f15148c30cf48abc24bdd03f6724b8ffc88b30463277367fdb9b85b4a3203c62

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
07/06/2024, 08:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

46671b8c2835cfcd4eb2bf83f3f7d4a0_NeikiAnalytics.exe
Size

224KB
MD5

46671b8c2835cfcd4eb2bf83f3f7d4a0
SHA1

8d8364460bcff84e32a9ead55be251b65b628ad2
SHA256

f15148c30cf48abc24bdd03f6724b8ffc88b30463277367fdb9b85b4a3203c62
SHA512

7a4d9b18a6b506f8b75999a43fd429fb6560de8fd240293c38bb9b084c1088868888b91d6188e1cbbc96638c6818f3a262dfc2bb1a929482cf6b16bf79b10199
SSDEEP

3072:PvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6uoyVPHSw3u/:PvEN2U+T6i5LirrllHy4HUcMQY6YVP38

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
3020	explorer.exe
2624	spoolsv.exe
2644	svchost.exe
2788	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
2848	46671b8c2835cfcd4eb2bf83f3f7d4a0_NeikiAnalytics.exe
2848	46671b8c2835cfcd4eb2bf83f3f7d4a0_NeikiAnalytics.exe
3020	explorer.exe
3020	explorer.exe
2624	spoolsv.exe
2624	spoolsv.exe
2644	svchost.exe
2644	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	46671b8c2835cfcd4eb2bf83f3f7d4a0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2848	46671b8c2835cfcd4eb2bf83f3f7d4a0_NeikiAnalytics.exe
3020	explorer.exe
3020	explorer.exe
3020	explorer.exe
2644	svchost.exe
2644	svchost.exe
3020	explorer.exe
2644	svchost.exe
3020	explorer.exe
2644	svchost.exe
3020	explorer.exe
2644	svchost.exe
3020	explorer.exe
2644	svchost.exe
3020	explorer.exe
2644	svchost.exe
3020	explorer.exe
2644	svchost.exe
3020	explorer.exe
2644	svchost.exe
3020	explorer.exe
2644	svchost.exe
3020	explorer.exe
2644	svchost.exe
3020	explorer.exe
2644	svchost.exe
3020	explorer.exe
2644	svchost.exe
3020	explorer.exe
2644	svchost.exe
3020	explorer.exe
2644	svchost.exe
3020	explorer.exe
2644	svchost.exe
3020	explorer.exe
2644	svchost.exe
3020	explorer.exe
2644	svchost.exe
3020	explorer.exe
2644	svchost.exe
3020	explorer.exe
2644	svchost.exe
3020	explorer.exe
2644	svchost.exe
3020	explorer.exe
2644	svchost.exe
3020	explorer.exe
2644	svchost.exe
3020	explorer.exe
2644	svchost.exe
3020	explorer.exe
2644	svchost.exe
3020	explorer.exe
2644	svchost.exe
3020	explorer.exe
2644	svchost.exe
3020	explorer.exe
2644	svchost.exe
3020	explorer.exe
2644	svchost.exe
3020	explorer.exe
2644	svchost.exe
3020	explorer.exe
2644	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3020	explorer.exe
2644	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2848	46671b8c2835cfcd4eb2bf83f3f7d4a0_NeikiAnalytics.exe
2848	46671b8c2835cfcd4eb2bf83f3f7d4a0_NeikiAnalytics.exe
3020	explorer.exe
3020	explorer.exe
2624	spoolsv.exe
2624	spoolsv.exe
2644	svchost.exe
2644	svchost.exe
2788	spoolsv.exe
2788	spoolsv.exe
3020	explorer.exe
3020	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 3020	2848	46671b8c2835cfcd4eb2bf83f3f7d4a0_NeikiAnalytics.exe	28
PID 2848 wrote to memory of 3020	2848	46671b8c2835cfcd4eb2bf83f3f7d4a0_NeikiAnalytics.exe	28
PID 2848 wrote to memory of 3020	2848	46671b8c2835cfcd4eb2bf83f3f7d4a0_NeikiAnalytics.exe	28
PID 2848 wrote to memory of 3020	2848	46671b8c2835cfcd4eb2bf83f3f7d4a0_NeikiAnalytics.exe	28
PID 3020 wrote to memory of 2624	3020	explorer.exe	29
PID 3020 wrote to memory of 2624	3020	explorer.exe	29
PID 3020 wrote to memory of 2624	3020	explorer.exe	29
PID 3020 wrote to memory of 2624	3020	explorer.exe	29
PID 2624 wrote to memory of 2644	2624	spoolsv.exe	30
PID 2624 wrote to memory of 2644	2624	spoolsv.exe	30
PID 2624 wrote to memory of 2644	2624	spoolsv.exe	30
PID 2624 wrote to memory of 2644	2624	spoolsv.exe	30
PID 2644 wrote to memory of 2788	2644	svchost.exe	31
PID 2644 wrote to memory of 2788	2644	svchost.exe	31
PID 2644 wrote to memory of 2788	2644	svchost.exe	31
PID 2644 wrote to memory of 2788	2644	svchost.exe	31
PID 2644 wrote to memory of 2524	2644	svchost.exe	32
PID 2644 wrote to memory of 2524	2644	svchost.exe	32
PID 2644 wrote to memory of 2524	2644	svchost.exe	32
PID 2644 wrote to memory of 2524	2644	svchost.exe	32
PID 2644 wrote to memory of 1280	2644	svchost.exe	36
PID 2644 wrote to memory of 1280	2644	svchost.exe	36
PID 2644 wrote to memory of 1280	2644	svchost.exe	36
PID 2644 wrote to memory of 1280	2644	svchost.exe	36
PID 2644 wrote to memory of 2140	2644	svchost.exe	38
PID 2644 wrote to memory of 2140	2644	svchost.exe	38
PID 2644 wrote to memory of 2140	2644	svchost.exe	38
PID 2644 wrote to memory of 2140	2644	svchost.exe	38

