54f8b7b8425de0a32dae205e31fcf0085a3a4c283d2b1f6db75e03657e7d6aa6

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
08/06/2024, 04:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ab942052b9554564259fdef3f654d20_NeikiAnalytics.exe
Size

66KB
MD5

8ab942052b9554564259fdef3f654d20
SHA1

579a2642b8fcc530e058f695ececf04e28414642
SHA256

54f8b7b8425de0a32dae205e31fcf0085a3a4c283d2b1f6db75e03657e7d6aa6
SHA512

957dcc11e0100be4bea7ff4f75d9d037b788694cdc9906c6539ea56e1368aaf921205850c8634e035f5ef5e78c0a9713ca81cc09333a3da78ba845bb6a103332
SSDEEP

1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXix:IeklMMYJhqezw/pXzH9ix

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2080	explorer.exe
2660	spoolsv.exe
2652	svchost.exe
2492	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
3012	8ab942052b9554564259fdef3f654d20_NeikiAnalytics.exe
3012	8ab942052b9554564259fdef3f654d20_NeikiAnalytics.exe
2080	explorer.exe
2080	explorer.exe
2660	spoolsv.exe
2660	spoolsv.exe
2652	svchost.exe
2652	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	8ab942052b9554564259fdef3f654d20_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3012	8ab942052b9554564259fdef3f654d20_NeikiAnalytics.exe
2080	explorer.exe
2080	explorer.exe
2080	explorer.exe
2080	explorer.exe
2652	svchost.exe
2652	svchost.exe
2080	explorer.exe
2652	svchost.exe
2652	svchost.exe
2080	explorer.exe
2652	svchost.exe
2080	explorer.exe
2080	explorer.exe
2652	svchost.exe
2652	svchost.exe
2080	explorer.exe
2652	svchost.exe
2080	explorer.exe
2080	explorer.exe
2652	svchost.exe
2080	explorer.exe
2652	svchost.exe
2080	explorer.exe
2652	svchost.exe
2652	svchost.exe
2080	explorer.exe
2080	explorer.exe
2652	svchost.exe
2652	svchost.exe
2080	explorer.exe
2080	explorer.exe
2652	svchost.exe
2080	explorer.exe
2652	svchost.exe
2080	explorer.exe
2652	svchost.exe
2652	svchost.exe
2080	explorer.exe
2080	explorer.exe
2652	svchost.exe
2080	explorer.exe
2652	svchost.exe
2080	explorer.exe
2652	svchost.exe
2652	svchost.exe
2080	explorer.exe
2080	explorer.exe
2652	svchost.exe
2652	svchost.exe
2080	explorer.exe
2080	explorer.exe
2652	svchost.exe
2080	explorer.exe
2652	svchost.exe
2652	svchost.exe
2080	explorer.exe
2080	explorer.exe
2652	svchost.exe
2080	explorer.exe
2652	svchost.exe
2080	explorer.exe
2652	svchost.exe
2652	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2080	explorer.exe
2652	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3012	8ab942052b9554564259fdef3f654d20_NeikiAnalytics.exe
3012	8ab942052b9554564259fdef3f654d20_NeikiAnalytics.exe
2080	explorer.exe
2080	explorer.exe
2660	spoolsv.exe
2660	spoolsv.exe
2652	svchost.exe
2652	svchost.exe
2492	spoolsv.exe
2492	spoolsv.exe
2080	explorer.exe
2080	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2080	3012	8ab942052b9554564259fdef3f654d20_NeikiAnalytics.exe	28
PID 3012 wrote to memory of 2080	3012	8ab942052b9554564259fdef3f654d20_NeikiAnalytics.exe	28
PID 3012 wrote to memory of 2080	3012	8ab942052b9554564259fdef3f654d20_NeikiAnalytics.exe	28
PID 3012 wrote to memory of 2080	3012	8ab942052b9554564259fdef3f654d20_NeikiAnalytics.exe	28
PID 2080 wrote to memory of 2660	2080	explorer.exe	29
PID 2080 wrote to memory of 2660	2080	explorer.exe	29
PID 2080 wrote to memory of 2660	2080	explorer.exe	29
PID 2080 wrote to memory of 2660	2080	explorer.exe	29
PID 2660 wrote to memory of 2652	2660	spoolsv.exe	30
PID 2660 wrote to memory of 2652	2660	spoolsv.exe	30
PID 2660 wrote to memory of 2652	2660	spoolsv.exe	30
PID 2660 wrote to memory of 2652	2660	spoolsv.exe	30
PID 2652 wrote to memory of 2492	2652	svchost.exe	31
PID 2652 wrote to memory of 2492	2652	svchost.exe	31
PID 2652 wrote to memory of 2492	2652	svchost.exe	31
PID 2652 wrote to memory of 2492	2652	svchost.exe	31
PID 2652 wrote to memory of 112	2652	svchost.exe	32
PID 2652 wrote to memory of 112	2652	svchost.exe	32
PID 2652 wrote to memory of 112	2652	svchost.exe	32
PID 2652 wrote to memory of 112	2652	svchost.exe	32
PID 2652 wrote to memory of 1396	2652	svchost.exe	36
PID 2652 wrote to memory of 1396	2652	svchost.exe	36
PID 2652 wrote to memory of 1396	2652	svchost.exe	36
PID 2652 wrote to memory of 1396	2652	svchost.exe	36
PID 2652 wrote to memory of 2432	2652	svchost.exe	38
PID 2652 wrote to memory of 2432	2652	svchost.exe	38
PID 2652 wrote to memory of 2432	2652	svchost.exe	38
PID 2652 wrote to memory of 2432	2652	svchost.exe	38

