Analysis
- max time kernel: 150s
- max time network: 128s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 05/06/2024, 08:38

Static task: static1

Behavioral task: behavioral1
- Sample: 4bf917aabe6d5488411defae0ebf28e0_NeikiAnalytics.exe
- Resource: win7-20240508-en

Behavioral task: behavioral2
- Sample: 4bf917aabe6d5488411defae0ebf28e0_NeikiAnalytics.exe
- Resource: win10v2004-20240426-en
General
- Target: 4bf917aabe6d5488411defae0ebf28e0_NeikiAnalytics.exe
- Size: 274KB
- MD5: 4bf917aabe6d5488411defae0ebf28e0
- SHA1: 4d3f53805b46e3fea83c924264e733c41d0e75f9
- SHA256: 8a9ea014b45c6b85e465de1f6120932700031f03bf9a45504220839dfa4534e2
- SHA512: f924be78cf218f4aa2a3fa95e1c2f4e47e61f420eaf2b87cbd5037314aa36e1e0824c1e468b99d9ffd42ccd1913aa04d1e8bec93b2827cc71a50551ed9450163
- SSDEEP: 6144:FvEN2U+T6i5LirrllHy4HUcMQY66bThVcHs:lENN+T5xYrllrU7QY68Thp
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
  description | ioc | Process
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Executes dropped EXE (4 IoCs)
  pid | Process
  2012 | explorer.exe
  2368 | spoolsv.exe
  2744 | svchost.exe
  2628 | spoolsv.exe
Loads dropped DLL (8 IoCs)
  pid | Process
  1444 | 4bf917aabe6d5488411defae0ebf28e0_NeikiAnalytics.exe
  1444 | 4bf917aabe6d5488411defae0ebf28e0_NeikiAnalytics.exe
  2012 | explorer.exe
  2012 | explorer.exe
  2368 | spoolsv.exe
  2368 | spoolsv.exe
  2744 | svchost.exe
  2744 | svchost.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Drops file in Windows directory (6 IoCs)
  description | ioc | Process
  File opened for modification | \??\c:\windows\system\explorer.exe | 4bf917aabe6d5488411defae0ebf28e0_NeikiAnalytics.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
  File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
  File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  1444 | 4bf917aabe6d5488411defae0ebf28e0_NeikiAnalytics.exe
  2012 | explorer.exe
  2012 | explorer.exe
  2012 | explorer.exe
  2744 | svchost.exe
  2744 | svchost.exe
  2012 | explorer.exe
  2744 | svchost.exe
  2012 | explorer.exe
  2744 | svchost.exe
  2012 | explorer.exe
  2744 | svchost.exe
  2012 | explorer.exe
  2744 | svchost.exe
  2012 | explorer.exe
  2744 | svchost.exe
  2012 | explorer.exe
  2744 | svchost.exe
  2012 | explorer.exe
  2744 | svchost.exe
  2012 | explorer.exe
  2744 | svchost.exe
  2012 | explorer.exe
  2744 | svchost.exe
  2012 | explorer.exe
  2744 | svchost.exe
  2012 | explorer.exe
  2744 | svchost.exe
  2012 | explorer.exe
  2744 | svchost.exe
  2012 | explorer.exe
  2744 | svchost.exe
  2012 | explorer.exe
  2744 | svchost.exe
  2012 | explorer.exe
  2744 | svchost.exe
  2012 | explorer.exe
  2744 | svchost.exe
  2012 | explorer.exe
  2744 | svchost.exe
  2012 | explorer.exe
  2744 | svchost.exe
  2012 | explorer.exe
  2744 | svchost.exe
  2012 | explorer.exe
  2744 | svchost.exe
  2012 | explorer.exe
  2744 | svchost.exe
  2012 | explorer.exe
  2744 | svchost.exe
  2012 | explorer.exe
  2744 | svchost.exe
  2012 | explorer.exe
  2744 | svchost.exe
  2012 | explorer.exe
  2744 | svchost.exe
  2012 | explorer.exe
  2744 | svchost.exe
  2012 | explorer.exe
  2744 | svchost.exe
  2012 | explorer.exe
  2744 | svchost.exe
  2012 | explorer.exe
  2744 | svchost.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | Process
  2012 | explorer.exe
  2744 | svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
  pid | Process
  1444 | 4bf917aabe6d5488411defae0ebf28e0_NeikiAnalytics.exe
