Malware Analysis Report

2025-01-06 08:55

Sample ID 240604-a7wvjsfd3y
Target 1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe
SHA256 f093cb38f28950f0ff426d0bdb82bb9c90591c80b67305399ee28cccb3064ebb
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f093cb38f28950f0ff426d0bdb82bb9c90591c80b67305399ee28cccb3064ebb

Threat Level: Known bad

The file 1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visiblity of hidden/system files in Explorer

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-04 00:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 00:51

Reported

2024-06-04 00:54

Platform

win7-20240221-en

Max time kernel

150s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe"

Signatures

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2084 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 2084 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 2084 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 2084 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 2728 wrote to memory of 2548 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2728 wrote to memory of 2548 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2728 wrote to memory of 2548 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2728 wrote to memory of 2548 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2548 wrote to memory of 2684 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2548 wrote to memory of 2684 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2548 wrote to memory of 2684 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2548 wrote to memory of 2684 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2684 wrote to memory of 3052 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2684 wrote to memory of 3052 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2684 wrote to memory of 3052 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2684 wrote to memory of 3052 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2728 wrote to memory of 2584 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2728 wrote to memory of 2584 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2728 wrote to memory of 2584 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2728 wrote to memory of 2584 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2684 wrote to memory of 2572 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2684 wrote to memory of 2572 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2684 wrote to memory of 2572 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2684 wrote to memory of 2572 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2684 wrote to memory of 2920 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2684 wrote to memory of 2920 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2684 wrote to memory of 2920 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2684 wrote to memory of 2920 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2684 wrote to memory of 1940 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2684 wrote to memory of 1940 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2684 wrote to memory of 1940 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2684 wrote to memory of 1940 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:53 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:54 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:55 /f

Network

N/A

Files

memory/2084-0-0x0000000000400000-0x000000000041F000-memory.dmp

\Windows\Resources\Themes\explorer.exe

MD5 3ecb2bde0593c8459a5c1e007d5c9805
SHA1 3e36edf2cbb55daf0beb137626aeb8e292f47176
SHA256 bc1b0e83dadb9b6e9c209a549e8443daf3a0dab28b6978f0478ac4f4663cc177
SHA512 79747ad83b1d80c089deef592f214db32693a022568aa70573567368a031e31de3f6bc2bd7fdbbeffef56172e86c85deff4a1983b64a821c352d472c37d4d864

memory/2084-10-0x00000000002F0000-0x000000000030F000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 fd1ce85bb3d9c1bd7e1a122498f75062
SHA1 d08e81dd8f882160cba73cdf7462b97418048698
SHA256 8506a2a18e7b0595ac6935a894eac37d6e0f6dff3f877d7f4eb3cbde7c31b1de
SHA512 550c9b414ad81995fe82d33b6c8dbec58c14e34159017bea2e8a3f88c3ea9e39f63d623561d56867f04cdff73d38c56c54f123610da68faf1413aa5c11e747f9

\Windows\Resources\svchost.exe

MD5 a115444c2dab32903c81da883f87323c
SHA1 19061b90af3b229cb8f768837574401d1914a6c4
SHA256 345e1e3f68f2bb01683a3d970cf416856efe81740d085c6c139ab930685c66d0
SHA512 ce252d283a64f12efa9dea005448765ec1cc954c4fcb59758ce41e1f2b08005d74e9aec840c109919677a5e328eb303c1ab7676ced79c000a2eb818f8c47d9b0

memory/2548-29-0x0000000000340000-0x000000000035F000-memory.dmp

memory/2684-38-0x0000000000280000-0x000000000029F000-memory.dmp

memory/2684-37-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3052-43-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2548-44-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2084-45-0x0000000000400000-0x000000000041F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 00:51

Reported

2024-06-04 00:54

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

93s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe"

Signatures

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4852 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 4852 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 4852 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 2808 wrote to memory of 1320 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2808 wrote to memory of 1320 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2808 wrote to memory of 1320 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 1320 wrote to memory of 4552 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 1320 wrote to memory of 4552 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 1320 wrote to memory of 4552 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 4552 wrote to memory of 3396 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 4552 wrote to memory of 3396 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 4552 wrote to memory of 3396 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\1968aac98ee2a50137aa013d797c5380_NeikiAnalytics.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

memory/4852-0-0x0000000000400000-0x000000000041F000-memory.dmp

\??\c:\windows\resources\themes\explorer.exe

MD5 3972543f632c4084631cbbdb9c605e6c
SHA1 2ac9bec7bb3467a43cf5801b706ecb34d97399fe
SHA256 a234d4af605f44e402826cb027acbd325ddea27db82f0e04e112c593119f2ed1
SHA512 33424cd1b1be1ce252f4b91ef595f57c04014a1649dc0570f296f5389fb999465b4d4a031473f6ffb40a280c87018f96bf708098191ee3522099c0a8c8e171fd

memory/2808-9-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 26ad44662769c68ac84a9fcd594eb3b6
SHA1 fce6890f0001ff9ca3df7e3ff8bcff3578042233
SHA256 b9abc1ae6d3c4e658b6c71b52b70c105db02e4db92d02815440fa1884117c00f
SHA512 51ff881934dea18435288682b845ed7fc100c9e06f5d539101b749926350308627e18d24b86926e95037feb08ef980dcb01a4e7cdd1ab8d9c4470489a31789a4

C:\Windows\Resources\svchost.exe

MD5 77fc131ac181746223783c23d2099abf
SHA1 53c080f4068d88ea59c9a24415932f46aceefff9
SHA256 6b237871a2f373fbaab6c67a7561ca6bac148722602bd17babf580f22f6c5251
SHA512 fc90f95bcfd802d9229fe6d18341945088b848d0238b6942f9059519b130006e3bbf7dbbe5a288ca73f1f2a1cd362ab7fbc003befb73c2af5c5b058ebe07ce7a

memory/3396-33-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1320-34-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4852-35-0x0000000000400000-0x000000000041F000-memory.dmp