of 3960 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3240 wrote to memory of 3960 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3240 wrote to memory of 3960 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3960 wrote to memory of 4436 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 3960 wrote to memory of 4436 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 3960 wrote to memory of 4436 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 4436 wrote to memory of 4904 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 4436 wrote to memory of 4904 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 4436 wrote to memory of 4904 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 4436 wrote to memory of 4420 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4436 wrote to memory of 4420 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4436 wrote to memory of 4420 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4436 wrote to memory of 2288 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4436 wrote to memory of 2288 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4436 wrote to memory of 2288 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4436 wrote to memory of 2032 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4436 wrote to memory of 2032 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4436 wrote to memory of 2032 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8f397adbb5de940116c8469303417200_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8f397adbb5de940116c8469303417200_NeikiAnalytics.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 05:30 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 05:31 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 05:32 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/1504-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/1504-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1504-2-0x0000000074B30000-0x0000000074C8D000-memory.dmp

memory/1504-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1504-5-0x0000000000401000-0x000000000042E000-memory.dmp

\??\c:\windows\system\explorer.exe

MD5 aa18a66848be43cf60864139faf71ea4
SHA1 5a93ffc20eac74bdbbc02967414e35d169c10125
SHA256 ebda9cabd97080ab9c8e854d945b1a9ac2f0cb3bb0095968e21a9dddb5460615
SHA512 c75a9b271cc501b082c707014ae3d20ea4f54612b80a674588fd1afa93c46b0867d1c91527d5db7d45cb8e6304625a7213ed7450d3efe52e3e72bb17cd60c43e

memory/3240-16-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3240-14-0x0000000074B30000-0x0000000074C8D000-memory.dmp

memory/3240-13-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 34d64e32ef9ab7fc4b3f5ea3afa673b8
SHA1 654585ca18c5a6ca2ad9f5beced1c888d2d7f0bd
SHA256 5fc6ba20cc08699dbf82dbe34b6670a4447536240c3d049055f8b79e1a132f0d
SHA512 7565fc2d33b925af9dd28a0632ee9ab78e7ffacf1a29a148a393858419581a01d5b6423a2526baafc147046ffc1463e40681262a515182b044b210f68bf03fe0

memory/3960-26-0x0000000074B30000-0x0000000074C8D000-memory.dmp

memory/3960-30-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3960-25-0x0000000000400000-0x0000000000431000-memory.dmp

\??\c:\windows\system\svchost.exe

MD5 b85b7dd705a80140f0c11d588ea0922e
SHA1 d2ef892c2357c98e57c8a1ba30fdd67082e1a0e9
SHA256 91dbeb22dc37261776bcde88c31a53f36cbba61a5b4d83cfb21bbac4c445296c
SHA512 429121580eacb15e2753993002a09fb2f00f69be9c2bd8751ecac52f4e6825503def719108700d1ec7555862c7a3d6c92672cbafbd98d42370a62cb646ee56f7

memory/4436-37-0x0000000074B30000-0x0000000074C8D000-memory.dmp

memory/4904-43-0x0000000074B30000-0x0000000074C8D000-memory.dmp

memory/4904-49-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1504-56-0x0000000000401000-0x000000000042E000-memory.dmp

memory/1504-55-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3960-53-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 da4eea4ed61ea3bff4087f79fd5262b1
SHA1 88814543033a103af09914135813145e8634e75a
SHA256 347265094d9f9fca8734f3cb1150824d39c59321691ba1b0d5e46140134ad567
SHA512 5a44b567d97676136578f8d0a5d396ab608dd971f5f931c4787f7111452a72ae0ae88364cb1ad29d7c9dfc0418643de52cdfbbbced574904435ee0b969f42db9

memory/3240-58-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4436-59-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3240-68-0x0000000000400000-0x0000000000431000-memory.dmp