0662e158c48644abcdaa4be054335bd4a67d08821db5c4188371a2ba078515f2

Analysis

max time kernel
58s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04/06/2024, 01:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f43d00309888b12dedfb42689412f70_NeikiAnalytics.exe
Size

135KB
MD5

1f43d00309888b12dedfb42689412f70
SHA1

5aa4505dc51811d042ac9f9f11fd08443e1e2fba
SHA256

0662e158c48644abcdaa4be054335bd4a67d08821db5c4188371a2ba078515f2
SHA512

15c13d3bd25772452fbfafb331a5a1c04d2c6c72f5ec58208807e18521d9573e9bf2c4c1bbaeec96df24229f394110ad5e3ddfa4167d9e855cac44a974edc73e
SSDEEP

1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVVKR:UVqoCl/YgjxEufVU0TbTyDDalLKR

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2868	explorer.exe
2476	spoolsv.exe
2988	svchost.exe
2668	spoolsv.exe

Loads dropped DLL 4 IoCs

pid	Process
2320	1f43d00309888b12dedfb42689412f70_NeikiAnalytics.exe
2868	explorer.exe
2476	spoolsv.exe
2988	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	1f43d00309888b12dedfb42689412f70_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2512	schtasks.exe
860	schtasks.exe
1984	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2320	1f43d00309888b12dedfb42689412f70_NeikiAnalytics.exe
2320	1f43d00309888b12dedfb42689412f70_NeikiAnalytics.exe
2320	1f43d00309888b12dedfb42689412f70_NeikiAnalytics.exe
2320	1f43d00309888b12dedfb42689412f70_NeikiAnalytics.exe
2320	1f43d00309888b12dedfb42689412f70_NeikiAnalytics.exe
2320	1f43d00309888b12dedfb42689412f70_NeikiAnalytics.exe
2320	1f43d00309888b12dedfb42689412f70_NeikiAnalytics.exe
2320	1f43d00309888b12dedfb42689412f70_NeikiAnalytics.exe
2320	1f43d00309888b12dedfb42689412f70_NeikiAnalytics.exe
2320	1f43d00309888b12dedfb42689412f70_NeikiAnalytics.exe
2320	1f43d00309888b12dedfb42689412f70_NeikiAnalytics.exe
2320	1f43d00309888b12dedfb42689412f70_NeikiAnalytics.exe
2320	1f43d00309888b12dedfb42689412f70_NeikiAnalytics.exe
2320	1f43d00309888b12dedfb42689412f70_NeikiAnalytics.exe
2320	1f43d00309888b12dedfb42689412f70_NeikiAnalytics.exe
2320	1f43d00309888b12dedfb42689412f70_NeikiAnalytics.exe
2320	1f43d00309888b12dedfb42689412f70_NeikiAnalytics.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2988	svchost.exe
2988	svchost.exe
2988	svchost.exe
2988	svchost.exe
2988	svchost.exe
2988	svchost.exe
2988	svchost.exe
2988	svchost.exe
2988	svchost.exe
2988	svchost.exe
2988	svchost.exe
2988	svchost.exe
2988	svchost.exe
2988	svchost.exe
2988	svchost.exe
2988	svchost.exe
2868	explorer.exe
2868	explorer.exe
2868	explorer.exe
2988	svchost.exe
2988	svchost.exe
2868	explorer.exe
2988	svchost.exe
2868	explorer.exe
2988	svchost.exe
2868	explorer.exe
2988	svchost.exe
2868	explorer.exe
2988	svchost.exe
2868	explorer.exe
2988	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2868	explorer.exe
2988	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2320	1f43d00309888b12dedfb42689412f70_NeikiAnalytics.exe
2320	1f43d00309888b12dedfb42689412f70_NeikiAnalytics.exe
2868	explorer.exe
2868	explorer.exe
2476	spoolsv.exe
2476	spoolsv.exe
2988	svchost.exe
2988	svchost.exe
2668	spoolsv.exe
2668	spoolsv.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2868	2320	1f43d00309888b12dedfb42689412f70_NeikiAnalytics.exe	28
PID 2320 wrote to memory of 2868	2320	1f43d00309888b12dedfb42689412f70_NeikiAnalytics.exe	28
PID 2320 wrote to memory of 2868	2320	1f43d00309888b12dedfb42689412f70_NeikiAnalytics.exe	28
PID 2320 wrote to memory of 2868	2320	1f43d00309888b12dedfb42689412f70_NeikiAnalytics.exe	28
PID 2868 wrote to memory of 2476	2868	explorer.exe	29
PID 2868 wrote to memory of 2476	2868	explorer.exe	29
PID 2868 wrote to memory of 2476	2868	explorer.exe	29
PID 2868 wrote to memory of 2476	2868	explorer.exe	29
PID 2476 wrote to memory of 2988	2476	spoolsv.exe	30
PID 2476 wrote to memory of 2988	2476	spoolsv.exe	30
PID 2476 wrote to memory of 2988	2476	spoolsv.exe	30
PID 2476 wrote to memory of 2988	2476	spoolsv.exe	30
PID 2988 wrote to memory of 2668	2988	svchost.exe	31
PID 2988 wrote to memory of 2668	2988	svchost.exe	31
PID 2988 wrote to memory of 2668	2988	svchost.exe	31
PID 2988 wrote to memory of 2668	2988	svchost.exe	31
PID 2868 wrote to memory of 2528	2868	explorer.exe	32
PID 2868 wrote to memory of 2528	2868	explorer.exe	32
PID 2868 wrote to memory of 2528	2868	explorer.exe	32
PID 2868 wrote to memory of 2528	2868	explorer.exe	32
PID 2988 wrote to memory of 2512	2988	svchost.exe	33
PID 2988 wrote to memory of 2512	2988	svchost.exe	33
PID 2988 wrote to memory of 2512	2988	svchost.exe	33
PID 2988 wrote to memory of 2512	2988	svchost.exe	33

