c1e4985eef887e50185f1ba2e28d148e721be38782a542298be1fdff1294218f

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12/06/2024, 22:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4a52794a8049b5a536306e33b93d1450_NeikiAnalytics.exe
Size

207KB
MD5

4a52794a8049b5a536306e33b93d1450
SHA1

f826479f48a3c4bb2d9f0d5eb2da3e7bd34f024b
SHA256

c1e4985eef887e50185f1ba2e28d148e721be38782a542298be1fdff1294218f
SHA512

a6df7e52d8e9bde571507ee1864a6aca5ce18c30907b5a064bccbc8a0a256bc617a96ac4c712b92f8be8a662034ae7fac02d132c65934e3cb5d870bf4db4c7d1
SSDEEP

3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unLt:5vEN2U+T6i5LirrllHy4HUcMQY6Kt

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2152	explorer.exe
2744	spoolsv.exe
2932	svchost.exe
2472	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
1976	4a52794a8049b5a536306e33b93d1450_NeikiAnalytics.exe
1976	4a52794a8049b5a536306e33b93d1450_NeikiAnalytics.exe
2152	explorer.exe
2152	explorer.exe
2744	spoolsv.exe
2744	spoolsv.exe
2932	svchost.exe
2932	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	4a52794a8049b5a536306e33b93d1450_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1976	4a52794a8049b5a536306e33b93d1450_NeikiAnalytics.exe
2152	explorer.exe
2152	explorer.exe
2152	explorer.exe
2152	explorer.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2152	explorer.exe
2932	svchost.exe
2152	explorer.exe
2932	svchost.exe
2152	explorer.exe
2932	svchost.exe
2152	explorer.exe
2152	explorer.exe
2932	svchost.exe
2152	explorer.exe
2932	svchost.exe
2932	svchost.exe
2152	explorer.exe
2152	explorer.exe
2932	svchost.exe
2932	svchost.exe
2152	explorer.exe
2932	svchost.exe
2152	explorer.exe
2152	explorer.exe
2932	svchost.exe
2152	explorer.exe
2932	svchost.exe
2152	explorer.exe
2932	svchost.exe
2152	explorer.exe
2932	svchost.exe
2152	explorer.exe
2932	svchost.exe
2932	svchost.exe
2152	explorer.exe
2932	svchost.exe
2152	explorer.exe
2152	explorer.exe
2932	svchost.exe
2152	explorer.exe
2932	svchost.exe
2932	svchost.exe
2152	explorer.exe
2932	svchost.exe
2152	explorer.exe
2932	svchost.exe
2152	explorer.exe
2152	explorer.exe
2932	svchost.exe
2152	explorer.exe
2932	svchost.exe
2932	svchost.exe
2152	explorer.exe
2152	explorer.exe
2932	svchost.exe
2932	svchost.exe
2152	explorer.exe
2932	svchost.exe
2152	explorer.exe
2152	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2152	explorer.exe
2932	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1976	4a52794a8049b5a536306e33b93d1450_NeikiAnalytics.exe
1976	4a52794a8049b5a536306e33b93d1450_NeikiAnalytics.exe
2152	explorer.exe
2152	explorer.exe
2744	spoolsv.exe
2744	spoolsv.exe
2932	svchost.exe
2932	svchost.exe
2472	spoolsv.exe
2472	spoolsv.exe
2152	explorer.exe
2152	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 2152	1976	4a52794a8049b5a536306e33b93d1450_NeikiAnalytics.exe	28
PID 1976 wrote to memory of 2152	1976	4a52794a8049b5a536306e33b93d1450_NeikiAnalytics.exe	28
PID 1976 wrote to memory of 2152	1976	4a52794a8049b5a536306e33b93d1450_NeikiAnalytics.exe	28
PID 1976 wrote to memory of 2152	1976	4a52794a8049b5a536306e33b93d1450_NeikiAnalytics.exe	28
PID 2152 wrote to memory of 2744	2152	explorer.exe	29
PID 2152 wrote to memory of 2744	2152	explorer.exe	29
PID 2152 wrote to memory of 2744	2152	explorer.exe	29
PID 2152 wrote to memory of 2744	2152	explorer.exe	29
PID 2744 wrote to memory of 2932	2744	spoolsv.exe	30
PID 2744 wrote to memory of 2932	2744	spoolsv.exe	30
PID 2744 wrote to memory of 2932	2744	spoolsv.exe	30
PID 2744 wrote to memory of 2932	2744	spoolsv.exe	30
PID 2932 wrote to memory of 2472	2932	svchost.exe	31
PID 2932 wrote to memory of 2472	2932	svchost.exe	31
PID 2932 wrote to memory of 2472	2932	svchost.exe	31
PID 2932 wrote to memory of 2472	2932	svchost.exe	31
PID 2932 wrote to memory of 2448	2932	svchost.exe	32
PID 2932 wrote to memory of 2448	2932	svchost.exe	32
PID 2932 wrote to memory of 2448	2932	svchost.exe	32
PID 2932 wrote to memory of 2448	2932	svchost.exe	32
PID 2932 wrote to memory of 312	2932	svchost.exe	36
PID 2932 wrote to memory of 312	2932	svchost.exe	36
PID 2932 wrote to memory of 312	2932	svchost.exe	36
PID 2932 wrote to memory of 312	2932	svchost.exe	36
PID 2932 wrote to memory of 2080	2932	svchost.exe	38
PID 2932 wrote to memory of 2080	2932	svchost.exe	38
PID 2932 wrote to memory of 2080	2932	svchost.exe	38
PID 2932 wrote to memory of 2080	2932	svchost.exe	38

