Malware Analysis Report

2025-01-06 08:12

Sample ID 240604-b2t97sgg91
Target 1db53fb00e27e3b5cde19816d55800d0_NeikiAnalytics.exe
SHA256 8a97c0167aa6144e0f66aaa6f17a3ff1df9b5ef4d90ba749c65aad87b670c7ab
Tags
evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8a97c0167aa6144e0f66aaa6f17a3ff1df9b5ef4d90ba749c65aad87b670c7ab

Threat Level: Known bad

The file 1db53fb00e27e3b5cde19816d55800d0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence trojan

Modifies visibility of hidden/system files in Explorer

Detects BazaLoader malware

Modifies WinLogon for persistence

Modifies Installed Components in the registry

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-04 01:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 01:38

Reported

2024-06-04 01:41

Platform

win7-20240220-en

Max time kernel

150s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1db53fb00e27e3b5cde19816d55800d0_NeikiAnalytics.exe"

Signatures

Detects BazaLoader malware

trojan
Description Indicator Process Target
N/A N/A N/A N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\1db53fb00e27e3b5cde19816d55800d0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1db53fb00e27e3b5cde19816d55800d0_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1992 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\1db53fb00e27e3b5cde19816d55800d0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 1992 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\1db53fb00e27e3b5cde19816d55800d0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 1992 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\1db53fb00e27e3b5cde19816d55800d0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 1992 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\1db53fb00e27e3b5cde19816d55800d0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 2504 wrote to memory of 2716 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2504 wrote to memory of 2716 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2504 wrote to memory of 2716 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2504 wrote to memory of 2716 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2716 wrote to memory of 2804 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2716 wrote to memory of 2804 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2716 wrote to memory of 2804 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2716 wrote to memory of 2804 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2804 wrote to memory of 2416 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2804 wrote to memory of 2416 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2804 wrote to memory of 2416 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2804 wrote to memory of 2416 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2804 wrote to memory of 1892 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2804 wrote to memory of 1892 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2804 wrote to memory of 1892 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2804 wrote to memory of 1892 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2804 wrote to memory of 2104 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2804 wrote to memory of 2104 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2804 wrote to memory of 2104 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2804 wrote to memory of 2104 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2804 wrote to memory of 2968 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2804 wrote to memory of 2968 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2804 wrote to memory of 2968 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2804 wrote to memory of 2968 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1db53fb00e27e3b5cde19816d55800d0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\1db53fb00e27e3b5cde19816d55800d0_NeikiAnalytics.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 01:41 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 01:42 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 01:43 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

N/A

Files

memory/1992-2-0x0000000000020000-0x0000000000024000-memory.dmp

memory/1992-1-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1992-6-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2504-19-0x0000000072940000-0x0000000072A93000-memory.dmp

\Windows\system\spoolsv.exe

MD5 2979516a72119bb4d8745a626b4af285
SHA1 434de048dfc27209d758b6b75502f4d3ea6f5755
SHA256 54db52c8b8d7c285e7335c256626ae177419a1b0f0e5229e62cd89b3836fb9f0
SHA512 1e5096b1a4571cceede4d52c99fd806270a8b1d43a99f611fe6dd1a794ad5b57a37276ad75897bb17929c5e85a7a4a79726f0dfd2bf5548f3e443d4597fbc39e

memory/2716-40-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\system\svchost.exe

MD5 3539d32997123cb05d43a043840ba31c
SHA1 27b57261d17e8b7775012a51eef24f5312543700
SHA256 b635c720fe6f9612bf36315239d720a140a0c4725bb8852bb9d68bf60bdde997
SHA512 3d026a6265261a0247462151f3e040fd0e2d01f5d96cb4604911ef3fef8fc54889440b985d21ee191f7963bef3d1181d0fcfd7fbc04444330f1acd7776c87b39

memory/2416-69-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 737137a203618d13aba1af750429ca9f
SHA1 a0fcd4b51b03ceff5bc8a5150f954fe171089969
SHA256 983ac94a69dc3ab735ab100426aed8b1cc6e7ec39875471cfa64f025158c529a
SHA512 bdf3d6d09cc5ae0791174f6592cdb1402aae065fd6655e177c06fdf2d774a0f507efcbea483e9a8f8197340d3403a170f8858d63c6320d161727a060fbabf89c

memory/1992-76-0x0000000000401000-0x000000000042E000-memory.dmp

memory/1992-75-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2716-73-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2416-64-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2804-63-0x00000000025A0000-0x00000000025D1000-memory.dmp

memory/1992-62-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2804-56-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2804-52-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2716-36-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2716-35-0x0000000000400000-0x0000000000431000-memory.dmp

