Malware Analysis Report

2025-01-06 11:57

Sample ID 240603-fd7b3sbh5z
Target 9c04d26bc6595875ffdb5eb76eff6ec0_NeikiAnalytics.exe
SHA256 fd2594ccf52a599171a9d1d31e57f9048a14c5ba0f77b7dd946bd5424c7663ce
Tags
evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fd2594ccf52a599171a9d1d31e57f9048a14c5ba0f77b7dd946bd5424c7663ce

Threat Level: Known bad

The file 9c04d26bc6595875ffdb5eb76eff6ec0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence trojan

Detects BazaLoader malware

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Modifies Installed Components in the registry

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 04:46

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 04:46

Reported

2024-06-03 04:49

Platform

win7-20240220-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9c04d26bc6595875ffdb5eb76eff6ec0_NeikiAnalytics.exe"

Signatures

Detects BazaLoader malware

trojan
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\svchost.exe | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\svchost.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\svchost.exe | N/A
File opened for modification | C:\Windows\system\udsys.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\9c04d26bc6595875ffdb5eb76eff6ec0_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9c04d26bc6595875ffdb5eb76eff6ec0_NeikiAnalytics.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2856 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\9c04d26bc6595875ffdb5eb76eff6ec0_NeikiAnalytics.exe | \??\c:\windows\system\explorer.exe
PID 2856 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\9c04d26bc6595875ffdb5eb76eff6ec0_NeikiAnalytics.exe | \??\c:\windows\system\explorer.exe
PID 2856 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\9c04d26bc6595875ffdb5eb76eff6ec0_NeikiAnalytics.exe | \??\c:\windows\system\explorer.exe
PID 2856 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\9c04d26bc6595875ffdb5eb76eff6ec0_NeikiAnalytics.exe | \??\c:\windows\system\explorer.exe
PID 2556 wrote to memory of 2540 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 2556 wrote to memory of 2540 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 2556 wrote to memory of 2540 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 2556 wrote to memory of 2540 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 2540 wrote to memory of 2660 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 2540 wrote to memory of 2660 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 2540 wrote to memory of 2660 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 2540 wrote to memory of 2660 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 2660 wrote to memory of 2492 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2660 wrote to memory of 2492 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2660 wrote to memory of 2492 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2660 wrote to memory of 2492 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2660 wrote to memory of 1584 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2660 wrote to memory of 1584 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2660 wrote to memory of 1584 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2660 wrote to memory of 1584 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2660 wrote to memory of 2708 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2660 wrote to memory of 2708 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2660 wrote to memory of 2708 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2660 wrote to memory of 2708 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2660 wrote to memory of 1940 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2660 wrote to memory of 1940 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2660 wrote to memory of 1940 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2660 wrote to memory of 1940 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9c04d26bc6595875ffdb5eb76eff6ec0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9c04d26bc6595875ffdb5eb76eff6ec0_NeikiAnalytics.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 04:48 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 04:49 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 04:50 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

N/A

Files

memory/2856-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2856-2-0x0000000000020000-0x0000000000024000-memory.dmp

memory/2856-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2856-1-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2856-4-0x0000000000401000-0x000000000042E000-memory.dmp

\Windows\system\explorer.exe

MD5 706ce6b6f3ed4f6f268fe26b59f1c676
SHA1 45228bdf056c7c20c20e9c5430702557b7a9ebb3
SHA256 ca20fffd02382e5dbe3e25e24fe921def12c054ba033b62a271d0869c02e6360
SHA512 a729c60af50c64ae845409093f56be9b2abfb57c1106adf9450cad94c7e3760c84b7c557b7001503640936cb99864ebfa015829c6f52d9a62941f4dd061baf7a

memory/2556-17-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2556-20-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2856-19-0x0000000002560000-0x0000000002591000-memory.dmp

\Windows\system\spoolsv.exe

MD5 2d387d99124c81cce4f5aa400c036a3f
SHA1 5cad048f1ea7f9d81eca15243b05d16fd5bf8f07
SHA256 306ee5335387ab03ae419f9aab454aa3822049698442372cb91e12872704b2af
SHA512 180c0ac78c3778090df9164ed72abbb4a22e66e503cf6cba4f0c8bf5d6041cab9eaf71ec5710a10edc97780fbce8e5937f660db978ddfeba4705733177805d17

memory/2540-35-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2556-34-0x0000000002590000-0x00000000025C1000-memory.dmp

memory/2540-36-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2540-40-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\system\svchost.exe

MD5 90238ddaf73d4e92525f191916209c0b
SHA1 c61b9024bfcc5372908e866f7f4d2e1ae5845df8
SHA256 8f2b86dd5138d732fea273c6baf29ac05598f9e4c475101a89e7f33c31f25ec9
SHA512 03fdd97665fdbc945b93cb079ee57f9ed540b42f507b2a4098b9c325d459c608de71532378a3daa3807e98d26df19841d1ddde81945cfd47af8de90c07313200

memory/2660-58-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2660-60-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2660-53-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2540-52-0x0000000001D80000-0x0000000001DB1000-memory.dmp

memory/2492-64-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2492-70-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2540-73-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2856-74-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2856-75-0x0000000000401000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 5a681f55f086f8adf1e151b8f392947e
SHA1 105e3df38c9f41660b6e9194548c41159edf04fe
SHA256 2202f015af83f0060422f9f11ff2af9ef95eb66c9f94da475063c906faffeee0
SHA512 96d30ac6d9302657b6f3b035547d0ee1db406818d19e1f106db369bb2e138b6efc3dc8a481ad1281074ef8ad1d1e977c34185621c4d215d74b6bfbdcf8b1e4fa

memory/2556-77-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2660-79-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2556-88-0x0000000000400000-0x0000000000431000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 04:46