C:\Users\Admin\AppData\Local\Temp\4a52794a8049b5a536306e33b93d1450_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4a52794a8049b5a536306e33b93d1450_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1976
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2152
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2932
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2472
    - - C:\Windows\SysWOW64\at.exe
        
        at 22:46 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2448
    - - C:\Windows\SysWOW64\at.exe
        
        at 22:47 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:312
    - - C:\Windows\SysWOW64\at.exe
        
        at 22:48 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
cdc447bd76b600d57a8c0a90292c504a

SHA1
567b1b47b43249986c8ab2c3125840f05100c027

SHA256
53ad936a4f9edd52f95f2d0ef4cf5d364e1dc06676f7fc1fcf8b6c420ebca143

SHA512
6917708df529013118a35b4aaa89d612fc312e7ab7cf0ab5384ce3edf1c2da820244f8760897cb517b9b6bad1c029e9eed919548b361946047ed2ca197598abb

Download Submit
C:\Windows\system\explorer.exe

Filesize
206KB

MD5
262e4c0f7386f91966cd9d2bd344665e

SHA1
710e95ae721c5d3980b1cf9104237766acfd3ff9

SHA256
a400aeb76674d48199920ea40baf82b84947879ebe41f1627747ea43d1ffcf88

SHA512
34594c182b3fbe703cabae129797e19d67541f859877bab643dd97d02b4b3a7d519987ab547322bc4fe026e824a657cefef699e6eb5eb05113c1ae2e8a890718

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
e4b1a2edbfd02d74ccc0f5636119c560

SHA1
4644b6a8b5c9734a5bbc0734cb5ff26dda4d6e5a

SHA256
8f67816963cb01d13ec81da7ed8562ac384caca3f6e2b939ed4c25e5b1d4dec3

SHA512
d97f276facf4c9e6ded5342f5427a275f2b5d949f64d28e14a3f27cadcd3436ad7531fdf22f0fe6b36477a239872f616b92df644aa8cb57567cd02aec48c3630

Download Submit
\Windows\system\svchost.exe

Filesize
206KB

MD5
0e3d1fecfb69a2965ebd71a243f36394

SHA1
4cd31fbaf50d7069afca65f2294ed2572deecb47

SHA256
8c96190784fc9cf7fdd2d5f266f3554517a93a060a6910dd509f239d81b3317d

SHA512
8634d3acd0e9e78436f2ee776263e76eef0963d329260a4180dd2b622119a6413c4ec02b53781f4fdb3a1321f51a7d3445f281cbbf0c7b43fe35856578bfd69e

Download Submit
memory/1976-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1976-14-0x0000000003110000-0x0000000003150000-memory.dmp

Filesize
256KB

Download
memory/1976-13-0x0000000003110000-0x0000000003150000-memory.dmp

Filesize
256KB

Download
memory/1976-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2472-51-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2744-54-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download