\??\c:\windows\system\explorer.exe

MD5 1cf7c1d4f802e6e680b0c422df721a2d
SHA1 d6747981fa371b924dc20428fb49ff874404bb65
SHA256 f5c6fd710d089bbb83364c3a9407e9bde05be5078f10fc5fd92edddffaa90321
SHA512 ee79572e94c042c71d010ce8e08c4c4d25bc2793e1a4c9c75c064dadebcf295c42726f2bb4ca34a9a0c0452657510aad58174012200a207b0bcdd8d79ce97dd8

memory/2504-23-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2504-18-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1992-17-0x00000000026A0000-0x00000000026D1000-memory.dmp

memory/1992-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1992-0-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2504-78-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2504-79-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2804-81-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2504-90-0x0000000000400000-0x0000000000431000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 01:38

Reported

2024-06-04 01:41

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1db53fb00e27e3b5cde19816d55800d0_NeikiAnalytics.exe"

Signatures

Detects BazaLoader malware

trojan
Description Indicator Process Target
N/A N/A N/A N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\1db53fb00e27e3b5cde19816d55800d0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1db53fb00e27e3b5cde19816d55800d0_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2900 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\1db53fb00e27e3b5cde19816d55800d0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 2900 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\1db53fb00e27e3b5cde19816d55800d0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 2900 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\1db53fb00e27e3b5cde19816d55800d0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 4340 wrote to memory of 4148 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4340 wrote to memory of 4148 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4340 wrote to memory of 4148 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4148 wrote to memory of 3132 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 4148 wrote to memory of 3132 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 4148 wrote to memory of 3132 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 3132 wrote to memory of 4764 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 3132 wrote to memory of 4764 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 3132 wrote to memory of 4764 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 3132 wrote to memory of 1708 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3132 wrote to memory of 1708 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3132 wrote to memory of 1708 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3132 wrote to memory of 2944 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3132 wrote to memory of 2944 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3132 wrote to memory of 2944 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3132 wrote to memory of 1636 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3132 wrote to memory of 1636 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3132 wrote to memory of 1636 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1db53fb00e27e3b5cde19816d55800d0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\1db53fb00e27e3b5cde19816d55800d0_NeikiAnalytics.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 01:41 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 01:42 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 01:43 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp

Files

memory/2900-4-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2900-2-0x0000000075080000-0x00000000751DD000-memory.dmp

memory/2900-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2900-0-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\System\explorer.exe

MD5 6e01434c2029151b66ff510533e51219
SHA1 def7f589f389f163d0480f3d70fcb32a6a371ca6
SHA256 6cd6b3dead41167cb64af16963ae609f7eef8e1ce7fb48976b3a092499863dc0
SHA512 61a26556abf553ec74a6b6ac414a57d71e5019a8386743e71ab9b248003bab39ce23aacc258c4772fa4f98abd438867d50b16d6331b26b71e54a9e6e56ff2b00

memory/4340-18-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4340-15-0x0000000075080000-0x00000000751DD000-memory.dmp

\??\c:\windows\system\spoolsv.exe

MD5 c461276f5b62d5772a133184a65dc76e
SHA1 ebdb787c03bd74291925c53a97844f3949538eff
SHA256 78d50bcd8ed4713c3640bd164bbefaf72ee6bea9b6358961922507f6ee006fa6
SHA512 ae55c33cc50e0f3c69f81f23780c16bf7ac03cdb10eba97da82fe5b42a09a36b88a933ac81e6f77e20b9e3680a95ec58beb791e5abcf1e1780974e8c4acdbab2

memory/4340-14-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4340-13-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4148-26-0x0000000075080000-0x00000000751DD000-memory.dmp

C:\Windows\System\svchost.exe

MD5 d1e296b0949c0b3f799d69ac02c27753
SHA1 bc48f774448d4fa5281d2fa98d161a71ee8449bd
SHA256 deb3d6c4e9776374b48da0fb2f0d90d92f67122e2f6b9d353f83dcd8c3710b7e
SHA512 84817ab6a9f3a54ba04ad683b6791a72d830f8a4a444e86679ad2007d69be00f32b1a95f5e561559c382720ba39ecf8e0995852cc5d4e41848333acce509433b

memory/3132-37-0x0000000075080000-0x00000000751DD000-memory.dmp

memory/3132-35-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2900-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/4764-43-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4764-44-0x0000000075080000-0x00000000751DD000-memory.dmp

memory/4764-54-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2900-56-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2900-57-0x0000000000401000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 a4dc8632f57ce52bf85ac09545f714f8
SHA1 0e4a3a889cf767a0b472a546db059e7f0f20a40e
SHA256 cf14580843d7d04f1831c7dbddeea60fd077b97ad63113c06b6b000899b12c05
SHA512 11d176551362bcb9f29ae3a19bc386fb94b1a8b59bab9591e531a1d8868cdbcd42411506e63dfcbfac081c38e1ac529a0b4cf5407847105af43b9993b3e3fef4

memory/4148-52-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4340-59-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3132-61-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4340-70-0x0000000000400000-0x0000000000431000-memory.dmp

\??\PIPE\atsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e