fe81b64b2e4bb74f0c344bf3af29d8e2547ce9f01da369049d4dbda0fa71a451

Analysis

max time kernel
150s
max time network
117s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/06/2024, 11:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f3904b52ff24800975b5ddea8ecd200_NeikiAnalytics.exe
Size

65KB
MD5

0f3904b52ff24800975b5ddea8ecd200
SHA1

54620573d395f664f748aa1ec00e9914d0af5ca3
SHA256

fe81b64b2e4bb74f0c344bf3af29d8e2547ce9f01da369049d4dbda0fa71a451
SHA512

1d9d306df50113ebf552c9175423f330fb55b56c8234e7b16441bdd1b1010431a9a4c90af12a93b26b8b06c3edecda952334a33bc0d24fcc6b9521eebec0d665
SSDEEP

1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/Ouu:7WNqkOJWmo1HpM0MkTUmuu

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2908	explorer.exe
2532	spoolsv.exe
2868	svchost.exe
2460	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
1616	0f3904b52ff24800975b5ddea8ecd200_NeikiAnalytics.exe
1616	0f3904b52ff24800975b5ddea8ecd200_NeikiAnalytics.exe
2908	explorer.exe
2908	explorer.exe
2532	spoolsv.exe
2532	spoolsv.exe
2868	svchost.exe
2868	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	0f3904b52ff24800975b5ddea8ecd200_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1616	0f3904b52ff24800975b5ddea8ecd200_NeikiAnalytics.exe
2908	explorer.exe
2908	explorer.exe
2908	explorer.exe
2868	svchost.exe
2868	svchost.exe
2908	explorer.exe
2868	svchost.exe
2908	explorer.exe
2868	svchost.exe
2908	explorer.exe
2868	svchost.exe
2908	explorer.exe
2868	svchost.exe
2908	explorer.exe
2868	svchost.exe
2908	explorer.exe
2868	svchost.exe
2908	explorer.exe
2868	svchost.exe
2908	explorer.exe
2868	svchost.exe
2908	explorer.exe
2868	svchost.exe
2908	explorer.exe
2868	svchost.exe
2908	explorer.exe
2868	svchost.exe
2908	explorer.exe
2868	svchost.exe
2908	explorer.exe
2868	svchost.exe
2908	explorer.exe
2868	svchost.exe
2908	explorer.exe
2868	svchost.exe
2908	explorer.exe
2868	svchost.exe
2908	explorer.exe
2868	svchost.exe
2908	explorer.exe
2868	svchost.exe
2908	explorer.exe
2868	svchost.exe
2908	explorer.exe
2868	svchost.exe
2908	explorer.exe
2868	svchost.exe
2908	explorer.exe
2868	svchost.exe
2908	explorer.exe
2868	svchost.exe
2908	explorer.exe
2868	svchost.exe
2908	explorer.exe
2868	svchost.exe
2908	explorer.exe
2868	svchost.exe
2908	explorer.exe
2868	svchost.exe
2908	explorer.exe
2868	svchost.exe
2908	explorer.exe
2868	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2908	explorer.exe
2868	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1616	0f3904b52ff24800975b5ddea8ecd200_NeikiAnalytics.exe
1616	0f3904b52ff24800975b5ddea8ecd200_NeikiAnalytics.exe
2908	explorer.exe
2908	explorer.exe
2532	spoolsv.exe
2532	spoolsv.exe
2868	svchost.exe
2868	svchost.exe
2460	spoolsv.exe
2460	spoolsv.exe
2908	explorer.exe
2908	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 2908	1616	0f3904b52ff24800975b5ddea8ecd200_NeikiAnalytics.exe	28
PID 1616 wrote to memory of 2908	1616	0f3904b52ff24800975b5ddea8ecd200_NeikiAnalytics.exe	28
PID 1616 wrote to memory of 2908	1616	0f3904b52ff24800975b5ddea8ecd200_NeikiAnalytics.exe	28
PID 1616 wrote to memory of 2908	1616	0f3904b52ff24800975b5ddea8ecd200_NeikiAnalytics.exe	28
PID 2908 wrote to memory of 2532	2908	explorer.exe	29
PID 2908 wrote to memory of 2532	2908	explorer.exe	29
PID 2908 wrote to memory of 2532	2908	explorer.exe	29
PID 2908 wrote to memory of 2532	2908	explorer.exe	29
PID 2532 wrote to memory of 2868	2532	spoolsv.exe	30
PID 2532 wrote to memory of 2868	2532	spoolsv.exe	30
PID 2532 wrote to memory of 2868	2532	spoolsv.exe	30
PID 2532 wrote to memory of 2868	2532	spoolsv.exe	30
PID 2868 wrote to memory of 2460	2868	svchost.exe	31
PID 2868 wrote to memory of 2460	2868	svchost.exe	31
PID 2868 wrote to memory of 2460	2868	svchost.exe	31
PID 2868 wrote to memory of 2460	2868	svchost.exe	31
PID 2868 wrote to memory of 2292	2868	svchost.exe	32
PID 2868 wrote to memory of 2292	2868	svchost.exe	32
PID 2868 wrote to memory of 2292	2868	svchost.exe	32
PID 2868 wrote to memory of 2292	2868	svchost.exe	32
PID 2868 wrote to memory of 3040	2868	svchost.exe	36
PID 2868 wrote to memory of 3040	2868	svchost.exe	36
PID 2868 wrote to memory of 3040	2868	svchost.exe	36
PID 2868 wrote to memory of 3040	2868	svchost.exe	36
PID 2868 wrote to memory of 1004	2868	svchost.exe	38
PID 2868 wrote to memory of 1004	2868	svchost.exe	38
PID 2868 wrote to memory of 1004	2868	svchost.exe	38
PID 2868 wrote to memory of 1004	2868	svchost.exe	38

