Analysis
max time kernel: 150s
max time network: 120s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 03/06/2024, 22:46
Static task: static1
Behavioral task: behavioral1
  Sample: 0d33021177166513f50715fcda6a7da0_NeikiAnalytics.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 0d33021177166513f50715fcda6a7da0_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
General
Target: 0d33021177166513f50715fcda6a7da0_NeikiAnalytics.exe
Size: 200KB
MD5: 0d33021177166513f50715fcda6a7da0
SHA1: b459d5005d1ce67fec015a13eba1233403966651
SHA256: 2c2f26c6095f448dff8efebba4d4ee31c12c6c8d0fc63f9de1bb6a09f53aaf99
SHA512: 486a3b114b10732a7e10e6c9419631f98ff5e26bce0c8ec0ed7f6ff4d54b183246e926dcee231720c2fd39e32152ad7cbb6c8b03cb6507590f90c4fa179eb225
SSDEEP: 3072:7vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6uBL9iG:7vEN2U+T6i5LirrllHy4HUcMQY6C9iG
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Executes dropped EXE (4 IoCs)
pid | Process
2948 | explorer.exe
2600 | spoolsv.exe
2432 | svchost.exe
2448 | spoolsv.exe
Loads dropped DLL (8 IoCs)
pid | Process
1992 | 0d33021177166513f50715fcda6a7da0_NeikiAnalytics.exe
1992 | 0d33021177166513f50715fcda6a7da0_NeikiAnalytics.exe
2948 | explorer.exe
2948 | explorer.exe
2600 | spoolsv.exe
2600 | spoolsv.exe
2432 | svchost.exe
2432 | svchost.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Drops file in Windows directory (6 IoCs)
description | ioc | Process
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
File opened for modification | \??\c:\windows\system\explorer.exe | 0d33021177166513f50715fcda6a7da0_NeikiAnalytics.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1992 | 0d33021177166513f50715fcda6a7da0_NeikiAnalytics.exe
2948 | explorer.exe
2948 | explorer.exe
2948 | explorer.exe
2948 | explorer.exe
2432 | svchost.exe
2432 | svchost.exe
2948 | explorer.exe
2432 | svchost.exe
2432 | svchost.exe
2948 | explorer.exe
2432 | svchost.exe
2948 | explorer.exe
2432 | svchost.exe
2948 | explorer.exe
2948 | explorer.exe
2432 | svchost.exe
2948 | explorer.exe
2432 | svchost.exe
2948 | explorer.exe
2432 | svchost.exe
2948 | explorer.exe
2432 | svchost.exe
2432 | svchost.exe
2948 | explorer.exe
2432 | svchost.exe
2948 | explorer.exe
2432 | svchost.exe
2948 | explorer.exe
2432 | svchost.exe
2948 | explorer.exe
2948 | explorer.exe
2432 | svchost.exe
2948 | explorer.exe
2432 | svchost.exe
2948 | explorer.exe
2432 | svchost.exe
2432 | svchost.exe
2948 | explorer.exe
2432 | svchost.exe
2948 | explorer.exe
2432 | svchost.exe
2948 | explorer.exe
2948 | explorer.exe
2432 | svchost.exe
2948 | explorer.exe
2432 | svchost.exe
2948 | explorer.exe
2432 | svchost.exe
2948 | explorer.exe
2432 | svchost.exe
2948 | explorer.exe
2432 | svchost.exe
2948 | explorer.exe
2432 | svchost.exe
2432 | svchost.exe
2948 | explorer.exe
2948 | explorer.exe
2432 | svchost.exe
2432 | svchost.exe
2948 | explorer.exe
2432 | svchost.exe
2948 | explorer.exe
2948 | explorer.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
2948 | explorer.exe
2432 | svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process
1992 | 0d33021177166513f50715fcda6a7da0_NeikiAnalytics.exe
1992 | 0d33021177166513f50715fcda6a7da0_NeikiAnalytics.exe
2948 | explorer.exe
2948 | explorer.exe
2600 | spoolsv.exe
2600 | spoolsv.exe
2432 | svchost.exe
2432 | svchost.exe
2448 | spoolsv.exe
2448 | spoolsv.exe
2948 | explorer.exe
2948 | explorer.exe
Suspicious use of WriteProcessMemory (28 IoCs)
description | pid | Process | procid_target
PID 1992 wrote to memory of 2948 | 1992 | 0d33021177166513f50715fcda6a7da0_NeikiAnalytics.exe | 28
PID 1992 wrote to memory of 2948 | 1992 | 0d33021177166513f50715fcda6a7da0_NeikiAnalytics.exe | 28
PID 1992 wrote to memory of 2948 | 1992 | 0d33021177166513f50715fcda6a7da0_NeikiAnalytics.exe | 28
PID 1992 wrote to memory of 2948 | 1992 | 0d33021177166513f50715fcda6a7da0_NeikiAnalytics.exe | 28
PID 2948 wrote to memory of 2600 | 2948 | explorer.exe | 29
PID 2948 wrote to memory of 2600 | 2948 | explorer.exe | 29
PID 2948 wrote to memory of 2600 | 2948 | explorer.exe | 29
PID 2948 wrote to memory of 2600 | 2948 | explorer.exe | 29
PID 2600 wrote to memory of 2432 | 2600 | spoolsv.exe | 30
PID 2600 wrote to memory of 2432 | 2600 | spoolsv.exe | 30
PID 2600 wrote to memory of 2432 | 2600 | spoolsv.exe | 30
PID 2600 wrote to memory of 2432 | 2600 | spoolsv.exe | 30
PID 2432 wrote to memory of 2448 | 2432 | svchost.exe | 31
PID 2432 wrote to memory of 2448 | 2432 | svchost.exe | 31
PID 2432 wrote to memory of 2448 | 2432 | svchost.exe | 31
PID 2432 wrote to memory of 2448 | 2432 | svchost.exe | 31
PID 2432 wrote to memory of 2784 | 2432 | svchost.exe | 32
PID 2432 wrote to memory of 2784 | 2432 | svchost.exe | 32
PID 2432 wrote to memory of 2784 | 2432 | svchost.exe | 32
PID 2432 wrote to memory of 2784 | 2432 | svchost.exe | 32
PID 2432 wrote to memory of 1560 | 2432 | svchost.exe | 36
PID 2432 wrote to memory of 1560 | 2432 | svchost.exe | 36
PID 2432 wrote to memory of 1560 | 2432 | svchost.exe | 36
PID 2432 wrote to memory of 1560 | 2432 | svchost.exe | 36
PID 2432 wrote to memory of 324 | 2432 | svchost.exe | 38
PID 2432 wrote to memory of 324 | 2432 | svchost.exe | 38
PID 2432 wrote to memory of 324 | 2432 | svchost.exe | 38
PID 2432 wrote to memory of 324 | 2432 | svchost.exe | 38
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\0d33021177166513f50715fcda6a7da0_NeikiAnalytics.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0d33021177166513f50715fcda6a7da0_NeikiAnalytics.exe"
    PID: 1992
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [depth 2] \??\c:\windows\system\explorer.exe
      Command line: c:\windows\system\explorer.exe
      PID: 2948
      - Modifies WinLogon for persistence
      - Modifies visibility of hidden/system files in Explorer
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [depth 3] \??\c:\windows\system\spoolsv.exe
        Command line: c:\windows\system\spoolsv.exe SE
        PID: 2600
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [depth 4] \??\c:\windows\system\svchost.exe
          Command line: c:\windows\system\svchost.exe
          PID: 2432
          - Modifies WinLogon for persistence
          - Modifies visibility of hidden/system files in Explorer
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
        [depth 5] \??\c:\windows\system\spoolsv.exe
            Command line: c:\windows\system\spoolsv.exe PR
            PID: 2448
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [depth 5] C:\Windows\SysWOW64\at.exe
            Command line: at 22:48 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            PID: 2784
        [depth 5] C:\Windows\SysWOW64\at.exe
            Command line: at 22:49 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            PID: 1560
        [depth 5] C:\Windows\SysWOW64\at.exe
            Command line: at 22:50 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            PID: 324
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads
Filesize: 216KB
MD5: cb05a214f7477bb832dce91d4ed36af2
SHA1: 341b64049c2a267753b64493685abfef791e5904
SHA256: 1357b52682d64884b934b6e2b108f6da1a2fe769d322f3f532a39338b5f0813e
SHA512: 7e7c955b06260c4843609dbe3dac219981b85abb9b06885cbd1bdef43dc5df4a3f5069081fc504216bebb0fb64dba4122f1968416a55a360360d4688dfcb4f4c

