Analysis
max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 05/06/2024, 07:48
Static task: static1
Behavioral task: behavioral1
  Sample: 499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
General
Target: 499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe
Size: 135KB
MD5: 499dec953d90f081cf719664d8bdcc10
SHA1: 85289055c7ba45c22e1ad0ba97e1ef5703a55160
SHA256: ebe8a31d3ff34744fcd2ec79d47b68ac130d206a9c153a1fb97755d1b08ffba9
SHA512: 69b1b1a3472ca43b398fbed7ac4b847ac608799e252b2aee56f7e99716806ed966f45d3d59bb529686325782e362954350dd4c4e9981f11da729a84a1888da77
SSDEEP: 1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVQUVVVVVVVVVVVVp:UVqoCl/YgjxEufVU0TbTyDDalKw
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Executes dropped EXE (4 IoCs)
  pid | process
  1724 | explorer.exe
  2924 | spoolsv.exe
  2596 | svchost.exe
  2712 | spoolsv.exe
Loads dropped DLL (4 IoCs)
  pid | process
  352 | 499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe
  1724 | explorer.exe
  2924 | spoolsv.exe
  2596 | svchost.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
Drops file in System32 directory (2 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
  File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe
Drops file in Windows directory (4 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe
  File opened for modification | \??\c:\windows\resources\themes\explorer.exe | 499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe
  File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
  File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
Creates scheduled task(s) (1 TTP, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | process
  664 | schtasks.exe
  2784 | schtasks.exe
  1688 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs, summarised by process)
  pid | process | hits
  352 | 499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | 17
  1724 | explorer.exe | 25
  2596 | svchost.exe | 22
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | process
  1724 | explorer.exe
  2596 | svchost.exe
Suspicious use of SetWindowsHookEx (10 IoCs, summarised by process)
  pid | process | hits
  352 | 499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | 2
  1724 | explorer.exe | 2
  2924 | spoolsv.exe | 2
  2596 | svchost.exe | 2
  2712 | spoolsv.exe | 2
Suspicious use of WriteProcessMemory (32 IoCs; each parent/child pair below was recorded 4 times)
  pid | process | wrote to memory of PID | procid_target
  352 | 499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | 1724 | 28
  1724 | explorer.exe | 2924 | 29
  2924 | spoolsv.exe | 2596 | 30
  2596 | svchost.exe | 2712 | 31
  1724 | explorer.exe | 2816 | 32
  2596 | svchost.exe | 2784 | 33
  2596 | svchost.exe | 1688 | 38
  2596 | svchost.exe | 664 | 40
Processes (indentation shows the parent/child tree)
C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe"
  PID: 352
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  \??\c:\windows\resources\themes\explorer.exe
    Command line: c:\windows\resources\themes\explorer.exe
    PID: 1724
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    \??\c:\windows\resources\spoolsv.exe
      Command line: c:\windows\resources\spoolsv.exe SE
      PID: 2924
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      \??\c:\windows\resources\svchost.exe
        Command line: c:\windows\resources\svchost.exe
        PID: 2596
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        \??\c:\windows\resources\spoolsv.exe
          Command line: c:\windows\resources\spoolsv.exe PR
          PID: 2712
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 07:50 /f
          PID: 2784
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 07:51 /f
          PID: 1688
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 07:52 /f
          PID: 664
          - Creates scheduled task(s)
    C:\Windows\Explorer.exe
      Command line: C:\Windows\Explorer.exe
      PID: 2816
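The persistence chain recorded above (system-binary names dropped under c:\windows\resources, RunOnce values and a scheduled task named "svchost" pointing at them, ShowSuperHidden forced to 0) is straightforward to hunt for in process-creation and registry-set telemetry. The Python below is an added example and not part of the sandbox report or the sample; the event records it scans are constructed from this report's process tree and signatures, and the field names (type, image, cmdline, key, value), the set of "trusted" directories and the list of impersonated binary names are assumptions of the example, not facts the report states.

```python
"""Hunt for the behaviours in this report (system-binary names running from
c:\\windows\\resources, RunOnce entries and a scheduled task named "svchost"
pointing at them, ShowSuperHidden=0) in process-creation and registry-set
events. Added example: the events below are constructed from the report and
the event field names are an assumed, simplified schema."""
import re
from pathlib import PureWindowsPath

# Binary names the sample impersonates, and the only directories a genuine copy runs from
# (assumed allow-list; extend it for your environment).
SYSTEM_BINARIES = {"explorer.exe", "svchost.exe", "spoolsv.exe"}
TRUSTED_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
FLAG_RE = re.compile(r'/(\w+)(?:\s+("[^"]*"|[^/\s]\S*))?')      # schtasks /flag [value]
RUN_KEY_RE = re.compile(r"\\currentversion\\(run|runonce)\\")  # applied to lower-cased keys


def normalize(path):
    """Lower-case, strip quotes and the NT object-manager prefix (\\??\\) seen in the report."""
    return re.sub(r"^\\\?\?\\", "", path.strip().strip('"')).lower()


def first_exe(command):
    """Executable at the head of a command string, quoted or bare (drops arguments such as 'RO')."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    return (m.group(1) or m.group(2)) if m else ""


def is_masquerading(path):
    """True when a system-binary name executes from outside its legitimate directories."""
    p = PureWindowsPath(normalize(path))
    return p.name in SYSTEM_BINARIES and str(p.parent) not in TRUSTED_DIRS


def parse_schtasks(cmdline):
    """'schtasks /create /tn "x" /tr "y" ... /f' -> {'create': '', 'tn': 'x', 'tr': 'y', ...}."""
    return {k.lower(): v.strip('"') for k, v in FLAG_RE.findall(cmdline)}


def check_process(ev):
    reasons = []
    image = normalize(ev["image"])
    if is_masquerading(image):
        reasons.append(f"masquerading binary: {image}")
    if PureWindowsPath(image).name == "schtasks.exe":
        task = parse_schtasks(ev["cmdline"])
        if "create" in task:
            name = task.get("tn", "").lower()
            name = name if name.endswith(".exe") else name + ".exe"
            if name in SYSTEM_BINARIES:
                reasons.append(f"scheduled task named after a system binary: {task['tn']}")
            action = first_exe(task.get("tr", ""))
            if action and is_masquerading(action):
                reasons.append(f"scheduled task runs masquerading binary: {normalize(action)}")
    return reasons


def check_registry(ev):
    reasons = []
    key, value = ev["key"].lower(), str(ev["value"])
    if key.endswith(r"\explorer\advanced\showsuperhidden") and value == "0":
        reasons.append("hides protected OS files (ShowSuperHidden=0)")
    if RUN_KEY_RE.search(key) and is_masquerading(first_exe(value)):
        reasons.append(f"autorun launches masquerading binary: {normalize(first_exe(value))}")
    return reasons


def hunt(events):
    """Return (event index, reason) pairs for every event that trips a check."""
    findings = []
    for i, ev in enumerate(events):
        check = check_process if ev["type"] == "process" else check_registry
        findings.extend((i, reason) for reason in check(ev))
    return findings


SAMPLE_EVENTS = [  # constructed from the report's process tree and signatures, not captured telemetry
    {"type": "process", "image": r"C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe"'},
    {"type": "process", "image": r"\??\c:\windows\resources\themes\explorer.exe",
     "cmdline": r"c:\windows\resources\themes\explorer.exe"},
    {"type": "process", "image": r"\??\c:\windows\resources\spoolsv.exe",
     "cmdline": r"c:\windows\resources\spoolsv.exe SE"},
    {"type": "process", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 07:50 /f'},
    {"type": "process", "image": r"C:\Windows\Explorer.exe", "cmdline": r"C:\Windows\Explorer.exe"},
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe",  # benign control, not in the report
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"type": "registry", "process": "explorer.exe", "value": 0,
     "key": r"HKU\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden"},
    {"type": "registry", "process": "svchost.exe", "value": r"c:\windows\resources\svchost.exe RO",
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost"},
]

if __name__ == "__main__":
    for i, reason in hunt(SAMPLE_EVENTS):
        print(f"event {i}: {reason}")
```

The legitimate C:\Windows\Explorer.exe that the fake explorer.exe spawns (PID 2816 above) and the System32 svchost.exe control event pass cleanly; every dropped copy, both schtasks findings and both registry writes are flagged. The checks key on the path, not on the file name, so the 4× duplicate WriteProcessMemory rows or renamed copies such as tjud.exe would need a separate hash-based or directory-based rule.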
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Downloads
- Filesize: 135KB
  MD5: dd56ba6ed051fe45ae4da1161e21c71b
  SHA1: 2defe0b01952f10091bbb97fcf7716467dce8cbf
  SHA256: 3f3ead8b77dfa6be320374ba40f4d153436ae0af6a3235f8da0515bdf3e1ff84
  SHA512: bf160f1868e0c3318629268396a4f6dcb129c858e0703a8dd8ab0dd4814cbb417128cd868f61175b8ddbf30197b7c7941b21bb711b2f56810811422176b3a842
- Filesize: 135KB
  MD5: 32084c6433ee4141c9fd6100f87b684b
  SHA1: 676e0420b9170cac46a9fb00a507882c2a36c613
  SHA256: 52cce42302a584cbb495441fc765e09fd913234e9270131d06f7da6ed7e70753
  SHA512: 63be0134090266c358a748a3e5a04561265c2793735e837cbc1f695a4b24d8ab25b53f27b59aff9b0cd148112b1ea54d253c0f5bf1b0fe33d49e5bc67dec2153
- Filesize: 135KB
  MD5: 08c8ba5cb8d1ff660640b71e663f40b0
  SHA1: 985f705bf00268c7780023593cdfa0713c214329
  SHA256: d6dc47f29319ed249169c2b7b33d7ccbb07b698b0d9b0c576fc5928517db7557
  SHA512: 84d4c82cfbcd0579590762476afdff1fba3aec3db04be59b8c70f6efa5e02f85e8fc5c0442a5343e3fcc7959ae98056f3c3ef06a9cd889c07580518175bdef88