69296ab0cb190d814fee224de6fcd14ebf7894b165cc8fec750690559379dc09

General

Target

4651390cce6ca4ff2990897e76a9f150_NeikiAnalytics.exe
Size

66KB
MD5

4651390cce6ca4ff2990897e76a9f150
SHA1

6844d704a06807b18016cffadc359861aafcc239
SHA256

69296ab0cb190d814fee224de6fcd14ebf7894b165cc8fec750690559379dc09
SHA512

599fbedb0db8895a4a2508b57bb868ee80cad5c5bcaea71822bcee2bb345dc41af313c3e3142bc67ead20a45d349baca6b0b05c8ac549b1ccecf6890567cc0ab
SSDEEP

1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXiv:IeklMMYJhqezw/pXzH9iv

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4920	explorer.exe
4444	spoolsv.exe
1576	svchost.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	4651390cce6ca4ff2990897e76a9f150_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4948	4651390cce6ca4ff2990897e76a9f150_NeikiAnalytics.exe
4948	4651390cce6ca4ff2990897e76a9f150_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4948	4651390cce6ca4ff2990897e76a9f150_NeikiAnalytics.exe
4948	4651390cce6ca4ff2990897e76a9f150_NeikiAnalytics.exe
4920	explorer.exe
4920	explorer.exe
4444	spoolsv.exe
4444	spoolsv.exe
1576	svchost.exe
1576	svchost.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 4920	4948	4651390cce6ca4ff2990897e76a9f150_NeikiAnalytics.exe	81
PID 4948 wrote to memory of 4920	4948	4651390cce6ca4ff2990897e76a9f150_NeikiAnalytics.exe	81
PID 4948 wrote to memory of 4920	4948	4651390cce6ca4ff2990897e76a9f150_NeikiAnalytics.exe	81
PID 4920 wrote to memory of 4444	4920	explorer.exe	82
PID 4920 wrote to memory of 4444	4920	explorer.exe	82
PID 4920 wrote to memory of 4444	4920	explorer.exe	82
PID 4444 wrote to memory of 1576	4444	spoolsv.exe	84
PID 4444 wrote to memory of 1576	4444	spoolsv.exe	84
PID 4444 wrote to memory of 1576	4444	spoolsv.exe	84

C:\Users\Admin\AppData\Local\Temp\4651390cce6ca4ff2990897e76a9f150_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4651390cce6ca4ff2990897e76a9f150_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4948
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4920
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4444
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1576
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        
        PID:372
    - - C:\Windows\SysWOW64\at.exe
        
        at 08:58 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1724
    - - C:\Windows\SysWOW64\at.exe
        
        at 08:59 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:4668
    - - C:\Windows\SysWOW64\at.exe
        
        at 09:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
66KB

MD5
8f362b64906487a94f6a35d9759b854f

SHA1
9f02d81db9601d2471bf268f25345e073acda525

SHA256
bff3bc79bc4f358f97b1461687a05e98b34cf0b5879dd6368822457f744a5359

SHA512
7b5b183e32b19a428a1d39bfd5599b1ec0a206de7d0740fb38922c59b265fdebdbc965f878d6046cf48d5686327c2693bf9fe5ad06ab934a3aa33dac453f5ab8

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
66KB

MD5
d21de824660d074abeaaa3b002df005b

SHA1
1a5901535935eb67aea5a060cfc553a55f0f0526

SHA256
9fbef1ad11b07f814270fd611593434bbeb0ff1eb6f532ad453d7e938b7f6352

SHA512
31cda993d421fed6a79b73ec031f39292394fd4198e16f1b1f24e2f5a991548e7732c217a37b1dc83a2e01c2e092dc9c62c7bd91b442e0f4a847e839035ef650

Download Submit
\??\c:\windows\system\explorer.exe

Filesize
66KB

MD5
3d56421f5c56752e8f58d7b260f8d375

SHA1
6adc588e6b391e4e995ed3c0cde7f3de9264e0bf

SHA256
3f472cd1a8c1c537883c4af74bb66655127658854d7ea262024ce1ba238d0162

SHA512
dd4c3a6bfacc59350a09ce9cc263252f1bb676e55bcbd9b85ce50fb82ec762638c85fd6778f1053a783b1c77a8d2ce8df262ad57da4addac76fdd5106d242d37

Download Submit
\??\c:\windows\system\svchost.exe

Filesize
66KB

MD5
b063f4906f019c7179f9c31a79a78792

SHA1
6d5c67e568b8cec023190d944d572b0a56310772

SHA256
3bf17da7e412c31dc28fb37d974f9b59f5ac9d4df3590b1e244c51f45275587f

SHA512
6b7060b5a4bcef0bfc3718d75092ab14bba9be8de82dc4cfba7c5bd469f8be1f5b9595870ed504783ef345780ed03e8487f7c0c9ec2d6c2b1f2a00ab4472325a

Download Submit
memory/372-52-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/372-44-0x0000000075370000-0x00000000754CD000-memory.dmp

Filesize
1.4MB

Download
memory/1576-37-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1576-60-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1576-38-0x0000000075370000-0x00000000754CD000-memory.dmp

Filesize
1.4MB

Download
memory/4444-31-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4444-53-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4444-26-0x0000000075370000-0x00000000754CD000-memory.dmp

Filesize
1.4MB

Download
memory/4920-19-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4920-14-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4920-15-0x0000000075370000-0x00000000754CD000-memory.dmp

Filesize
1.4MB

Download
memory/4920-13-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4920-58-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4920-69-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4948-2-0x0000000075370000-0x00000000754CD000-memory.dmp

Filesize
1.4MB

Download
memory/4948-55-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/4948-5-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/4948-3-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4948-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

Filesize
16KB

Download
memory/4948-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4948-56-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing