4fcdf79f20f2fe69fcaa06ff482792e04d261458e7c3d886d97d930a7aafa739

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
12/06/2024, 07:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29d45e5776f1b4a86b60801675068100_NeikiAnalytics.exe
Size

206KB
MD5

29d45e5776f1b4a86b60801675068100
SHA1

177483aa3f62d554e7b1f9b7450cf92d54300289
SHA256

4fcdf79f20f2fe69fcaa06ff482792e04d261458e7c3d886d97d930a7aafa739
SHA512

fd1dcfa7a1d1d4af0f5e818ede6b105636f7f92aad4e923bcf5ad1916c081da24031fa450c50a745b1eac7a676680d272862dde16f60af41a0add167608fb972
SSDEEP

3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unL2:5vEN2U+T6i5LirrllHy4HUcMQY6K2

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2424	explorer.exe
1300	spoolsv.exe
2748	svchost.exe
2664	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
3056	29d45e5776f1b4a86b60801675068100_NeikiAnalytics.exe
3056	29d45e5776f1b4a86b60801675068100_NeikiAnalytics.exe
2424	explorer.exe
2424	explorer.exe
1300	spoolsv.exe
1300	spoolsv.exe
2748	svchost.exe
2748	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	29d45e5776f1b4a86b60801675068100_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3056	29d45e5776f1b4a86b60801675068100_NeikiAnalytics.exe
2424	explorer.exe
2424	explorer.exe
2424	explorer.exe
2748	svchost.exe
2748	svchost.exe
2424	explorer.exe
2748	svchost.exe
2424	explorer.exe
2748	svchost.exe
2424	explorer.exe
2748	svchost.exe
2424	explorer.exe
2748	svchost.exe
2424	explorer.exe
2748	svchost.exe
2424	explorer.exe
2748	svchost.exe
2424	explorer.exe
2748	svchost.exe
2424	explorer.exe
2748	svchost.exe
2424	explorer.exe
2748	svchost.exe
2424	explorer.exe
2748	svchost.exe
2424	explorer.exe
2748	svchost.exe
2424	explorer.exe
2748	svchost.exe
2424	explorer.exe
2748	svchost.exe
2424	explorer.exe
2748	svchost.exe
2424	explorer.exe
2748	svchost.exe
2424	explorer.exe
2748	svchost.exe
2424	explorer.exe
2748	svchost.exe
2424	explorer.exe
2748	svchost.exe
2424	explorer.exe
2748	svchost.exe
2424	explorer.exe
2748	svchost.exe
2424	explorer.exe
2748	svchost.exe
2424	explorer.exe
2748	svchost.exe
2424	explorer.exe
2748	svchost.exe
2424	explorer.exe
2748	svchost.exe
2424	explorer.exe
2748	svchost.exe
2424	explorer.exe
2748	svchost.exe
2424	explorer.exe
2748	svchost.exe
2424	explorer.exe
2748	svchost.exe
2424	explorer.exe
2748	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2424	explorer.exe
2748	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3056	29d45e5776f1b4a86b60801675068100_NeikiAnalytics.exe
3056	29d45e5776f1b4a86b60801675068100_NeikiAnalytics.exe
2424	explorer.exe
2424	explorer.exe
1300	spoolsv.exe
1300	spoolsv.exe
2748	svchost.exe
2748	svchost.exe
2664	spoolsv.exe
2664	spoolsv.exe
2424	explorer.exe
2424	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2424	3056	29d45e5776f1b4a86b60801675068100_NeikiAnalytics.exe	28
PID 3056 wrote to memory of 2424	3056	29d45e5776f1b4a86b60801675068100_NeikiAnalytics.exe	28
PID 3056 wrote to memory of 2424	3056	29d45e5776f1b4a86b60801675068100_NeikiAnalytics.exe	28
PID 3056 wrote to memory of 2424	3056	29d45e5776f1b4a86b60801675068100_NeikiAnalytics.exe	28
PID 2424 wrote to memory of 1300	2424	explorer.exe	29
PID 2424 wrote to memory of 1300	2424	explorer.exe	29
PID 2424 wrote to memory of 1300	2424	explorer.exe	29
PID 2424 wrote to memory of 1300	2424	explorer.exe	29
PID 1300 wrote to memory of 2748	1300	spoolsv.exe	30
PID 1300 wrote to memory of 2748	1300	spoolsv.exe	30
PID 1300 wrote to memory of 2748	1300	spoolsv.exe	30
PID 1300 wrote to memory of 2748	1300	spoolsv.exe	30
PID 2748 wrote to memory of 2664	2748	svchost.exe	31
PID 2748 wrote to memory of 2664	2748	svchost.exe	31
PID 2748 wrote to memory of 2664	2748	svchost.exe	31
PID 2748 wrote to memory of 2664	2748	svchost.exe	31
PID 2748 wrote to memory of 2552	2748	svchost.exe	32
PID 2748 wrote to memory of 2552	2748	svchost.exe	32
PID 2748 wrote to memory of 2552	2748	svchost.exe	32
PID 2748 wrote to memory of 2552	2748	svchost.exe	32
PID 2748 wrote to memory of 1868	2748	svchost.exe	36
PID 2748 wrote to memory of 1868	2748	svchost.exe	36
PID 2748 wrote to memory of 1868	2748	svchost.exe	36
PID 2748 wrote to memory of 1868	2748	svchost.exe	36
PID 2748 wrote to memory of 1640	2748	svchost.exe	38
PID 2748 wrote to memory of 1640	2748	svchost.exe	38
PID 2748 wrote to memory of 1640	2748	svchost.exe	38
PID 2748 wrote to memory of 1640	2748	svchost.exe	38

