Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/06/2024, 08:38

Static task: static1
Behavioral task: behavioral1
  Sample: 4bf917aabe6d5488411defae0ebf28e0_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 4bf917aabe6d5488411defae0ebf28e0_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en

General
Target: 4bf917aabe6d5488411defae0ebf28e0_NeikiAnalytics.exe
Size: 274KB
MD5: 4bf917aabe6d5488411defae0ebf28e0
SHA1: 4d3f53805b46e3fea83c924264e733c41d0e75f9
SHA256: 8a9ea014b45c6b85e465de1f6120932700031f03bf9a45504220839dfa4534e2
SHA512: f924be78cf218f4aa2a3fa95e1c2f4e47e61f420eaf2b87cbd5037314aa36e1e0824c1e468b99d9ffd42ccd1913aa04d1e8bec93b2827cc71a50551ed9450163
SSDEEP: 6144:FvEN2U+T6i5LirrllHy4HUcMQY66bThVcHs:lENN+T5xYrllrU7QY68Thp
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
- Set value (str) by explorer.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"
- Set value (str) by svchost.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
- Set value (int) by explorer.exe: \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
- Set value (int) by svchost.exe: \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
- Key created by svchost.exe: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}
- Set value (str) by svchost.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"
- Key deleted by svchost.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
- Key created by svchost.exe: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
- Set value (str) by svchost.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"
- Key deleted by svchost.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}
- Key created by explorer.exe: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
- Set value (str) by explorer.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"
Executes dropped EXE (4 IoCs)
- PID 4880 explorer.exe
- PID 4124 spoolsv.exe
- PID 1188 svchost.exe
- PID 2828 spoolsv.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
- Set value (str) by explorer.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"
- Set value (str) by svchost.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"
- Set value (str) by svchost.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"
- Set value (str) by explorer.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"
Drops file in Windows directory (6 IoCs)
- File opened for modification by explorer.exe: \??\c:\windows\system\explorer.exe
- File opened for modification by svchost.exe: \??\c:\windows\system\svchost.exe
- File opened for modification by explorer.exe: C:\Windows\system\udsys.exe
- File opened for modification by 4bf917aabe6d5488411defae0ebf28e0_NeikiAnalytics.exe: \??\c:\windows\system\explorer.exe
- File opened for modification by explorer.exe: \??\c:\windows\system\spoolsv.exe
- File opened for modification by spoolsv.exe: \??\c:\windows\system\svchost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes observed (64 repeated events in total):
- PID 4000 4bf917aabe6d5488411defae0ebf28e0_NeikiAnalytics.exe
- PID 4880 explorer.exe
- PID 1188 svchost.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
- PID 4880 explorer.exe
- PID 1188 svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
- PID 4000 4bf917aabe6d5488411defae0ebf28e0_NeikiAnalytics.exe (2 events)
- PID 4880 explorer.exe (4 events)
- PID 4124 spoolsv.exe (2 events)
- PID 1188 svchost.exe (2 events)
- PID 2828 spoolsv.exe (2 events)
Suspicious use of WriteProcessMemory (21 IoCs)
Each write is recorded three times; source PID, source process and procid_target are as reported:
- PID 4000 (4bf917aabe6d5488411defae0ebf28e0_NeikiAnalytics.exe) wrote to memory of 4880, procid_target 82 (3 events)
- PID 4880 (explorer.exe) wrote to memory of 4124, procid_target 84 (3 events)
- PID 4124 (spoolsv.exe) wrote to memory of 1188, procid_target 86 (3 events)
- PID 1188 (svchost.exe) wrote to memory of 2828, procid_target 88 (3 events)
- PID 1188 (svchost.exe) wrote to memory of 4404, procid_target 89 (3 events)
- PID 1188 (svchost.exe) wrote to memory of 1836, procid_target 100 (3 events)
- PID 1188 (svchost.exe) wrote to memory of 316, procid_target 102 (3 events)
Processes
Process tree (indentation shows parent/child relationship; the number in the original is the depth level):

C:\Users\Admin\AppData\Local\Temp\4bf917aabe6d5488411defae0ebf28e0_NeikiAnalytics.exe (PID 4000)
  cmd: "C:\Users\Admin\AppData\Local\Temp\4bf917aabe6d5488411defae0ebf28e0_NeikiAnalytics.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  \??\c:\windows\system\explorer.exe (PID 4880)
    cmd: c:\windows\system\explorer.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    \??\c:\windows\system\spoolsv.exe (PID 4124)
      cmd: c:\windows\system\spoolsv.exe SE
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      \??\c:\windows\system\svchost.exe (PID 1188)
        cmd: c:\windows\system\svchost.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\system\spoolsv.exe (PID 2828)
          cmd: c:\windows\system\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\at.exe (PID 4404)
          cmd: at 08:41 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

        C:\Windows\SysWOW64\at.exe (PID 1836)
          cmd: at 08:42 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

        C:\Windows\SysWOW64\at.exe (PID 316)
          cmd: at 08:43 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Downloads