fbca5bf7c9222d3244b16c78e37c2c6e4a6ae13e9f6d9936e222753a698b476c

Analysis

max time kernel
150s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12/06/2024, 08:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a5d37ef371d04f388314db0d46fefc0_NeikiAnalytics.exe
Size

206KB
MD5

2a5d37ef371d04f388314db0d46fefc0
SHA1

6e499e82ee0aa7f0f490a6f6f83dfaa450fa76cc
SHA256

fbca5bf7c9222d3244b16c78e37c2c6e4a6ae13e9f6d9936e222753a698b476c
SHA512

19a3599cd87777557f84024189f251ca62ecf8f551b30fc17cc0348b2be30e468c029907fc2457219f6799092c01e0dcba087f6f81b84f6bbb9f4645019e066f
SSDEEP

3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unL8:5vEN2U+T6i5LirrllHy4HUcMQY6K8

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
1504	explorer.exe
3772	spoolsv.exe
1440	svchost.exe
4680	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	2a5d37ef371d04f388314db0d46fefc0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
984	2a5d37ef371d04f388314db0d46fefc0_NeikiAnalytics.exe
984	2a5d37ef371d04f388314db0d46fefc0_NeikiAnalytics.exe
1504	explorer.exe
1504	explorer.exe
1504	explorer.exe
1504	explorer.exe
1504	explorer.exe
1504	explorer.exe
1504	explorer.exe
1504	explorer.exe
1440	svchost.exe
1440	svchost.exe
1440	svchost.exe
1440	svchost.exe
1440	svchost.exe
1504	explorer.exe
1440	svchost.exe
1504	explorer.exe
1440	svchost.exe
1504	explorer.exe
1440	svchost.exe
1504	explorer.exe
1440	svchost.exe
1504	explorer.exe
1504	explorer.exe
1440	svchost.exe
1440	svchost.exe
1504	explorer.exe
1440	svchost.exe
1504	explorer.exe
1440	svchost.exe
1504	explorer.exe
1440	svchost.exe
1504	explorer.exe
1504	explorer.exe
1504	explorer.exe
1440	svchost.exe
1440	svchost.exe
1440	svchost.exe
1504	explorer.exe
1440	svchost.exe
1504	explorer.exe
1504	explorer.exe
1440	svchost.exe
1504	explorer.exe
1440	svchost.exe
1440	svchost.exe
1504	explorer.exe
1440	svchost.exe
1504	explorer.exe
1504	explorer.exe
1440	svchost.exe
1504	explorer.exe
1440	svchost.exe
1440	svchost.exe
1504	explorer.exe
1504	explorer.exe
1440	svchost.exe
1440	svchost.exe
1504	explorer.exe
1504	explorer.exe
1440	svchost.exe
1504	explorer.exe
1440	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1504	explorer.exe
1440	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
984	2a5d37ef371d04f388314db0d46fefc0_NeikiAnalytics.exe
984	2a5d37ef371d04f388314db0d46fefc0_NeikiAnalytics.exe
1504	explorer.exe
1504	explorer.exe
3772	spoolsv.exe
3772	spoolsv.exe
1440	svchost.exe
1440	svchost.exe
4680	spoolsv.exe
4680	spoolsv.exe
1504	explorer.exe
1504	explorer.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 984 wrote to memory of 1504	984	2a5d37ef371d04f388314db0d46fefc0_NeikiAnalytics.exe	82
PID 984 wrote to memory of 1504	984	2a5d37ef371d04f388314db0d46fefc0_NeikiAnalytics.exe	82
PID 984 wrote to memory of 1504	984	2a5d37ef371d04f388314db0d46fefc0_NeikiAnalytics.exe	82
PID 1504 wrote to memory of 3772	1504	explorer.exe	83
PID 1504 wrote to memory of 3772	1504	explorer.exe	83
PID 1504 wrote to memory of 3772	1504	explorer.exe	83
PID 3772 wrote to memory of 1440	3772	spoolsv.exe	84
PID 3772 wrote to memory of 1440	3772	spoolsv.exe	84
PID 3772 wrote to memory of 1440	3772	spoolsv.exe	84
PID 1440 wrote to memory of 4680	1440	svchost.exe	86
PID 1440 wrote to memory of 4680	1440	svchost.exe	86
PID 1440 wrote to memory of 4680	1440	svchost.exe	86
PID 1440 wrote to memory of 4036	1440	svchost.exe	87
PID 1440 wrote to memory of 4036	1440	svchost.exe	87
PID 1440 wrote to memory of 4036	1440	svchost.exe	87
PID 1440 wrote to memory of 3684	1440	svchost.exe	98
PID 1440 wrote to memory of 3684	1440	svchost.exe	98
PID 1440 wrote to memory of 3684	1440	svchost.exe	98
PID 1440 wrote to memory of 4380	1440	svchost.exe	100
PID 1440 wrote to memory of 4380	1440	svchost.exe	100
PID 1440 wrote to memory of 4380	1440	svchost.exe	100

C:\Users\Admin\AppData\Local\Temp\2a5d37ef371d04f388314db0d46fefc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2a5d37ef371d04f388314db0d46fefc0_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:984
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1504
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3772
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1440
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4680
    - - C:\Windows\SysWOW64\at.exe
        
        at 08:12 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:4036
    - - C:\Windows\SysWOW64\at.exe
        
        at 08:13 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:3684
    - - C:\Windows\SysWOW64\at.exe
        
        at 08:14 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:4380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
102cdab7f6be90c0024f329d1e5fc5e2

SHA1
6812be0f7fab7bbb39b476a378b6900801a8816a

SHA256
ec383e20239a8f84e1b581455d417d1a823dd482159b368740dad71a7974a912

SHA512
098e29111e33b98c9aff8a813586eeba9965126e11e1f9c00f3e0ed6e652f4cdc233d65041e51c22f46b34cb0fdcb9f5bf8977329823bfc4ee3170e5ad0d5f2e

Download Submit
C:\Windows\System\explorer.exe

Filesize
206KB

MD5
fc680b635e6b9ad4fddf06238e86dd34

SHA1
cb9a84f089a008df73423f9a0b432c3b265aac63

SHA256
7cfb9f3535738169ee6b2e425350cbac51b5402f03876118184fce04f85f1e8f

SHA512
5ef7999c300c5b0e01e751ea03486aaa55d6a59a559e8a04f23956b42b094896c68cca7741bd71d655f9f7812fc63ca1348a86ea3634d7cd34d7f1d8c43e2fa3

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
206KB

MD5
5949f75c30d3bbac5185f83ebb3320ac

SHA1
54a97d8c4e363013fa20cd4b771dde0196d8fd85

SHA256
8c842c23779471e523f537b38e03dd143909c397a8459d41b135fe14958c844f

SHA512
59e953f6faacc4d69c1656f6d141fc8755371288874f83338810feac938fdb04a2a51da2f9ae3b0dc718834fadeae482d0d6e928d2f0534d7387548b56190fb0

Download Submit
C:\Windows\System\svchost.exe

Filesize
207KB

MD5
6a0bc9874539c69f5add054ceb9ef1ae

SHA1
8f9b8fb3e2a3d6fd933d27a8df63da8f7cefc70c

SHA256
aec9ff0c1ddcd22c3d5d01a6205a042fead6d9b98030b7865402140b38e80719

SHA512
b2a04453f1224016469fea9e3b99d430a6d87201d23864dbf49739f18cb9ae3d6f7eb7d383a238154de6fb72eb3ef84b13b2fd47246068f261ee9a669ccbfe9a

Download Submit
memory/984-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/984-37-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1504-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3772-36-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4680-35-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download