c24b1008da7ae4a2f4fb89466f3e55d092d6f666aeb6dea12ff147bbd28c58f1

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03/06/2024, 23:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
Size

2.6MB
MD5

119c92e97725fdbd6c6be20d47478a60
SHA1

c56648597ce50e8f0a1ad964eff5c28817bf382f
SHA256

c24b1008da7ae4a2f4fb89466f3e55d092d6f666aeb6dea12ff147bbd28c58f1
SHA512

4232bbc8f6b68ff949590b6e57e52fe3f94a87f3ea6bb9debc1d80e27431a79757df84973f6864998938af8f7572f368db80d9fa6478facfad82453e52c222f1
SSDEEP

49152:TeS12nRc6C5CEAHD26ICQVt1ULUQRP6a6YPkCLJ37xbIjNyX5Hxzl/z:6S+c6ZEmqCMtmoQRP6aZtnsNq9l/z

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2860	explorer.exe
2616	spoolsv.exe
2600	svchost.exe
2628	spoolsv.exe

Loads dropped DLL 4 IoCs

pid	Process
2900	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
2860	explorer.exe
2616	spoolsv.exe
2600	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 35 IoCs

pid	Process
2900	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
2860	explorer.exe
2616	spoolsv.exe
2616	spoolsv.exe
2600	svchost.exe
2628	spoolsv.exe
2860	explorer.exe
2600	svchost.exe
2860	explorer.exe
2600	svchost.exe
2860	explorer.exe
2600	svchost.exe
2860	explorer.exe
2600	svchost.exe
2860	explorer.exe
2600	svchost.exe
2860	explorer.exe
2600	svchost.exe
2860	explorer.exe
2600	svchost.exe
2860	explorer.exe
2600	svchost.exe
2860	explorer.exe
2600	svchost.exe
2860	explorer.exe
2600	svchost.exe
2860	explorer.exe
2600	svchost.exe
2860	explorer.exe
2600	svchost.exe
2860	explorer.exe
2600	svchost.exe
2860	explorer.exe
2600	svchost.exe
2860	explorer.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2120	schtasks.exe
944	schtasks.exe
2796	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2900	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
2900	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
2900	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
2900	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
2900	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
2900	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
2900	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
2900	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
2900	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
2900	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
2900	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
2900	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
2900	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
2900	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
2900	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
2900	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
2900	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
2860	explorer.exe
2860	explorer.exe
2860	explorer.exe
2860	explorer.exe
2860	explorer.exe
2860	explorer.exe
2860	explorer.exe
2860	explorer.exe
2860	explorer.exe
2860	explorer.exe
2860	explorer.exe
2860	explorer.exe
2860	explorer.exe
2860	explorer.exe
2860	explorer.exe
2860	explorer.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2860	explorer.exe
2860	explorer.exe
2860	explorer.exe
2860	explorer.exe
2860	explorer.exe
2860	explorer.exe
2860	explorer.exe
2860	explorer.exe
2860	explorer.exe
2860	explorer.exe
2860	explorer.exe
2860	explorer.exe
2860	explorer.exe
2600	svchost.exe
2600	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2860	explorer.exe
2600	svchost.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2900	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
2900	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
2900	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
2860	explorer.exe
2860	explorer.exe
2860	explorer.exe
2616	spoolsv.exe
2616	spoolsv.exe
2616	spoolsv.exe
2600	svchost.exe
2600	svchost.exe
2600	svchost.exe
2628	spoolsv.exe
2628	spoolsv.exe
2628	spoolsv.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 2860	2900	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe	28
PID 2900 wrote to memory of 2860	2900	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe	28
PID 2900 wrote to memory of 2860	2900	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe	28
PID 2900 wrote to memory of 2860	2900	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe	28
PID 2860 wrote to memory of 2616	2860	explorer.exe	29
PID 2860 wrote to memory of 2616	2860	explorer.exe	29
PID 2860 wrote to memory of 2616	2860	explorer.exe	29
PID 2860 wrote to memory of 2616	2860	explorer.exe	29
PID 2616 wrote to memory of 2600	2616	spoolsv.exe	30
PID 2616 wrote to memory of 2600	2616	spoolsv.exe	30
PID 2616 wrote to memory of 2600	2616	spoolsv.exe	30
PID 2616 wrote to memory of 2600	2616	spoolsv.exe	30
PID 2600 wrote to memory of 2628	2600	svchost.exe	31
PID 2600 wrote to memory of 2628	2600	svchost.exe	31
PID 2600 wrote to memory of 2628	2600	svchost.exe	31
PID 2600 wrote to memory of 2628	2600	svchost.exe	31
PID 2860 wrote to memory of 2416	2860	explorer.exe	32
PID 2860 wrote to memory of 2416	2860	explorer.exe	32
PID 2860 wrote to memory of 2416	2860	explorer.exe	32
PID 2860 wrote to memory of 2416	2860	explorer.exe	32
PID 2600 wrote to memory of 2796	2600	svchost.exe	33
PID 2600 wrote to memory of 2796	2600	svchost.exe	33
PID 2600 wrote to memory of 2796	2600	svchost.exe	33
PID 2600 wrote to memory of 2796	2600	svchost.exe	33
PID 2600 wrote to memory of 2120	2600	svchost.exe	38
PID 2600 wrote to memory of 2120	2600	svchost.exe	38
PID 2600 wrote to memory of 2120	2600	svchost.exe	38
PID 2600 wrote to memory of 2120	2600	svchost.exe	38
PID 2600 wrote to memory of 944	2600	svchost.exe	40
PID 2600 wrote to memory of 944	2600	svchost.exe	40
PID 2600 wrote to memory of 944	2600	svchost.exe	40
PID 2600 wrote to memory of 944	2600	svchost.exe	40