Reported

2024-06-03 04:49

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9c04d26bc6595875ffdb5eb76eff6ec0_NeikiAnalytics.exe"

Signatures

Detects BazaLoader malware

trojan
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\svchost.exe | N/A
File opened for modification | C:\Windows\system\udsys.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\9c04d26bc6595875ffdb5eb76eff6ec0_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9c04d26bc6595875ffdb5eb76eff6ec0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9c04d26bc6595875ffdb5eb76eff6ec0_NeikiAnalytics.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1496 wrote to memory of 4776 | N/A | C:\Users\Admin\AppData\Local\Temp\9c04d26bc6595875ffdb5eb76eff6ec0_NeikiAnalytics.exe | \??\c:\windows\system\explorer.exe
PID 1496 wrote to memory of 4776 | N/A | C:\Users\Admin\AppData\Local\Temp\9c04d26bc6595875ffdb5eb76eff6ec0_NeikiAnalytics.exe | \??\c:\windows\system\explorer.exe
PID 1496 wrote to memory of 4776 | N/A | C:\Users\Admin\AppData\Local\Temp\9c04d26bc6595875ffdb5eb76eff6ec0_NeikiAnalytics.exe | \??\c:\windows\system\explorer.exe
PID 4776 wrote to memory of 1564 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 4776 wrote to memory of 1564 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 4776 wrote to memory of 1564 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 1564 wrote to memory of 1340 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 1564 wrote to memory of 1340 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 1564 wrote to memory of 1340 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 1340 wrote to memory of 2780 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 1340 wrote to memory of 2780 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 1340 wrote to memory of 2780 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 1340 wrote to memory of 1020 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 1340 wrote to memory of 1020 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 1340 wrote to memory of 1020 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 1340 wrote to memory of 3296 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 1340 wrote to memory of 3296 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 1340 wrote to memory of 3296 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 1340 wrote to memory of 4760 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 1340 wrote to memory of 4760 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 1340 wrote to memory of 4760 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9c04d26bc6595875ffdb5eb76eff6ec0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9c04d26bc6595875ffdb5eb76eff6ec0_NeikiAnalytics.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 04:48 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 04:49 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 04:50 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | | udp

Files

memory/1496-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1496-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/1496-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1496-4-0x0000000000401000-0x000000000042E000-memory.dmp

memory/1496-2-0x0000000075A00000-0x0000000075B5D000-memory.dmp

C:\Windows\System\explorer.exe

MD5 e53af6f6e974a12d4e56e8957301017b
SHA1 9f9ac186415170173ca9adecf5bab38a960fc983
SHA256 23d02b7d95f241647727044e9fdd2f860dc40fbba6c55f97db43fa3045a829f5
SHA512 1f5da59572bb032dee506eb671df53310fbd3f7c994c4deb6ff23521c4169e43d94146062ea20fdd89d238ff3bb86802c8fac0f243a89ec85c410884e93d557c

memory/4776-13-0x0000000075A00000-0x0000000075B5D000-memory.dmp

memory/4776-15-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 487c326902c98db85dca5514a654aac3
SHA1 69837b0e5f0652ccc927644cc7fbefcc9588cd9e
SHA256 4fa171e51d5721a3f66b6b0cd2b59ccfaf4788b7e5f3aa429a97ea95ab2f7035
SHA512 2e2463af517aee89828b357569ffd15adfbfce616f72358131b58470996c7f56b65c20f263aa9da52f9b8fbaf2e7043acbca5747c8c17caba84c39028a2cc628

memory/1564-24-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1564-25-0x0000000075A00000-0x0000000075B5D000-memory.dmp

memory/1564-30-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\System\svchost.exe

MD5 def9608566bf90aca57156056d4949ed
SHA1 a14efcd1561ae6a2f428e5516a7f54d8ef137557
SHA256 f593c561ae4f5005f5ba26525b162d8bed5a12f250a49f779279136c31d45997
SHA512 c2ae7bf1a1045a0bf6f2882b053348da259f22e72a4331088052703067eff2aec4521856128ad12b9727c8593ecb916848a773b615367e4494f199c5ffbb0d73

memory/1340-36-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1340-37-0x0000000075A00000-0x0000000075B5D000-memory.dmp

memory/1340-41-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2780-44-0x0000000075A00000-0x0000000075B5D000-memory.dmp

memory/2780-52-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1564-54-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1496-55-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1496-57-0x0000000000401000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 73d6543ffb53b5d2ffa61e8dd8b0f82e
SHA1 db85f9acf82b9faa738d96acf58a363c2108371a
SHA256 64046e5ba4fecf82471ee7a44f35c891fa4669b1a0ff3b1192891516f5c7cab7
SHA512 0347479988c6089dd06a6e39c4c2457b6b639ea2ab7be9b89533e819f85c1d2587f8c0ed66b38e42ae0667d333a165e03112df677a87abc89c697fd9a1560210

memory/1496-56-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/4776-59-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1340-61-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4776-70-0x0000000000400000-0x0000000000431000-memory.dmp