Analysis
max time kernel: 150s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-06-2024 03:39

Static task: static1
Behavioral task: behavioral1
  Sample: 9a36e51f014ff30dd4276b7142e29c00_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 9a36e51f014ff30dd4276b7142e29c00_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 9a36e51f014ff30dd4276b7142e29c00_NeikiAnalytics.exe
Size: 206KB
MD5: 9a36e51f014ff30dd4276b7142e29c00
SHA1: 3f14f74efc64640705894317c721a4660075f1f3
SHA256: 8e839452e84c83d2dc3cbdec7d6ecd828797e6195ddf887c033742fc5b1a9032
SHA512: e78da95e819c7bd45fe74e33722ecbe565167996c6b13c867a4e8084a13434c593dc4fb952c4831f5393f5e51fa21b346ffc888fa232a968d5eb653f28f63bac
SSDEEP: 3072:zvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unZ0:zvEN2U+T6i5LirrllHy4HUcMQY6H
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
- explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
- svchost.exe: Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
- explorer.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"
- svchost.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"
- svchost.exe: Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
- svchost.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"
- svchost.exe: Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}
Executes dropped EXE (4 IoCs)
- PID 3932 explorer.exe
- PID 3516 spoolsv.exe
- PID 4832 svchost.exe
- PID 1080 spoolsv.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"
Drops file in Windows directory (6 IoCs)
- 9a36e51f014ff30dd4276b7142e29c00_NeikiAnalytics.exe: File opened for modification \??\c:\windows\system\explorer.exe
- explorer.exe: File opened for modification \??\c:\windows\system\spoolsv.exe
- spoolsv.exe: File opened for modification \??\c:\windows\system\svchost.exe
- explorer.exe: File opened for modification \??\c:\windows\system\explorer.exe
- svchost.exe: File opened for modification \??\c:\windows\system\svchost.exe
- explorer.exe: File opened for modification C:\Windows\system\udsys.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 1492 9a36e51f014ff30dd4276b7142e29c00_NeikiAnalytics.exe (2 events)
- PID 3932 explorer.exe (32 events)
- PID 4832 svchost.exe (30 events)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
- PID 3932 explorer.exe
- PID 4832 svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
- PID 1492 9a36e51f014ff30dd4276b7142e29c00_NeikiAnalytics.exe (2 events)
- PID 3932 explorer.exe (4 events)
- PID 3516 spoolsv.exe (2 events)
- PID 4832 svchost.exe (2 events)
- PID 1080 spoolsv.exe (2 events)
Suspicious use of WriteProcessMemory (21 IoCs; each write logged 3 times)
- PID 1492 9a36e51f014ff30dd4276b7142e29c00_NeikiAnalytics.exe wrote to memory of PID 3932 (procid_target 83)
- PID 3932 explorer.exe wrote to memory of PID 3516 (procid_target 84)
- PID 3516 spoolsv.exe wrote to memory of PID 4832 (procid_target 85)
- PID 4832 svchost.exe wrote to memory of PID 1080 (procid_target 86)
- PID 4832 svchost.exe wrote to memory of PID 1176 (procid_target 87)
- PID 4832 svchost.exe wrote to memory of PID 4480 (procid_target 102)
- PID 4832 svchost.exe wrote to memory of PID 1120 (procid_target 114)
Processes
- C:\Users\Admin\AppData\Local\Temp\9a36e51f014ff30dd4276b7142e29c00_NeikiAnalytics.exe (PID 1492)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9a36e51f014ff30dd4276b7142e29c00_NeikiAnalytics.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - \??\c:\windows\system\explorer.exe (PID 3932)
    Command line: c:\windows\system\explorer.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - \??\c:\windows\system\spoolsv.exe (PID 3516)
      Command line: c:\windows\system\spoolsv.exe SE
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - \??\c:\windows\system\svchost.exe (PID 4832)
        Command line: c:\windows\system\svchost.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - \??\c:\windows\system\spoolsv.exe (PID 1080)
          Command line: c:\windows\system\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        - C:\Windows\SysWOW64\at.exe (PID 1176)
          Command line: at 03:41 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        - C:\Windows\SysWOW64\at.exe (PID 4480)
          Command line: at 03:42 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        - C:\Windows\SysWOW64\at.exe (PID 1120)
          Command line: at 03:43 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (2)
    - Winlogon Helper DLL (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (2)
    - Winlogon Helper DLL (1)
Downloads