6af574f761ae76b680b0da61cc945b33b0bf4bbcfd635814ca8393b4c3961685

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
03/06/2024, 04:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9bc28921c5022333a8e52ccc0d2a67a0_NeikiAnalytics.exe
Size

225KB
MD5

9bc28921c5022333a8e52ccc0d2a67a0
SHA1

8912d6db5bdb5046336455781a4e728500bbe5eb
SHA256

6af574f761ae76b680b0da61cc945b33b0bf4bbcfd635814ca8393b4c3961685
SHA512

80287c96344e2cacd262b15fb2b5a8304bba3c603aaa7a8e0c579490f9651d92cef6a1d93b8f012ae342fc4adbf48ac071b3581cd9a474da340f35397817cbaf
SSDEEP

3072:8vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6u8vMSR6:8vEN2U+T6i5LirrllHy4HUcMQY6vMSE

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
3004	explorer.exe
2432	spoolsv.exe
2732	svchost.exe
2720	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
1600	9bc28921c5022333a8e52ccc0d2a67a0_NeikiAnalytics.exe
1600	9bc28921c5022333a8e52ccc0d2a67a0_NeikiAnalytics.exe
3004	explorer.exe
3004	explorer.exe
2432	spoolsv.exe
2432	spoolsv.exe
2732	svchost.exe
2732	svchost.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1600-0-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/files/0x003b000000013362-6.dat	upx
behavioral1/files/0x0009000000013a15-20.dat	upx
behavioral1/files/0x0009000000013a85-33.dat	upx
behavioral1/memory/2732-42-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2720-51-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1600-54-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2432-55-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/files/0x000c000000013b02-56.dat	upx
behavioral1/memory/3004-57-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2732-58-0x0000000000400000-0x0000000000435000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	9bc28921c5022333a8e52ccc0d2a67a0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1600	9bc28921c5022333a8e52ccc0d2a67a0_NeikiAnalytics.exe
3004	explorer.exe
3004	explorer.exe
3004	explorer.exe
2732	svchost.exe
2732	svchost.exe
3004	explorer.exe
2732	svchost.exe
3004	explorer.exe
2732	svchost.exe
3004	explorer.exe
2732	svchost.exe
3004	explorer.exe
2732	svchost.exe
3004	explorer.exe
2732	svchost.exe
3004	explorer.exe
2732	svchost.exe
3004	explorer.exe
2732	svchost.exe
3004	explorer.exe
2732	svchost.exe
3004	explorer.exe
2732	svchost.exe
3004	explorer.exe
2732	svchost.exe
3004	explorer.exe
2732	svchost.exe
3004	explorer.exe
2732	svchost.exe
3004	explorer.exe
2732	svchost.exe
3004	explorer.exe
2732	svchost.exe
3004	explorer.exe
2732	svchost.exe
3004	explorer.exe
2732	svchost.exe
3004	explorer.exe
2732	svchost.exe
3004	explorer.exe
2732	svchost.exe
3004	explorer.exe
2732	svchost.exe
3004	explorer.exe
2732	svchost.exe
3004	explorer.exe
2732	svchost.exe
3004	explorer.exe
2732	svchost.exe
3004	explorer.exe
2732	svchost.exe
3004	explorer.exe
2732	svchost.exe
3004	explorer.exe
2732	svchost.exe
3004	explorer.exe
2732	svchost.exe
3004	explorer.exe
2732	svchost.exe
3004	explorer.exe
2732	svchost.exe
3004	explorer.exe
2732	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3004	explorer.exe
2732	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1600	9bc28921c5022333a8e52ccc0d2a67a0_NeikiAnalytics.exe
1600	9bc28921c5022333a8e52ccc0d2a67a0_NeikiAnalytics.exe
3004	explorer.exe
3004	explorer.exe
2432	spoolsv.exe
2432	spoolsv.exe
2732	svchost.exe
2732	svchost.exe
2720	spoolsv.exe
2720	spoolsv.exe
3004	explorer.exe
3004	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 3004	1600	9bc28921c5022333a8e52ccc0d2a67a0_NeikiAnalytics.exe	28
PID 1600 wrote to memory of 3004	1600	9bc28921c5022333a8e52ccc0d2a67a0_NeikiAnalytics.exe	28
PID 1600 wrote to memory of 3004	1600	9bc28921c5022333a8e52ccc0d2a67a0_NeikiAnalytics.exe	28
PID 1600 wrote to memory of 3004	1600	9bc28921c5022333a8e52ccc0d2a67a0_NeikiAnalytics.exe	28
PID 3004 wrote to memory of 2432	3004	explorer.exe	29
PID 3004 wrote to memory of 2432	3004	explorer.exe	29
PID 3004 wrote to memory of 2432	3004	explorer.exe	29
PID 3004 wrote to memory of 2432	3004	explorer.exe	29
PID 2432 wrote to memory of 2732	2432	spoolsv.exe	30
PID 2432 wrote to memory of 2732	2432	spoolsv.exe	30
PID 2432 wrote to memory of 2732	2432	spoolsv.exe	30
PID 2432 wrote to memory of 2732	2432	spoolsv.exe	30
PID 2732 wrote to memory of 2720	2732	svchost.exe	31
PID 2732 wrote to memory of 2720	2732	svchost.exe	31
PID 2732 wrote to memory of 2720	2732	svchost.exe	31
PID 2732 wrote to memory of 2720	2732	svchost.exe	31
PID 2732 wrote to memory of 2700	2732	svchost.exe	32
PID 2732 wrote to memory of 2700	2732	svchost.exe	32
PID 2732 wrote to memory of 2700	2732	svchost.exe	32
PID 2732 wrote to memory of 2700	2732	svchost.exe	32
PID 2732 wrote to memory of 268	2732	svchost.exe	36
PID 2732 wrote to memory of 268	2732	svchost.exe	36
PID 2732 wrote to memory of 268	2732	svchost.exe	36
PID 2732 wrote to memory of 268	2732	svchost.exe	36
PID 2732 wrote to memory of 2012	2732	svchost.exe	38
PID 2732 wrote to memory of 2012	2732	svchost.exe	38
PID 2732 wrote to memory of 2012	2732	svchost.exe	38
PID 2732 wrote to memory of 2012	2732	svchost.exe	38

