Analysis
  max time kernel: 154s
  max time network: 152s
  platform: windows10-2004_x64
  resource: win10v2004-20240226-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 02/06/2024, 01:03
Static task: static1

Behavioral task: behavioral1
  Sample: 189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe
  Resource: win10v2004-20240226-en
General
  Target: 189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe
  Size: 135KB
  MD5: 189bb10a9d08aec81b7dad43fb017370
  SHA1: fc1a2a99fa80b621a87d86915e2352a0c690e30c
  SHA256: 83a9cf4bc1e1744b3c2bf95577d27932a90befcbc046057797d176047dd34b36
  SHA512: 86824ecb259d3a06606d5acbf78d42399a08994fdb78cb9293bc13c817d62376166a1b416494902e9328a5b21e07c9a47712ed41da24e7af5a1eab2cc820288c
  SSDEEP: 1536:XfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbgy+0xI:XVqoCl/YgjxEufVU0TbTyDDalm2I
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
- Executes dropped EXE (4 IoCs)
  pid | Process
  2672 | explorer.exe
  3640 | spoolsv.exe
  4084 | svchost.exe
  3364 | spoolsv.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
- Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
  File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe
- Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File opened for modification | \??\c:\windows\resources\themes\explorer.exe | 189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe
  File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
  File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
  File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2184 | 189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe (repeated entries)
  2672 | explorer.exe (repeated entries)
  All 64 hits come from these two processes; the report lists the same pid/process pair once per enumeration.
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | Process
  2672 | explorer.exe
  4084 | svchost.exe
- Suspicious use of SetWindowsHookEx (10 IoCs)
  pid | Process
  2184 | 189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe
  2184 | 189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe
  2672 | explorer.exe
  2672 | explorer.exe
  3640 | spoolsv.exe
  3640 | spoolsv.exe
  4084 | svchost.exe
  4084 | svchost.exe
  3364 | spoolsv.exe
  3364 | spoolsv.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 2184 wrote to memory of 2672 | 2184 | 189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe | 91
  PID 2184 wrote to memory of 2672 | 2184 | 189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe | 91
  PID 2184 wrote to memory of 2672 | 2184 | 189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe | 91
  PID 2672 wrote to memory of 3640 | 2672 | explorer.exe | 92
  PID 2672 wrote to memory of 3640 | 2672 | explorer.exe | 92
  PID 2672 wrote to memory of 3640 | 2672 | explorer.exe | 92
  PID 3640 wrote to memory of 4084 | 3640 | spoolsv.exe | 93
  PID 3640 wrote to memory of 4084 | 3640 | spoolsv.exe | 93
  PID 3640 wrote to memory of 4084 | 3640 | spoolsv.exe | 93
  PID 4084 wrote to memory of 3364 | 4084 | svchost.exe | 94
  PID 4084 wrote to memory of 3364 | 4084 | svchost.exe | 94
  PID 4084 wrote to memory of 3364 | 4084 | svchost.exe | 94
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe (PID 2184)
      Command line: "C:\Users\Admin\AppData\Local\Temp\189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe"
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      [2] \??\c:\windows\resources\themes\explorer.exe (PID 2672)
          Command line: c:\windows\resources\themes\explorer.exe
          - Modifies visibility of hidden/system files in Explorer
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in System32 directory
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          [3] \??\c:\windows\resources\spoolsv.exe (PID 3640)
              Command line: c:\windows\resources\spoolsv.exe SE
              - Executes dropped EXE
              - Drops file in Windows directory
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
              [4] \??\c:\windows\resources\svchost.exe (PID 4084)
                  Command line: c:\windows\resources\svchost.exe
                  - Modifies visibility of hidden/system files in Explorer
                  - Executes dropped EXE
                  - Adds Run key to start application
                  - Drops file in System32 directory
                  - Suspicious behavior: GetForegroundWindowSpam
                  - Suspicious use of SetWindowsHookEx
                  - Suspicious use of WriteProcessMemory
                  [5] \??\c:\windows\resources\spoolsv.exe (PID 3364)
                      Command line: c:\windows\resources\spoolsv.exe PR
                      - Executes dropped EXE
                      - Suspicious use of SetWindowsHookEx

  [1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3752)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4056 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
  - Filesize: 135KB
    MD5: 4a4d227abd2c2a2c9af3d142fab9f682
    SHA1: 54854d21261cb570dc06bcfb470e3114a9c3da95
    SHA256: 437ab718b194fb70676f02016ab72edcb3f782d89e2a8a9fc4abc8c27112aed6
    SHA512: ee96bcf2077f20ff9e251999f1b0e73b90ad0e298806346dbd6a9a442a120b631db4be0780e53d0bc10a3f02009bf47451c3c9561733bfe6d6ae64593932bc11
  - Filesize: 135KB
    MD5: c656eb4c127146c51d0184c488714b5b
    SHA1: db2f25fb002fde9c94a80004979d59296cd86522
    SHA256: 3f71c53bbb3dea8a5220b7eeba9ad04812cf142e7379c47a3ccbe2d77118a8e8
    SHA512: 57384ffa5bbe21da72622378c624eefc1f6c8fde69b4706d9da07d81c7197bad3ee4ccd1e0b414597d92f3f3aee3b5d7718e3c6ecea90dae1ca665a8155ee72d
  - Filesize: 135KB
    MD5: f717112ad1b8f699797d64d301fd8f99
    SHA1: 5f1b281d66f0ff3c76d14218c10773e6e0e3ce6a
    SHA256: 8f6f5078e0e7fe9178cc767db2eb83fde0e71e56774f19c0aeb1b0143b38b540
    SHA512: a3a5e1c2d16f8be7559a4ffb52ba9176330979e02e2ad04a483184d6432787b32667b6a0f9cf9fc7c6f5ffbbb558ffa4b48841b5b30c40ed595fbe449fd7a227