C:\Users\Admin\AppData\Local\Temp\119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2900
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2860
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2600
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:2628
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:34 /f
        5⤵
        Creates scheduled task(s)
        
        PID:2796
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:35 /f
        5⤵
        Creates scheduled task(s)
        
        PID:2120
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:36 /f
        5⤵
        Creates scheduled task(s)
        
        PID:944
- - C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe
    3⤵
    PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\Resources\Themes\explorer.exe

Filesize
2.6MB

MD5
9dee4c8ee4c8da45e632525a4d4d2672

SHA1
1d4b68c3fb5e7e8b216864f68f8814f01502f5b3

SHA256
bb5dae3a8304e4d1bfeb9d5da86bb2c0f72ebbfe14665a429dc5f751240b95c9

SHA512
772d95a36a716ce9a3c347f4008c48ed1d59028dc4ad68c273abe9096989448097d280706531f052b0b8a313330bb2d49af34c7c425b887fc73f5afbf5f1bf11

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
2.6MB

MD5
d7ac51f43d2f7f4aee5c870189f36635

SHA1
987ce942750e34014a3cb488429c373c2bc1c4d3

SHA256
d118fffd92cb4de9256a707037fef3a639455b97ba3e7b3e91c6d0f2d417a357

SHA512
891ac6244d8fedaccd6dc80028dd5b4c09d1c0bad49875e4988045e1edbc95e6611ed52d1109fcbe18c2405114c3bcbe0b6a1b36977309bda94793a58789d3ba

Download Submit
\Windows\Resources\svchost.exe

Filesize
2.6MB

MD5
67a541d6c4faf587dfa61053cb4c9b1a

SHA1
3da492c7468a400607a0b135724209b7b0a92d91

SHA256
2c60933f10b42bc1e8ada258c7684f128255a4603b607a71bef14deb54a079d4

SHA512
ef8c4dfd2cd835b57e959325f0ee0710a3b7d4ffb921f2c462aeb1eadac3c67eaba2b1d2f7ac8f666e8b431c1a0d46a458eace6dc96154e128d9b97bef37467e

Download Submit
memory/2600-74-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2600-46-0x0000000004200000-0x0000000004B51000-memory.dmp

Filesize
9.3MB

Download
memory/2600-84-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2600-82-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2600-80-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2600-58-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2600-78-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2600-68-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2600-38-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2600-76-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2600-62-0x0000000004200000-0x0000000004B51000-memory.dmp

Filesize
9.3MB

Download
memory/2600-61-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2600-70-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2600-66-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2600-72-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2600-64-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2616-53-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2616-36-0x00000000040E0000-0x0000000004A31000-memory.dmp

Filesize
9.3MB

Download
memory/2616-31-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2628-48-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2628-52-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2860-75-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2860-73-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2860-85-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2860-60-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2860-65-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2860-67-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2860-59-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2860-69-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2860-57-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2860-56-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2860-71-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2860-13-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2860-14-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2860-83-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2860-81-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2860-77-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2860-24-0x0000000004090000-0x00000000049E1000-memory.dmp

Filesize
9.3MB

Download
memory/2860-79-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2900-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2900-43-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2900-11-0x0000000004110000-0x0000000004A61000-memory.dmp

Filesize
9.3MB

Download
memory/2900-45-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2900-0-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/2900-55-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download