  1444 | 4bf917aabe6d5488411defae0ebf28e0_NeikiAnalytics.exe
  2012 | explorer.exe
  2012 | explorer.exe
  2368 | spoolsv.exe
  2368 | spoolsv.exe
  2744 | svchost.exe
  2744 | svchost.exe
  2628 | spoolsv.exe
  2628 | spoolsv.exe
  2012 | explorer.exe
  2012 | explorer.exe
Suspicious use of WriteProcessMemory (28 IoCs)
  description | pid | Process | procid_target
  PID 1444 wrote to memory of 2012 | 1444 | 4bf917aabe6d5488411defae0ebf28e0_NeikiAnalytics.exe | 28
  PID 1444 wrote to memory of 2012 | 1444 | 4bf917aabe6d5488411defae0ebf28e0_NeikiAnalytics.exe | 28
  PID 1444 wrote to memory of 2012 | 1444 | 4bf917aabe6d5488411defae0ebf28e0_NeikiAnalytics.exe | 28
  PID 1444 wrote to memory of 2012 | 1444 | 4bf917aabe6d5488411defae0ebf28e0_NeikiAnalytics.exe | 28
  PID 2012 wrote to memory of 2368 | 2012 | explorer.exe | 29
  PID 2012 wrote to memory of 2368 | 2012 | explorer.exe | 29
  PID 2012 wrote to memory of 2368 | 2012 | explorer.exe | 29
  PID 2012 wrote to memory of 2368 | 2012 | explorer.exe | 29
  PID 2368 wrote to memory of 2744 | 2368 | spoolsv.exe | 30
  PID 2368 wrote to memory of 2744 | 2368 | spoolsv.exe | 30
  PID 2368 wrote to memory of 2744 | 2368 | spoolsv.exe | 30
  PID 2368 wrote to memory of 2744 | 2368 | spoolsv.exe | 30
  PID 2744 wrote to memory of 2628 | 2744 | svchost.exe | 31
  PID 2744 wrote to memory of 2628 | 2744 | svchost.exe | 31
  PID 2744 wrote to memory of 2628 | 2744 | svchost.exe | 31
  PID 2744 wrote to memory of 2628 | 2744 | svchost.exe | 31
  PID 2744 wrote to memory of 2728 | 2744 | svchost.exe | 32
  PID 2744 wrote to memory of 2728 | 2744 | svchost.exe | 32
  PID 2744 wrote to memory of 2728 | 2744 | svchost.exe | 32
  PID 2744 wrote to memory of 2728 | 2744 | svchost.exe | 32
  PID 2744 wrote to memory of 788 | 2744 | svchost.exe | 36
  PID 2744 wrote to memory of 788 | 2744 | svchost.exe | 36
  PID 2744 wrote to memory of 788 | 2744 | svchost.exe | 36
  PID 2744 wrote to memory of 788 | 2744 | svchost.exe | 36
  PID 2744 wrote to memory of 1344 | 2744 | svchost.exe | 38
  PID 2744 wrote to memory of 1344 | 2744 | svchost.exe | 38
  PID 2744 wrote to memory of 1344 | 2744 | svchost.exe | 38
  PID 2744 wrote to memory of 1344 | 2744 | svchost.exe | 38
Processes

C:\Users\Admin\AppData\Local\Temp\4bf917aabe6d5488411defae0ebf28e0_NeikiAnalytics.exe (PID 1444)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4bf917aabe6d5488411defae0ebf28e0_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  \??\c:\windows\system\explorer.exe (PID 2012)
    Command line: c:\windows\system\explorer.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    \??\c:\windows\system\spoolsv.exe (PID 2368)
      Command line: c:\windows\system\spoolsv.exe SE
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      \??\c:\windows\system\svchost.exe (PID 2744)
        Command line: c:\windows\system\svchost.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\system\spoolsv.exe (PID 2628)
          Command line: c:\windows\system\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\at.exe (PID 2728)
          Command line: at 08:41 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

        C:\Windows\SysWOW64\at.exe (PID 788)
          Command line: at 08:42 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

        C:\Windows\SysWOW64\at.exe (PID 1344)
          Command line: at 08:43 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)

Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads