Analysis
- max time kernel: 150s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 11/06/2024, 22:42
Static task: static1
Behavioral task: behavioral1
- Sample: 09c34b1deb789f1fba5a8dabf76b6740_NeikiAnalytics.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 09c34b1deb789f1fba5a8dabf76b6740_NeikiAnalytics.exe
- Resource: win10v2004-20240426-en
General
- Target: 09c34b1deb789f1fba5a8dabf76b6740_NeikiAnalytics.exe
- Size: 66KB
- MD5: 09c34b1deb789f1fba5a8dabf76b6740
- SHA1: 0e1590f2ab4cd4cdcf04988992809c6815bffbda
- SHA256: 8989a4e9cd5f257653eb4672e5fbd9998552e1f3521c1056ed5b8fc780e60ed8
- SHA512: eaf91c1a1fb539d97b587d46b7116e81561275865c981e546248478e983aeb62d42800d7c02e63a5e52b879e99482468e4419e888b932857a925179199e1c44d
- SSDEEP: 1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXiE:IeklMMYJhqezw/pXzH9iE
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
- Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
- Executes dropped EXE (4 IoCs)
  pid | Process
  2828 | explorer.exe
  2796 | spoolsv.exe
  2792 | svchost.exe
  2528 | spoolsv.exe
- Loads dropped DLL (8 IoCs; each process is recorded twice)
  pid | Process
  1792 | 09c34b1deb789f1fba5a8dabf76b6740_NeikiAnalytics.exe
  2828 | explorer.exe
  2796 | spoolsv.exe
  2792 | svchost.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
- Drops file in Windows directory (6 IoCs)
  description | ioc | Process
  File opened for modification | \??\c:\windows\system\explorer.exe | 09c34b1deb789f1fba5a8dabf76b6740_NeikiAnalytics.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
  File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
  File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  64 events: once from PID 1792 (09c34b1deb789f1fba5a8dabf76b6740_NeikiAnalytics.exe), then repeatedly from PID 2828 (explorer.exe) and PID 2792 (svchost.exe)
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | Process
  2828 | explorer.exe
  2792 | svchost.exe
- Suspicious use of SetWindowsHookEx (12 IoCs)
  pid | Process
  1792 | 09c34b1deb789f1fba5a8dabf76b6740_NeikiAnalytics.exe (x2)
  2828 | explorer.exe (x4)
  2796 | spoolsv.exe (x2)
  2792 | svchost.exe (x2)
  2528 | spoolsv.exe (x2)
- Suspicious use of WriteProcessMemory (28 IoCs; each relation is recorded 4 times)
  description | pid | Process | procid_target
  PID 1792 wrote to memory of 2828 | 1792 | 09c34b1deb789f1fba5a8dabf76b6740_NeikiAnalytics.exe | 28
  PID 2828 wrote to memory of 2796 | 2828 | explorer.exe | 29
  PID 2796 wrote to memory of 2792 | 2796 | spoolsv.exe | 30
  PID 2792 wrote to memory of 2528 | 2792 | svchost.exe | 31
  PID 2792 wrote to memory of 1828 | 2792 | svchost.exe | 32
  PID 2792 wrote to memory of 1772 | 2792 | svchost.exe | 36
  PID 2792 wrote to memory of 376 | 2792 | svchost.exe | 38
Processes (indentation shows the parent/child tree)
PID 1792: C:\Users\Admin\AppData\Local\Temp\09c34b1deb789f1fba5a8dabf76b6740_NeikiAnalytics.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\09c34b1deb789f1fba5a8dabf76b6740_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID 2828: \??\c:\windows\system\explorer.exe
    command line: c:\windows\system\explorer.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID 2796: \??\c:\windows\system\spoolsv.exe
      command line: c:\windows\system\spoolsv.exe SE
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID 2792: \??\c:\windows\system\svchost.exe
        command line: c:\windows\system\svchost.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID 2528: \??\c:\windows\system\spoolsv.exe
          command line: c:\windows\system\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        PID 1828: C:\Windows\SysWOW64\at.exe
          command line: at 22:44 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        PID 1772: C:\Windows\SysWOW64\at.exe
          command line: at 22:45 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        PID 376: C:\Windows\SysWOW64\at.exe
          command line: at 22:46 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (2)
    - Winlogon Helper DLL (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (2)
    - Winlogon Helper DLL (1)
Downloads: four dropped files, 66KB each.