Filesize: 216KB
MD5: 6dbf8510b274cedab8305f505e447116
SHA1: 64bc9c879eae27769dc0ba462199e8d17992c8ce
SHA256: 89e767c835fca3086a352ccbfa7c31ee64cb6a092c6c365dcbf139fae8459434
SHA512: 5a8ab4a4adc9c193f527bb379a7c3e7ff78c9da404b6e3f00068d6fb195073e175b4f2e1b33afb27218eb82b1f20f3f4c13188738fb6f95d4e2a59c2c8cd618d

Filesize: 216KB
MD5: 8dfb703a3592d8f99f9bf0354884508f
SHA1: da4f3f5ce9a52b4ec72c94a91e0bb0f09d7d52e6
SHA256: ca8a7425629d292907cbcdceeae88973ca59361f70ddd90dc30bc2e63f7ceadb
SHA512: d551e33c60858518d5567edf3c19182b999539f69d115db44a356fdf08e993d855210d59e35480b9b8faa591df0374fffc1f1607466ee57e22e816f955027c3e

Filesize: 216KB
MD5: fdf601d9642206d3856a25addb3c28cf
SHA1: 0e903415cedccd85ae344077c3f1d5dc2ec6b748
SHA256: 390298ca417ff709aa1ef9a468f2daa40fb5a16f4cf38cd64af55fd757c07487
SHA512: 60ad12372b37b775527f85275fdad8f5a6b1bbb423c434986f53a5578b9d938670051af8c4c9740be96b4ec82af2b11669bded0839944011e272bcccb0c77b5c