Malware Analysis Report

2025-01-06 09:58

Sample ID 240601-fjz5ysae8v
Target 8e42cb9b7103cc017ea7857949439e40_NeikiAnalytics.exe
SHA256 86efac5b12f71e2758e807f39f4823de9871bdb85f65db6b712b60594343fd79
Tags
evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

86efac5b12f71e2758e807f39f4823de9871bdb85f65db6b712b60594343fd79

Threat Level: Known bad

The file 8e42cb9b7103cc017ea7857949439e40_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence trojan

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Detects BazaLoader malware

Modifies Installed Components in the registry

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 04:54

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 04:54

Reported

2024-06-01 04:57

Platform

win7-20240221-en

Max time kernel

150s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8e42cb9b7103cc017ea7857949439e40_NeikiAnalytics.exe"

Signatures

Detects BazaLoader malware

trojan
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\svchost.exe | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\svchost.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\svchost.exe | N/A
File opened for modification | C:\Windows\system\udsys.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\8e42cb9b7103cc017ea7857949439e40_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8e42cb9b7103cc017ea7857949439e40_NeikiAnalytics.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2904 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\8e42cb9b7103cc017ea7857949439e40_NeikiAnalytics.exe | \??\c:\windows\system\explorer.exe
PID 2904 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\8e42cb9b7103cc017ea7857949439e40_NeikiAnalytics.exe | \??\c:\windows\system\explorer.exe
PID 2904 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\8e42cb9b7103cc017ea7857949439e40_NeikiAnalytics.exe | \??\c:\windows\system\explorer.exe
PID 2904 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\8e42cb9b7103cc017ea7857949439e40_NeikiAnalytics.exe | \??\c:\windows\system\explorer.exe
PID 3024 wrote to memory of 2512 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 3024 wrote to memory of 2512 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 3024 wrote to memory of 2512 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 3024 wrote to memory of 2512 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 2512 wrote to memory of 2592 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 2512 wrote to memory of 2592 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 2512 wrote to memory of 2592 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 2512 wrote to memory of 2592 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 2592 wrote to memory of 2912 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2592 wrote to memory of 2912 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2592 wrote to memory of 2912 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2592 wrote to memory of 2912 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2592 wrote to memory of 884 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2592 wrote to memory of 884 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2592 wrote to memory of 884 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2592 wrote to memory of 884 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2592 wrote to memory of 2228 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2592 wrote to memory of 2228 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2592 wrote to memory of 2228 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2592 wrote to memory of 2228 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2592 wrote to memory of 632 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2592 wrote to memory of 632 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2592 wrote to memory of 632 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2592 wrote to memory of 632 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8e42cb9b7103cc017ea7857949439e40_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8e42cb9b7103cc017ea7857949439e40_NeikiAnalytics.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 04:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 04:58 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 04:59 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

N/A

Files

memory/2904-1-0x0000000000020000-0x0000000000024000-memory.dmp

memory/2904-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2904-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2904-2-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2904-6-0x0000000000401000-0x000000000042E000-memory.dmp

\Windows\system\explorer.exe

MD5 d123fc5d465f08467cd9aaf13b0a35f5
SHA1 f44f683479d06f97c5fe4bde0a8a22e7fdaf9527
SHA256 3e7551836de1caa2bbb9ff333b517e0fb0fe493ab60dd7e02360cbef77f9b516
SHA512 7256f9bad5465b630678ffe38c23f03143f888366da34f77fad2d599ff9a1aba73c769e5ccacd713f90d12d611b783783df1848659c806a237cb5989558bcf0e

memory/2904-12-0x0000000002D50000-0x0000000002D81000-memory.dmp

memory/3024-19-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2904-18-0x0000000002D50000-0x0000000002D81000-memory.dmp

memory/3024-20-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/3024-22-0x0000000000400000-0x0000000000431000-memory.dmp

\Windows\system\spoolsv.exe

MD5 f0bcfc1a84eed144750e6382d95df755
SHA1 4e199bd75365f1018eb85b2b776699bdd75a5f68
SHA256 ffdce4566692b69cab64eec318fcb953c1a34274bb16aa0c15a332fe7fde1eef
SHA512 df4da61e27f6fcea3e16ee6a89d54e65dfac04fe8cb3ee354365577ee2f492e98911524ff14659068f637d38c029c7061df71bf3c2fccef3eec1cb3d9153a2f2

memory/3024-31-0x0000000002E70000-0x0000000002EA1000-memory.dmp

memory/2512-40-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2512-42-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2512-37-0x0000000072940000-0x0000000072A93000-memory.dmp

\Windows\system\svchost.exe

MD5 d347c19d6ecc5d921bc42cab67843561
SHA1 e959e7e1ea26cef61b911efca74903bf33f12b71
SHA256 1f9d6a9cc724e92bfa82539202c0f7573d12669fe9d1637be6369db0909cdfaf
SHA512 290bbc3b7cacad9f4d070f8ba6c39b1f0614c2a991f65e56694065b3b68a19564e88f583001f94e9f50ed1a488c8fa56af4fdb61fafafcfa74647bd585b9ffca

memory/2592-58-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2904-57-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2592-63-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2592-59-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2512-56-0x00000000025F0000-0x0000000002621000-memory.dmp

memory/2512-55-0x00000000025F0000-0x0000000002621000-memory.dmp

memory/2904-54-0x0000000000020000-0x0000000000024000-memory.dmp

memory/2904-82-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2904-81-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2512-79-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2912-75-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2912-69-0x0000000072940000-0x0000000072A93000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 ebc920fd66dc233dcd71bbb68c5f58e4
SHA1 879e4ba02f8de43c992b8e8329a1f72e19b0d392
SHA256 2c49a2bb8e92c1d3a3e3631ead9e9f0508e437b63f6cc5b6ada46b23039d0a0a
SHA512 6932143c8ab5fb78d7d60dd57c6e48f6a09735c532e43ac47789b18a1470c184ca026f05febbc22d3943dd7735b6a5ff9893e345d627b5fc795fb19c3db62ad7

memory/3024-84-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3024-85-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2592-86-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3024-95-0x0000000000400000-0x0000000000431000-memory.dmp

