Analysis Overview
SHA256
83a9cf4bc1e1744b3c2bf95577d27932a90befcbc046057797d176047dd34b36
Threat Level: Known bad
The file 189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Modifies visiblity of hidden/system files in Explorer
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Drops file in System32 directory
Drops file in Windows directory
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-02 01:03
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-02 01:03
Reported
2024-06-02 01:05
Platform
win7-20240221-en
Max time kernel
150s
Max time network
126s
Command Line
Signatures
Modifies visiblity of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\svchost.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\resources\themes\explorer.exe | C:\Users\Admin\AppData\Local\Temp\189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe | N/A |
| File opened for modification | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Resources\tjud.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe"
\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:05 /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:06 /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:07 /f
Network
Files
memory/2492-0-0x0000000000400000-0x000000000041F000-memory.dmp
\Windows\Resources\Themes\explorer.exe
| MD5 | 339cba64279282af1dd3ad72bffffa7c |
| SHA1 | 2faa8976cb86e2f54f2b09326e20d19269933dc9 |
| SHA256 | 416172f0cb72898af2404b2af83efad3c1896177d4f804dcab1fe46671dd35ee |
| SHA512 | f1a62300de8db115514c0a2aa544bff9e6969b420905adececeeb909d2b30fb6b480cf9902d15276796aa6b8a92be54e19ea0c80325e2c4b51e03741e7fc40fd |
C:\Windows\Resources\spoolsv.exe
| MD5 | df9c902b66eee3069ee20fe85da6e148 |
| SHA1 | 5bea6d26811c3a9680fc929c6bb52ad73b8c4c42 |
| SHA256 | 1125e12a89a127e1022e85bd4550302ff8f1ff28517598ea6400e8512b06943c |
| SHA512 | 46f7fb0235a90d6372fb3475806132887cd3b9ff9a278fd5cbcf493ac585455181b2388c07a86fd0bd388cc2b4b001f3b1f8ad900e06df1b8ccd59901e334f72 |
\Windows\Resources\svchost.exe
| MD5 | f7eabc23ec96c64751a617dac875592c |
| SHA1 | 0b10d2a33df4b5722810fec72bac113747f3015f |
| SHA256 | ccdc1192d436e7e4293fc250d9188adfebb744c597d011e239ba51f091d976d8 |
| SHA512 | 444c97f4ea578a36b6ffaee23fa5ecaeb5b49be3d55b59bf2885a50422d4a7ca8b463d373a4238f332fcd2c294a204dcae83ed82e73ba73973c7010f3c796e66 |
memory/2548-28-0x0000000000270000-0x000000000028F000-memory.dmp
memory/2656-40-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2548-41-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2492-42-0x0000000000400000-0x000000000041F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-02 01:03
Reported
2024-06-02 01:05
Platform
win10v2004-20240226-en
Max time kernel
154s
Max time network
152s
Command Line
Signatures
Modifies visiblity of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\svchost.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\resources\themes\explorer.exe | C:\Users\Admin\AppData\Local\Temp\189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe | N/A |
| File opened for modification | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Resources\tjud.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\189bb10a9d08aec81b7dad43fb017370_NeikiAnalytics.exe"
\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4056 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| GB | 96.16.110.114:80 | tcp | |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| GB | 142.250.187.234:443 | tcp | |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 13.107.246.64:443 | tcp | |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
Files
memory/2184-0-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Windows\Resources\Themes\explorer.exe
| MD5 | 4a4d227abd2c2a2c9af3d142fab9f682 |
| SHA1 | 54854d21261cb570dc06bcfb470e3114a9c3da95 |
| SHA256 | 437ab718b194fb70676f02016ab72edcb3f782d89e2a8a9fc4abc8c27112aed6 |
| SHA512 | ee96bcf2077f20ff9e251999f1b0e73b90ad0e298806346dbd6a9a442a120b631db4be0780e53d0bc10a3f02009bf47451c3c9561733bfe6d6ae64593932bc11 |
C:\Windows\Resources\spoolsv.exe
| MD5 | c656eb4c127146c51d0184c488714b5b |
| SHA1 | db2f25fb002fde9c94a80004979d59296cd86522 |
| SHA256 | 3f71c53bbb3dea8a5220b7eeba9ad04812cf142e7379c47a3ccbe2d77118a8e8 |
| SHA512 | 57384ffa5bbe21da72622378c624eefc1f6c8fde69b4706d9da07d81c7197bad3ee4ccd1e0b414597d92f3f3aee3b5d7718e3c6ecea90dae1ca665a8155ee72d |
C:\Windows\Resources\svchost.exe
| MD5 | f717112ad1b8f699797d64d301fd8f99 |
| SHA1 | 5f1b281d66f0ff3c76d14218c10773e6e0e3ce6a |
| SHA256 | 8f6f5078e0e7fe9178cc767db2eb83fde0e71e56774f19c0aeb1b0143b38b540 |
| SHA512 | a3a5e1c2d16f8be7559a4ffb52ba9176330979e02e2ad04a483184d6432787b32667b6a0f9cf9fc7c6f5ffbbb558ffa4b48841b5b30c40ed595fbe449fd7a227 |
memory/3364-32-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3640-33-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2184-34-0x0000000000400000-0x000000000041F000-memory.dmp