Analysis
- max time kernel: 150s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-06-2024 04:35
Behavioral task behavioral1
- Sample: 9bc28921c5022333a8e52ccc0d2a67a0_NeikiAnalytics.exe
- Resource: win7-20240419-en
Behavioral task behavioral2
- Sample: 9bc28921c5022333a8e52ccc0d2a67a0_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 9bc28921c5022333a8e52ccc0d2a67a0_NeikiAnalytics.exe
- Size: 225KB
- MD5: 9bc28921c5022333a8e52ccc0d2a67a0
- SHA1: 8912d6db5bdb5046336455781a4e728500bbe5eb
- SHA256: 6af574f761ae76b680b0da61cc945b33b0bf4bbcfd635814ca8393b4c3961685
- SHA512: 80287c96344e2cacd262b15fb2b5a8304bba3c603aaa7a8e0c579490f9651d92cef6a1d93b8f012ae342fc4adbf48ac071b3581cd9a474da340f35397817cbaf
- SSDEEP: 3072:8vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6u8vMSR6:8vEN2U+T6i5LirrllHy4HUcMQY6vMSE
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (process: explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (process: svchost.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
- Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: explorer.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: svchost.exe)
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: explorer.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (process: svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: svchost.exe)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: svchost.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: svchost.exe)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (process: svchost.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: explorer.exe)
Executes dropped EXE (4 IoCs)
- PID 3540 explorer.exe
- PID 1772 spoolsv.exe
- PID 1248 svchost.exe
- PID 3096 spoolsv.exe
YARA rule matches (rule: upx)
- behavioral2/memory/3228-0-0x0000000000400000-0x0000000000435000-memory.dmp
- behavioral2/files/0x000a00000002339a-7.dat
- behavioral2/files/0x00080000000233a2-13.dat
- behavioral2/files/0x00080000000233a5-23.dat
- behavioral2/memory/3096-29-0x0000000000400000-0x0000000000435000-memory.dmp
- behavioral2/memory/3096-33-0x0000000000400000-0x0000000000435000-memory.dmp
- behavioral2/memory/1772-36-0x0000000000400000-0x0000000000435000-memory.dmp
- behavioral2/memory/3228-37-0x0000000000400000-0x0000000000435000-memory.dmp
- behavioral2/files/0x00090000000233a4-38.dat
- behavioral2/memory/3540-39-0x0000000000400000-0x0000000000435000-memory.dmp
- behavioral2/memory/1248-40-0x0000000000400000-0x0000000000435000-memory.dmp
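The upx rule above fired on the sample's own image (PID 3228, 0x400000-0x435000), on every dropped copy once loaded, and on the four dropped files. The block below is an added example written by the editor, not the sandbox's YARA rule: it reads the PE section table and looks for the UPX0/UPX1 section names, the cheapest static counterpart to that memory hit. The PE bytes it parses are a constructed fixture assembled by build_fake_pe() (header only, no code); to check a real dropped file, pass open(path, "rb").read() to pe_section_names(). Section names are trivially renamed, so treat a negative result as inconclusive; packer rules that match the decompressor stub bytes are the stronger check.

```python
"""Minimal PE section-table reader with a UPX section-name heuristic.

Added example by the page editor, not the sandbox's YARA rule.  The image
built by build_fake_pe() is a constructed fixture: valid headers, no code.
"""
import struct
from typing import List

PE32_MAGIC = 0x10B
SECTION_HEADER = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
COFF_HEADER = "<4sHHIIIHH"        # PE signature + IMAGE_FILE_HEADER, 24 bytes


def pe_section_names(data: bytes) -> List[str]:
    """Return the section names of a PE file, in section-table order."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]    # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]       # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                                  # section table follows the optional header
    names = []
    for i in range(num_sections):
        raw_name = struct.unpack_from(SECTION_HEADER, data, table + 40 * i)[0]
        names.append(raw_name.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """UPX names its sections UPX0/UPX1 (and keeps .rsrc); renamed sections defeat this check."""
    return any(name.upper().startswith("UPX") for name in pe_section_names(data))


def build_fake_pe(section_names: List[bytes], image_base: int = 0x400000) -> bytes:
    """Constructed PE32 header with the given sections (test fixture only; not loadable)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE header right after the DOS header
    coff = struct.pack(COFF_HEADER, b"PE\0\0", 0x14C, len(section_names), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                              # PE32 optional header
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 28, image_base)       # ImageBase; 0x400000 as in the memory dumps above
    table = b"".join(
        struct.pack(SECTION_HEADER, name.ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                    0x1000, 0x400 * (i + 1), 0, 0, 0, 0, 0x60000020)
        for i, name in enumerate(section_names))
    return bytes(dos) + coff + bytes(opt) + table


if __name__ == "__main__":
    packed = build_fake_pe([b"UPX0", b"UPX1", b".rsrc"])
    print(pe_section_names(packed), looks_upx_packed(packed))
```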
Adds Run key to start application (2 TTPs, 4 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (process: explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (process: explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (process: svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (process: svchost.exe)
Drops file in Windows directory (6 IoCs)
- File opened for modification \??\c:\windows\system\explorer.exe (process: 9bc28921c5022333a8e52ccc0d2a67a0_NeikiAnalytics.exe)
- File opened for modification \??\c:\windows\system\spoolsv.exe (process: explorer.exe)
- File opened for modification \??\c:\windows\system\svchost.exe (process: spoolsv.exe)
- File opened for modification \??\c:\windows\system\explorer.exe (process: explorer.exe)
- File opened for modification \??\c:\windows\system\svchost.exe (process: svchost.exe)
- File opened for modification C:\Windows\system\udsys.exe (process: explorer.exe)
Enumerates physical storage devices (1 TTPs)
- Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- 64 process-enumeration events, from PID 3228 (9bc28921c5022333a8e52ccc0d2a67a0_NeikiAnalytics.exe, 2 events), PID 3540 (explorer.exe) and PID 1248 (svchost.exe)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
- PID 3540 explorer.exe
- PID 1248 svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
- PID 3228 9bc28921c5022333a8e52ccc0d2a67a0_NeikiAnalytics.exe (2 events)
- PID 3540 explorer.exe (4 events)
- PID 1772 spoolsv.exe (2 events)
- PID 1248 svchost.exe (2 events)
- PID 3096 spoolsv.exe (2 events)
Suspicious use of WriteProcessMemory (21 IoCs; each writer/target pair is recorded three times)
- PID 3228 9bc28921c5022333a8e52ccc0d2a67a0_NeikiAnalytics.exe wrote to memory of PID 3540 explorer.exe (procid_target 81)
- PID 3540 explorer.exe wrote to memory of PID 1772 spoolsv.exe (procid_target 82)
- PID 1772 spoolsv.exe wrote to memory of PID 1248 svchost.exe (procid_target 83)
- PID 1248 svchost.exe wrote to memory of PID 3096 spoolsv.exe (procid_target 84)
- PID 1248 svchost.exe wrote to memory of PID 1648 at.exe (procid_target 85)
- PID 1248 svchost.exe wrote to memory of PID 1636 at.exe (procid_target 95)
- PID 1248 svchost.exe wrote to memory of PID 2044 at.exe (procid_target 97)
Processes
- C:\Users\Admin\AppData\Local\Temp\9bc28921c5022333a8e52ccc0d2a67a0_NeikiAnalytics.exe (PID 3228, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9bc28921c5022333a8e52ccc0d2a67a0_NeikiAnalytics.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - \??\c:\windows\system\explorer.exe (PID 3540, level 2)
    Command line: c:\windows\system\explorer.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - \??\c:\windows\system\spoolsv.exe (PID 1772, level 3)
      Command line: c:\windows\system\spoolsv.exe SE
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - \??\c:\windows\system\svchost.exe (PID 1248, level 4)
        Command line: c:\windows\system\svchost.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - \??\c:\windows\system\spoolsv.exe (PID 3096, level 5)
          Command line: c:\windows\system\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        - C:\Windows\SysWOW64\at.exe (PID 1648, level 5)
          Command line: at 04:37 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        - C:\Windows\SysWOW64\at.exe (PID 1636, level 5)
          Command line: at 04:38 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        - C:\Windows\SysWOW64\at.exe (PID 2044, level 5)
          Command line: at 04:39 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
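The registry IoCs and process tree above describe a layered persistence chain: the Winlogon Shell value gains a second comma-separated entry, RunOnce keys point at the copies in c:\windows\system\, Active Setup gets StubPath entries under GUIDs that are not even hexadecimal, ShowSuperHidden is cleared so the dropped copies stay hidden in Explorer, and the dropped svchost.exe schedules itself with at.exe. The script below is an added example written by the editor, not Triage's own detection logic. It parses IoC lines in exactly the form this report prints them (the sample lines are copied from the signatures above, the command lines from the process tree) and emits one finding per mechanism. The allow-list of autostart directories, the accepted Winlogon Shell values and the expected locations of explorer.exe, svchost.exe and spoolsv.exe are the editor's assumptions, not something the report states. Two caveats a responder would want: the at.exe jobs are not reflected in the ATT&CK matrix below (they belong under Scheduled Task/Job: At, T1053.002), and at.exe has been deprecated since Windows 8, so whether the jobs were actually created on this Windows 10 run is not something the report shows.

```python
"""Persistence triage over the registry and process IoCs of a sandbox report.

Added example by the page editor; it is not the sandbox's own detection logic.
Sample lines are copied from the report (constructed fixture).  The allow-listed
autostart directories and the expected homes of system binaries are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Registry IoCs exactly as the report prints them: "<op> <key path>[ = "<value>"] <process>".
# The report doubles the backslashes inside values; parse_registry_iocs() undoes that.
REGISTRY_IOCS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" explorer.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" explorer.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} svchost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" explorer.exe
'''

# Command lines from the report's process tree (constructed fixture).
PROCESS_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\9bc28921c5022333a8e52ccc0d2a67a0_NeikiAnalytics.exe"',
    r"c:\windows\system\explorer.exe",
    r"c:\windows\system\spoolsv.exe SE",
    r"at 04:37 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe",
    r"at 04:38 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe",
]

IOC_RE = re.compile(
    r'^(?P<op>Set value \((?:str|int)\)|Key created|Key deleted)\s+'
    r'(?P<path>\\REGISTRY\\.*?)'            # key paths contain spaces ("Windows NT"), hence non-greedy
    r'(?:\s*=\s*"(?P<value>[^"]*)")?'
    r'\s+(?P<proc>\S+)$'
)
# Editor's assumption: autostart targets are expected under these prefixes; anything else is flagged.
ALLOWED_AUTOSTART_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                          "c:\\program files\\", "c:\\program files (x86)\\")
WINLOGON_SHELL_DEFAULTS = ("explorer.exe", "c:\\windows\\explorer.exe")
# Editor's assumption: where binaries with these names legitimately live on x64 Windows.
SYSTEM_BINARY_HOMES = {
    "explorer.exe": ("c:\\windows\\explorer.exe", "c:\\windows\\syswow64\\explorer.exe"),
    "svchost.exe": ("c:\\windows\\system32\\svchost.exe", "c:\\windows\\syswow64\\svchost.exe"),
    "spoolsv.exe": ("c:\\windows\\system32\\spoolsv.exe",),
}
GUID_RE = re.compile(r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}", re.I)

Finding = Tuple[str, str, str]   # (rule, context, evidence)


@dataclass
class RegistryEvent:
    op: str
    path: str
    value: Optional[str]
    process: str


def parse_registry_iocs(text: str) -> List[RegistryEvent]:
    """Parse the report's registry IoC lines; unescape the doubled backslashes in values."""
    events = []
    for line in text.strip().splitlines():
        m = IOC_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable IoC line: {line!r}")
        value = m.group("value")
        if value is not None:
            value = value.replace("\\\\", "\\")
        events.append(RegistryEvent(m.group("op"), m.group("path"), value, m.group("proc")))
    return events


def first_token(cmdline: str) -> str:
    """Image path of a command line, honouring a quoted first argument."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split()[0]


def outside_allowed_dirs(target: str) -> bool:
    return not target.lower().startswith(ALLOWED_AUTOSTART_DIRS)


def analyse_registry(events: List[RegistryEvent]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        path = ev.path.lower()
        if path.endswith("\\winlogon\\shell") and ev.value is not None:
            # Default Shell is "explorer.exe"; every extra comma-separated entry also runs at logon.
            extra = [e.strip() for e in ev.value.split(",")
                     if e.strip().lower() not in WINLOGON_SHELL_DEFAULTS]
            if extra:
                findings.append(("winlogon_shell", ev.process, ", ".join(extra)))
        elif ("\\currentversion\\run\\" in path or "\\currentversion\\runonce\\" in path) and ev.value:
            target = first_token(ev.value)
            if outside_allowed_dirs(target):
                findings.append(("run_key", ev.process, target))
        elif "\\installed components\\" in path:
            marker = "\\installed components\\"
            guid = ev.path[path.index(marker) + len(marker):].split("\\", 1)[0]
            if not GUID_RE.fullmatch(guid):     # genuine Active Setup keys use hex-only GUIDs
                findings.append(("active_setup_bogus_guid", ev.process, guid))
            if path.endswith("\\stubpath") and ev.value:
                target = first_token(ev.value)
                if outside_allowed_dirs(target):
                    findings.append(("active_setup_stubpath", ev.process, target))
        elif path.endswith("\\advanced\\showsuperhidden") and ev.value == "0":
            # Hides protected OS files in Explorer, keeping the dropped copies out of sight.
            findings.append(("hide_system_files", ev.process, ev.value))
    return findings


def analyse_processes(cmdlines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for cmd in cmdlines:
        tokens = cmd.split()
        image = first_token(cmd).lower()
        name = image.rsplit("\\", 1)[-1]
        if name in SYSTEM_BINARY_HOMES and image not in SYSTEM_BINARY_HOMES[name]:
            findings.append(("masquerade", name, image))     # system binary name, wrong directory
        if tokens[0].lower() in ("at", "at.exe") and any(t.lower().startswith("/every:") for t in tokens):
            findings.append(("at_job", tokens[1], tokens[-1]))   # (rule, time, scheduled target)
    return findings


if __name__ == "__main__":
    for f in analyse_registry(parse_registry_iocs(REGISTRY_IOCS)) + analyse_processes(PROCESS_CMDLINES):
        print("%-24s %-14s %s" % f)
```

Each finding is a (rule, context, evidence) triple, so the output can be fed straight into a ticket or a YAML IoC list; the bogus-GUID check is the cheapest of the rules to run fleet-wide, since a legitimate Installed Components key never carries letters outside 0-9 and A-F.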
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (T1547): 3
  - Registry Run Keys / Startup Folder (T1547.001): 2
  - Winlogon Helper DLL (T1547.004): 1
Privilege Escalation
- Boot or Logon Autostart Execution (T1547): 3
  - Registry Run Keys / Startup Folder (T1547.001): 2
  - Winlogon Helper DLL (T1547.004): 1
Downloads
- Filesize: 225KB
  MD5: 434aaac15dc66f4d4e1acee41fdcf6ec
  SHA1: 54fd78ab2cd3303130f9472f5c718de2d6f1871a
  SHA256: 807dc521a73d072381d2fee2e57db1f6865757b034fec368a95b70c5b45b1f44
  SHA512: 41aa7150036e75105160186e26eb9e2b05ab3116bb13694308e870f821d7b03d05880c094561b091b86c260eaeae0e9fd64986e68c462984e02bc184966126fd
- Filesize: 225KB
  MD5: 9a48d6dd39617df18421a7434438976e
  SHA1: eee60f0fb34bb68081254e3777cc531714a2c330
  SHA256: 377439310d1d1a2bf60c4c35037a0148d128c25d0e619db125280abfa4a8b1f1
  SHA512: c2e18e6435c22c044514bb392e8ac30e32c3c0abcc5c798f035e16ab9f216c17df6f359c1f2c3c913ee1df67a7a88d4219caf751ef133c00c7b01d4ccf3b9c0b
- Filesize: 225KB
  MD5: 4e65992b5adb30d1226904d1815011a3
  SHA1: 46d2956cd357edaa32da5182a2ef068763c08dc1
  SHA256: edbad86fedb6100deda43713b786d4b1229129d2746fc785625fac36d1a06ac3
  SHA512: 34258e6ad6968653df685461e859c10474ee91155d73b503cd6ad7cb468e38588c90654abd6d264df15a6a26be8bd4683b3e691884bdc8164f9b2026ec4c90ad
- Filesize: 225KB
  MD5: 47b9ef87ce54cd1091b6d45ff38a52be
  SHA1: 2afcb870fd6b0be7b98987d8d50a353c5bed606d
  SHA256: dc728947644e2ba38b2d17611b2ea961a27e85b0636c9723d782e36fdc3f5f20
  SHA512: a6d2c44e1f4801970968eb8a39dd60e9d8cad5852cfb80b23c76e20d5279c4c23b79eeaf85f918ecfd2ea64ce94de3ca400f5046bda49c0396d7c7be9877391e