f420a0469fbb130f5eb87d02e71f10f462f04f2981f041f466171154c0594167

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
04-06-2024 22:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

131369f3a7e80b3a00560cd3570416e0_NeikiAnalytics.exe
Size

206KB
MD5

131369f3a7e80b3a00560cd3570416e0
SHA1

48baaa94fbf7723ca3074472013571da33bbe8d9
SHA256

f420a0469fbb130f5eb87d02e71f10f462f04f2981f041f466171154c0594167
SHA512

3b24f4e20c9f13f165108a3704dee0ebbfdf35ed06fd25d5d6b5b5dfedfcf84b4f011f8a82df18808404311aa0017e8a7a366e3b1734b1251d15b6494a261d3f
SSDEEP

3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unLf:5vEN2U+T6i5LirrllHy4HUcMQY6Kf

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
1580	explorer.exe
2136	spoolsv.exe
2672	svchost.exe
2828	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
2456	131369f3a7e80b3a00560cd3570416e0_NeikiAnalytics.exe
2456	131369f3a7e80b3a00560cd3570416e0_NeikiAnalytics.exe
1580	explorer.exe
1580	explorer.exe
2136	spoolsv.exe
2136	spoolsv.exe
2672	svchost.exe
2672	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	131369f3a7e80b3a00560cd3570416e0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2456	131369f3a7e80b3a00560cd3570416e0_NeikiAnalytics.exe
1580	explorer.exe
1580	explorer.exe
1580	explorer.exe
2672	svchost.exe
2672	svchost.exe
1580	explorer.exe
2672	svchost.exe
1580	explorer.exe
2672	svchost.exe
1580	explorer.exe
2672	svchost.exe
1580	explorer.exe
2672	svchost.exe
1580	explorer.exe
2672	svchost.exe
1580	explorer.exe
2672	svchost.exe
1580	explorer.exe
2672	svchost.exe
1580	explorer.exe
2672	svchost.exe
1580	explorer.exe
2672	svchost.exe
1580	explorer.exe
2672	svchost.exe
1580	explorer.exe
2672	svchost.exe
1580	explorer.exe
2672	svchost.exe
1580	explorer.exe
2672	svchost.exe
1580	explorer.exe
2672	svchost.exe
1580	explorer.exe
2672	svchost.exe
1580	explorer.exe
2672	svchost.exe
1580	explorer.exe
2672	svchost.exe
1580	explorer.exe
2672	svchost.exe
1580	explorer.exe
2672	svchost.exe
1580	explorer.exe
2672	svchost.exe
1580	explorer.exe
2672	svchost.exe
1580	explorer.exe
2672	svchost.exe
1580	explorer.exe
2672	svchost.exe
1580	explorer.exe
2672	svchost.exe
1580	explorer.exe
2672	svchost.exe
1580	explorer.exe
2672	svchost.exe
1580	explorer.exe
2672	svchost.exe
1580	explorer.exe
2672	svchost.exe
1580	explorer.exe
2672	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1580	explorer.exe
2672	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2456	131369f3a7e80b3a00560cd3570416e0_NeikiAnalytics.exe
2456	131369f3a7e80b3a00560cd3570416e0_NeikiAnalytics.exe
1580	explorer.exe
1580	explorer.exe
2136	spoolsv.exe
2136	spoolsv.exe
2672	svchost.exe
2672	svchost.exe
2828	spoolsv.exe
2828	spoolsv.exe
1580	explorer.exe
1580	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 1580	2456	131369f3a7e80b3a00560cd3570416e0_NeikiAnalytics.exe	28
PID 2456 wrote to memory of 1580	2456	131369f3a7e80b3a00560cd3570416e0_NeikiAnalytics.exe	28
PID 2456 wrote to memory of 1580	2456	131369f3a7e80b3a00560cd3570416e0_NeikiAnalytics.exe	28
PID 2456 wrote to memory of 1580	2456	131369f3a7e80b3a00560cd3570416e0_NeikiAnalytics.exe	28
PID 1580 wrote to memory of 2136	1580	explorer.exe	29
PID 1580 wrote to memory of 2136	1580	explorer.exe	29
PID 1580 wrote to memory of 2136	1580	explorer.exe	29
PID 1580 wrote to memory of 2136	1580	explorer.exe	29
PID 2136 wrote to memory of 2672	2136	spoolsv.exe	30
PID 2136 wrote to memory of 2672	2136	spoolsv.exe	30
PID 2136 wrote to memory of 2672	2136	spoolsv.exe	30
PID 2136 wrote to memory of 2672	2136	spoolsv.exe	30
PID 2672 wrote to memory of 2828	2672	svchost.exe	31
PID 2672 wrote to memory of 2828	2672	svchost.exe	31
PID 2672 wrote to memory of 2828	2672	svchost.exe	31
PID 2672 wrote to memory of 2828	2672	svchost.exe	31
PID 2672 wrote to memory of 2580	2672	svchost.exe	32
PID 2672 wrote to memory of 2580	2672	svchost.exe	32
PID 2672 wrote to memory of 2580	2672	svchost.exe	32
PID 2672 wrote to memory of 2580	2672	svchost.exe	32
PID 2672 wrote to memory of 2164	2672	svchost.exe	36
PID 2672 wrote to memory of 2164	2672	svchost.exe	36
PID 2672 wrote to memory of 2164	2672	svchost.exe	36
PID 2672 wrote to memory of 2164	2672	svchost.exe	36
PID 2672 wrote to memory of 768	2672	svchost.exe	38
PID 2672 wrote to memory of 768	2672	svchost.exe	38
PID 2672 wrote to memory of 768	2672	svchost.exe	38
PID 2672 wrote to memory of 768	2672	svchost.exe	38

