5d5e1d28884a44517f2af43e9278d825fa6c7f3f1368178d45f3ee114a6bda56

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
11/06/2024, 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

358f42915cd9dc0fb43d7a74b26ae970_NeikiAnalytics.exe
Size

1.2MB
MD5

358f42915cd9dc0fb43d7a74b26ae970
SHA1

1bd9c611e0dc42fd75fc912ed524158768a6aaba
SHA256

5d5e1d28884a44517f2af43e9278d825fa6c7f3f1368178d45f3ee114a6bda56
SHA512

eaf470cce00d6961d8b7d7ec636e1a28bc6fbba7b34a941e28f1fcb0648a1f7e321b29c6ffd27bc728f06aa0945c8b45f773122bd06afb2e856d2a35d78cef71
SSDEEP

24576:4j+cktriK2PVboYTicnT1SBb//wDKULTrhSFkOTu+FMs:pSPVboYTVABjRGtSFruNs

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
3024	explorer.exe
2160	spoolsv.exe
2584	svchost.exe
2828	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
2916	358f42915cd9dc0fb43d7a74b26ae970_NeikiAnalytics.exe
2916	358f42915cd9dc0fb43d7a74b26ae970_NeikiAnalytics.exe
3024	explorer.exe
3024	explorer.exe
2160	spoolsv.exe
2160	spoolsv.exe
2584	svchost.exe
2584	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 35 IoCs

