fbca5bf7c9222d3244b16c78e37c2c6e4a6ae13e9f6d9936e222753a698b476c

Analysis

max time kernel
151s
max time network
124s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
12/06/2024, 08:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a5d37ef371d04f388314db0d46fefc0_NeikiAnalytics.exe
Size

206KB
MD5

2a5d37ef371d04f388314db0d46fefc0
SHA1

6e499e82ee0aa7f0f490a6f6f83dfaa450fa76cc
SHA256

fbca5bf7c9222d3244b16c78e37c2c6e4a6ae13e9f6d9936e222753a698b476c
SHA512

19a3599cd87777557f84024189f251ca62ecf8f551b30fc17cc0348b2be30e468c029907fc2457219f6799092c01e0dcba087f6f81b84f6bbb9f4645019e066f
SSDEEP

3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unL8:5vEN2U+T6i5LirrllHy4HUcMQY6K8

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2592	explorer.exe
3060	spoolsv.exe
2084	svchost.exe
2776	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
1252	2a5d37ef371d04f388314db0d46fefc0_NeikiAnalytics.exe
1252	2a5d37ef371d04f388314db0d46fefc0_NeikiAnalytics.exe
2592	explorer.exe
2592	explorer.exe
3060	spoolsv.exe
3060	spoolsv.exe
2084	svchost.exe
2084	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	2a5d37ef371d04f388314db0d46fefc0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1252	2a5d37ef371d04f388314db0d46fefc0_NeikiAnalytics.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2592	explorer.exe
2084	svchost.exe
2084	svchost.exe
2592	explorer.exe
2084	svchost.exe
2592	explorer.exe
2084	svchost.exe
2592	explorer.exe
2084	svchost.exe
2592	explorer.exe
2084	svchost.exe
2592	explorer.exe
2084	svchost.exe
2592	explorer.exe
2084	svchost.exe
2592	explorer.exe
2084	svchost.exe
2592	explorer.exe
2084	svchost.exe
2592	explorer.exe
2084	svchost.exe
2592	explorer.exe
2084	svchost.exe
2592	explorer.exe
2084	svchost.exe
2592	explorer.exe
2084	svchost.exe
2592	explorer.exe
2084	svchost.exe
2592	explorer.exe
2084	svchost.exe
2592	explorer.exe
2084	svchost.exe
2592	explorer.exe
2084	svchost.exe
2592	explorer.exe
2084	svchost.exe
2592	explorer.exe
2084	svchost.exe
2592	explorer.exe
2084	svchost.exe
2592	explorer.exe
2084	svchost.exe
2592	explorer.exe
2084	svchost.exe
2592	explorer.exe
2084	svchost.exe
2592	explorer.exe
2084	svchost.exe
2592	explorer.exe
2084	svchost.exe
2592	explorer.exe
2084	svchost.exe
2592	explorer.exe
2084	svchost.exe
2592	explorer.exe
2084	svchost.exe
2592	explorer.exe
2084	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2592	explorer.exe
2084	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1252	2a5d37ef371d04f388314db0d46fefc0_NeikiAnalytics.exe
1252	2a5d37ef371d04f388314db0d46fefc0_NeikiAnalytics.exe
2592	explorer.exe
2592	explorer.exe
3060	spoolsv.exe
3060	spoolsv.exe
2084	svchost.exe
2084	svchost.exe
2776	spoolsv.exe
2776	spoolsv.exe
2592	explorer.exe
2592	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 2592	1252	2a5d37ef371d04f388314db0d46fefc0_NeikiAnalytics.exe	28
PID 1252 wrote to memory of 2592	1252	2a5d37ef371d04f388314db0d46fefc0_NeikiAnalytics.exe	28
PID 1252 wrote to memory of 2592	1252	2a5d37ef371d04f388314db0d46fefc0_NeikiAnalytics.exe	28
PID 1252 wrote to memory of 2592	1252	2a5d37ef371d04f388314db0d46fefc0_NeikiAnalytics.exe	28
PID 2592 wrote to memory of 3060	2592	explorer.exe	29
PID 2592 wrote to memory of 3060	2592	explorer.exe	29
PID 2592 wrote to memory of 3060	2592	explorer.exe	29
PID 2592 wrote to memory of 3060	2592	explorer.exe	29
PID 3060 wrote to memory of 2084	3060	spoolsv.exe	30
PID 3060 wrote to memory of 2084	3060	spoolsv.exe	30
PID 3060 wrote to memory of 2084	3060	spoolsv.exe	30
PID 3060 wrote to memory of 2084	3060	spoolsv.exe	30
PID 2084 wrote to memory of 2776	2084	svchost.exe	31
PID 2084 wrote to memory of 2776	2084	svchost.exe	31
PID 2084 wrote to memory of 2776	2084	svchost.exe	31
PID 2084 wrote to memory of 2776	2084	svchost.exe	31
PID 2084 wrote to memory of 2956	2084	svchost.exe	32
PID 2084 wrote to memory of 2956	2084	svchost.exe	32
PID 2084 wrote to memory of 2956	2084	svchost.exe	32
PID 2084 wrote to memory of 2956	2084	svchost.exe	32
PID 2084 wrote to memory of 2032	2084	svchost.exe	36
PID 2084 wrote to memory of 2032	2084	svchost.exe	36
PID 2084 wrote to memory of 2032	2084	svchost.exe	36
PID 2084 wrote to memory of 2032	2084	svchost.exe	36
PID 2084 wrote to memory of 2288	2084	svchost.exe	38
PID 2084 wrote to memory of 2288	2084	svchost.exe	38
PID 2084 wrote to memory of 2288	2084	svchost.exe	38
PID 2084 wrote to memory of 2288	2084	svchost.exe	38