C:\Users\Admin\AppData\Local\Temp\0f3904b52ff24800975b5ddea8ecd200_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0f3904b52ff24800975b5ddea8ecd200_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1616
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2908
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2868
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2460
    - - C:\Windows\SysWOW64\at.exe
        
        at 11:48 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2292
    - - C:\Windows\SysWOW64\at.exe
        
        at 11:49 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:3040
    - - C:\Windows\SysWOW64\at.exe
        
        at 11:50 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
65KB

MD5
4db8582e5bd3869eff413547ce73cac8

SHA1
80990f161ffc3a62eb723a596425ded8566b51e8

SHA256
b498d67e571da75b02d21f858e60847adf4c1e816c92bf9e29eda4fb04b90e8f

SHA512
50bea521708169fda5ae53377d422e002312b2e7ae4a47d0c40f7aa8a8e29f72bea74215c0f1146828c967264beef1fd639732ef5f70c5f7991c3cececc2cbf8

Download Submit
\Windows\system\explorer.exe

Filesize
65KB

MD5
ddaf1fc340658040b5af249c24c0524d

SHA1
47ad90975ef17760f1280868e49f328d20662c52

SHA256
53e76238905cc20141826ac40cbf17c26bcd070b73a79b9ca1c2c5ca345ae16f

SHA512
ce329b08ac510bf5a06d6d4e3a86574bf33d2e1f840f6bf8622588c3c80636a44847a1e89fe7088be611f1858cf09968583a45f610951067e0a8fad52c6af15e

Download Submit
\Windows\system\spoolsv.exe

Filesize
65KB

MD5
67d57216eb97b81d5e87c31415e9cd93

SHA1
7d0944af0b3d95953bf6b183031391cafa841382

SHA256
117f81bbebe9f86fa23fe6fd5e7bc2c03c56cbbe434e499824a626e4bdf331b1

SHA512
16a1cbe3adb141bf517b8685a3b5e7e317efe71790102d329f024807b395ba81218403b0930e8bcc21f02112535a7f4c4d4b016c285ad9ec70c9a8335dac5fc6

Download Submit
\Windows\system\svchost.exe

Filesize
65KB

MD5
19bcaf0014e1650baef099b5516173d0

SHA1
c9c0e138fd056d98bdca4e6b77d05f9fba618bd1

SHA256
787a6667b5ab47053b7be14b26613f64fb9164df7d848a1012cf3b01bc48fb9c

SHA512
da9eb522881fd9b072dd5808e03a7a1d4e9c5d14c98ae9a67ee575afc082341e89328af21eebcd0417bfac4ef9aa8ac5081354da056a628515603bd144765411

Download Submit
memory/1616-17-0x00000000032B0000-0x00000000032E1000-memory.dmp

Filesize
196KB

Download
memory/1616-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1616-1-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/1616-2-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1616-3-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1616-75-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1616-76-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/1616-4-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/2460-64-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2460-70-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2532-54-0x0000000001DD0000-0x0000000001E01000-memory.dmp

Filesize
196KB

Download
memory/2532-37-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2532-74-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2532-52-0x0000000001DD0000-0x0000000001E01000-memory.dmp

Filesize
196KB

Download
memory/2868-55-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2868-53-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2868-80-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2908-18-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2908-35-0x00000000026F0000-0x0000000002721000-memory.dmp

Filesize
196KB

Download
memory/2908-36-0x00000000026F0000-0x0000000002721000-memory.dmp

Filesize
196KB

Download
memory/2908-19-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2908-78-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2908-89-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2908-21-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download