Analysis
max time kernel: 150s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 02/06/2024, 01:02
Behavioral task: behavioral1
Sample: 1880a56c2c4c6b49744019f909c24090_NeikiAnalytics.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 1880a56c2c4c6b49744019f909c24090_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 1880a56c2c4c6b49744019f909c24090_NeikiAnalytics.exe
Size: 71KB
MD5: 1880a56c2c4c6b49744019f909c24090
SHA1: 301682d45a7253697d0522830a7c24bdd1c07973
SHA256: 210928547fea895545d44f56da985c6257c30fd5f520aee3a86cd15e31ab1885
SHA512: 4f86f08058195f6b08c7b5a99bb58170e2586ce8c778726f7d0b820c15315152445009480f6378379e3e94aa497f97941ff2ca2eaba7028c35303d963454e33b
SSDEEP: 768:EXKeT2Si83nLt8tkGX8uxOHgRrW5YLKG9Y/HrSNm0kmG7xMsVAnc3yy85SBiLFMv:EFrmh0HgB3LKrL9AcnQFMc9zwR6i+BO
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Modifies Installed Components in the registry 2 TTPs 8 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Executes dropped EXE 4 IoCs
pid | Process
2052 | explorer.exe
2516 | spoolsv.exe
2700 | svchost.exe
2524 | spoolsv.exe
Loads dropped DLL 8 IoCs
pid | Process
2492 | 1880a56c2c4c6b49744019f909c24090_NeikiAnalytics.exe (2 events)
2052 | explorer.exe (2 events)
2516 | spoolsv.exe (2 events)
2700 | svchost.exe (2 events)
UPX yara rule matches 15 IoCs
resource | yara_rule
behavioral1/memory/2492-0-0x0000000000400000-0x0000000000435000-memory.dmp | upx
behavioral1/files/0x002b000000014b6d-6.dat | upx
behavioral1/memory/2492-8-0x0000000002570000-0x00000000025A5000-memory.dmp | upx
behavioral1/memory/2052-15-0x0000000000400000-0x0000000000435000-memory.dmp | upx
behavioral1/files/0x0008000000015264-22.dat | upx
behavioral1/files/0x00080000000155d4-36.dat | upx
behavioral1/memory/2700-46-0x0000000000400000-0x0000000000435000-memory.dmp | upx
behavioral1/memory/2524-53-0x0000000000400000-0x0000000000435000-memory.dmp | upx
behavioral1/memory/2524-57-0x0000000000400000-0x0000000000435000-memory.dmp | upx
behavioral1/memory/2516-63-0x0000000000400000-0x0000000000435000-memory.dmp | upx
behavioral1/memory/2492-62-0x0000000000400000-0x0000000000435000-memory.dmp | upx
behavioral1/files/0x0015000000014c67-64.dat | upx
behavioral1/memory/2052-65-0x0000000000400000-0x0000000000435000-memory.dmp | upx
behavioral1/memory/2700-66-0x0000000000400000-0x0000000000435000-memory.dmp | upx
behavioral1/memory/2052-77-0x0000000000400000-0x0000000000435000-memory.dmp | upx
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Drops file in Windows directory 6 IoCs
description | ioc | Process
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
File opened for modification | \??\c:\windows\system\explorer.exe | 1880a56c2c4c6b49744019f909c24090_NeikiAnalytics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
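The registry writes listed above are the whole persistence story of this sample. The Winlogon Shell value, whose default data is the bare string explorer.exe, gets a second path appended so Winlogon launches the dropped copy alongside the real Explorer. The Active Setup StubPath entries point into the user's roaming profile, and their "GUIDs" contain letters such as Y, O, T, R and W, which a real hex-only CLSID cannot contain. The RunOnce values and the dropped binaries borrow system file names but live in c:\windows\system rather than C:\Windows or System32. ShowSuperHidden is set to 0 so the dropped files stay invisible in Explorer. The Python below is an added example, written for this page and not part of the report or of any sandbox product; it encodes those four observations as rules and runs them over event records constructed from the IoC tables above, plus one well-formed Active Setup entry as a benign control (the vendor path, GUID and msiexec.exe process in that record are made up for the test). The RegEvent record layout is an assumption of the example, not a format the report defines.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegEvent:
    """One registry operation as a sandbox records it (layout assumed for this example)."""
    op: str        # "set", "create" or "delete"
    path: str      # full key or value path
    value: str     # data written; empty for key create/delete
    process: str   # image name of the writing process


# Constructed from the IoC tables in this report, plus one benign control entry
# (made-up vendor path and a well-formed GUID) to show the rules do not fire on it.
SAMPLE_EVENTS = [
    RegEvent("set", r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell",
             r"C:\Windows\explorer.exe, c:\windows\system\explorer.exe", "explorer.exe"),
    RegEvent("set", r"\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
             "0", "explorer.exe"),
    RegEvent("set", r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath",
             r"C:\Users\Admin\AppData\Roaming\mrsys.exe MR", "svchost.exe"),
    RegEvent("set", r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer",
             r"c:\windows\system\explorer.exe RO", "explorer.exe"),
    RegEvent("set", r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost",
             r"c:\windows\system\svchost.exe RO", "svchost.exe"),
    RegEvent("set", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}\StubPath",
             r"C:\Program Files\Vendor\setup.exe /user", "msiexec.exe"),
]

# A real CLSID/GUID is hex only; the entries in this report use letters outside 0-9A-F.
GUID_RE = re.compile(r"\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}", re.I)
SYSTEM_NAMES = {"explorer.exe", "svchost.exe", "spoolsv.exe"}
# Directories Windows actually installs those binaries in.
LEGIT_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}


def first_exe(value):
    """Return (directory, filename), lower-cased, of the first .exe path in a value."""
    m = re.match(r'\s*"?([^",]+?\.exe)', value, re.I)
    if not m:
        return "", ""
    d, _, f = m.group(1).strip().lower().rpartition("\\")
    return d, f


def evaluate(events):
    """Run the four persistence rules; returns one (rule, path, process) tuple per hit."""
    hits = []
    for ev in events:
        key = ev.path.lower()
        if ev.op == "set" and key.endswith("\\winlogon\\shell"):
            # Default data is the bare string "explorer.exe"; anything more is a helper launch.
            if ev.value.strip().lower() != "explorer.exe":
                hits.append(("winlogon_shell_modified", ev.path, ev.process))
        elif key.endswith("\\explorer\\advanced\\showsuperhidden") and ev.value.strip() == "0":
            hits.append(("hide_protected_os_files", ev.path, ev.process))
        elif "\\active setup\\installed components\\" in key and key.endswith("\\stubpath"):
            guid_part = ev.path.rsplit("\\", 2)[-2]   # the {...} component before \StubPath
            stub_dir, _ = first_exe(ev.value)
            if not GUID_RE.fullmatch(guid_part):
                hits.append(("active_setup_malformed_guid", ev.path, ev.process))
            if "\\appdata\\" in stub_dir + "\\":
                hits.append(("active_setup_stub_in_user_profile", ev.path, ev.process))
        elif "\\currentversion\\runonce\\" in key or "\\currentversion\\run\\" in key:
            run_dir, exe = first_exe(ev.value)
            if exe in SYSTEM_NAMES and run_dir not in LEGIT_DIRS:
                hits.append(("run_key_system_name_outside_system_dirs", ev.path, ev.process))
    return hits


if __name__ == "__main__":
    for rule, path, proc in evaluate(SAMPLE_EVENTS):
        print(f"{rule:42} {proc:14} {path}")
```

Run on the constructed events it returns six hits, all from explorer.exe and svchost.exe, and nothing for the control entry. On a live host the same rules can be fed from a registry export or EDR telemetry; the Winlogon rule deliberately compares the whole value rather than searching for a substring, because the legitimate value is exactly explorer.exe and any appended path is the indicator.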
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2492 | 1880a56c2c4c6b49744019f909c24090_NeikiAnalytics.exe
2052 | explorer.exe (repeated)
2700 | svchost.exe (repeated)
(64 events in total, all from these three processes; the repeated pid list is collapsed here.)
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
2052 | explorer.exe
2700 | svchost.exe
Suspicious use of SetWindowsHookEx 12 IoCs
pid | Process
2492 | 1880a56c2c4c6b49744019f909c24090_NeikiAnalytics.exe (2 events)
2052 | explorer.exe (2 events)
2516 | spoolsv.exe (2 events)
2700 | svchost.exe (2 events)
2524 | spoolsv.exe (2 events)
2052 | explorer.exe (2 further events)
Suspicious use of WriteProcessMemory 28 IoCs
description | pid | Process | procid_target
PID 2492 wrote to memory of 2052 | 2492 | 1880a56c2c4c6b49744019f909c24090_NeikiAnalytics.exe | 28 (4 events)
PID 2052 wrote to memory of 2516 | 2052 | explorer.exe | 29 (4 events)
PID 2516 wrote to memory of 2700 | 2516 | spoolsv.exe | 30 (4 events)
PID 2700 wrote to memory of 2524 | 2700 | svchost.exe | 31 (4 events)
PID 2700 wrote to memory of 636 | 2700 | svchost.exe | 32 (4 events)
PID 2700 wrote to memory of 1920 | 2700 | svchost.exe | 36 (4 events)
PID 2700 wrote to memory of 2936 | 2700 | svchost.exe | 38 (4 events)
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\1880a56c2c4c6b49744019f909c24090_NeikiAnalytics.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1880a56c2c4c6b49744019f909c24090_NeikiAnalytics.exe"
  PID: 2492
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  (depth 2) \??\c:\windows\system\explorer.exe
    command line: c:\windows\system\explorer.exe
    PID: 2052
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    (depth 3) \??\c:\windows\system\spoolsv.exe
      command line: c:\windows\system\spoolsv.exe SE
      PID: 2516
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      (depth 4) \??\c:\windows\system\svchost.exe
        command line: c:\windows\system\svchost.exe
        PID: 2700
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        (depth 5) \??\c:\windows\system\spoolsv.exe
          command line: c:\windows\system\spoolsv.exe PR
          PID: 2524
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        (depth 5) C:\Windows\SysWOW64\at.exe
          command line: at 01:04 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 636
        (depth 5) C:\Windows\SysWOW64\at.exe
          command line: at 01:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 1920
        (depth 5) C:\Windows\SysWOW64\at.exe
          command line: at 01:06 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 2936
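The process chain above (sample, then explorer.exe, spoolsv.exe, svchost.exe and a second spoolsv.exe, every one of them a dropped binary in c:\windows\system) ends with three at.exe jobs that re-run the dropped svchost.exe at 01:04, 01:05 and 01:06 on every day of the week, starting two minutes after the 01:02 submission time. Note that the sandbox's ATT&CK mapping further down lists only the Run key and Winlogon techniques, so the scheduled jobs are easy to overlook. Below is an added example, written for this page and not taken from the report, that rebuilds the tree from (pid, parent pid, image, command line) records constructed from the Processes section, flags system-named images outside the directories Windows installs them in, and parses the at.exe command lines to flag daily jobs whose target is non-standard or whose parent is itself a masquerading process. The parent pid 0 for the sample and the extra real C:\Windows\explorer.exe control record (pid 1000) are assumptions for the test; the report states neither.

```python
import re

SYSTEM_NAMES = {"explorer.exe", "svchost.exe", "spoolsv.exe"}
# Directories Windows actually installs those binaries in.
LEGIT_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
ALL_DAYS = {"m", "t", "w", "th", "f", "s", "su"}   # at.exe /every: day abbreviations

# (pid, parent pid, image path, command line) constructed from the Processes section.
# Parent pid 0 for the sample and the real-Explorer control record (pid 1000) are assumed.
SAMPLE_PROCS = [
    (2492, 0, r"C:\Users\Admin\AppData\Local\Temp\1880a56c2c4c6b49744019f909c24090_NeikiAnalytics.exe", ""),
    (2052, 2492, r"c:\windows\system\explorer.exe", r"c:\windows\system\explorer.exe"),
    (2516, 2052, r"c:\windows\system\spoolsv.exe", r"c:\windows\system\spoolsv.exe SE"),
    (2700, 2516, r"c:\windows\system\svchost.exe", r"c:\windows\system\svchost.exe"),
    (2524, 2700, r"c:\windows\system\spoolsv.exe", r"c:\windows\system\spoolsv.exe PR"),
    (636, 2700, r"C:\Windows\SysWOW64\at.exe", r"at 01:04 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe"),
    (1920, 2700, r"C:\Windows\SysWOW64\at.exe", r"at 01:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe"),
    (2936, 2700, r"C:\Windows\SysWOW64\at.exe", r"at 01:06 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe"),
    (1000, 0, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
]

# at HH:MM [/interactive] [/every:days] command
AT_RE = re.compile(r"^at\s+(?P<time>\d{1,2}:\d{2})\s+(?P<opts>(?:/\S+\s+)*)(?P<target>\S.*)$", re.I)


def split_path(image):
    """Lower-cased (directory, filename) of a Win32 path."""
    d, _, f = image.strip().lower().rpartition("\\")
    return d, f


def is_masquerading(image):
    """A system-binary name living outside the directories Windows installs it in."""
    d, f = split_path(image)
    return f in SYSTEM_NAMES and d not in LEGIT_DIRS


def parse_at(cmdline):
    """Parse an at.exe command line into time, switches and the scheduled command, or None."""
    m = AT_RE.match(cmdline.strip())
    if not m:
        return None
    opts = m.group("opts").split()
    every = []
    for opt in opts:
        if opt.lower().startswith("/every:"):
            every = [d.strip().lower() for d in opt[len("/every:"):].split(",") if d.strip()]
    return {
        "time": m.group("time"),
        "interactive": any(o.lower() == "/interactive" for o in opts),
        "every": every,
        "target": m.group("target").strip(),
    }


def ancestry(by_pid, pid):
    """Image paths from a process up to the root, to show the drop chain behind a finding."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid][2])
        pid = by_pid[pid][1]
    return chain


def analyse(procs):
    """Return (finding, pid, detail) for masquerading images and suspicious at.exe jobs."""
    by_pid = {p[0]: p for p in procs}
    findings = []
    for pid, ppid, image, cmdline in procs:
        if is_masquerading(image):
            findings.append(("masquerading_image", pid, image))
        if split_path(image)[1] != "at.exe":
            continue
        job = parse_at(cmdline)
        if job is None:
            continue
        target_dir, _ = split_path(job["target"].split()[0])
        if set(job["every"]) >= ALL_DAYS and target_dir not in LEGIT_DIRS:
            findings.append(("at_daily_job_nonstandard_target", pid, job["target"]))
        parent = by_pid.get(ppid)
        if parent and is_masquerading(parent[2]):
            findings.append(("at_spawned_by_masquerading_parent", pid, " <- ".join(ancestry(by_pid, ppid))))
    return findings


if __name__ == "__main__":
    for finding, pid, detail in analyse(SAMPLE_PROCS):
        print(f"{finding:34} pid={pid:<5} {detail}")
```

On the constructed records this yields ten findings: the four dropped binaries as masquerading images and two findings per at.exe job, each carrying the full drop chain back to the sample. The control record for the real Explorer produces nothing. The same parser applies to process-creation telemetry (Sysmon event 1 or equivalent) where at.exe or schtasks.exe appears with a parent that is not an interactive shell.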
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Downloads
Filesize: 71KB
MD5: 9a1f3f21c882ffc14b745d882f721f42
SHA1: d9d60d0a208ddd28057847cad2f3d8f1f9329a48
SHA256: 36ac345fc2bc825d6f0981bd0132eedc769302c75590079a1eb1fd7aad259e32
SHA512: c3a35fe6189422462b61071faa2c14c7db989d1ac0038d69880d3a010e5071d0c6cf3e3818bb7abf80cd36f611a88bc6f8b57f5f00ff52015a8d1e6cf19bd48d

Filesize: 71KB
MD5: 5fb710527268e27becd8f88f87cefcef
SHA1: 8447f4f1ae94306167949c1ec768cb16b56c8a41
SHA256: 82ba18c94e5b830328d5cf54fdad9cd6851dabdf779f337cfbcec5082be68d4d
SHA512: ba01828bd5fb79eb19f29ef3b3fd44e7c0283f2cdb2d70185a7808e840597910cecd56018d6844f87a55742e7f2e00e1c7dc59fbf4abf9249332e8f76a06842e

Filesize: 71KB
MD5: d43737eb1eca03c1f7c5e80f87bd6fce
SHA1: 6b5c82d588cfac11442a82edde1f75a84f5c1076
SHA256: 57aa8c62fdb195dcbb56f38bfd455fb269958442881750bbf6e0db9564538b7b
SHA512: 0dfc8ff5024c2636a4229d6f79132741803fb3976012b31023355575315f81d51f6bf1fa2ed2ad2871d5ef59006cfb86d46e09fb164ee3499ec40c922ce1d559

Filesize: 71KB
MD5: 1def0049029a2a5371d98c71af82032f
SHA1: 25e3c00a2b8bb2071fe40b339626b3d8e6fc580e
SHA256: 59a084fb50b3fc175e41abf64619e49d73fcc2dd8fb1aa2faaadfc52eb616efc
SHA512: a4c8abccd6552efff0d73918f043c41bfe9546ed815d7d3955123558057a6fb22a79968095251ed5a109d4038bbcec78ccdcccfda6f65d201d3e606e95c48846