pid	Process
2916	358f42915cd9dc0fb43d7a74b26ae970_NeikiAnalytics.exe
3024	explorer.exe
2160	spoolsv.exe
2584	svchost.exe
2828	spoolsv.exe
2584	svchost.exe
3024	explorer.exe
2584	svchost.exe
3024	explorer.exe
2584	svchost.exe
3024	explorer.exe
2584	svchost.exe
3024	explorer.exe
2584	svchost.exe
3024	explorer.exe
2584	svchost.exe
3024	explorer.exe
2584	svchost.exe
3024	explorer.exe
2584	svchost.exe
3024	explorer.exe
2584	svchost.exe
3024	explorer.exe
2584	svchost.exe
3024	explorer.exe
2584	svchost.exe
3024	explorer.exe
2584	svchost.exe
3024	explorer.exe
2584	svchost.exe
3024	explorer.exe
2584	svchost.exe
3024	explorer.exe
2584	svchost.exe
3024	explorer.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	358f42915cd9dc0fb43d7a74b26ae970_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1748	schtasks.exe
1476	schtasks.exe
1928	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2916	358f42915cd9dc0fb43d7a74b26ae970_NeikiAnalytics.exe
2916	358f42915cd9dc0fb43d7a74b26ae970_NeikiAnalytics.exe
2916	358f42915cd9dc0fb43d7a74b26ae970_NeikiAnalytics.exe
2916	358f42915cd9dc0fb43d7a74b26ae970_NeikiAnalytics.exe
2916	358f42915cd9dc0fb43d7a74b26ae970_NeikiAnalytics.exe
2916	358f42915cd9dc0fb43d7a74b26ae970_NeikiAnalytics.exe
2916	358f42915cd9dc0fb43d7a74b26ae970_NeikiAnalytics.exe
2916	358f42915cd9dc0fb43d7a74b26ae970_NeikiAnalytics.exe
2916	358f42915cd9dc0fb43d7a74b26ae970_NeikiAnalytics.exe
2916	358f42915cd9dc0fb43d7a74b26ae970_NeikiAnalytics.exe
2916	358f42915cd9dc0fb43d7a74b26ae970_NeikiAnalytics.exe
2916	358f42915cd9dc0fb43d7a74b26ae970_NeikiAnalytics.exe
2916	358f42915cd9dc0fb43d7a74b26ae970_NeikiAnalytics.exe
2916	358f42915cd9dc0fb43d7a74b26ae970_NeikiAnalytics.exe
2916	358f42915cd9dc0fb43d7a74b26ae970_NeikiAnalytics.exe
2916	358f42915cd9dc0fb43d7a74b26ae970_NeikiAnalytics.exe
2916	358f42915cd9dc0fb43d7a74b26ae970_NeikiAnalytics.exe
3024	explorer.exe
3024	explorer.exe
3024	explorer.exe
3024	explorer.exe
3024	explorer.exe
3024	explorer.exe
3024	explorer.exe
3024	explorer.exe
3024	explorer.exe
3024	explorer.exe
3024	explorer.exe
3024	explorer.exe
3024	explorer.exe
3024	explorer.exe
3024	explorer.exe
3024	explorer.exe
2584	svchost.exe
2584	svchost.exe
2584	svchost.exe
2584	svchost.exe
2584	svchost.exe
2584	svchost.exe
2584	svchost.exe
2584	svchost.exe
2584	svchost.exe
2584	svchost.exe
2584	svchost.exe
2584	svchost.exe
2584	svchost.exe
2584	svchost.exe
2584	svchost.exe
2584	svchost.exe
3024	explorer.exe
2584	svchost.exe
2584	svchost.exe
3024	explorer.exe
3024	explorer.exe
3024	explorer.exe
2584	svchost.exe
2584	svchost.exe
3024	explorer.exe
2584	svchost.exe
3024	explorer.exe
3024	explorer.exe
2584	svchost.exe
2584	svchost.exe
3024	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2584	svchost.exe
3024	explorer.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2916	358f42915cd9dc0fb43d7a74b26ae970_NeikiAnalytics.exe
2916	358f42915cd9dc0fb43d7a74b26ae970_NeikiAnalytics.exe
2916	358f42915cd9dc0fb43d7a74b26ae970_NeikiAnalytics.exe
3024	explorer.exe
3024	explorer.exe
3024	explorer.exe
2160	spoolsv.exe
2160	spoolsv.exe
2160	spoolsv.exe
2584	svchost.exe
2584	svchost.exe
2584	svchost.exe
2828	spoolsv.exe
2828	spoolsv.exe
2828	spoolsv.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 3024	2916	358f42915cd9dc0fb43d7a74b26ae970_NeikiAnalytics.exe	28
PID 2916 wrote to memory of 3024	2916	358f42915cd9dc0fb43d7a74b26ae970_NeikiAnalytics.exe	28
PID 2916 wrote to memory of 3024	2916	358f42915cd9dc0fb43d7a74b26ae970_NeikiAnalytics.exe	28
PID 2916 wrote to memory of 3024	2916	358f42915cd9dc0fb43d7a74b26ae970_NeikiAnalytics.exe	28
PID 3024 wrote to memory of 2160	3024	explorer.exe	29
PID 3024 wrote to memory of 2160	3024	explorer.exe	29
PID 3024 wrote to memory of 2160	3024	explorer.exe	29
PID 3024 wrote to memory of 2160	3024	explorer.exe	29
PID 2160 wrote to memory of 2584	2160	spoolsv.exe	30
PID 2160 wrote to memory of 2584	2160	spoolsv.exe	30
PID 2160 wrote to memory of 2584	2160	spoolsv.exe	30
PID 2160 wrote to memory of 2584	2160	spoolsv.exe	30
PID 2584 wrote to memory of 2828	2584	svchost.exe	31
PID 2584 wrote to memory of 2828	2584	svchost.exe	31
PID 2584 wrote to memory of 2828	2584	svchost.exe	31
PID 2584 wrote to memory of 2828	2584	svchost.exe	31
PID 3024 wrote to memory of 2452	3024	explorer.exe	32
PID 3024 wrote to memory of 2452	3024	explorer.exe	32
PID 3024 wrote to memory of 2452	3024	explorer.exe	32
PID 3024 wrote to memory of 2452	3024	explorer.exe	32
PID 2584 wrote to memory of 1928	2584	svchost.exe	33
PID 2584 wrote to memory of 1928	2584	svchost.exe	33
PID 2584 wrote to memory of 1928	2584	svchost.exe	33
PID 2584 wrote to memory of 1928	2584	svchost.exe	33
PID 2584 wrote to memory of 1748	2584	svchost.exe	38
PID 2584 wrote to memory of 1748	2584	svchost.exe	38
PID 2584 wrote to memory of 1748	2584	svchost.exe	38
PID 2584 wrote to memory of 1748	2584	svchost.exe	38
PID 2584 wrote to memory of 1476	2584	svchost.exe	40
PID 2584 wrote to memory of 1476	2584	svchost.exe	40
PID 2584 wrote to memory of 1476	2584	svchost.exe	40
PID 2584 wrote to memory of 1476	2584	svchost.exe	40

