c24b1008da7ae4a2f4fb89466f3e55d092d6f666aeb6dea12ff147bbd28c58f1

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 23:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
Size

2.6MB
MD5

119c92e97725fdbd6c6be20d47478a60
SHA1

c56648597ce50e8f0a1ad964eff5c28817bf382f
SHA256

c24b1008da7ae4a2f4fb89466f3e55d092d6f666aeb6dea12ff147bbd28c58f1
SHA512

4232bbc8f6b68ff949590b6e57e52fe3f94a87f3ea6bb9debc1d80e27431a79757df84973f6864998938af8f7572f368db80d9fa6478facfad82453e52c222f1
SSDEEP

49152:TeS12nRc6C5CEAHD26ICQVt1ULUQRP6a6YPkCLJ37xbIjNyX5Hxzl/z:6S+c6ZEmqCMtmoQRP6aZtnsNq9l/z

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
4104	explorer.exe
3664	spoolsv.exe
3980	svchost.exe
3456	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 35 IoCs

pid	Process
3344	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
4104	explorer.exe
3664	spoolsv.exe
3664	spoolsv.exe
3980	svchost.exe
3980	svchost.exe
3456	spoolsv.exe
4104	explorer.exe
3980	svchost.exe
4104	explorer.exe
3980	svchost.exe
4104	explorer.exe
3980	svchost.exe
4104	explorer.exe
3980	svchost.exe
4104	explorer.exe
3980	svchost.exe
4104	explorer.exe
3980	svchost.exe
4104	explorer.exe
3980	svchost.exe
4104	explorer.exe
3980	svchost.exe
4104	explorer.exe
3980	svchost.exe
4104	explorer.exe
3980	svchost.exe
4104	explorer.exe
3980	svchost.exe
4104	explorer.exe
3980	svchost.exe
4104	explorer.exe
3980	svchost.exe
4104	explorer.exe
3980	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3344	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
3344	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
3344	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
3344	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
3344	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
3344	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
3344	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
3344	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
3344	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
3344	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
3344	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
3344	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
3344	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
3344	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
3344	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
3344	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
3344	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
3344	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
3344	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
3344	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
3344	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
3344	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
3344	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
3344	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
3344	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
3344	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
3344	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
3344	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
3344	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
3344	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
3344	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
3344	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
3344	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
3344	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4104	explorer.exe
3980	svchost.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
3344	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
3344	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
3344	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
4104	explorer.exe
4104	explorer.exe
4104	explorer.exe
3664	spoolsv.exe
3664	spoolsv.exe
3664	spoolsv.exe
3980	svchost.exe
3980	svchost.exe
3980	svchost.exe
3456	spoolsv.exe
3456	spoolsv.exe
3456	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3344 wrote to memory of 4104	3344	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe	83
PID 3344 wrote to memory of 4104	3344	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe	83
PID 3344 wrote to memory of 4104	3344	119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe	83
PID 4104 wrote to memory of 3664	4104	explorer.exe	86
PID 4104 wrote to memory of 3664	4104	explorer.exe	86
PID 4104 wrote to memory of 3664	4104	explorer.exe	86
PID 3664 wrote to memory of 3980	3664	spoolsv.exe	87
PID 3664 wrote to memory of 3980	3664	spoolsv.exe	87
PID 3664 wrote to memory of 3980	3664	spoolsv.exe	87
PID 3980 wrote to memory of 3456	3980	svchost.exe	88
PID 3980 wrote to memory of 3456	3980	svchost.exe	88
PID 3980 wrote to memory of 3456	3980	svchost.exe	88

C:\Users\Admin\AppData\Local\Temp\119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\119c92e97725fdbd6c6be20d47478a60_NeikiAnalytics.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3344
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4104
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3664
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3980
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:3456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\spoolsv.exe

Filesize
2.6MB

MD5
105cc1069a892ad2bc942ed2066133c2

SHA1
9dfa848e54c6302394e399e038e1ad33450d7917

SHA256
24eead61ecff0570625de889ee1d022281af39c2ba3900a110f596ac0ee37818

SHA512
7caf8472d2beeaa76c7a26ff6f3d608bce8ceec79eee62a771ff610d4f1e1a364734d441469d9c384fb930991f2c6f7b8c9c45fd584955e65ee2a75399f3a421

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
2.6MB

MD5
1f18b52261196c0345e5f8cb0d97b456

SHA1
09e03d8222e94804e19ab3425e7f744cdb3228b4

SHA256
7f3017c92c73c3b3c7ae7db4167e592ac969c5c9177e426f430feff1d1c5fd61

SHA512
1cef00273f9f6330d9b3de943ad6335e511c930a7d783d27b6cc207d81c942dba40203e21ad262fdc45919e6dbd232cb6de8c985446d7310db0ccec4220aca93

Download Submit
\??\c:\windows\resources\themes\explorer.exe

Filesize
2.6MB

MD5
966380b5be1fb946c054f11d523523e3

SHA1
3088211e406a22e87038ff7fb2cb8da38c17aa37

SHA256
df41c55b3c486e1372098d741e3e4259e080d77ba1dc6e8e8601b56c47fed200

SHA512
ac0b91e9ac44408d4fef04303ca8d36ef262630348054589a4a672fa02d00830f214759924f559043035ee965e718b3ef131dba9c9d86e6310bceca349ddee44

Download Submit
memory/3344-1-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/3344-0-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/3344-42-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/3344-43-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/3456-34-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/3456-39-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/3664-20-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/3664-19-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/3664-38-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/3664-40-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/3980-61-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/3980-65-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/3980-73-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/3980-45-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/3980-71-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/3980-69-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/3980-49-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/3980-67-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/3980-51-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/3980-53-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/3980-29-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/3980-55-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/3980-59-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/3980-57-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/4104-66-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/4104-72-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/4104-60-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/4104-10-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/4104-62-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/4104-54-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/4104-68-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/4104-58-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/4104-56-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/4104-48-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/4104-70-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/4104-47-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/4104-50-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download
memory/4104-46-0x0000000000400000-0x0000000000D51000-memory.dmp

Filesize
9.3MB

Download