C:\Users\Admin\AppData\Local\Temp\2a5d37ef371d04f388314db0d46fefc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2a5d37ef371d04f388314db0d46fefc0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1252
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2592
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2084
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2776
    - - C:\Windows\SysWOW64\at.exe
        
        at 08:12 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2956
    - - C:\Windows\SysWOW64\at.exe
        
        at 08:13 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2032
    - - C:\Windows\SysWOW64\at.exe
        
        at 08:14 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
e22201c5eba32881dcd911834885571d

SHA1
0e5dea67447ef3ab3752153dbb43863034edb2e7

SHA256
cb584f9806fffeb68c377a004fb37300d0c8182439353a03d1cf5b81706b643d

SHA512
14bdc96335888a9bb3b0c77e892a5d391c87e860fe39201ff18cba29a94a20cbdcb9dc4fef8378ad7c40e073c30abd67048403f149d587b555d54610bfe8a4b8

Download Submit
\Windows\system\explorer.exe

Filesize
206KB

MD5
042e943b08cd37d5337cc952602fec17

SHA1
17d2b92942c178ba900b34a14a99b8da6c7dcef8

SHA256
c08526681c39043a579ae4659ad07217cadb694158278ff7739343d74983000f

SHA512
5132d7886d46177610333bcb6803a7857eae1f320855e7c3cae9b5deeee1f1898da72804e3ada906573d86a3d80510f84e82755bac2fd2fb038446163f6b2ecc

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
1e1070f27d94f7ba268e970e0270e772

SHA1
0f3b01c02376fa36365b29ed3832c8e4dc685ab0

SHA256
21ad7b73f48223b8c68667ff6ed1fde2323977cbd7dcacfa917d619ed40bdcec

SHA512
96c3d3a72450711ff84fd80f1f38423eff031f12eac92cdfe76b5797070b6f1eed272c01c1dba2b071a37e01dda74cee29b67eba228a9d27921610e63d20d336

Download Submit
\Windows\system\svchost.exe

Filesize
206KB

MD5
0e7a32c6baeb009843291dd773dbf2d3

SHA1
254b3daa68151326e6c3c69153ccfcd25af09873

SHA256
9037e158478e55a26acbc18fee46d757d3e9d1b6247e13e917dc416182d0e5ef

SHA512
2cb056cae2afa25cc2fb65da0865207798db0b80eeffa5f4bf11298770fd56f868f2aed038bd4104c80d6b3b0a262ed7b724a19c82bb6c9655d4b11216cc99da

Download Submit
memory/1252-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1252-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2084-45-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2592-27-0x00000000025E0000-0x0000000002620000-memory.dmp

Filesize
256KB

Download
memory/2592-13-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2776-53-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3060-43-0x0000000002C50000-0x0000000002C90000-memory.dmp

Filesize
256KB

Download
memory/3060-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download