Analysis
- max time kernel: 159s
- max time network: 167s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-06-2024 03:50
Static task: static1
Behavioral task: behavioral1
- Sample: 9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: 9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe
- Resource: win10v2004-20240226-en
General
- Target: 9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe
- Size: 135KB
- MD5: 9a90e30cd449584c79538ba4089ed5d0
- SHA1: 3e87868e987c1e29655e101ee388dd3860a9d004
- SHA256: bd9aff70e3b930f399364299a2e997d7ca316e5240be024292d46ec92c8843af
- SHA512: 85943ab0d8d880aead7d8891ba492f52284e7b31c8a2ce261ff744431b4f852f03ef595cc7283fa4499995709f180fa6666211a15361133bff2419669854b07a
- SSDEEP: 1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVqLI:UVqoCl/YgjxEufVU0TbTyDDaluI
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  - Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: explorer.exe)
  - Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: svchost.exe)
- Executes dropped EXE (4 IoCs)
  - PID 3812 explorer.exe
  - PID 800 spoolsv.exe
  - PID 488 svchost.exe
  - PID 1856 spoolsv.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (process: explorer.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (process: explorer.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (process: svchost.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (process: svchost.exe)
- Drops file in System32 directory (2 IoCs)
  - File opened for modification C:\Windows\SysWOW64\explorer.exe (process: explorer.exe)
  - File opened for modification C:\Windows\SysWOW64\explorer.exe (process: svchost.exe)
- Drops file in Windows directory (4 IoCs)
  - File opened for modification \??\c:\windows\resources\themes\explorer.exe (process: 9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe)
  - File opened for modification \??\c:\windows\resources\spoolsv.exe (process: explorer.exe)
  - File opened for modification \??\c:\windows\resources\svchost.exe (process: spoolsv.exe)
  - File opened for modification C:\Windows\Resources\tjud.exe (process: explorer.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  - PID 3080 9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe (listed repeatedly)
  - PID 3812 explorer.exe (listed repeatedly)
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  - PID 3812 explorer.exe
  - PID 488 svchost.exe
- Suspicious use of SetWindowsHookEx (10 IoCs)
  - PID 3080 9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe (x2)
  - PID 3812 explorer.exe (x2)
  - PID 800 spoolsv.exe (x2)
  - PID 488 svchost.exe (x2)
  - PID 1856 spoolsv.exe (x2)
- Suspicious use of WriteProcessMemory (12 IoCs)
  - PID 3080 (9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe) wrote to memory of PID 3812, procid_target 90 (x3)
  - PID 3812 (explorer.exe) wrote to memory of PID 800, procid_target 91 (x3)
  - PID 800 (spoolsv.exe) wrote to memory of PID 488, procid_target 92 (x3)
  - PID 488 (svchost.exe) wrote to memory of PID 1856, procid_target 93 (x3)
Processes
- C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9a90e30cd449584c79538ba4089ed5d0_NeikiAnalytics.exe"
  PID: 3080
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - \??\c:\windows\resources\themes\explorer.exe
    Command line: c:\windows\resources\themes\explorer.exe
    PID: 3812
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - \??\c:\windows\resources\spoolsv.exe
      Command line: c:\windows\resources\spoolsv.exe SE
      PID: 800
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - \??\c:\windows\resources\svchost.exe
        Command line: c:\windows\resources\svchost.exe
        PID: 488
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - \??\c:\windows\resources\spoolsv.exe
          Command line: c:\windows\resources\spoolsv.exe PR
          PID: 1856
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4204 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
  PID: 3972
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 135KB
  MD5: f23d8e37439515064284d785eecd5c94
  SHA1: 73cef8c63c11346c3fefff4ecb64b6aa429cc06e
  SHA256: 8a1dcffb3b8aae0724109c519630d9f59a6c27fd568d15dd050b82b3084496d2
  SHA512: 5f7b10b01e5a2dca7d50e9266d47b5d7cf9fd35e94251d51fe5ca300cac233a7b1958d84d67474a6c2d6f02a0a7f8fa3d434dcdff87c2cbd817d53dde5c96554
- Filesize: 135KB
  MD5: b03d84cd3319438f970a3087e08c748a
  SHA1: 02f36f5e0bbf867bde07773de6b3aa2b4734a5e6
  SHA256: caec66a1733d7024c9d313a1c56da28099c2e82bc5db0c7539127a289720427d
  SHA512: 91eff2c672525fda2b09c8605d031347d1da90655d2bf6d2f11460476280d96c2c53d6d1f28b0f9c6befa39a5545ba5c48646ccc924cf9e0ed6d7e52c09e8aec
- Filesize: 135KB
  MD5: 5949ac8ba0f9482bd55ff0d2891d0550
  SHA1: edef28b917a9b147cfcceff60e92452ce2017a67
  SHA256: 538f055799695f27b94294ddc6861eaa0ef91bba02896fc84b7ce1f33d8f8f7d
  SHA512: d6b61fd5ba17258a935a14ff5b5ced64359a1c57269712e5f500d56b322cd439f1ccbbee897d7ca3e6cb3c6a2def46d0e42acc99b00f877c24a22a804c19323a