C:\Users\Admin\AppData\Local\Temp\131369f3a7e80b3a00560cd3570416e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\131369f3a7e80b3a00560cd3570416e0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2456
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1580
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2136
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2672
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2828
    - - C:\Windows\SysWOW64\at.exe
        
        at 22:56 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2580
    - - C:\Windows\SysWOW64\at.exe
        
        at 22:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2164
    - - C:\Windows\SysWOW64\at.exe
        
        at 22:58 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
1b48463d57437e1f602f92d4bc124758

SHA1
59a929fd26e2dbc4c8d7c30e25a9e510f3b239a9

SHA256
1bed5c42b1996aa5bc80a96f7b6d47d3f13749e35977468e26e421c3cea94219

SHA512
8efebd9bb844f0af4489bace4f58a0f2e1149bf9732d3ffa82c0c162b9d9bfefc5d86445f370ab6793af4d81a8f6f949558a1abbb04d19ad29c30c0538c77402

Download Submit
\Windows\system\explorer.exe

Filesize
206KB

MD5
c3036c45dad673cea23c97ed93515a58

SHA1
f9c46d8f2e906035c403d350e502cab1ae1b100a

SHA256
870702e1bdcf271304915c5d59633c2219e187869af52d9a0fd9e5759b9f9356

SHA512
0dfd645cff82105a67895eb369c01aa3a2be518db35bc65ae30eae01ebe706c0a721b25432b337b3857b42f69a3647405082a97b6c0af6fc633443be79505b35

Download Submit
\Windows\system\spoolsv.exe

Filesize
207KB

MD5
9ed958a856f282339a89d30179e00c09

SHA1
f5ce36d8d6c2366e10ce9f82aecce3d300e59413

SHA256
0e6c38fbaad3f3af6f7ad4478f27ed8f71efbb16a145d49420d0a8af95f6d352

SHA512
08f061d35c5601564b079b0ac273aeeb82c270af00033ba4ff7755812c9c22622e8180f6ea5ea3ce73f2066f3d2715c6ebebcd2bac3d6e3a24327a90941daf33

Download Submit
\Windows\system\svchost.exe

Filesize
206KB

MD5
f2a773fbb796e4fcc2bba34d7326c271

SHA1
cc6bfc5b25ff786da9e33d79b2f36859705fb0fa

SHA256
9c170ab816d54ee634a48df6b844465c8a2066cb6ba44f0cae28a632de21dad3

SHA512
d5487a26574f29bb12606c5c371c67e80b5357ff64f29534b2e008c57eb0a3e614d36bf8854d9db3fde886521f5c8ffec04634324356480d80a460ac715f3376

Download Submit
memory/1580-26-0x0000000002500000-0x0000000002540000-memory.dmp

Filesize
256KB

Download
memory/1580-25-0x0000000002500000-0x0000000002540000-memory.dmp

Filesize
256KB

Download
memory/2136-54-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2456-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2456-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2828-51-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download