Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
05/06/2024, 07:48
Static task
static1
Behavioral task
behavioral1
Sample
49a987fc6b3f7f5d1e9db05f3e2a4250_NeikiAnalytics.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
49a987fc6b3f7f5d1e9db05f3e2a4250_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
49a987fc6b3f7f5d1e9db05f3e2a4250_NeikiAnalytics.exe
-
Size
206KB
-
MD5
49a987fc6b3f7f5d1e9db05f3e2a4250
-
SHA1
0dfc6804f1db3dbd390c3689adbc0eac6c96e006
-
SHA256
50a33c105b3addbd2444dfa2c176ac686bc41bc92e1a2e3866bab1c262088033
-
SHA512
52ef5f4c787cd12e55e87e189971632a48d1113736b44dd459fa0f855aeb92edde0e74102babad06b4ff3f84f495a69de94273242dbfdd21482b76d54434a470
-
SSDEEP
3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unLp:5vEN2U+T6i5LirrllHy4HUcMQY6Kp
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" svchost.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe -
Modifies Installed Components in the registry 2 TTPs 8 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} svchost.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" svchost.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} svchost.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" explorer.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" svchost.exe -
Executes dropped EXE 4 IoCs
pid Process 2900 explorer.exe 2580 spoolsv.exe 2780 svchost.exe 2472 spoolsv.exe -
Loads dropped DLL 8 IoCs
pid Process 2764 49a987fc6b3f7f5d1e9db05f3e2a4250_NeikiAnalytics.exe 2764 49a987fc6b3f7f5d1e9db05f3e2a4250_NeikiAnalytics.exe 2900 explorer.exe 2900 explorer.exe 2580 spoolsv.exe 2580 spoolsv.exe 2780 svchost.exe 2780 svchost.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" explorer.exe -
Drops file in Windows directory 6 IoCs
description ioc Process File opened for modification \??\c:\windows\system\svchost.exe spoolsv.exe File opened for modification \??\c:\windows\system\explorer.exe explorer.exe File opened for modification \??\c:\windows\system\svchost.exe svchost.exe File opened for modification C:\Windows\system\udsys.exe explorer.exe File opened for modification \??\c:\windows\system\explorer.exe 49a987fc6b3f7f5d1e9db05f3e2a4250_NeikiAnalytics.exe File opened for modification \??\c:\windows\system\spoolsv.exe explorer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2764 49a987fc6b3f7f5d1e9db05f3e2a4250_NeikiAnalytics.exe 2900 explorer.exe 2900 explorer.exe 2900 explorer.exe 2780 svchost.exe 2780 svchost.exe 2900 explorer.exe 2780 svchost.exe 2900 explorer.exe 2780 svchost.exe 2900 explorer.exe 2780 svchost.exe 2900 explorer.exe 2780 svchost.exe 2900 explorer.exe 2780 svchost.exe 2900 explorer.exe 2780 svchost.exe 2900 explorer.exe 2780 svchost.exe 2900 explorer.exe 2780 svchost.exe 2900 explorer.exe 2780 svchost.exe 2900 explorer.exe 2780 svchost.exe 2900 explorer.exe 2780 svchost.exe 2900 explorer.exe 2780 svchost.exe 2900 explorer.exe 2780 svchost.exe 2900 explorer.exe 2780 svchost.exe 2900 explorer.exe 2780 svchost.exe 2900 explorer.exe 2780 svchost.exe 2900 explorer.exe 2780 svchost.exe 2900 explorer.exe 2780 svchost.exe 2900 explorer.exe 2780 svchost.exe 2900 explorer.exe 2780 svchost.exe 2900 explorer.exe 2780 svchost.exe 2900 explorer.exe 2780 svchost.exe 2900 explorer.exe 2780 svchost.exe 2900 explorer.exe 2780 svchost.exe 2900 explorer.exe 2780 svchost.exe 2900 explorer.exe 2780 svchost.exe 2900 explorer.exe 2780 svchost.exe 2900 explorer.exe 2780 svchost.exe 2900 explorer.exe 2780 svchost.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 2900 explorer.exe 2780 svchost.