C:\Users\Admin\AppData\Local\Temp\8ab942052b9554564259fdef3f654d20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8ab942052b9554564259fdef3f654d20_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3012
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2080
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2652
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2492
    - - C:\Windows\SysWOW64\at.exe
        
        at 04:15 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:112
    - - C:\Windows\SysWOW64\at.exe
        
        at 04:16 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1396
    - - C:\Windows\SysWOW64\at.exe
        
        at 04:17 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
66KB

MD5
8fb645eae23f7c9ff05bb974ce01bc61

SHA1
620e3e7d0afed43b2c44224b43db714e4a857c6d

SHA256
3e64056615104d2a0944dac1f4f4e26440cc86ce6d8e60bfa90e14e662f2bf8c

SHA512
4823cb6c08f675083c2d2ad74ca6c66cdc243e1c09c05b97786ec4aa7aa63e6e7b87e6072dc5b5c2979f51cccfb3386a0849036a03cda842498c8241a75fa79f

Download Submit
\??\c:\windows\system\svchost.exe

Filesize
66KB

MD5
59df6c5bae0ddd36258446cdfbcb1700

SHA1
7cd6be15be2104395a92fa046d3c88ecc1951672

SHA256
c9c96394cc5bf7504a99601a7e38ff187fad8f8e89913fbffda5153c81d00942

SHA512
c8557072308ef5ef923f6caaa316d86762ac531a3b64d48edd8101403dfcd842ff5c85a010f052e3ff3bf5c6bcbf54b5700a44608d57c7832aae5eb178a20d34

Download Submit
\Windows\system\explorer.exe

Filesize
66KB

MD5
486d898495c50e0fc6416045b3405e6f

SHA1
8c624d86c152b489f2ca5b1684efe9406d568905

SHA256
224151918131686295d86127b7221328bb78ce7c3a2d48a070558886ce527f40

SHA512
3c578cfde6c8afd0a7c09b030b251955dbd48e15bdd360a28377904ce7410a3f52847f682ad97394804b7a06acdc040da4119af01ac10246e38004400bc8a2d6

Download Submit
\Windows\system\spoolsv.exe

Filesize
66KB

MD5
91e69a6d3ca2782379ec7d92e586a9f2

SHA1
8298b002566675a447d5f1a1605d9dc2c48e7798

SHA256
75bfdbda12b3d125efbac12b90cc3fad63550f3ebef868599bc034eef61eb29b

SHA512
011c4caf4a35117fa1233b1ecbec60289aca5da6e8bc4fc911e14a8380e14e770eb08a43643a35784383d8295b77651c1e401cc1a29f06493640f47cc888f378

Download Submit
memory/2080-94-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2080-83-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2080-21-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2080-82-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2080-19-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2080-20-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2080-23-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2492-67-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2492-73-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2652-57-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2652-55-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2652-85-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2652-61-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2660-38-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2660-37-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2660-78-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2660-44-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3012-3-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3012-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3012-54-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/3012-5-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/3012-56-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/3012-79-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3012-18-0x0000000002600000-0x0000000002631000-memory.dmp

Filesize
196KB

Download
memory/3012-1-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/3012-2-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/3012-80-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/3012-11-0x0000000002600000-0x0000000002631000-memory.dmp

Filesize
196KB

Download