8c1446154d9ff5adfad2e4cbccf641b5e105e4cb820feb842c2d793e70b0e6f7

Analysis

max time kernel
150s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08/06/2024, 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

934c6395fdbfaf3618cd75df51678720_NeikiAnalytics.exe
Size

206KB
MD5

934c6395fdbfaf3618cd75df51678720
SHA1

c24a012dc29e5d927a0ce107c5b68357faa4404e
SHA256

8c1446154d9ff5adfad2e4cbccf641b5e105e4cb820feb842c2d793e70b0e6f7
SHA512

86c1dbe6a66ffa7e81495891f56d84a2e93cb9c21ece76fc72f436a581558d5c92fe1bb2e2c87c41b76021f8c4d0f4350ad14fb9d7cbdf2aa58bcd446e1e794b
SSDEEP

3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unY:5vEN2U+T6i5LirrllHy4HUcMQY67

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
3876	explorer.exe
4496	spoolsv.exe
2824	svchost.exe
2448	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	934c6395fdbfaf3618cd75df51678720_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4440	934c6395fdbfaf3618cd75df51678720_NeikiAnalytics.exe
4440	934c6395fdbfaf3618cd75df51678720_NeikiAnalytics.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
2824	svchost.exe
3876	explorer.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
3876	explorer.exe
2824	svchost.exe
3876	explorer.exe
3876	explorer.exe
2824	svchost.exe
3876	explorer.exe
2824	svchost.exe
3876	explorer.exe
2824	svchost.exe
3876	explorer.exe
2824	svchost.exe
3876	explorer.exe
2824	svchost.exe
3876	explorer.exe
2824	svchost.exe
3876	explorer.exe
2824	svchost.exe
3876	explorer.exe
2824	svchost.exe
3876	explorer.exe
2824	svchost.exe
3876	explorer.exe
2824	svchost.exe
3876	explorer.exe
2824	svchost.exe
3876	explorer.exe
2824	svchost.exe
3876	explorer.exe
2824	svchost.exe
3876	explorer.exe
2824	svchost.exe
2824	svchost.exe
3876	explorer.exe
3876	explorer.exe
2824	svchost.exe
2824	svchost.exe
2824	svchost.exe
3876	explorer.exe
3876	explorer.exe
3876	explorer.exe
2824	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3876	explorer.exe
2824	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4440	934c6395fdbfaf3618cd75df51678720_NeikiAnalytics.exe
4440	934c6395fdbfaf3618cd75df51678720_NeikiAnalytics.exe
3876	explorer.exe
3876	explorer.exe
4496	spoolsv.exe
4496	spoolsv.exe
2824	svchost.exe
2824	svchost.exe
2448	spoolsv.exe
2448	spoolsv.exe
3876	explorer.exe
3876	explorer.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4440 wrote to memory of 3876	4440	934c6395fdbfaf3618cd75df51678720_NeikiAnalytics.exe	81
PID 4440 wrote to memory of 3876	4440	934c6395fdbfaf3618cd75df51678720_NeikiAnalytics.exe	81
PID 4440 wrote to memory of 3876	4440	934c6395fdbfaf3618cd75df51678720_NeikiAnalytics.exe	81
PID 3876 wrote to memory of 4496	3876	explorer.exe	82
PID 3876 wrote to memory of 4496	3876	explorer.exe	82
PID 3876 wrote to memory of 4496	3876	explorer.exe	82
PID 4496 wrote to memory of 2824	4496	spoolsv.exe	83
PID 4496 wrote to memory of 2824	4496	spoolsv.exe	83
PID 4496 wrote to memory of 2824	4496	spoolsv.exe	83
PID 2824 wrote to memory of 2448	2824	svchost.exe	84
PID 2824 wrote to memory of 2448	2824	svchost.exe	84
PID 2824 wrote to memory of 2448	2824	svchost.exe	84
PID 2824 wrote to memory of 3892	2824	svchost.exe	86
PID 2824 wrote to memory of 3892	2824	svchost.exe	86
PID 2824 wrote to memory of 3892	2824	svchost.exe	86
PID 2824 wrote to memory of 768	2824	svchost.exe	100
PID 2824 wrote to memory of 768	2824	svchost.exe	100
PID 2824 wrote to memory of 768	2824	svchost.exe	100
PID 2824 wrote to memory of 1728	2824	svchost.exe	102
PID 2824 wrote to memory of 1728	2824	svchost.exe	102
PID 2824 wrote to memory of 1728	2824	svchost.exe	102

C:\Users\Admin\AppData\Local\Temp\934c6395fdbfaf3618cd75df51678720_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\934c6395fdbfaf3618cd75df51678720_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4440
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3876
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4496
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2824
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2448
    - - C:\Windows\SysWOW64\at.exe
        
        at 06:17 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:3892
    - - C:\Windows\SysWOW64\at.exe
        
        at 06:18 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:768
    - - C:\Windows\SysWOW64\at.exe
        
        at 06:19 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
9133c741a2ab6d70ecfb2539fa5ffe27

SHA1
ce79c1307a521cd893ebd5d0d9fcafe52c29cfb0

SHA256
3ce0ac10554a650e6c80919a001a0e685e8270165c9a7d0235cf86a5fba05e0e

SHA512
9ee78f3f711cb2ab4b41d3a20e5c4a32569868e8a2de81f8b4535d9463b84e4b8ce1a2cd09bb7c9aeb88aeae6754e88d404b644e9bb100f78b9002715a084768

Download Submit
C:\Windows\System\explorer.exe

Filesize
207KB

MD5
d57f25cf4e7a8f499dd4a2019cef6469

SHA1
b288e145ab8bd3981c78589e9222ea7782bf009f

SHA256
66f928a7839ac4efe6618534a8e42160bd86d4c81f76a629d9ada3e0e5918ee8

SHA512
cdaeeb01a2e7e79be5713f2f5d66c06e3ae82ea09d0a3204bef2311526009af2ee90571922169ec8ab55977b8b9e11d7c3fb931ed57304a4974f7b2ea045b44a

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
206KB

MD5
ec30f99dcabe16266e219f152f4485c5

SHA1
e63096717c416c0463ffe1a3ed2cc65bd2a4cbf9

SHA256
90a29fe2b9114093503d13d31b57ce70fe0f810c733c2ebdbd2904f9f5331209

SHA512
3eb59367d7a6ae2faf3ee57150b81e4b4643bf20050c4c4006119bacf2ab2edc537a6ce3b0d6438a7ebaee9e1b730b51a23a5689e7355bb5fc23c69a59f0304b

Download Submit
C:\Windows\System\svchost.exe

Filesize
206KB

MD5
9da3f58f6593e37c2b088df91b70c91a

SHA1
63bd4dbf41b337baf78b7a43f5e5c36caa306463

SHA256
184e3d24a29c87e3a456092ef57a57c26f13586efe88f045c6b1aa87bc08121f

SHA512
0041c467731a6ffe4473de3f8737237f470ead6113e61fc5b7bb616686fd8da0ce56e785286cb21de12681049568b8d042cf951aaa4723c96dc540e1fa8fb077

Download Submit
memory/2448-35-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2824-27-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4440-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4440-37-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4496-36-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download