Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/06/2024, 07:48
Static task: static1
Behavioral task: behavioral1
- Sample: 49a987fc6b3f7f5d1e9db05f3e2a4250_NeikiAnalytics.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 49a987fc6b3f7f5d1e9db05f3e2a4250_NeikiAnalytics.exe
- Resource: win10v2004-20240426-en
General
- Target: 49a987fc6b3f7f5d1e9db05f3e2a4250_NeikiAnalytics.exe
- Size: 206KB
- MD5: 49a987fc6b3f7f5d1e9db05f3e2a4250
- SHA1: 0dfc6804f1db3dbd390c3689adbc0eac6c96e006
- SHA256: 50a33c105b3addbd2444dfa2c176ac686bc41bc92e1a2e3866bab1c262088033
- SHA512: 52ef5f4c787cd12e55e87e189971632a48d1113736b44dd459fa0f855aeb92edde0e74102babad06b4ff3f84f495a69de94273242dbfdd21482b76d54434a470
- SSDEEP: 3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unLp:5vEN2U+T6i5LirrllHy4HUcMQY6Kp
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe

Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe

Executes dropped EXE (4 IoCs)
  pid | process
  2192 | explorer.exe
  2828 | spoolsv.exe
  624 | svchost.exe
  3520 | spoolsv.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe

Drops file in Windows directory (6 IoCs)
  description | ioc | process
  File opened for modification | \??\c:\windows\system\explorer.exe | 49a987fc6b3f7f5d1e9db05f3e2a4250_NeikiAnalytics.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
  File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
  File opened for modification | C:\Windows\system\udsys.exe | explorer.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | process | occurrences
  448 | 49a987fc6b3f7f5d1e9db05f3e2a4250_NeikiAnalytics.exe | 2
  2192 | explorer.exe | 32
  624 | svchost.exe | 30

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | process
  2192 | explorer.exe
  624 | svchost.exe

Suspicious use of SetWindowsHookEx (12 IoCs)
  pid | process | occurrences
  448 | 49a987fc6b3f7f5d1e9db05f3e2a4250_NeikiAnalytics.exe | 2
  2192 | explorer.exe | 4
  2828 | spoolsv.exe | 2
  624 | svchost.exe | 2
  3520 | spoolsv.exe | 2

Suspicious use of WriteProcessMemory (21 IoCs; every row below is reported three times)
  description | pid | process | procid_target
  PID 448 wrote to memory of 2192 | 448 | 49a987fc6b3f7f5d1e9db05f3e2a4250_NeikiAnalytics.exe | 81
  PID 2192 wrote to memory of 2828 | 2192 | explorer.exe | 82
  PID 2828 wrote to memory of 624 | 2828 | spoolsv.exe | 84
  PID 624 wrote to memory of 3520 | 624 | svchost.exe | 85
  PID 624 wrote to memory of 4832 | 624 | svchost.exe | 87
  PID 624 wrote to memory of 4932 | 624 | svchost.exe | 98
  PID 624 wrote to memory of 4788 | 624 | svchost.exe | 100
Processes (tree; indentation shows parent/child)

C:\Users\Admin\AppData\Local\Temp\49a987fc6b3f7f5d1e9db05f3e2a4250_NeikiAnalytics.exe  (PID 448)
  command line: "C:\Users\Admin\AppData\Local\Temp\49a987fc6b3f7f5d1e9db05f3e2a4250_NeikiAnalytics.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  \??\c:\windows\system\explorer.exe  (PID 2192)
    command line: c:\windows\system\explorer.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    \??\c:\windows\system\spoolsv.exe  (PID 2828)
      command line: c:\windows\system\spoolsv.exe SE
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      \??\c:\windows\system\svchost.exe  (PID 624)
        command line: c:\windows\system\svchost.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        \??\c:\windows\system\spoolsv.exe  (PID 3520)
          command line: c:\windows\system\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\at.exe  (PID 4832)
          command line: at 07:51 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        C:\Windows\SysWOW64\at.exe  (PID 4932)
          command line: at 07:52 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        C:\Windows\SysWOW64\at.exe  (PID 4788)
          command line: at 07:53 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
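The signature rows above and the at.exe lines in the process tree together describe four persistence mechanisms: a second entry appended to the Winlogon Shell value (the default data is exactly "explorer.exe"), Active Setup Installed Components entries whose StubPath runs mrsys.exe out of the user's roaming AppData, RunOnce values that start copies named explorer.exe and svchost.exe from c:\windows\system rather than the real system directories, and three at.exe jobs that run that svchost.exe copy every day of the week. All machine-wide writes land under WOW6432Node, i.e. the sample runs as a 32-bit process on this x64 image (the resource tags list arch:x86). The Python below is an added example, not part of the sandbox report and not the sample's code: it encodes those four patterns plus the ShowSuperHidden change as rules and runs them over a constructed event list copied from this page, with benign control lines invented for the example (a Microsoft Active Setup component with a hex GUID, a OneDrive Run value and a schtasks query) so the rules have negatives. The MASQUERADE_NAMES and LEGIT_DIRS sets, the severity labels and the "non-hex GUID" heuristic (the component ids in this report contain letters outside 0-9a-f) are this example's assumptions. One caveat a responder should keep in mind: the four dropped 206KB copies in the Downloads section each carry a different hash, so matching the dropped files by hash is weaker than matching the registry, path and scheduled-task behaviour the rules below key on.

```python
"""Flag the persistence IoCs this report shows (added example, not report or sample code)."""
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass
class RegEvent:
    key: str      # registry path as the report prints it
    value: str    # data written (integers as decimal text)
    process: str  # writing process

@dataclass
class Finding:
    rule: str
    severity: str
    detail: str

# Assumptions of this example: names the dropped files borrow from Windows, and the
# only directories the genuine binaries run from on a default install.
MASQUERADE_NAMES = {"explorer.exe", "svchost.exe", "spoolsv.exe"}
LEGIT_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
HEX_GUID = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
ACTIVE_SETUP = re.compile(r"\\active setup\\installed components\\(\{[^}]*\})\\stubpath$", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run(?:once)?\\", re.I)
AT_CMD = re.compile(r"(?:^|\\|\s)at(?:\.exe)?\s+(\d{1,2}:\d{2})\s+(.*)$", re.I)

def split_image(cmd: str) -> tuple[str, str]:
    """Lower-cased (directory, filename) of the program a command line starts with."""
    cmd = cmd.strip()
    quoted = cmd.startswith('"') and '"' in cmd[1:]
    image = cmd[1:cmd.index('"', 1)] if quoted else (cmd.split() or [""])[0]
    directory, _, name = image.lower().rpartition("\\")
    return directory, name

def check_winlogon_shell(ev: RegEvent) -> Finding | None:
    # Winlogon\Shell defaults to exactly "explorer.exe"; anything appended runs at every logon.
    if not ev.key.lower().endswith(r"\winlogon\shell"):
        return None
    entries = [e.strip() for e in ev.value.lower().split(",")]
    extra = [e for e in entries if e not in ("explorer.exe", r"c:\windows\explorer.exe")]
    return Finding("winlogon_shell", "high", f"{ev.process} appended {extra}") if extra else None

def check_active_setup(ev: RegEvent) -> Finding | None:
    # StubPath runs once per user at logon; genuine components use hex GUIDs and live under Windows.
    m = ACTIVE_SETUP.search(ev.key)
    if not m:
        return None
    reasons = []
    if not HEX_GUID.match(m.group(1)):
        reasons.append(f"component id {m.group(1)} is not a hex GUID")
    directory, name = split_image(ev.value)
    if "\\appdata" in directory:
        reasons.append(f"StubPath runs {name} from a user profile directory")
    return Finding("active_setup_stubpath", "high", "; ".join(reasons)) if reasons else None

def check_run_key(ev: RegEvent) -> Finding | None:
    # Run/RunOnce entries that start a Windows-named binary from the wrong directory.
    directory, name = split_image(ev.value) if RUN_KEY.search(ev.key) else ("", "")
    if name in MASQUERADE_NAMES and directory not in LEGIT_DIRS:
        return Finding("run_key_masquerade", "high", f"{name} autostarted from {directory}")
    return None

def check_show_super_hidden(ev: RegEvent) -> Finding | None:
    # ShowSuperHidden=0 hides protected OS files, the class the dropped copies pose as.
    hidden = ev.key.lower().endswith(r"\explorer\advanced\showsuperhidden") and ev.value.strip() == "0"
    return Finding("hide_system_files", "low", f"ShowSuperHidden cleared by {ev.process}") if hidden else None

def check_at_command(cmdline: str) -> Finding | None:
    # at.exe with /every (here also /interactive) is scheduled-task persistence.
    m = AT_CMD.search(cmdline)
    if not m or not re.search(r"/every:|/interactive", m.group(2), re.I):
        return None
    directory, name = split_image(m.group(2).split()[-1])
    return Finding("at_scheduled_task", "high", f"{name} in {directory} scheduled at {m.group(1)}")

REG_RULES = [check_winlogon_shell, check_active_setup, check_run_key, check_show_super_hidden]

def scan(reg_events: list[RegEvent], command_lines: list[str]) -> list[Finding]:
    findings = [f for ev in reg_events for rule in REG_RULES if (f := rule(ev)) is not None]
    return findings + [f for cl in command_lines if (f := check_at_command(cl)) is not None]

# Constructed sample: the writes and at.exe lines from this report (de-duplicated,
# single backslashes) followed by benign control lines invented for this example.
HKLM32 = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft"
HKU = r"\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft"
SAMPLE_REG = [
    RegEvent(HKLM32 + r"\Windows NT\CurrentVersion\Winlogon\shell",
             r"C:\Windows\explorer.exe, c:\windows\system\explorer.exe", "explorer.exe"),
    RegEvent(HKU + r"\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden", "0", "explorer.exe"),
    RegEvent(HKLM32 + r"\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath",
             r"C:\Users\Admin\AppData\Roaming\mrsys.exe MR", "svchost.exe"),
    RegEvent(HKLM32 + r"\Windows\CurrentVersion\RunOnce\Explorer", r"c:\windows\system\explorer.exe RO", "explorer.exe"),
    RegEvent(HKLM32 + r"\Windows\CurrentVersion\RunOnce\Svchost", r"c:\windows\system\svchost.exe RO", "svchost.exe"),
    RegEvent(r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\StubPath",
             r"C:\Windows\System32\ie4uinit.exe -BaseSettings", "msiexec.exe"),  # benign control
    RegEvent(HKU + r"\Windows\CurrentVersion\Run\OneDrive",
             r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background', "OneDrive.exe"),  # benign
]
SAMPLE_CMDS = [r"at 07:%d /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe" % m for m in (51, 52, 53)]
SAMPLE_CMDS.append(r"C:\Windows\System32\schtasks.exe /query /fo LIST")  # benign control

if __name__ == "__main__":
    for f in scan(SAMPLE_REG, SAMPLE_CMDS):
        print(f"[{f.severity}] {f.rule}: {f.detail}")
```

On a live host the same rules apply unchanged to Sysmon Event ID 13 (registry value set) records and Event ID 1 command lines; build RegEvent objects from the former and pass the latter as strings. Treat the non-hex GUID test as a signal rather than proof: Active Setup accepts any subkey name, so a legitimate installer could in principle use one too, which is why the rule also looks at where the StubPath target lives.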
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Downloads
- Filesize: 206KB
  MD5: 4f87674cc1b8d184efec485936bd952f
  SHA1: e32129ae07059509f39c5a73dcc810ddf478c165
  SHA256: f570616751cb223434b8505abe3bf11e4492cc0a58532f7c1e2d39b8e4d71993
  SHA512: 31282e0fbfc0cfb34bf2c338ac053fe075dcc12494d3480b7ed0106b30bbe6f0c68e33effe73ba1d5d29b2955b277ece3643e89b0fd6aa712f3a5f6f3782dec7
- Filesize: 206KB
  MD5: f5153b09d3b813c89ae6d2d8562994c7
  SHA1: 5747d3f6732b9f9a0185d0384ffd39dc59080075
  SHA256: c7438fec5dae6806c92049b7e318bdebc3464f587772cf1030c2effd02b5541b
  SHA512: da630c84510c681da512866be1a33080d9244914539b7c514a739bf260b543bab3f4b3a768f4cb60f41fc16bdc89c51f1debfaa70b8f88b6b65e5ff7dd493dca
- Filesize: 206KB
  MD5: 9439afa542fdbbed7fc90289f1fb6f7e
  SHA1: f7bb0dec44eb788bceb725d15f202f959294091b
  SHA256: 51d60dda67a49e43b7ab61c0087d62996e7794b54ad333f7283e771a3eda1937
  SHA512: c839a2d25bc424fa0f80f6ad9a6314d084703907e17d8b93bdf1ef3883b2baeb597a750e1cdcbfd66fffb06173ba4124028d97043a36c1797c08f061a77a073a
- Filesize: 206KB
  MD5: 612ca0d608377f7c8f06d3873c22725e
  SHA1: 08cbe9dfc24c6f3ec0f7860827197d3ec3268c56
  SHA256: 1fabb3f3b6a71e7507daeba564d6a6161e32556719631de249c0f578c56b155e
  SHA512: 5c19c63bb4e8fa8aebccd54ffe4dc4205e24b54e7f8c109e3f18dcd8eadf4c718e36824da3101824798ee5d8a3c3bf61bf3cc17eb2f2dd82f82307297601c1c1