Analysis
max time kernel: 150s
max time network: 126s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 02/06/2024, 01:03
Static task: static1
Behavioral task: behavioral1
  Sample: 189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe
  Resource: win10v2004-20240226-en
General
Target: 189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe
Size: 135KB
MD5: 189bb10a9d08aec81b7dad43fb017370
SHA1: fc1a2a99fa80b621a87d86915e2352a0c690e30c
SHA256: 83a9cf4bc1e1744b3c2bf95577d27932a90befcbc046057797d176047dd34b36
SHA512: 86824ecb259d3a06606d5acbf78d42399a08994fdb78cb9293bc13c817d62376166a1b416494902e9328a5b21e07c9a47712ed41da24e7af5a1eab2cc820288c
SSDEEP: 1536:XfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbgy+0xI:XVqoCl/YgjxEufVU0TbTyDDalm2I
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
ShowSuperHidden = 0 tells Explorer not to display files flagged as hidden/system ("protected operating system files"), so anything the sample marks that way stays out of sight in the shell.
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Executes dropped EXE 4 IoCs
pid | Process
2700 | explorer.exe
2548 | spoolsv.exe
2688 | svchost.exe
2656 | spoolsv.exe
Loads dropped DLL 4 IoCs
pid | Process
2492 | 189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe
2700 | explorer.exe
2548 | spoolsv.exe
2688 | svchost.exe
Adds Run key to start application 2 TTPs 4 IoCs
The values land under the Wow6432Node RunOnce key (the dropped binaries run as 32-bit processes on this x64 image). Windows deletes a RunOnce value after it has been executed, and both explorer.exe and svchost.exe write the same pair, so the entries are re-created on every run.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
Drops file in System32 directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | \??\c:\windows\resources\themes\explorer.exe | 189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe
File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2712 | schtasks.exe
1032 | schtasks.exe
2176 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | entries
2492 | 189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe | 17
2700 | explorer.exe | 24
2688 | svchost.exe | 23
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
2700 | explorer.exe
2688 | svchost.exe
Suspicious use of SetWindowsHookEx 10 IoCs
pid | Process | entries
2492 | 189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe | 2
2700 | explorer.exe | 2
2548 | spoolsv.exe | 2
2688 | svchost.exe | 2
2656 | spoolsv.exe | 2
Suspicious use of WriteProcessMemory 32 IoCs
description | pid | Process | procid_target | entries
PID 2492 wrote to memory of 2700 | 2492 | 189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe | 28 | 4
PID 2700 wrote to memory of 2548 | 2700 | explorer.exe | 29 | 4
PID 2548 wrote to memory of 2688 | 2548 | spoolsv.exe | 30 | 4
PID 2688 wrote to memory of 2656 | 2688 | svchost.exe | 31 | 4
PID 2700 wrote to memory of 2576 | 2700 | explorer.exe | 32 | 4
PID 2688 wrote to memory of 2712 | 2688 | svchost.exe | 33 | 4
PID 2688 wrote to memory of 1032 | 2688 | svchost.exe | 38 | 4
PID 2688 wrote to memory of 2176 | 2688 | svchost.exe | 40 | 4
Processes
C:\Users\Admin\AppData\Local\Temp\189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe [depth 1]
  command line: "C:\Users\Admin\AppData\Local\Temp\189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe"
  PID: 2492
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  \??\c:\windows\resources\themes\explorer.exe [depth 2]
    command line: c:\windows\resources\themes\explorer.exe
    PID: 2700
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    \??\c:\windows\resources\spoolsv.exe [depth 3]
      command line: c:\windows\resources\spoolsv.exe SE
      PID: 2548
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      \??\c:\windows\resources\svchost.exe [depth 4]
        command line: c:\windows\resources\svchost.exe
        PID: 2688
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\resources\spoolsv.exe [depth 5]
          command line: c:\windows\resources\spoolsv.exe PR
          PID: 2656
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\schtasks.exe [depth 5]
          command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:05 /f
          PID: 2712
          - Creates scheduled task(s)

        C:\Windows\SysWOW64\schtasks.exe [depth 5]
          command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:06 /f
          PID: 1032
          - Creates scheduled task(s)

        C:\Windows\SysWOW64\schtasks.exe [depth 5]
          command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:07 /f
          PID: 2176
          - Creates scheduled task(s)

    C:\Windows\Explorer.exe [depth 3]
      command line: C:\Windows\Explorer.exe
      PID: 2576
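Every persistence artifact in this report reuses the name of a Windows system binary (svchost, explorer, spoolsv) while the image actually lives under c:\windows\resources. The following Python is an added example, not part of the sandbox report or of the sample: it parses schtasks /create command lines and RunOnce values of the form shown above and flags any task or autorun whose image name matches a system binary but whose directory is not one of the expected locations. The SYSTEM_BINARIES and LEGIT_DIRS lists, the benign control entries and all function names are assumptions made for the example; the malicious sample lines are copied from the process tree and the RunOnce table (with the registry's doubled backslashes collapsed).

```python
import ntpath
import re

# Assumed list for this example: image names that belong under %SystemRoot%,
# System32 or SysWOW64, seeded with the three names reused by this sample.
SYSTEM_BINARIES = {"svchost.exe", "explorer.exe", "spoolsv.exe", "lsass.exe", "csrss.exe"}
# Assumed set of directories where those names are expected (lower-case, no trailing slash).
LEGIT_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}

# One schtasks /switch with an optional quoted or unquoted value.
_SWITCH = re.compile(r'/(?P<key>[a-z]+)(?:\s+(?:"(?P<q>[^"]*)"|(?P<u>[^\s/]\S*)))?', re.I)


def parse_schtasks(cmdline: str) -> dict:
    """Map each /switch of a schtasks command line to its value ('' for bare flags like /f)."""
    out = {}
    for m in _SWITCH.finditer(cmdline):
        value = m.group("q") if m.group("q") is not None else (m.group("u") or "")
        out[m.group("key").lower()] = value
    return out


def split_command(value: str) -> tuple:
    """Split a task action or autorun value into (image path, arguments).

    A quoted image ends at the closing quote. For an unquoted image containing
    spaces, Windows tries progressively longer prefixes until a file exists;
    offline we approximate that by taking the first prefix that ends in .exe.
    """
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        if end == -1:
            return value.strip('"'), ""
        return value[1:end], value[end + 1:].strip()
    parts = value.split(" ")
    for i in range(1, len(parts) + 1):
        candidate = " ".join(parts[:i])
        if candidate.lower().endswith(".exe"):
            return candidate, " ".join(parts[i:])
    return parts[0], " ".join(parts[1:])


def is_masquerading(image: str) -> bool:
    """True when the image reuses a system binary name from a non-system directory."""
    norm = image.replace("/", "\\").lower()
    return ntpath.basename(norm) in SYSTEM_BINARIES and ntpath.dirname(norm) not in LEGIT_DIRS


def triage(schtasks_cmdlines, autorun_values):
    """Return (source, name, image) for every masquerading task or autorun entry."""
    hits = []
    for cmd in schtasks_cmdlines:
        sw = parse_schtasks(cmd)
        if "create" in sw and "tr" in sw:
            image, _args = split_command(sw["tr"])
            if is_masquerading(image):
                hits.append(("schtasks", sw.get("tn", ""), image))
    for name, value in autorun_values:
        image, _args = split_command(value)
        if is_masquerading(image):
            hits.append(("runonce", name, image))
    return hits


# The three schtasks command lines from the process tree, plus one constructed
# benign control (same task name, genuine System32 image).
SAMPLE_SCHTASKS = [
    r'schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:05 /f',
    r'schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:06 /f',
    r'schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:07 /f',
    r'schtasks /create /tn "svchost" /tr "C:\Windows\System32\svchost.exe -k netsvcs" /sc onlogon',
]
# The two RunOnce values from the signature table, plus one constructed benign
# entry with an unquoted path containing a space.
SAMPLE_RUNONCE = [
    ("Explorer", r"c:\windows\resources\themes\explorer.exe RO"),
    ("Svchost", r"c:\windows\resources\svchost.exe RO"),
    ("Updater", r"C:\Program Files\Vendor\updater.exe /quiet"),
]

if __name__ == "__main__":
    for source, name, image in triage(SAMPLE_SCHTASKS, SAMPLE_RUNONCE):
        print(f"{source:9} {name:10} -> {image}")
```

Run as-is, triage returns five hits: the three daily "svchost" tasks and the Explorer/Svchost RunOnce values, while the System32 control and the Program Files updater pass. The name-versus-directory check does not cover the other trick visible in this report, the copy of explorer.exe written into C:\Windows\SysWOW64 (see "Drops file in System32 directory"): a file in the expected location needs a hash or Authenticode comparison against the known-good binary instead.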
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Downloads
Filesize: 135KB
MD5: df9c902b66eee3069ee20fe85da6e148
SHA1: 5bea6d26811c3a9680fc929c6bb52ad73b8c4c42
SHA256: 1125e12a89a127e1022e85bd4550302ff8f1ff28517598ea6400e8512b06943c
SHA512: 46f7fb0235a90d6372fb3475806132887cd3b9ff9a278fd5cbcf493ac585455181b2388c07a86fd0bd388cc2b4b001f3b1f8ad900e06df1b8ccd59901e334f72

Filesize: 135KB
MD5: 339cba64279282af1dd3ad72bffffa7c
SHA1: 2faa8976cb86e2f54f2b09326e20d19269933dc9
SHA256: 416172f0cb72898af2404b2af83efad3c1896177d4f804dcab1fe46671dd35ee
SHA512: f1a62300de8db115514c0a2aa544bff9e6969b420905adececeeb909d2b30fb6b480cf9902d15276796aa6b8a92be54e19ea0c80325e2c4b51e03741e7fc40fd

Filesize: 135KB
MD5: f7eabc23ec96c64751a617dac875592c
SHA1: 0b10d2a33df4b5722810fec72bac113747f3015f
SHA256: ccdc1192d436e7e4293fc250d9188adfebb744c597d011e239ba51f091d976d8
SHA512: 444c97f4ea578a36b6ffaee23fa5ecaeb5b49be3d55b59bf2885a50422d4a7ca8b463d373a4238f332fcd2c294a204dcae83ed82e73ba73973c7010f3c796e66