8c1446154d9ff5adfad2e4cbccf641b5e105e4cb820feb842c2d793e70b0e6f7

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/06/2024, 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

934c6395fdbfaf3618cd75df51678720_NeikiAnalytics.exe
Size

206KB
MD5

934c6395fdbfaf3618cd75df51678720
SHA1

c24a012dc29e5d927a0ce107c5b68357faa4404e
SHA256

8c1446154d9ff5adfad2e4cbccf641b5e105e4cb820feb842c2d793e70b0e6f7
SHA512

86c1dbe6a66ffa7e81495891f56d84a2e93cb9c21ece76fc72f436a581558d5c92fe1bb2e2c87c41b76021f8c4d0f4350ad14fb9d7cbdf2aa58bcd446e1e794b
SSDEEP

3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unY:5vEN2U+T6i5LirrllHy4HUcMQY67

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
2736	explorer.exe
2672	spoolsv.exe
2740	svchost.exe
2692	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
1312	934c6395fdbfaf3618cd75df51678720_NeikiAnalytics.exe
1312	934c6395fdbfaf3618cd75df51678720_NeikiAnalytics.exe
2736	explorer.exe
2736	explorer.exe
2672	spoolsv.exe
2672	spoolsv.exe
2740	svchost.exe
2740	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	934c6395fdbfaf3618cd75df51678720_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1312	934c6395fdbfaf3618cd75df51678720_NeikiAnalytics.exe
2736	explorer.exe
2736	explorer.exe
2736	explorer.exe
2740	svchost.exe
2740	svchost.exe
2736	explorer.exe
2740	svchost.exe
2736	explorer.exe
2740	svchost.exe
2736	explorer.exe
2740	svchost.exe
2736	explorer.exe
2740	svchost.exe
2736	explorer.exe
2740	svchost.exe
2736	explorer.exe
2740	svchost.exe
2736	explorer.exe
2740	svchost.exe
2736	explorer.exe
2740	svchost.exe
2736	explorer.exe
2740	svchost.exe
2736	explorer.exe
2740	svchost.exe
2736	explorer.exe
2740	svchost.exe
2736	explorer.exe
2740	svchost.exe
2736	explorer.exe
2740	svchost.exe
2736	explorer.exe
2740	svchost.exe
2736	explorer.exe
2740	svchost.exe
2736	explorer.exe
2740	svchost.exe
2736	explorer.exe
2740	svchost.exe
2736	explorer.exe
2740	svchost.exe
2736	explorer.exe
2740	svchost.exe
2736	explorer.exe
2740	svchost.exe
2736	explorer.exe
2740	svchost.exe
2736	explorer.exe
2740	svchost.exe
2736	explorer.exe
2740	svchost.exe
2736	explorer.exe
2740	svchost.exe
2736	explorer.exe
2740	svchost.exe
2736	explorer.exe
2740	svchost.exe
2736	explorer.exe
2740	svchost.exe
2736	explorer.exe
2740	svchost.exe
2736	explorer.exe
2740	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2736	explorer.exe
2740	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1312	934c6395fdbfaf3618cd75df51678720_NeikiAnalytics.exe
1312	934c6395fdbfaf3618cd75df51678720_NeikiAnalytics.exe
2736	explorer.exe
2736	explorer.exe
2672	spoolsv.exe
2672	spoolsv.exe
2740	svchost.exe
2740	svchost.exe
2692	spoolsv.exe
2692	spoolsv.exe
2736	explorer.exe
2736	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 2736	1312	934c6395fdbfaf3618cd75df51678720_NeikiAnalytics.exe	28
PID 1312 wrote to memory of 2736	1312	934c6395fdbfaf3618cd75df51678720_NeikiAnalytics.exe	28
PID 1312 wrote to memory of 2736	1312	934c6395fdbfaf3618cd75df51678720_NeikiAnalytics.exe	28
PID 1312 wrote to memory of 2736	1312	934c6395fdbfaf3618cd75df51678720_NeikiAnalytics.exe	28
PID 2736 wrote to memory of 2672	2736	explorer.exe	29
PID 2736 wrote to memory of 2672	2736	explorer.exe	29
PID 2736 wrote to memory of 2672	2736	explorer.exe	29
PID 2736 wrote to memory of 2672	2736	explorer.exe	29
PID 2672 wrote to memory of 2740	2672	spoolsv.exe	30
PID 2672 wrote to memory of 2740	2672	spoolsv.exe	30
PID 2672 wrote to memory of 2740	2672	spoolsv.exe	30
PID 2672 wrote to memory of 2740	2672	spoolsv.exe	30
PID 2740 wrote to memory of 2692	2740	svchost.exe	31
PID 2740 wrote to memory of 2692	2740	svchost.exe	31
PID 2740 wrote to memory of 2692	2740	svchost.exe	31
PID 2740 wrote to memory of 2692	2740	svchost.exe	31
PID 2740 wrote to memory of 2468	2740	svchost.exe	32
PID 2740 wrote to memory of 2468	2740	svchost.exe	32
PID 2740 wrote to memory of 2468	2740	svchost.exe	32
PID 2740 wrote to memory of 2468	2740	svchost.exe	32
PID 2740 wrote to memory of 1804	2740	svchost.exe	36
PID 2740 wrote to memory of 1804	2740	svchost.exe	36
PID 2740 wrote to memory of 1804	2740	svchost.exe	36
PID 2740 wrote to memory of 1804	2740	svchost.exe	36
PID 2740 wrote to memory of 1760	2740	svchost.exe	38
PID 2740 wrote to memory of 1760	2740	svchost.exe	38
PID 2740 wrote to memory of 1760	2740	svchost.exe	38
PID 2740 wrote to memory of 1760	2740	svchost.exe	38

