Analysis Overview
SHA256
cb8a8dfea047c07863a2515cb4e40300a1581d1554fefa9e90f76428a96c0b68
Threat Level: Known bad
The file 8e3c456da5ef86cdaa6729089feb8680_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Drops file in System32 directory
Drops file in Windows directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-01 04:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 04:54
Reported
2024-06-01 04:56
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
123s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\svchost.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\c:\windows\resources\themes\explorer.exe | C:\Users\Admin\AppData\Local\Temp\8e3c456da5ef86cdaa6729089feb8680_NeikiAnalytics.exe | N/A |
| File opened for modification | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Resources\tjud.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8e3c456da5ef86cdaa6729089feb8680_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8e3c456da5ef86cdaa6729089feb8680_NeikiAnalytics.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8e3c456da5ef86cdaa6729089feb8680_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8e3c456da5ef86cdaa6729089feb8680_NeikiAnalytics.exe"
\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
memory/2312-0-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Windows\Resources\Themes\explorer.exe
| MD5 | fe46f6ed0956251f19ecab98de4a9fbd |
| SHA1 | eed684498febdcc7c3ad63ff1f8bc6c10872ced9 |
| SHA256 | 4cb9887adc28c6104e83545fb1bd459f332bf6f0c88e217b30064935ad4cf2e3 |
| SHA512 | b9c8e1e31c6633b83ae9453e9aa81d5a1afcba41046519edeead4ca8a0051edcb8d29a4da3aa7b78b774d86a5833ebb4e24f5cb6e933d1e4de6a7369836645c8 |
C:\Windows\Resources\spoolsv.exe
| MD5 | eac65e9c3d773547b626bd643ff99353 |
| SHA1 | 3d99f74ced3ff148dc82491555dd4564ba745aa9 |
| SHA256 | dbd7970c18a378936b333325e9b13d6a00a6734d43327469f52d5d50084e49ec |
| SHA512 | f371e9041ba0bb91071e091319ba0e5b174936137ab58c1e408b74288557d759ae2c92af062684e2d5713f92745bd5e9c01bb2c80c00fe2c33aca70242b6d48e |
C:\Windows\Resources\svchost.exe
| MD5 | 80c3fd9bc1d0a49f982f66ce2ee15b2d |
| SHA1 | 9101b794f175196e9d80c15925dff79b9b217afe |
| SHA256 | 7ccf3522db8ff74c0ddfa4111282f797191c3ba4121d179c2ac7c6777c809259 |
| SHA512 | e8c55533e9e6740b9b0de3e6399774fac4f8c7ee4a28cba1606a2ea1526c1b242dd6d905dddb75dd77955dd1ec2dcf5bd2daf81181526e6db3a5a461a79aa434 |
memory/1372-30-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1372-33-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1840-34-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2312-35-0x0000000000400000-0x000000000041F000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 04:54
Reported
2024-06-01 04:56
Platform
win7-20240508-en
Max time kernel
150s
Max time network
120s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8e3c456da5ef86cdaa6729089feb8680_NeikiAnalytics.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Resources\tjud.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\resources\themes\explorer.exe | C:\Users\Admin\AppData\Local\Temp\8e3c456da5ef86cdaa6729089feb8680_NeikiAnalytics.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8e3c456da5ef86cdaa6729089feb8680_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8e3c456da5ef86cdaa6729089feb8680_NeikiAnalytics.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8e3c456da5ef86cdaa6729089feb8680_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8e3c456da5ef86cdaa6729089feb8680_NeikiAnalytics.exe"
\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:56 /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:57 /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:58 /f
Network
Files
memory/1936-0-0x0000000000400000-0x000000000041F000-memory.dmp
\Windows\Resources\Themes\explorer.exe
| MD5 | bc244681022a6c5447cd144fed9d307d |
| SHA1 | 02b76efb3e2f5b01cfa7ba0792af9f28f2b4bf05 |
| SHA256 | 327975c792ebf4e27b19254109de83d8fb64867095137fa9be519c7f0ce7dd09 |
| SHA512 | 982261221b876108266a68cd1ea2aed90e8a1ea0a65a9d6a08477758e2698f198d17c589e68e5db1aad2f186fe141c51d97212f118440be4b8daabd1dc5cadf4 |
memory/1936-10-0x00000000006C0000-0x00000000006DF000-memory.dmp
C:\Windows\Resources\spoolsv.exe
| MD5 | f9e5e0a662751de1dad66fbc159bc4f2 |
| SHA1 | 5ca8399856920cec120536cede2be85ac8673637 |
| SHA256 | 28047789b47fda72e353c1e327acb9132bb00147b9c4992baa598383b6fd472a |
| SHA512 | 93a103fa2effffefd00defefa1e36acd279154f248ab2d12b981d0b5d8cd152b1706f4e5374f4cae98232c84efd199aa844109084770288173a953c4f65db3f9 |
\Windows\Resources\svchost.exe
| MD5 | 170b11a61ed2085a1cb7c3b59af4e9c3 |
| SHA1 | 5b8499ec659c257237cacc07d35ad59aeea5f6bd |
| SHA256 | 3a79c9f11aa905cb4c3beacf967b28fd116b45b019bd76c8f238ecf4ed6713ad |
| SHA512 | a401d9114d378a402180f218c5439c4f41264847c2c20ad31f50a328fad8cbb6ac8fecc878be13b7d728a125dc598d73028b2b52f24f3242a2a47a27243eaad2 |
memory/2608-31-0x00000000002A0000-0x00000000002BF000-memory.dmp
memory/2672-41-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2672-42-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2608-43-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1936-44-0x0000000000400000-0x000000000041F000-memory.dmp