Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/06/2024, 07:48
Static task: static1
Behavioral task: behavioral1
  Sample: 499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
General
Target: 499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe
Size: 135KB
MD5: 499dec953d90f081cf719664d8bdcc10
SHA1: 85289055c7ba45c22e1ad0ba97e1ef5703a55160
SHA256: ebe8a31d3ff34744fcd2ec79d47b68ac130d206a9c153a1fb97755d1b08ffba9
SHA512: 69b1b1a3472ca43b398fbed7ac4b847ac608799e252b2aee56f7e99716806ed966f45d3d59bb529686325782e362954350dd4c4e9981f11da729a84a1888da77
SSDEEP: 1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVQUVVVVVVVVVVVVp:UVqoCl/YgjxEufVU0TbTyDDalKw
Malware Config
Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe

Executes dropped EXE (4 IoCs)
  pid | Process
  4668 | explorer.exe
  744 | spoolsv.exe
  2372 | svchost.exe
  2884 | spoolsv.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe

Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
  File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe

Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
  File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe
  File opened for modification | \??\c:\windows\resources\themes\explorer.exe | 499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe
  File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  1324 | 499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe
  4668 | explorer.exe
  (all 64 IoCs are repeats of these two pid/process pairs, one per enumeration call)

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | Process
  4668 | explorer.exe
  2372 | svchost.exe

Suspicious use of SetWindowsHookEx (10 IoCs)
  pid | Process
  1324 | 499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe (listed twice)
  4668 | explorer.exe (listed twice)
  744 | spoolsv.exe (listed twice)
  2372 | svchost.exe (listed twice)
  2884 | spoolsv.exe (listed twice)

Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 1324 wrote to memory of 4668 | 1324 | 499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe | 82 (listed 3 times)
  PID 4668 wrote to memory of 744 | 4668 | explorer.exe | 83 (listed 3 times)
  PID 744 wrote to memory of 2372 | 744 | spoolsv.exe | 85 (listed 3 times)
  PID 2372 wrote to memory of 2884 | 2372 | svchost.exe | 86 (listed 3 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\499dec953d90f081cf719664d8bdcc10_NeikiAnalytics.exe"
   PID: 1324
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. \??\c:\windows\resources\themes\explorer.exe
      command line: c:\windows\resources\themes\explorer.exe
      PID: 4668
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. \??\c:\windows\resources\spoolsv.exe
         command line: c:\windows\resources\spoolsv.exe SE
         PID: 744
         - Executes dropped EXE
         - Drops file in Windows directory
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4. \??\c:\windows\resources\svchost.exe
            command line: c:\windows\resources\svchost.exe
            PID: 2372
            - Modifies visibility of hidden/system files in Explorer
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in System32 directory
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            5. \??\c:\windows\resources\spoolsv.exe
               command line: c:\windows\resources\spoolsv.exe PR
               PID: 2884
               - Executes dropped EXE
               - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 135KB
MD5: 515a5a3bbd4e605f42955780ac50d3d9
SHA1: 7d268b253b51af859b866aacf0b1568859038dc6
SHA256: 73c8089ce33c3ff6fec3f314b60f670cdcc0190a889263e1350295bd9aa4e979
SHA512: d72611cdc18bb73ed9062f75c6f6f8de1d12372c769bb8cc21bca4fa116f74d086200fa9f43e3ea6a97e169c551b4754be129444e71ada6aa9bd0ecd54fb9a55

Filesize: 135KB
MD5: a79da3266dc1a964d865529d4f3368ef
SHA1: 5b6273dfe8d10917b28037aeaea9bcbae4de1873
SHA256: 800edafe4af4a3298be26c23f9fd665a1d94983e092f15ac033810f5c89d6ef3
SHA512: e2853c03cad4e122ac2569890321a1e534fd0ba0017a2d37d2a66482a3a507b604fdddd46d4be911d87645fd12cd4591029b5cb6c4e8d2492e76702b785f46af

Filesize: 135KB
MD5: 259be02d7d07cd9ef0e98dc4becd44d3
SHA1: d10e8b35380d6d4572ce90d4429ae46496ca719e
SHA256: ef66018281e1f391817c1d3bb59752fa9907c44a4a69bebe111b419d6b9db299
SHA512: ec92db1139be5797c82ffbac3e9e34598a49081ae30379cc2069e0c15d1582194ab4d1b8ba168acdf72238ca89ef8b8e482da6dc8ca6f58cac2a57eccd8d6bf7