C:\Users\Admin\AppData\Local\Temp\46671b8c2835cfcd4eb2bf83f3f7d4a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\46671b8c2835cfcd4eb2bf83f3f7d4a0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2848
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3020
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2644
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2788
    - - C:\Windows\SysWOW64\at.exe
        
        at 08:44 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2524
    - - C:\Windows\SysWOW64\at.exe
        
        at 08:45 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1280
    - - C:\Windows\SysWOW64\at.exe
        
        at 08:46 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
224KB

MD5
9174ff7bed9b7fb42f32aa479b5a79f6

SHA1
da700545f58f29279901d3b6738bed9f65d3a01a

SHA256
fbd53106af98558ea8f296d198635396b62e74896fe430eb9cc7d32d020fb431

SHA512
175b71c4b758672eceded6ffd74e148a509daa54fafe44abf27f7f40bba960f18b10a05a292a294e92a32c764e8855bdcf1aacbfb97537cdd295c08a8aa94f0f

Download Submit
\Windows\system\explorer.exe

Filesize
224KB

MD5
4c474fb55f79fe5b0c3360be0078181f

SHA1
809a6ab69559c2ade3aa7e5c45fc4a793fa12079

SHA256
36679bbe5e35f816a9f8c04f913855b575c84e0d3c18b6e94c8b08f7f4b5ac0e

SHA512
3e3b2ed64ec1893431cc2cdee2f06eb69a62892e60dfdeb168cefed6bfb7fcc6c4c8ba9425ff24651d73d429313fcba86cb3e7289f721bc32ca31d09503bb3bc

Download Submit
\Windows\system\spoolsv.exe

Filesize
224KB

MD5
78ea550d5174ecb060274c8f9a9dab04

SHA1
ce8be3fb8d92b5dafe4ca15e91a640087816cfc2

SHA256
e632a874df761b4e9d52907572fbda4ec1daeda8df0ea661b7e377d166f4fa71

SHA512
817e0bac1a915de063b05b5a4c08d9187fff022c6d3f8f8ddd66a8a3527da47d6b94fbd2f0b5b3c8491f609afca33fe358f2c1090c5222ca4c1304381a66ecbf

Download Submit
\Windows\system\svchost.exe

Filesize
224KB

MD5
486c27de8ce7db79c216936d1b9f85a4

SHA1
222fce2a52edcf812cd238f5dcf9ac3230d99b1a

SHA256
3a0b9db84fffd2daf6d5d44109f5341b7bba7efe8ec6f74fe27fd7297223cb87

SHA512
d5594e89dd71c73db1957f921c881b5415cc96f240c1c725887adbaec4dbdf85987e24fd13a7d52fdd4cc560887b1eeda54483949ca6e10f157e62e9c3157aae

Download Submit
memory/2624-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-12-0x0000000001DA0000-0x0000000001DD3000-memory.dmp

Filesize
204KB

Download
memory/2848-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-28-0x00000000026F0000-0x0000000002723000-memory.dmp

Filesize
204KB

Download