0a5f650d08391906d4f14546cd3f310d74dbf95d76d8e84c7c9b978d34949af7

Analysis

max time kernel
150s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2024 10:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

943dd2309d23460b802919b6eedf06e0_NeikiAnalytics.exe
Size

200KB
MD5

943dd2309d23460b802919b6eedf06e0
SHA1

5a0acc98887c9b374d1051789e430ccdc8cafa01
SHA256

0a5f650d08391906d4f14546cd3f310d74dbf95d76d8e84c7c9b978d34949af7
SHA512

ef004a1fb7e910c9ca9c214cfc288a56329a93e29188dd46079129918a64c04dfbd05661746d7bee484ab38f6a575a4697978a6f3d36d12365a19dfd14a19023
SSDEEP

3072:7vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6uBL9iw:7vEN2U+T6i5LirrllHy4HUcMQY6C9iw

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
1180	explorer.exe
3208	spoolsv.exe
4984	svchost.exe
4952	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	943dd2309d23460b802919b6eedf06e0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2792	943dd2309d23460b802919b6eedf06e0_NeikiAnalytics.exe
2792	943dd2309d23460b802919b6eedf06e0_NeikiAnalytics.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
4984	svchost.exe
1180	explorer.exe
4984	svchost.exe
4984	svchost.exe
4984	svchost.exe
1180	explorer.exe
4984	svchost.exe
1180	explorer.exe
4984	svchost.exe
4984	svchost.exe
1180	explorer.exe
1180	explorer.exe
4984	svchost.exe
1180	explorer.exe
4984	svchost.exe
1180	explorer.exe
4984	svchost.exe
4984	svchost.exe
4984	svchost.exe
1180	explorer.exe
1180	explorer.exe
1180	explorer.exe
4984	svchost.exe
1180	explorer.exe
4984	svchost.exe
1180	explorer.exe
4984	svchost.exe
1180	explorer.exe
4984	svchost.exe
1180	explorer.exe
4984	svchost.exe
1180	explorer.exe
4984	svchost.exe
1180	explorer.exe
4984	svchost.exe
1180	explorer.exe
4984	svchost.exe
4984	svchost.exe
1180	explorer.exe
1180	explorer.exe
4984	svchost.exe
4984	svchost.exe
1180	explorer.exe
1180	explorer.exe
4984	svchost.exe
1180	explorer.exe
4984	svchost.exe
1180	explorer.exe
4984	svchost.exe
1180	explorer.exe
4984	svchost.exe
1180	explorer.exe
4984	svchost.exe
1180	explorer.exe
1180	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1180	explorer.exe
4984	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2792	943dd2309d23460b802919b6eedf06e0_NeikiAnalytics.exe
2792	943dd2309d23460b802919b6eedf06e0_NeikiAnalytics.exe
1180	explorer.exe
1180	explorer.exe
3208	spoolsv.exe
3208	spoolsv.exe
4984	svchost.exe
4984	svchost.exe
4952	spoolsv.exe
4952	spoolsv.exe
1180	explorer.exe
1180	explorer.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 1180	2792	943dd2309d23460b802919b6eedf06e0_NeikiAnalytics.exe	82
PID 2792 wrote to memory of 1180	2792	943dd2309d23460b802919b6eedf06e0_NeikiAnalytics.exe	82
PID 2792 wrote to memory of 1180	2792	943dd2309d23460b802919b6eedf06e0_NeikiAnalytics.exe	82
PID 1180 wrote to memory of 3208	1180	explorer.exe	83
PID 1180 wrote to memory of 3208	1180	explorer.exe	83
PID 1180 wrote to memory of 3208	1180	explorer.exe	83
PID 3208 wrote to memory of 4984	3208	spoolsv.exe	85
PID 3208 wrote to memory of 4984	3208	spoolsv.exe	85
PID 3208 wrote to memory of 4984	3208	spoolsv.exe	85
PID 4984 wrote to memory of 4952	4984	svchost.exe	86
PID 4984 wrote to memory of 4952	4984	svchost.exe	86
PID 4984 wrote to memory of 4952	4984	svchost.exe	86
PID 4984 wrote to memory of 2452	4984	svchost.exe	88
PID 4984 wrote to memory of 2452	4984	svchost.exe	88
PID 4984 wrote to memory of 2452	4984	svchost.exe	88
PID 4984 wrote to memory of 664	4984	svchost.exe	98
PID 4984 wrote to memory of 664	4984	svchost.exe	98
PID 4984 wrote to memory of 664	4984	svchost.exe	98
PID 4984 wrote to memory of 4508	4984	svchost.exe	100
PID 4984 wrote to memory of 4508	4984	svchost.exe	100
PID 4984 wrote to memory of 4508	4984	svchost.exe	100

C:\Users\Admin\AppData\Local\Temp\943dd2309d23460b802919b6eedf06e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\943dd2309d23460b802919b6eedf06e0_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2792
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1180
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3208
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4984
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4952
    - - C:\Windows\SysWOW64\at.exe
        
        at 10:30 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2452
    - - C:\Windows\SysWOW64\at.exe
        
        at 10:31 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:664
    - - C:\Windows\SysWOW64\at.exe
        
        at 10:32 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:4508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
216KB

MD5
8188737b527f5b6c70ce41eeee372904

SHA1
0caa4ca4c03a399edbd221cfac4f5763681fe29a

SHA256
bdab4da52b40c6294e38da257dbaa98bb9f528728f41dab6a87f153f2fd66a18

SHA512
e1f5aec31042ae76b81856d030c8c362f5978b7d9e978d80382180bc960c715aac9c11693f4255f1be3cd50598b3b2c31e64e2f06265256e8266213633214a92

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
216KB

MD5
795c9d418cce36e6a9f7714f4ab84bd8

SHA1
bb7b678809a6176b4515651ea1d51d42949ba786

SHA256
8c36a773a878e4dc1220543dbf0d3582969d572e789f508af1a4ea3cf6699187

SHA512
5ed15390fda9e819d50aff5f4447056d6b3eea99a994b5fa50d082398279c4bb8765d1828879aacef9ff2b70c2c06fa896cfd8eb22c21139cee69ce75ce22e1d

Download Submit
C:\Windows\System\svchost.exe

Filesize
216KB

MD5
d5230bfd2113f8356799b89a9617b563

SHA1
8ffce0632f9946d45e8ee7b7260461fb7cea4c38

SHA256
78fe6f002714e0fc5f94360f7e46f1804c02aa95a8c25a2ac5aa1e70288cc2ff

SHA512
e058d20dd47ef35d1adb8912eaf2d8f8ff70d6f361bcf1cd89705966aa91a2b8ac978c3c28b8572db534fe7ce58b23e972f011a77cce9a5863103e8afe34eb67

Download Submit
\??\c:\windows\system\explorer.exe

Filesize
216KB

MD5
1339701fb28123b20a5b62f32ba1e840

SHA1
dab987c82868a4bd0cb079d126b3db39cb01349b

SHA256
fbf70dd07650355b6e995d0d330eb16a54897b20b4534867236cf605f67864ae

SHA512
ad607e2f0eea7478d6231fef39240e68dd065ec3d1b6f15feeae27040bbe66e488cf647fb65e2065dfa397abeb86857d46c6b99f0edd72a868a41a85953df7de

Download Submit
memory/2792-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2792-37-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3208-17-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3208-36-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4952-33-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download