C:\Users\Admin\AppData\Local\Temp\1f43d00309888b12dedfb42689412f70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1f43d00309888b12dedfb42689412f70_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2320
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2868
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2988
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2668
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:56 /f
        5⤵
        Creates scheduled task(s)
        
        PID:2512
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:57 /f
        5⤵
        Creates scheduled task(s)
        
        PID:860
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:58 /f
        5⤵
        Creates scheduled task(s)
        
        PID:1984
- - C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe
    3⤵
    PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
0fe8e90dd535ecf414e29b86ccf714a9

SHA1
4e43114d52d52a9b846b9baeeaf1fbe4f2edd90e

SHA256
f10a700798b19624e9dd4c337dc2785a4492426f4f578097529ffbdc749516ee

SHA512
189550b54980374c16c5c8c9ec3b77f0b22f7f530ee382cfbb82771686406957ff9df33f9eb08a1657be310f707aec0099493671812583f3fc51086224add49c

Download Submit
\??\c:\windows\resources\svchost.exe

Filesize
135KB

MD5
207099c68250206187cb0a54d92675dd

SHA1
4bfb0a10a2f983c36ce1e20e9bf3db815f973ff7

SHA256
e594b04d0e9a7953d83eef559cb4b3a373184f490bb049cb3b671341ac0cb831

SHA512
45288d23b8c0d289db63299de4421ae6f229e3ac9eb68643a03d6c2b503bd909bb03bd2ade74cd0bd0b84e4c924e1239b5d10546b65df5b72c978b5c424a9269

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
ee5876294d8e0e871587333ad641adda

SHA1
903439aa619de3e640859fb978485e5397b15bb4

SHA256
ffcfaf3853e0d68ea577984f0802b7d77f861a45361c99043804f7ac79b11652

SHA512
06acacb53e5b856376066d558e451d6e63cdde9e4d6685114b7dc5a5ea2935e65e0514cf3f4dde4de2e68c1d008b1f797005dd775ebda5af8d56810edda3b6f1

Download Submit
memory/2320-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2320-44-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2476-43-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2668-42-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2868-20-0x00000000002E0000-0x00000000002FF000-memory.dmp

Filesize
124KB

Download
memory/2988-39-0x0000000000270000-0x000000000028F000-memory.dmp

Filesize
124KB

Download
memory/2988-33-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download