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process 2764 49a987fc6b3f7f5d1e9db05f3e2a4250_NeikiAnalytics.exe 2764 49a987fc6b3f7f5d1e9db05f3e2a4250_NeikiAnalytics.exe 2900 explorer.exe 2900 explorer.exe 2580 spoolsv.exe 2580 spoolsv.exe 2780 svchost.exe 2780 svchost.exe 2472 spoolsv.exe 2472 spoolsv.exe 2900 explorer.exe 2900 explorer.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 2764 wrote to memory of 2900 2764 49a987fc6b3f7f5d1e9db05f3e2a4250_NeikiAnalytics.exe 28 PID 2764 wrote to memory of 2900 2764 49a987fc6b3f7f5d1e9db05f3e2a4250_NeikiAnalytics.exe 28 PID 2764 wrote to memory of 2900 2764 49a987fc6b3f7f5d1e9db05f3e2a4250_NeikiAnalytics.exe 28 PID 2764 wrote to memory of 2900 2764 49a987fc6b3f7f5d1e9db05f3e2a4250_NeikiAnalytics.exe 28 PID 2900 wrote to memory of 2580 2900 explorer.exe 29 PID 2900 wrote to memory of 2580 2900 explorer.exe 29 PID 2900 wrote to memory of 2580 2900 explorer.exe 29 PID 2900 wrote to memory of 2580 2900 explorer.exe 29 PID 2580 wrote to memory of 2780 2580 spoolsv.exe 30 PID 2580 wrote to memory of 2780 2580 spoolsv.exe 30 PID 2580 wrote to memory of 2780 2580 spoolsv.exe 30 PID 2580 wrote to memory of 2780 2580 spoolsv.exe 30 PID 2780 wrote to memory of 2472 2780 svchost.exe 31 PID 2780 wrote to memory of 2472 2780 svchost.exe 31 PID 2780 wrote to memory of 2472 2780 svchost.exe 31 PID 2780 wrote to memory of 2472 2780 svchost.exe 31 PID 2780 wrote to memory of 2440 2780 svchost.exe 32 PID 2780 wrote to memory of 2440 2780 svchost.exe 32 PID 2780 wrote to memory of 2440 2780 svchost.exe 32 PID 2780 wrote to memory of 2440 2780 svchost.exe 32 PID 2780 wrote to memory of 2248 2780 svchost.exe 36 PID 2780 wrote to memory of 2248 2780 svchost.exe 36 PID 2780 wrote to memory of 2248 2780 svchost.exe 36 PID 2780 wrote to memory of 2248 2780 svchost.exe 36 PID 2780 wrote to memory of 2756 2780 svchost.exe 38 PID 2780 wrote to memory of 2756 2780 svchost.exe 38 PID 2780 wrote to memory of 2756 2780 svchost.exe 38 PID 2780 wrote to memory of 2756 2780 svchost.exe 38
Processes
-
C:\Users\Admin\AppData\Local\Temp\49a987fc6b3f7f5d1e9db05f3e2a4250_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\49a987fc6b3f7f5d1e9db05f3e2a4250_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2580 -
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2472
-
-
C:\Windows\SysWOW64\at.exeat 07:51 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵PID:2440
-
-
C:\Windows\SysWOW64\at.exeat 07:52 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵PID:2248
-
-
C:\Windows\SysWOW64\at.exeat 07:53 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵PID:2756
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
206KB
MD5394026253fa41da68c233311533ea0c1
SHA1d651655df113c890b67a2bbdc46a2c99ac4c2547
SHA2567af9a8712364e9c6a5122ebfdf8701a3bc2702cf1b1701c70877ec0a6ee5408c
SHA5125a142958e35e432957ec4d58d0d0e49c6a315a3941649032849c09a60b95f86ed1e2be2e919c472797fdd5ae8bdf61034b345d9e79c79e4b6755c2c9559d7e12
-
Filesize
206KB
MD535e307c702778cf7819474ba144c9cbf
SHA12a6be08ea511314c3c305baefbaf7569248c2027
SHA2567aa19c41289678d1f9d1b843c0aca5b82e320fbd62072b1a325962fb192867f7
SHA512312965bac4539424bef997cc9183a970da66991c4edbc86efa2cb5433cda822050ca3c594eaf4d9cd3a21f6ea5d3d47fad3616eeb425b839edaeaaf16339fdd6
-
Filesize
206KB
MD56dd3ca693b77832059aaadada64ce94a
SHA189346e4f99c6f54a0e11abd6f9c0c7cb23352946
SHA256db6124d6b76e07aea7b5d6540807087582fc7041b710c80a7eae8d224c5d642b
SHA512a2f2e96b06bcdacc13fe7c21c2595a1e5cdfe4a1036bc21d769e0da63efa3155169acd2ba90966227f8a71ccc9567d699b775e70b2b5211159c3ddbe73e9ad89
-
Filesize
206KB
MD563c906f7b2d0835fcab8c9fb30c0bfca
SHA1c1b7dd8c74cb5bd1aeea5f8b3e8ce1d06d0e22ef
SHA256c1ff9d66c7e5070a6a3bdd7ad8bf077b435667e629aae2b785a7baa7f4f23013
SHA51256afc52f9d9463d66ae10b84ce908fb8033b28b06e00bf0c1d61ac9768a7c54ba4535af8ba110112661360c230291ca617320e367b4249999f7447f02c69fdb2