Analysis
max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted
02/06/2024, 01:02
Behavioral task
behavioral1
Sample
1880a56c2c4c6b49744019f909c24090_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
1880a56c2c4c6b49744019f909c24090_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
Target
1880a56c2c4c6b49744019f909c24090_NeikiAnalytics.exe
Size
71KB
MD5
1880a56c2c4c6b49744019f909c24090
SHA1
301682d45a7253697d0522830a7c24bdd1c07973
SHA256
210928547fea895545d44f56da985c6257c30fd5f520aee3a86cd15e31ab1885
SHA512
4f86f08058195f6b08c7b5a99bb58170e2586ce8c778726f7d0b820c15315152445009480f6378379e3e94aa497f97941ff2ca2eaba7028c35303d963454e33b
SSDEEP
768:EXKeT2Si83nLt8tkGX8uxOHgRrW5YLKG9Y/HrSNm0kmG7xMsVAnc3yy85SBiLFMv:EFrmh0HgB3LKrL9AcnQFMc9zwR6i+BO
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Note: the Winlogon Shell value is a comma-separated list and Winlogon launches every entry at logon, so the real C:\Windows\explorer.exe still starts and the dropped c:\windows\system\explorer.exe is launched alongside it without any visible change for the user. The write landed in the WOW6432Node view because the writer is a 32-bit process; the 64-bit winlogon.exe on this image reads the native key, so whether this entry actually fires on x64 should be verified on a live host rather than assumed from the write alone.
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Note: ShowSuperHidden = 0 is the Windows default ("hide protected operating system files"). The sample reasserts it, which undoes the setting for any user who had turned it on, so files carrying the hidden and system attributes stay invisible in Explorer. On its own the value is a weak indicator; the point is that two non-settings processes wrote it.
Modifies Installed Components in the registry 2 TTPs 8 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Note: Active Setup runs a component's StubPath once per user at logon, for every user that does not yet have the component recorded under HKCU, which makes it a persistence point that survives a single-user cleanup. Both component names contain characters that cannot occur in a GUID (Y, OTRW, U5GH, VMVQ, NUFL), so a hunt for Installed Components subkeys that fail a GUID format check is cheap and specific to this kind of entry. The StubPath target C:\Users\Admin\AppData\Roaming\mrsys.exe lies outside the Windows directory, so its creation would not appear under "Drops file in Windows directory" below; check that location directly on a live host. The delete/recreate sequence by svchost.exe is the second stage refreshing the same keys with the same StubPath.
Executes dropped EXE 4 IoCs
pid | Process
2124 | explorer.exe
60 | spoolsv.exe
4992 | svchost.exe
3568 | spoolsv.exe
yara_rule matches: upx 12 IoCs
resource | yara_rule
behavioral2/memory/5108-0-0x0000000000400000-0x0000000000435000-memory.dmp | upx
behavioral2/files/0x000a00000002341e-7.dat | upx
behavioral2/files/0x000800000002342b-13.dat | upx
behavioral2/memory/60-17-0x0000000000400000-0x0000000000435000-memory.dmp | upx
behavioral2/files/0x000800000002342d-24.dat | upx
behavioral2/memory/3568-34-0x0000000000400000-0x0000000000435000-memory.dmp | upx
behavioral2/memory/60-38-0x0000000000400000-0x0000000000435000-memory.dmp | upx
behavioral2/memory/5108-40-0x0000000000400000-0x0000000000435000-memory.dmp | upx
behavioral2/files/0x000900000002342c-41.dat | upx
behavioral2/memory/2124-42-0x0000000000400000-0x0000000000435000-memory.dmp | upx
behavioral2/memory/4992-43-0x0000000000400000-0x0000000000435000-memory.dmp | upx
behavioral2/memory/2124-52-0x0000000000400000-0x0000000000435000-memory.dmp | upx
Note: the UPX rule hits on the original sample, on every dropped file, and on the 0x400000-0x435000 image of every running stage (PIDs 5108, 2124, 60, 4992, 3568), so all stages are the same UPX-packed binary rather than distinct components. If the UPX header is stock, `upx -d` recovers the original for static analysis; if it has been tampered with, dump that memory region from a running stage instead.
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Note: RunOnce values are deleted by Windows after they run, so each stage rewrites them; the value names (Explorer, Svchost) mimic the legitimate binaries whose names the dropped copies carry, and the "RO" argument marks the stage as having been started from RunOnce, like the SE, PR and MR arguments elsewhere in this report.
Drops file in Windows directory 6 IoCs
description | ioc | Process
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
File opened for modification | \??\c:\windows\system\explorer.exe | 1880a56c2c4c6b49744019f909c24090_NeikiAnalytics.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
Note: every drop goes to c:\windows\system, the legacy System directory, under the name of a real Windows binary that lives in C:\Windows (explorer.exe) or System32 (svchost.exe, spoolsv.exe); the full path, not the file name, is what distinguishes them. udsys.exe is written but never appears in the process tree. Writing under C:\Windows requires elevation, which the sandbox session (user Admin) evidently had; as a standard user this stage fails and the chain stops here.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process (64 entries, collapsed: 2 for 5108, then 6 for 2124 and 4 for 4992, then alternating pairs of 2124 and 4992)
5108 | 1880a56c2c4c6b49744019f909c24090_NeikiAnalytics.exe (×2)
2124 | explorer.exe (×32)
4992 | svchost.exe (×30)
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
2124 | explorer.exe
4992 | svchost.exe
Suspicious use of SetWindowsHookEx 12 IoCs
pid | Process
5108 | 1880a56c2c4c6b49744019f909c24090_NeikiAnalytics.exe (×2)
2124 | explorer.exe (×2)
60 | spoolsv.exe (×2)
4992 | svchost.exe (×2)
3568 | spoolsv.exe (×2)
2124 | explorer.exe (×2)
Note: the combination of SetWindowsHookEx in every stage and repeated GetForegroundWindow polling in the two long-lived stages is the pattern of keystroke and active-window capture, but the report does not show the hook type; confirm it (WH_KEYBOARD_LL or WH_KEYBOARD versus a benign message hook) in the API trace before calling it a keylogger.
Suspicious use of WriteProcessMemory 21 IoCs
description | pid | Process | procid_target (each pair is recorded three times in the original list)
PID 5108 wrote to memory of 2124 | 5108 | 1880a56c2c4c6b49744019f909c24090_NeikiAnalytics.exe | 83
PID 2124 wrote to memory of 60 | 2124 | explorer.exe | 84
PID 60 wrote to memory of 4992 | 60 | spoolsv.exe | 85
PID 4992 wrote to memory of 3568 | 4992 | svchost.exe | 86
PID 4992 wrote to memory of 2084 | 4992 | svchost.exe | 87
PID 4992 wrote to memory of 4852 | 4992 | svchost.exe | 102
PID 4992 wrote to memory of 3676 | 4992 | svchost.exe | 109
Note: every target is the writer's own freshly created child from the process tree (2084, 4852 and 3676 are the three at.exe instances). No write into a pre-existing process is recorded, so this signature is not evidence of injection into system processes here.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\1880a56c2c4c6b49744019f909c24090_NeikiAnalytics.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\1880a56c2c4c6b49744019f909c24090_NeikiAnalytics.exe"
    PID: 5108
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] \??\c:\windows\system\explorer.exe
      command line: c:\windows\system\explorer.exe
      PID: 2124
      - Modifies WinLogon for persistence
      - Modifies visibility of hidden/system files in Explorer
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] \??\c:\windows\system\spoolsv.exe
        command line: c:\windows\system\spoolsv.exe SE
        PID: 60
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [4] \??\c:\windows\system\svchost.exe
          command line: c:\windows\system\svchost.exe
          PID: 4992
          - Modifies WinLogon for persistence
          - Modifies visibility of hidden/system files in Explorer
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
        [5] \??\c:\windows\system\spoolsv.exe
            command line: c:\windows\system\spoolsv.exe PR
            PID: 3568
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [5] C:\Windows\SysWOW64\at.exe
            command line: at 01:04 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            PID: 2084
        [5] C:\Windows\SysWOW64\at.exe
            command line: at 01:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            PID: 4852
        [5] C:\Windows\SysWOW64\at.exe
            command line: at 01:06 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            PID: 3676
Notes on the tree: each stage is a copy of the same packed binary dropped into c:\windows\system under the name of a legitimate Windows binary, and the single-token argument (SE, PR, RO, MR, or none) selects the role the copy plays. The three at.exe calls attempt to register a job that runs the dropped svchost.exe every day of the week, one minute apart (01:04, 01:05, 01:06, shortly after the 01:02 submission), with /interactive so it runs in the logged-on user's session. at.exe is launched from SysWOW64 because the parent is 32-bit. Caveat: on Windows 8 and later at.exe no longer creates jobs and instead prints a deprecation message pointing at schtasks.exe, so on this Windows 10 image the scheduled-job persistence most likely did not take; the report records the launches, not their result, and the Windows 7 task (behavioral1) is where this path would succeed.
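The following Python is an added example and is not part of the sandbox report or of any tool it refers to. It takes the "Set value" registry rows from the signatures above and one at.exe command line from the process tree exactly as they appear, adds two constructed benign rows as controls, and applies the checks a hunter would run over registry and process telemetry: a chained Winlogon Shell value, an Active Setup component name that is not a valid GUID, an autostart target in a user-writable location or a system-binary name outside its canonical directory, a recurring interactive at job, and a ShowSuperHidden reset. The canonical-directory table and the user-writable path list are my assumptions about the Windows layout, not data from the report.

```python
"""Detection checks over the registry and command-line IoCs in this report (added example)."""
import re

# Rows copied verbatim from the report's signature tables ("Set value (type) path = "value" process").
REPORT_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" explorer.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" explorer.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" svchost.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe',
]
# at.exe command line copied from the process tree.
AT_COMMAND = r"at 01:04 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe"
# Constructed benign control rows (not from the report): a stock Winlogon shell and a well-formed Active Setup entry.
BENIGN_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe" explorer.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4340}\StubPath = "C:\\Windows\\system32\\regsvr32.exe /s /n /i:U shell32.dll" msiexec.exe',
]

ROW_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "(.*)" (\S+)$')
GUID_RE = re.compile(r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$", re.I)
# Assumption (Windows layout, not from the report): where these binaries legitimately live.
CANONICAL_DIRS = {
    "explorer.exe": {r"c:\windows"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
}
# Assumption: path fragments that a standard user can write to.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")


def parse_row(row):
    """Split one report row into value type, key path, value (report's doubled backslashes unescaped) and writer."""
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised row: {row}")
    vtype, path, value, proc = m.groups()
    return {"type": vtype, "path": path, "value": value.replace("\\\\", "\\"), "process": proc}


def exe_target(value):
    """First executable in a command-line style value, lower-cased; trailing arguments such as MR or RO are dropped."""
    m = re.match(r'^"?(.*?\.exe)', value, re.I)
    return (m.group(1) if m else value).lower()


def check_target(target):
    """Findings for an autostart target path: impersonated system binary or user-writable location."""
    findings = []
    directory, _, name = target.rpartition("\\")
    if name in CANONICAL_DIRS and directory not in CANONICAL_DIRS[name]:
        findings.append(f"masquerading: {name} outside {sorted(CANONICAL_DIRS[name])}: {target}")
    if any(tok in target for tok in USER_WRITABLE):
        findings.append(f"autostart target in user-writable path: {target}")
    return findings


def check_row(row):
    """Apply every registry check that applies to this row's key; an empty list means clean."""
    r = parse_row(row)
    path_l = r["path"].lower()
    findings = []
    if path_l.endswith(r"\winlogon\shell"):
        # Winlogon launches every comma-separated entry; anything beyond explorer.exe is a chained payload.
        entries = [e.strip().lower() for e in r["value"].split(",")]
        extra = [e for e in entries if e not in ("explorer.exe", r"c:\windows\explorer.exe")]
        if len(entries) > 1 or extra:
            findings.append(f"winlogon shell chained: {extra}")
            for e in extra:
                findings += check_target(e)
    if "\\active setup\\installed components\\" in path_l:
        parts = r["path"].split("\\")
        component = parts[-2] if path_l.endswith(r"\stubpath") else parts[-1]
        if not GUID_RE.match(component):
            findings.append(f"active setup component is not a GUID: {component}")
    if path_l.endswith(r"\stubpath") or "\\currentversion\\run" in path_l:
        findings += check_target(exe_target(r["value"]))
    if path_l.endswith(r"\explorer\advanced\showsuperhidden") and r["value"] == "0":
        # 0 is the Windows default, so a weak signal alone; the writer being a non-settings process is the point.
        findings.append(f"{r['process']} reasserted ShowSuperHidden=0 (protected OS files stay hidden)")
    return findings


def check_at_command(cmdline):
    """Flag a recurring interactive at.exe job and inspect the binary it schedules."""
    m = re.match(r"^at\s+(\d{2}:\d{2})\s+(.*?)\s+(\S+)$", cmdline.strip(), re.I)
    if not m:
        return []
    when, flags, target = m.groups()
    findings = []
    if "/interactive" in flags.lower() and "/every:" in flags.lower():
        findings.append(f"at.exe recurring interactive job at {when}: {target}")
    return findings + check_target(target.lower())


def scan(rows=REPORT_ROWS, at_commands=(AT_COMMAND,)):
    """Map each input line to its findings."""
    out = {row: check_row(row) for row in rows}
    out.update({c: check_at_command(c) for c in at_commands})
    return out


if __name__ == "__main__":
    for line, findings in scan(REPORT_ROWS + BENIGN_ROWS).items():
        print("FLAG " if findings else "clean", line[:70])
        for f in findings:
            print("      ", f)
```

The same checks translate directly to a registry-event or Sysmon (EventID 13) pipeline: the row format here is only the report's rendering of key path, value and writing process, which is what those sources also give you.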
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Note: this mapping covers only the RunOnce and Winlogon Shell writes. The Active Setup StubPath writes (Boot or Logon Autostart Execution: Active Setup, T1547.014), the at.exe jobs (Scheduled Task/Job: At, T1053.002) and the system-binary names placed in c:\windows\system (Masquerading: Match Legitimate Name or Location, T1036.005) are all present in the signatures and process tree above but not reflected here.
Downloads
Filesize
71KB
MD5
fff9e1d054a021d383386ef496e27b32
SHA1
94154adea58441fd2789ca7d94bd8bb7633fcc7b
SHA256
a31a90537c1a3f810a0dce7215209b0362664db3156fba7af0d3de66e5ab79ee
SHA512
ab31c91cc811e6010174e8cdb514cf9f414252b090eeafbc2cac2deed531b5e89ece45b6c986dbc6e944a1ea2f473f1304821cb90c77a70019647c173e588a91
Filesize
71KB
MD5
d716849f5e9087e33bd31ef6ebafe0d9
SHA1
e33070988c9ffb9f9d9e071b10f31cd2497457d1
SHA256
f1de4fade9e097605db961f2c36c0f444ef4942e4c143582dfdb9d8668f6060d
SHA512
15b5ab20f33a684bff897e77bfd5f421d5f488a972df7fee21ff74761785e83a00bd2ee60af114f61bc025318e8f4878f1dff8d36b6e7cc6c1c9f06d1d51b1de
Filesize
71KB
MD5
9dfadb7cb7065c94b2dda8982268c693
SHA1
b3540bd25e62dc7038ef0dc418c410177f442372
SHA256
e69f47bb55f435d5742109e74c04a7f5604d112e3cca6ea2828544e38a963d4a
SHA512
0d3a171fe9ed2e73e6b8c88d8e5ae89b1b4431050b5b02c004cfa460a34f71653d5343b3af9613e3db9c60cf81198231b8a018083fbd0f046be1a3d118ed8918
Filesize
71KB
MD5
bc3c1875468d894f650dbc73a8097209
SHA1
72cb20e4eb577dc526e01c054c3a628cf538bc3a
SHA256
f36b7da620f76cea04867bdbcf47729b76e2e7254d574e81ed7d016a7a59555a
SHA512
59dd2b5b27037756ae4cc3369fe65978659064ac000022fe37b7c4be05d660b039fbea5cbe137c9bf523b4db6721d31ce25e2bb7c3b3e4d04249510d207e774b
Note: all four dropped files are 71KB, the same size as the submitted sample, yet none shares a hash with it or with each other, so each copy differs by at least a few bytes. Exact-hash IoCs therefore identify one copy on one host only; the file paths, registry values and non-GUID Active Setup names above are the durable indicators, and the SSDEEP value in General is the better basis for matching further copies.