Analysis
max time kernel: 150s
max time network: 128s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 03-06-2024 03:39
Static task: static1
Behavioral task: behavioral1
  Sample: 9a36e51f014ff30dd4276b7142e29c00_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 9a36e51f014ff30dd4276b7142e29c00_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 9a36e51f014ff30dd4276b7142e29c00_NeikiAnalytics.exe
Size: 206KB
MD5: 9a36e51f014ff30dd4276b7142e29c00
SHA1: 3f14f74efc64640705894317c721a4660075f1f3
SHA256: 8e839452e84c83d2dc3cbdec7d6ecd828797e6195ddf887c033742fc5b1a9032
SHA512: e78da95e819c7bd45fe74e33722ecbe565167996c6b13c867a4e8084a13434c593dc4fb952c4831f5393f5e51fa21b346ffc888fa232a968d5eb653f28f63bac
SSDEEP: 3072:zvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unZ0:zvEN2U+T6i5LirrllHy4HUcMQY6H
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
- Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
- Executes dropped EXE (4 IoCs)
pid | Process
1684 | explorer.exe
2664 | spoolsv.exe
2756 | svchost.exe
2716 | spoolsv.exe
- Loads dropped DLL (8 IoCs)
pid | Process
2840 | 9a36e51f014ff30dd4276b7142e29c00_NeikiAnalytics.exe
2840 | 9a36e51f014ff30dd4276b7142e29c00_NeikiAnalytics.exe
1684 | explorer.exe
1684 | explorer.exe
2664 | spoolsv.exe
2664 | spoolsv.exe
2756 | svchost.exe
2756 | svchost.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
- Drops file in Windows directory (6 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
File opened for modification | \??\c:\windows\system\explorer.exe | 9a36e51f014ff30dd4276b7142e29c00_NeikiAnalytics.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
- Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid Process: 2840 9a36e51f014ff30dd4276b7142e29c00_NeikiAnalytics.exe 1684 explorer.exe 1684 explorer.exe 1684 explorer.exe 1684 explorer.exe 2756 svchost.exe 2756 svchost.exe 1684 explorer.exe 2756 svchost.exe 1684 explorer.exe 2756 svchost.exe 2756 svchost.exe 1684 explorer.exe 1684 explorer.exe 2756 svchost.exe 1684 explorer.exe 2756 svchost.exe 2756 svchost.exe 1684 explorer.exe 2756 svchost.exe 1684 explorer.exe 2756 svchost.exe 1684 explorer.exe 2756 svchost.exe 1684 explorer.exe 1684 explorer.exe 2756 svchost.exe 2756 svchost.exe 1684 explorer.exe 1684 explorer.exe 2756 svchost.exe 2756 svchost.exe 1684 explorer.exe 1684 explorer.exe 2756 svchost.exe 2756 svchost.exe 1684 explorer.exe 1684 explorer.exe 2756 svchost.exe 2756 svchost.exe 1684 explorer.exe 1684 explorer.exe 2756 svchost.exe 2756 svchost.exe 1684 explorer.exe 2756 svchost.exe 1684 explorer.exe 1684 explorer.exe 2756 svchost.exe 1684 explorer.exe 2756 svchost.exe 1684 explorer.exe 2756 svchost.exe 1684 explorer.exe 2756 svchost.exe 1684 explorer.exe 2756 svchost.exe 1684 explorer.exe 2756 svchost.exe 1684 explorer.exe 2756 svchost.exe 2756 svchost.exe 1684 explorer.exe 2756 svchost.exe
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
1684 | explorer.exe
2756 | svchost.exe
- Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process
2840 | 9a36e51f014ff30dd4276b7142e29c00_NeikiAnalytics.exe
2840 | 9a36e51f014ff30dd4276b7142e29c00_NeikiAnalytics.exe
1684 | explorer.exe
1684 | explorer.exe
2664 | spoolsv.exe
2664 | spoolsv.exe
2756 | svchost.exe
2756 | svchost.exe
2716 | spoolsv.exe
2716 | spoolsv.exe