C:\Users\Admin\AppData\Local\Temp\9bc28921c5022333a8e52ccc0d2a67a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9bc28921c5022333a8e52ccc0d2a67a0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1600
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3004
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2732
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2720
    - - C:\Windows\SysWOW64\at.exe
        
        at 04:37 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2700
    - - C:\Windows\SysWOW64\at.exe
        
        at 04:38 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:268
    - - C:\Windows\SysWOW64\at.exe
        
        at 04:39 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
225KB

MD5
c308513c88144836b1d2d6345312ae0f

SHA1
c0016ece36366f8ddc77b8c5c38f3c7cd7bf5d00

SHA256
2ac9b5aceb654fe9407167db63e77f25f8dbef559f6a16cb9da191df64a89792

SHA512
96f1f216d646ee877841cb659b25498558831ba893fa7c34b88cfb2581f6a1ccdf8a3a49b10077a17bffa0edb32b497808bb54e816b9a681a89508324d98c691

Download Submit
\Windows\system\explorer.exe

Filesize
225KB

MD5
cae49661263d339ab370084f21eebc3e

SHA1
8507e79df6e907ecf32443abe7ff60e495b65fdf

SHA256
2622bd0ee31dfaabb5d0a0abeff875bfb05964e9ee025316060dd10344ece249

SHA512
d9b3d2277549e35eb88db92f5a4b20982509f361d296ee420dc7cf698269724a9966081a64ef4abcf6be46208bd81b8f932c75f3b5261045a25872579081ba12

Download Submit
\Windows\system\spoolsv.exe

Filesize
225KB

MD5
2317da739eab05366bb7eafb70ad5ead

SHA1
19d6327bdeabc5985b8b95b321ae68ade26922c0

SHA256
4f6a4d0ee363c1bef38a91bf0299089e148c80c04ae20cde19017b12c3ef0415

SHA512
5fd6f5cceaac29337eb4839525fe67b542d2f58b4a386794413bf0a63751916c9754f35b99d43781270c863ab3e51899fa5404ed9e0d3922089ed8a49e09e448

Download Submit
\Windows\system\svchost.exe

Filesize
225KB

MD5
748d447f04581668ccb78362a3a356e1

SHA1
5fab9a49e8d3a6e792699a7eb8bdf2be4a8c2704

SHA256
35eabdc2e596f3ca9c0fe20b74658886dc6bac97815b0d41db9782b8daf20275

SHA512
65f06e1d5642f9d606bda2f62025b016b22aa06533a04ca4351c22a66f0def51bc5195e24a3364caf9bf2a77bedc49bd059dbec2e8b066ff87d7d179c7b4f818

Download Submit
memory/1600-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1600-12-0x0000000002B00000-0x0000000002B35000-memory.dmp

Filesize
212KB

Download
memory/1600-54-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2432-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2720-51-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2732-42-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2732-58-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3004-57-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download