Analysis
-
max time kernel
152s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
05/06/2024, 07:50
Static task
static1
Behavioral task
behavioral1
Sample
49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe
Resource
win10v2004-20240226-en
General
-
Target
49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe
-
Size
135KB
-
MD5
49caa5edfc4e78f44f545d175ba9b5b0
-
SHA1
ee61df54a4095b0b8c44541ce2409db8e69be51f
-
SHA256
2d69a5b80c686a8297c15671404a80e39fe9c5d056d0a4e4cd717dbbb105c1c2
-
SHA512
0b49b84199800d15eac0baeb754e91e01faaa27157843608555d8b7034159486052c658807217571a1e376631a281020e7d821511a47aefe99b0caa1a0fda34e
-
SSDEEP
1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVgt:UVqoCl/YgjxEufVU0TbTyDDalit
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe -
Executes dropped EXE 4 IoCs
pid Process 4048 explorer.exe 4396 spoolsv.exe 4084 svchost.exe 1188 spoolsv.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" svchost.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\explorer.exe explorer.exe File opened for modification C:\Windows\SysWOW64\explorer.exe svchost.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File opened for modification \??\c:\windows\resources\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\resources\svchost.exe spoolsv.exe File opened for modification C:\Windows\Resources\tjud.exe explorer.exe File opened for modification \??\c:\windows\resources\themes\explorer.exe 49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5076 49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe 5076 49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe 5076 49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe 5076 49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe 5076 49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe 5076 49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe 5076 49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe 5076 49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe 5076 49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe 5076 49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe 5076 49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe 5076 49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe 5076 49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe 5076 49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe 5076 49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe 5076 49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe 5076 49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe 5076 49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe 5076 49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe 5076 49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe 5076 49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe 5076 49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe 5076 49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe 5076 49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe 5076 49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe 5076 49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe 5076 49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe 5076 49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe 5076 49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe 5076 49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe 5076 49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe 5076 49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe 5076 49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe 5076 49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe 4048 explorer.exe 4048 explorer.exe 4048 explorer.exe 4048 explorer.exe 4048 explorer.exe 4048 explorer.exe 4048 explorer.exe 4048 explorer.exe 4048 explorer.exe 4048 explorer.exe 4048 explorer.exe 4048 explorer.exe 4048 explorer.exe 4048 explorer.exe 4048 explorer.exe 4048 explorer.exe 4048 explorer.exe 4048 explorer.exe 4048 explorer.exe 4048 explorer.exe 4048 explorer.exe 4048 explorer.exe 4048 explorer.exe 4048 explorer.exe 4048 explorer.exe 4048 explorer.exe 4048 explorer.exe 4048 explorer.exe 4048 explorer.exe 4048 explorer.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 4048 explorer.exe 4084 svchost.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process 5076 49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe 5076 49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe 4048 explorer.exe 4048 explorer.exe 4396 spoolsv.exe 4396 spoolsv.exe 4084 svchost.exe 4084 svchost.exe 1188 spoolsv.exe 1188 spoolsv.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 5076 wrote to memory of 4048 5076 49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe 90 PID 5076 wrote to memory of 4048 5076 49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe 90 PID 5076 wrote to memory of 4048 5076 49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe 90 PID 4048 wrote to memory of 4396 4048 explorer.exe 91 PID 4048 wrote to memory of 4396 4048 explorer.exe 91 PID 4048 wrote to memory of 4396 4048 explorer.exe 91 PID 4396 wrote to memory of 4084 4396 spoolsv.exe 92 PID 4396 wrote to memory of 4084 4396 spoolsv.exe 92 PID 4396 wrote to memory of 4084 4396 spoolsv.exe 92 PID 4084 wrote to memory of 1188 4084 svchost.exe 93 PID 4084 wrote to memory of 1188 4084 svchost.exe 93 PID 4084 wrote to memory of 1188 4084 svchost.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\49caa5edfc4e78f44f545d175ba9b5b0_NeikiAnalytics.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5076 -
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4048 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4396 -
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4084 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1188
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4416 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:81⤵PID:3460
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
135KB
MD5afab835f7a48d1dbf9ff4d0119da01d6
SHA1123c472e9b2c5ea771a19f0921886b374beed25c
SHA256a1182a6478f68d65bb13c1f1aacf8f00f3fd5e3058cae888aa5ea7abe159fe6f
SHA512941e0ea98c8ebb9e6a5afaf495ff91f19db020a5e7ac455a68808df3f2acc157ca1a337577bd2fad5bdfb16e939a54ac0269855ed9185028f1ad836f4e30f283
-
Filesize
135KB
MD5cd801fa2355f9a3f96f128b20cd6b91e
SHA1a82cdc0831a86dd9b200ebe76fec3e94ee70937e
SHA25698ff8197093387fada74a7532bfb886a0cd1aef96580e4374e78a8959732e4dd
SHA51203992fcbe332df93ed5f70ef56663e2541e0717e7b717f7e43a522e2fbdf7806c0ee9b7eec52eeace403c1606b4cec5baa94453ceb83b2bd452dccb5880f8376
-
Filesize
135KB
MD5a49ada2a8fef5db138bfd09f2750d909
SHA16f9d3ceee88250148c29d1cf350b824591b85b27
SHA25667339aeb0256fd48f851d459047661bf2f4324fe3ba06a18d32b82b080a2194e
SHA51279fb5b28200359709dd80c655bd4dbb52ac1c73509966e60421dabc3c447917e5afba22df5fdf6ca5f3181da39c72775a13d61b9b4c9edcc990358e6ed8fab35