1684 | explorer.exe
1684 | explorer.exe
- Suspicious use of WriteProcessMemory (28 IoCs)
description | pid | Process | procid_target
PID 2840 wrote to memory of 1684 | 2840 | 9a36e51f014ff30dd4276b7142e29c00_NeikiAnalytics.exe | 28
PID 2840 wrote to memory of 1684 | 2840 | 9a36e51f014ff30dd4276b7142e29c00_NeikiAnalytics.exe | 28
PID 2840 wrote to memory of 1684 | 2840 | 9a36e51f014ff30dd4276b7142e29c00_NeikiAnalytics.exe | 28
PID 2840 wrote to memory of 1684 | 2840 | 9a36e51f014ff30dd4276b7142e29c00_NeikiAnalytics.exe | 28
PID 1684 wrote to memory of 2664 | 1684 | explorer.exe | 29
PID 1684 wrote to memory of 2664 | 1684 | explorer.exe | 29
PID 1684 wrote to memory of 2664 | 1684 | explorer.exe | 29
PID 1684 wrote to memory of 2664 | 1684 | explorer.exe | 29
PID 2664 wrote to memory of 2756 | 2664 | spoolsv.exe | 30
PID 2664 wrote to memory of 2756 | 2664 | spoolsv.exe | 30
PID 2664 wrote to memory of 2756 | 2664 | spoolsv.exe | 30
PID 2664 wrote to memory of 2756 | 2664 | spoolsv.exe | 30
PID 2756 wrote to memory of 2716 | 2756 | svchost.exe | 31
PID 2756 wrote to memory of 2716 | 2756 | svchost.exe | 31
PID 2756 wrote to memory of 2716 | 2756 | svchost.exe | 31
PID 2756 wrote to memory of 2716 | 2756 | svchost.exe | 31
PID 2756 wrote to memory of 2600 | 2756 | svchost.exe | 32
PID 2756 wrote to memory of 2600 | 2756 | svchost.exe | 32
PID 2756 wrote to memory of 2600 | 2756 | svchost.exe | 32
PID 2756 wrote to memory of 2600 | 2756 | svchost.exe | 32
PID 2756 wrote to memory of 1712 | 2756 | svchost.exe | 36
PID 2756 wrote to memory of 1712 | 2756 | svchost.exe | 36
PID 2756 wrote to memory of 1712 | 2756 | svchost.exe | 36
PID 2756 wrote to memory of 1712 | 2756 | svchost.exe | 36
PID 2756 wrote to memory of 1244 | 2756 | svchost.exe | 38
PID 2756 wrote to memory of 1244 | 2756 | svchost.exe | 38
PID 2756 wrote to memory of 1244 | 2756 | svchost.exe | 38
PID 2756 wrote to memory of 1244 | 2756 | svchost.exe | 38
Processes
C:\Users\Admin\AppData\Local\Temp\9a36e51f014ff30dd4276b7142e29c00_NeikiAnalytics.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9a36e51f014ff30dd4276b7142e29c00_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2840
  \??\c:\windows\system\explorer.exe (depth 2)
    Command line: c:\windows\system\explorer.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 1684
    \??\c:\windows\system\spoolsv.exe (depth 3)
      Command line: c:\windows\system\spoolsv.exe SE
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2664
      \??\c:\windows\system\svchost.exe (depth 4)
        Command line: c:\windows\system\svchost.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 2756
        \??\c:\windows\system\spoolsv.exe (depth 5)
          Command line: c:\windows\system\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
          PID: 2716
        C:\Windows\SysWOW64\at.exe (depth 5)
          Command line: at 03:41 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 2600
        C:\Windows\SysWOW64\at.exe (depth 5)
          Command line: at 03:42 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 1712
        C:\Windows\SysWOW64\at.exe (depth 5)
          Command line: at 03:43 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 1244
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads