Analysis Overview
SHA256
da6466dbd6efd6b46b50d9fea126540bf88b8c04d8b0af93c3fe80a4246326b3
Threat Level: Known bad
The file 9b6b1926d1ce78fa26d27dcf928c7bc0_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Drops file in System32 directory
Drops file in Windows directory
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 04:24
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 04:24
Reported
2024-06-03 04:27
Platform
win10v2004-20240226-en
Max time kernel
152s
Max time network
151s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\Resources\tjud.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\resources\themes\explorer.exe | C:\Users\Admin\AppData\Local\Temp\9b6b1926d1ce78fa26d27dcf928c7bc0_NeikiAnalytics.exe | N/A |
| File opened for modification | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b6b1926d1ce78fa26d27dcf928c7bc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b6b1926d1ce78fa26d27dcf928c7bc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9b6b1926d1ce78fa26d27dcf928c7bc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9b6b1926d1ce78fa26d27dcf928c7bc0_NeikiAnalytics.exe"
\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3740 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| GB | 142.250.187.234:443 | | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.143.182.52.in-addr.arpa | udp |
Files
memory/3248-0-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Windows\Resources\Themes\explorer.exe
| MD5 | 0c4c4710bfbaae8355776869ed0464ed |
| SHA1 | 43b4db0db6a6d4e76fe778087c15f971ef51fed0 |
| SHA256 | 235e656f10d92676cbc7067cc7c82e94ee4a7fb9ba93351e27b83a5154c81751 |
| SHA512 | 4c4eb59bdacbbe06b590a5e1a12b46be6ba800a1a1aa7491c62e37475c75ad5c758497387d34aa06bf8fbf1ee12c32b045aaedbd755bb67f296158f6210be1d9 |
C:\Windows\Resources\spoolsv.exe
| MD5 | bbb0acdc62b61769fd58388e46dd06b3 |
| SHA1 | 1c482620eec14da4f5d5e4a5f193859dab66759d |
| SHA256 | 549d95e7f70970229ba71c76a3a1fcc81991dd63eda0d7a26b8af2af25b38e7a |
| SHA512 | 4ecc71de02fdf8e8b9db5f826090e6a0ae545c578b7a97cea89e39428dab5cead625d623deec4ff6df31dad783008ea9bf795ae724988301133ff9748161057d |
C:\Windows\Resources\svchost.exe
| MD5 | b6da6be3ae74c51ae2ad5238c5385484 |
| SHA1 | d0e1a659da7a65533c2fe17a896a33a1ca305b2e |
| SHA256 | 530120e37bb490475029ecbec567ac0b5d1b0231c38d962676595832c9d9a508 |
| SHA512 | 4136b43e3f577e73c726560ab7526e956e75a834af8282f6781ec6e47857b0bba57072d2e7c21a521081cdce42a0fc4b1b99accae5da478a9d3e3beddd95b3c1 |
memory/2020-32-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3732-33-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3248-34-0x0000000000400000-0x0000000000420000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 04:24
Reported
2024-06-03 04:27
Platform
win7-20240508-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b6b1926d1ce78fa26d27dcf928c7bc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\svchost.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Resources\tjud.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\resources\themes\explorer.exe | C:\Users\Admin\AppData\Local\Temp\9b6b1926d1ce78fa26d27dcf928c7bc0_NeikiAnalytics.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b6b1926d1ce78fa26d27dcf928c7bc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b6b1926d1ce78fa26d27dcf928c7bc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9b6b1926d1ce78fa26d27dcf928c7bc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9b6b1926d1ce78fa26d27dcf928c7bc0_NeikiAnalytics.exe"
\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:26 /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:27 /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:28 /f
Network
Files
memory/2428-0-0x0000000000400000-0x0000000000420000-memory.dmp
\Windows\Resources\Themes\explorer.exe
| MD5 | b8576d09f31533ef1284bae603e8c73b |
| SHA1 | 40ea6f8468e670102896b255869b7d946ab8ac91 |
| SHA256 | e7bf977988c9bec454b8b835d3708058aa41a1120fa41c843c5e1f90e1943567 |
| SHA512 | 089e6f419f4052a41f1d0b8ae2295b6e2f0bca93a1d91dafc3b0dda2af9f08a9145e2ffc7b27b87ccdaecd544b41103668db8e053a73539617a48be7e94b8584 |
C:\Windows\Resources\spoolsv.exe
| MD5 | 3cab9c40b9d48a8c08f54135e2455892 |
| SHA1 | 1a49427353b284004154e1677e915cc98e22588c |
| SHA256 | 239083b5e142e68cde9050f6c94ccfe46823faac211029ca33aa615530985dd2 |
| SHA512 | a836b0299039d49ca0817c120ef1a0adfc50f8f2e72107ee03c44071bd67edabf7e140d5c4747d92a7544751a9ce0046cd5162aa9d819e6df8751b19249b953f |
memory/1400-20-0x0000000000330000-0x0000000000350000-memory.dmp
\Windows\Resources\svchost.exe
| MD5 | e8486966784de73fc3edf45ae5f97f38 |
| SHA1 | 2b24f406c729169f9810ba09c441d185c63553b1 |
| SHA256 | 8293a01932392d0c281b6c675f25ef795adcd243722a1458611ca9a1a6a24717 |
| SHA512 | 3983fa4c44fbafc716ca3476b80ec82e9be4803e14365c37447191251f5f42d633e2050023d26a53d5ce0d0a79926e957d36f272f564c9769ac81f75f416e9f8 |
memory/2200-33-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2360-41-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1732-42-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2428-43-0x0000000000400000-0x0000000000420000-memory.dmp