C:\Users\Admin\AppData\Local\Temp\358f42915cd9dc0fb43d7a74b26ae970_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\358f42915cd9dc0fb43d7a74b26ae970_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2916
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3024
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2160
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2584
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:2828
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 13:03 /f
        5⤵
        Creates scheduled task(s)
        
        PID:1928
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 13:04 /f
        5⤵
        Creates scheduled task(s)
        
        PID:1748
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 13:05 /f
        5⤵
        Creates scheduled task(s)
        
        PID:1476
- - C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe
    3⤵
    PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\Resources\Themes\explorer.exe

Filesize
1.2MB

MD5
0cd42fcae9bd487c95cb9ed373548527

SHA1
10251a4bc5510edb90494616d40eb70277cf2268

SHA256
8ad6afd1d84456e05b21decd9f5e9278699832de2423288706299ca1b3f32abb

SHA512
6689bc8e8681fe497ab516ff61c2b206016b3079b9c704f4790bf4badb7a2cdf56fdfb5c6bd5774d1d595a292993b7238a3e898a97e6d82d4c040c66bc185a99

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
1.2MB

MD5
ec1e69239f4fda535efcb1a6ba57fc0e

SHA1
4729e7e2c29f3ca238290e3fc59578f094aa776d

SHA256
5c79fc578526779ba7417c28219b86e7d83cb1589097ddec771cc4938c847b18

SHA512
f8c48dccfb936fa2fd66c583016abf34263197c68e7a7058564f5d244a0a2caa877a6cb3e813848616ae96efd2b431b3da58b594e996a50f5d4baadf3c37cfcc

Download Submit
\Windows\Resources\svchost.exe

Filesize
1.2MB

MD5
4fc6ef046a11fff3dd15ed35efc08e0f

SHA1
fc7bca2a7356db4cf4edbda50ac1b273bbae8292

SHA256
181778b6854daf2af2b553f7207f8d4dfdeb5d11aedd3d35bfdfad719c483caa

SHA512
ceeebfbdf81e4cc443fc1fdd30ebe055665c457c8b0703e8c25869e7f82b7454de9b73dd5a8d98c7ddf6639fe71554ffe635b50ccb3ad2167e9c6ee3e72341e3

Download Submit
memory/2160-62-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2160-45-0x0000000003990000-0x0000000003D23000-memory.dmp

Filesize
3.6MB

Download
memory/2160-44-0x0000000003990000-0x0000000003D23000-memory.dmp

Filesize
3.6MB

Download
memory/2160-32-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2584-83-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2584-85-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2584-95-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2584-93-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2584-91-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2584-89-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2584-87-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2584-54-0x0000000003AC0000-0x0000000003E53000-memory.dmp

Filesize
3.6MB

Download
memory/2584-81-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2584-79-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2584-77-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2584-75-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2584-73-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2584-71-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2584-68-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2584-69-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2828-55-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2828-63-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2916-64-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2916-19-0x0000000003A10000-0x0000000003DA3000-memory.dmp

Filesize
3.6MB

Download
memory/2916-56-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2916-0-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/2916-13-0x0000000003A10000-0x0000000003DA3000-memory.dmp

Filesize
3.6MB

Download
memory/3024-82-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/3024-86-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/3024-76-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/3024-80-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/3024-65-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/3024-70-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/3024-74-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/3024-84-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/3024-28-0x0000000003900000-0x0000000003C93000-memory.dmp

Filesize
3.6MB

Download
memory/3024-78-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/3024-66-0x0000000003900000-0x0000000003C93000-memory.dmp

Filesize
3.6MB

Download
memory/3024-88-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/3024-72-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/3024-90-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/3024-15-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/3024-92-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/3024-67-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/3024-94-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/3024-30-0x0000000003900000-0x0000000003C93000-memory.dmp

Filesize
3.6MB

Download