Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
03-06-2024 03:47
Static task
static1
Behavioral task
behavioral1
Sample
9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe
-
Size
135KB
-
MD5
9a7d8dffbf9c972fe412e27df603d550
-
SHA1
234f06d42bcf2542e82479dc432c157e5699b44e
-
SHA256
fe9e0b6dc44da1531a24b7868c24a970788ccd393d4882227bc8d156aa0625ef
-
SHA512
b21bc87a2dc822ecdfff6b2bb063e90562fbab3c4e50d8b0c8595ddc101d2e72569dc2b1c7717c38a4414670286598da83683c64463e7206d419033baaa13654
-
SSDEEP
1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVVE3jT:UVqoCl/YgjxEufVU0TbTyDDal/EzT
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe -
Executes dropped EXE 4 IoCs
pid Process 1724 explorer.exe 2924 spoolsv.exe 2636 svchost.exe 2712 spoolsv.exe -
Loads dropped DLL 4 IoCs
pid Process 352 9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe 1724 explorer.exe 2924 spoolsv.exe 2636 svchost.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" explorer.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\explorer.exe explorer.exe File opened for modification C:\Windows\SysWOW64\explorer.exe svchost.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File opened for modification \??\c:\windows\resources\themes\explorer.exe 9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe File opened for modification \??\c:\windows\resources\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\resources\svchost.exe spoolsv.exe File opened for modification C:\Windows\Resources\tjud.exe explorer.exe -
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2892 schtasks.exe 2524 schtasks.exe 1412 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 352 9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe 352 9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe 352 9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe 352 9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe 352 9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe 352 9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe 352 9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe 352 9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe 352 9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe 352 9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe 352 9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe 352 9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe 352 9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe 352 9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe 352 9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe 352 9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe 352 9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe 1724 explorer.exe 1724 explorer.exe 1724 explorer.exe 1724 explorer.exe 1724 explorer.exe 1724 explorer.exe 1724 explorer.exe 1724 explorer.exe 1724 explorer.exe 1724 explorer.exe 1724 explorer.exe 1724 explorer.exe 1724 explorer.exe 1724 explorer.exe 1724 explorer.exe 1724 explorer.exe 2636 svchost.exe 2636 svchost.exe 2636 svchost.exe 2636 svchost.exe 2636 svchost.exe 2636 svchost.exe 2636 svchost.exe 2636 svchost.exe 2636 svchost.exe 2636 svchost.exe 2636 svchost.exe 2636 svchost.exe 2636 svchost.exe 2636 svchost.exe 2636 svchost.exe 2636 svchost.exe 1724 explorer.exe 1724 explorer.exe 1724 explorer.exe 2636 svchost.exe 2636 svchost.exe 1724 explorer.exe 2636 svchost.exe 1724 explorer.exe 2636 svchost.exe 1724 explorer.exe 2636 svchost.exe 1724 explorer.exe 2636 svchost.exe 1724 explorer.exe 2636 svchost.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 1724 explorer.exe 2636 svchost.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process 352 9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe 352 9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe 1724 explorer.exe 1724 explorer.exe 2924 spoolsv.exe 2924 spoolsv.exe 2636 svchost.exe 2636 svchost.exe 2712 spoolsv.exe 2712 spoolsv.exe -
Suspicious use of WriteProcessMemory 32 IoCs
description pid Process procid_target PID 352 wrote to memory of 1724 352 9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe 28 PID 352 wrote to memory of 1724 352 9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe 28 PID 352 wrote to memory of 1724 352 9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe 28 PID 352 wrote to memory of 1724 352 9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe 28 PID 1724 wrote to memory of 2924 1724 explorer.exe 29 PID 1724 wrote to memory of 2924 1724 explorer.exe 29 PID 1724 wrote to memory of 2924 1724 explorer.exe 29 PID 1724 wrote to memory of 2924 1724 explorer.exe 29 PID 2924 wrote to memory of 2636 2924 spoolsv.exe 30 PID 2924 wrote to memory of 2636 2924 spoolsv.exe 30 PID 2924 wrote to memory of 2636 2924 spoolsv.exe 30 PID 2924 wrote to memory of 2636 2924 spoolsv.exe 30 PID 2636 wrote to memory of 2712 2636 svchost.exe 31 PID 2636 wrote to memory of 2712 2636 svchost.exe 31 PID 2636 wrote to memory of 2712 2636 svchost.exe 31 PID 2636 wrote to memory of 2712 2636 svchost.exe 31 PID 1724 wrote to memory of 3000 1724 explorer.exe 32 PID 1724 wrote to memory of 3000 1724 explorer.exe 32 PID 1724 wrote to memory of 3000 1724 explorer.exe 32 PID 1724 wrote to memory of 3000 1724 explorer.exe 32 PID 2636 wrote to memory of 2524 2636 svchost.exe 33 PID 2636 wrote to memory of 2524 2636 svchost.exe 33 PID 2636 wrote to memory of 2524 2636 svchost.exe 33 PID 2636 wrote to memory of 2524 2636 svchost.exe 33 PID 2636 wrote to memory of 1412 2636 svchost.exe 38 PID 2636 wrote to memory of 1412 2636 svchost.exe 38 PID 2636 wrote to memory of 1412 2636 svchost.exe 38 PID 2636 wrote to memory of 1412 2636 svchost.exe 38 PID 2636 wrote to memory of 2892 2636 svchost.exe 40 PID 2636 wrote to memory of 2892 2636 svchost.exe 40 PID 2636 wrote to memory of 2892 2636 svchost.exe 40 PID 2636 wrote to memory of 2892 2636 svchost.exe 40
Processes
-
C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\9a7d8dffbf9c972fe412e27df603d550_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:352 -
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1724 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2712
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:50 /f5⤵
- Creates scheduled task(s)
PID:2524
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:51 /f5⤵
- Creates scheduled task(s)
PID:1412
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:52 /f5⤵
- Creates scheduled task(s)
PID:2892
-
-
-
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe3⤵PID:3000
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
135KB
MD5f12a628f29a00f809e6da37838ad4600
SHA1c7ba0d36dec3d7a777614ef9fade14b5d22c879c
SHA25651e03a872659ab577ff89a10d576d213ff6f1d7078bd4be0407563e67adfbb2f
SHA512f047b51f3d724f9cb7c9a64bfc4dc1be08e6e536d8241dd701cc7c73060b4005d9efc9683fc56f0109184b4240f46fd66488f22ce812cb48189eb6dfcc9f4975
-
Filesize
135KB
MD50fb2d4655bc6d3372b582ff3399c9972
SHA1859a39cc6775ff8c301b2e3f49f5e305fc23ecf8
SHA256fd2495958e36b91d6c52635fbc0d5020638591ea6e3f08190cf4da6d6eafb0ec
SHA5120eab38189c1cc1517fee9d038911f975d0aad8ad7ff394b7ebad307711bbd9cd247b040f7b1eae08df9e538cdf1985709aae1ebbaf90b38482c40668b15b9f3a
-
Filesize
135KB
MD5cf9122c79b5cf8b1711643d9a50ce79f
SHA1cedba3344596f0e934c2b73af54994b05d868ceb
SHA256115cf6e17d50d955e2eee29a0fa2f6fd6ff8c9623be0c9c62c8c75c2e6bdfc1d
SHA512e2b4ea0f96526e1c1ba87776d3760fdf3a4202826c3fe7bffcb6e81775f357ec293a15fd544672864a2f85933b3ce2adaf843043df9003dbd577e7cdf610d017