\??\PIPE\atsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 04:54

Reported

2024-06-01 04:57

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8e42cb9b7103cc017ea7857949439e40_NeikiAnalytics.exe"

Signatures

Detects BazaLoader malware

trojan
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\svchost.exe | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\svchost.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\svchost.exe | N/A
File opened for modification | C:\Windows\system\udsys.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\8e42cb9b7103cc017ea7857949439e40_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8e42cb9b7103cc017ea7857949439e40_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8e42cb9b7103cc017ea7857949439e40_NeikiAnalytics.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 384 wrote to memory of 1112 | N/A | C:\Users\Admin\AppData\Local\Temp\8e42cb9b7103cc017ea7857949439e40_NeikiAnalytics.exe | \??\c:\windows\system\explorer.exe
PID 384 wrote to memory of 1112 | N/A | C:\Users\Admin\AppData\Local\Temp\8e42cb9b7103cc017ea7857949439e40_NeikiAnalytics.exe | \??\c:\windows\system\explorer.exe
PID 384 wrote to memory of 1112 | N/A | C:\Users\Admin\AppData\Local\Temp\8e42cb9b7103cc017ea7857949439e40_NeikiAnalytics.exe | \??\c:\windows\system\explorer.exe
PID 1112 wrote to memory of 4784 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 1112 wrote to memory of 4784 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 1112 wrote to memory of 4784 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 4784 wrote to memory of 2940 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 4784 wrote to memory of 2940 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 4784 wrote to memory of 2940 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 2940 wrote to memory of 1884 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2940 wrote to memory of 1884 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2940 wrote to memory of 1884 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2940 wrote to memory of 2836 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2940 wrote to memory of 2836 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2940 wrote to memory of 2836 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2940 wrote to memory of 2912 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2940 wrote to memory of 2912 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2940 wrote to memory of 2912 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2940 wrote to memory of 2000 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2940 wrote to memory of 2000 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2940 wrote to memory of 2000 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8e42cb9b7103cc017ea7857949439e40_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8e42cb9b7103cc017ea7857949439e40_NeikiAnalytics.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 04:56 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 04:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 04:58 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
NL | 23.62.61.194:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 59.189.79.40.in-addr.arpa | udp

Files

memory/384-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/384-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/384-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/384-2-0x0000000074DA0000-0x0000000074EFD000-memory.dmp

memory/384-5-0x0000000000401000-0x000000000042E000-memory.dmp

\??\c:\windows\system\explorer.exe

MD5 41d00b8387e46aaa29f832573c82364c
SHA1 e4365fa251256c9f804efd7905ed15107db7354c
SHA256 64f2f1741b40481904054c4c9b8668a2a7e78e1a6fc0941591c4a0fd14b608cc
SHA512 ff1355891dc370d02bd91b798e08fe637edcb9e97a8caeb2147994dd654dbe0f4045d47a94325f93d8878acc88e1b314b1232e6491ce731978d34642a00f2d0f

memory/1112-13-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1112-14-0x0000000074DA0000-0x0000000074EFD000-memory.dmp

memory/1112-16-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 e87f2fc8b2f5657f776bfb2f0b6c23eb
SHA1 726eb0d9ba460d001886d3e61cb844a74a755e1e
SHA256 f1001d2585d91fbd4026fbaa32dda8972e65a12555ed35bf596349eea428a6cd
SHA512 9756622b66d5bff7e3c8d349e79cbcf6cff82fcaf83fef5d73bc0af9748dccedbd06d23ccded3f2c557f2f454609ea6326418414da63257449676e2db1c8fa22

memory/4784-25-0x0000000074DA0000-0x0000000074EFD000-memory.dmp

memory/4784-30-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\System\svchost.exe

MD5 b5ac590688a4b9c9e0e70b4d80b82e60
SHA1 40814b0ffa1f34b69ddb435116d8de6de98cf0f4
SHA256 22e996000565715f48c3aa627a45aa02420eeb089304dd3318ec443a4414b029
SHA512 7600d8a112a5837b50ce11b43e45440d6d53a0e437120855916fd9d75745920f2267c89c096c25650510ba94f15a053b8a1272897e03fb153509b906378cb081

memory/2940-36-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2940-37-0x0000000074DA0000-0x0000000074EFD000-memory.dmp

memory/384-43-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/1884-44-0x0000000074DA0000-0x0000000074EFD000-memory.dmp

memory/1884-52-0x0000000000400000-0x0000000000431000-memory.dmp

memory/384-55-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4784-54-0x0000000000400000-0x0000000000431000-memory.dmp

memory/384-56-0x0000000000401000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 1c3fdd06b09932e8464880aa9cfe04be
SHA1 f64683bce522035727b1206e9d1145f78c756483
SHA256 1b9ac27dd9d101659eeaf04c608c440a30b1445e3d5d202df32476f476513ab3
SHA512 ef5de82ba4d0ff655f9155b827b23335c4b0df0c2c96eaadbcbde086a9a6c8f2bfd64a490a944c556a3a6c7bf608f1ec668a8888c3580f27b9b927ad76c8d61c

memory/1112-58-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2940-60-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1112-69-0x0000000000400000-0x0000000000431000-memory.dmp