C:\Users\Admin\AppData\Local\Temp\934c6395fdbfaf3618cd75df51678720_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\934c6395fdbfaf3618cd75df51678720_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1312
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2736
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2740
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2692
    - - C:\Windows\SysWOW64\at.exe
        
        at 06:17 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2468
    - - C:\Windows\SysWOW64\at.exe
        
        at 06:18 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1804
    - - C:\Windows\SysWOW64\at.exe
        
        at 06:19 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
60db2f15985ce0291254334bb967268c

SHA1
69c82f8049802614bbb255cfae4c7f4c16f88742

SHA256
c5bbf51d2f500ef9c497de4dcb591c523be5122bb415b970bd57ff53409fd778

SHA512
1432924d8ba847a0ca323702afe21a646a05ebed8a85696cfb895d4cc8b747cc7d43e619d4d4b83dbcd8a9ff4930ff7081b9bc5adc73160bd314fc865d831a8e

Download Submit
\Windows\system\explorer.exe

Filesize
206KB

MD5
8e701a89da54ff2480f3b8f3e6710d24

SHA1
a881f48e73d6a881d3d27d4d50a6b17e02c70dae

SHA256
f34c31d19860cc0cc8269920d36ba8452a9c3dbc60748bbbfb521669f613ede8

SHA512
255d643af7ade428cdec5dd4687ff1a56f94173f735ba054226e97b72b717016b458fc675c454fa5ea582f2234563901a3c6f93aaee23599643d6250c3e672ad

Download Submit
\Windows\system\spoolsv.exe

Filesize
207KB

MD5
e7237fb343777e049ceea296a4e8a26e

SHA1
41d5377f71c1a08d56abaa652fa169ea5013c40f

SHA256
86d97928ae425441dbee5a9692179febe41a9dd608d621ea9ba05072f1287f44

SHA512
f21b7f882e35c5da7bb45b06aaaef5847ddd8464bcedc752d9ecfcc0f71bd81707db9e45346da1d8b79eb16caae4aa8f8722e0455fce7f93c93025ab7d122835

Download Submit
\Windows\system\svchost.exe

Filesize
206KB

MD5
8d8019c744f0da92222f23823c4a56e7

SHA1
5b308ae28cc0fe2918a9640d620a1f0892abc4d6

SHA256
91ba2ffbe126814547cfe68777c54e71ef5460220787bdc6f009f3a3cfb0ac02

SHA512
6b4c7447a49c1758a373634e67cd9d4a4e0f37be192818c473367dbc93add926c5431c41ac4731d566050e05ca17a1b88172a26c8a50be3f4016cbbe4fd84e76

Download Submit
memory/1312-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1312-12-0x0000000002C10000-0x0000000002C50000-memory.dmp

Filesize
256KB

Download
memory/1312-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2672-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2692-52-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2736-27-0x0000000002BF0000-0x0000000002C30000-memory.dmp

Filesize
256KB

Download
memory/2740-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download