Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 03-06-2024 03:50
Static task: static1
Behavioral task: behavioral1
  Sample: 9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe
  Resource: win10v2004-20240226-en
General
Target: 9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe
Size: 135KB
MD5: 9a90e30cd449584c79538ba4089ed5d0
SHA1: 3e87868e987c1e29655e101ee388dd3860a9d004
SHA256: bd9aff70e3b930f399364299a2e997d7ca316e5240be024292d46ec92c8843af
SHA512: 85943ab0d8d880aead7d8891ba492f52284e7b31c8a2ce261ff744431b4f852f03ef595cc7283fa4499995709f180fa6666211a15361133bff2419669854b07a
SSDEEP: 1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVqLI:UVqoCl/YgjxEufVU0TbTyDDaluI
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  - Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
  - Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Executes dropped EXE (4 IoCs)
  pid | Process
  - 320 | explorer.exe
  - 2912 | spoolsv.exe
  - 2616 | svchost.exe
  - 2620 | spoolsv.exe
Loads dropped DLL (4 IoCs)
  pid | Process
  - 2404 | 9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe
  - 320 | explorer.exe
  - 2912 | spoolsv.exe
  - 2616 | svchost.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  - File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
  - File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe
Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  - File opened for modification | \??\c:\windows\resources\themes\explorer.exe | 9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe
  - File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
  - File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
  - File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe
Creates scheduled task(s) (1 TTP, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  - 2492 | schtasks.exe
  - 1672 | schtasks.exe
  - 2164 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process (the same three processes are recorded repeatedly across the 64 entries)
  - 2404 | 9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe
  - 320 | explorer.exe
  - 2616 | svchost.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | Process
  - 320 | explorer.exe
  - 2616 | svchost.exe
Suspicious use of SetWindowsHookEx (10 IoCs)
  pid | Process (each entry recorded twice)
  - 2404 | 9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe
  - 320 | explorer.exe
  - 2912 | spoolsv.exe
  - 2616 | svchost.exe
  - 2620 | spoolsv.exe
Suspicious use of WriteProcessMemory (32 IoCs)
  description | pid | Process | procid_target (each entry recorded four times)
  - PID 2404 wrote to memory of 320 | 2404 | 9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe | 28
  - PID 320 wrote to memory of 2912 | 320 | explorer.exe | 29
  - PID 2912 wrote to memory of 2616 | 2912 | spoolsv.exe | 30
  - PID 2616 wrote to memory of 2620 | 2616 | svchost.exe | 31
  - PID 320 wrote to memory of 2752 | 320 | explorer.exe | 32
  - PID 2616 wrote to memory of 2492 | 2616 | svchost.exe | 33
  - PID 2616 wrote to memory of 1672 | 2616 | svchost.exe | 38
  - PID 2616 wrote to memory of 2164 | 2616 | svchost.exe | 40
Processes
1. C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe"
   PID: 2404
   - Loads dropped DLL
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. \??\c:\windows\resources\themes\explorer.exe
      command line: c:\windows\resources\themes\explorer.exe
      PID: 320
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. \??\c:\windows\resources\spoolsv.exe
         command line: c:\windows\resources\spoolsv.exe SE
         PID: 2912
         - Executes dropped EXE
         - Loads dropped DLL
         - Drops file in Windows directory
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. \??\c:\windows\resources\svchost.exe
            command line: c:\windows\resources\svchost.exe
            PID: 2616
            - Modifies visibility of hidden/system files in Explorer
            - Executes dropped EXE
            - Loads dropped DLL
            - Adds Run key to start application
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            5. \??\c:\windows\resources\spoolsv.exe
               command line: c:\windows\resources\spoolsv.exe PR
               PID: 2620
               - Executes dropped EXE
               - Suspicious use of SetWindowsHookEx
            5. C:\Windows\SysWOW64\schtasks.exe
               command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:52 /f
               PID: 2492
               - Creates scheduled task(s)
            5. C:\Windows\SysWOW64\schtasks.exe
               command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:53 /f
               PID: 1672
               - Creates scheduled task(s)
            5. C:\Windows\SysWOW64\schtasks.exe
               command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:54 /f
               PID: 2164
               - Creates scheduled task(s)
      3. C:\Windows\Explorer.exe
         command line: C:\Windows\Explorer.exe
         PID: 2752
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Downloads
- Filesize: 135KB
  MD5: c467bfe5fadf8b990018007375fca8f3
  SHA1: f8643cdb3b51ab890fe8e839bea7e02dcc5aa12b
  SHA256: e6af4421188a236f7e1598234be1c412f71715ba574b14e31e5eb8f78e345b8e
  SHA512: 430129ebf673891850c57aa85bbdb21e8c157ade0b4538dfddd3d2712ebd22d841199f05d850caeac296e290e418bec27c1b4e548b743588dcae327cfc7f24e4
- Filesize: 135KB
  MD5: 1f53cc134e3add8aa898b4038f36021d
  SHA1: a848b6e6f191db8bdc78bb7b2b1dbc8fb35b05c0
  SHA256: 9abae1f10ff12f11f32b97aabfa40e728e6f87bf19b85888a27161fb145466f8
  SHA512: d399ecfc99f6d3c96d7ed8e531dac338ee9f858e8447b235dffb32e59b0ae7023111299e02b1a1f6c7143ca41ca312c69b22508b09c446f6e622c9669cd5ff65
- Filesize: 135KB
  MD5: dcef10cbdc1f9e3b46eb901668eccf17
  SHA1: 3863d2f1b03d01ef73b4ddaba24ca75e9717a7d9
  SHA256: 25b8e7935b46a545c72ca914680dc16908290837f2402ec78f26d289bbac6865
  SHA512: db245b9e29bf5a4677b31300bd460c2806ca2e2f40adc476fe11c073cf1a9ab811ea4933f73b3a00cfb43689b0d81cb9cb2e34357d27ea710a7847a32f7b368a