C:\Users\Admin\AppData\Local\Temp\29d45e5776f1b4a86b60801675068100_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\29d45e5776f1b4a86b60801675068100_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3056
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2424
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1300
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2748
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2664
    - - C:\Windows\SysWOW64\at.exe
        
        at 08:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2552
    - - C:\Windows\SysWOW64\at.exe
        
        at 08:02 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1868
    - - C:\Windows\SysWOW64\at.exe
        
        at 08:03 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
0323be71b58acf4ddde04b45fe8f6706

SHA1
9aefcfb3b89d19ef21b09ed09b3146083dc809d3

SHA256
8d0b06573faee79f55010248633d74c489f869ac64d807c478042927c5b69b04

SHA512
604ead9582eb52b87d4fead66476dc6c4a67223288b1a063ff5e0cf11f297661250003790154e7f8f1f71f06213cec0f493eefd5a871ad27c18bdc0bea073f75

Download Submit
\Windows\system\explorer.exe

Filesize
206KB

MD5
6b434613ca2bbc81465755c2d306e82c

SHA1
e8aa5e48598946119546258a511e65e5b3899db5

SHA256
b54d90a823e980df8e6d1a45c111a801d44e51fb6f27a373368c64104709a338

SHA512
409dbdbb6bee368ed135506bc13ba3bb4e5c02e67ca312c80fa413e6cff6cf14096944f1de57ba15d6844f35256f4974d87ebb82578f04818f38024ea9b13581

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
8ec8aa2564a0ad2fbd51ba70d23d6921

SHA1
b721ed5ad257d091de6535da76180a753acd1dca

SHA256
6431911bf6fe6b912b20b12be743e65fa0678ca167b995d93d8d5313059edd2e

SHA512
1ce0a6558c1ca9d785519341d6ae8b629665ab15a98dbd5765e7c354460e6de7a0403ee62d1dc519cb8096c5fbf9097edac2d5bf0a61dd2f44ede8274296ea62

Download Submit
\Windows\system\svchost.exe

Filesize
206KB

MD5
ccf969aadb8386022351ce2bc781b5c2

SHA1
3b0c3d0ab201807340701339de9ec41efb6bff81

SHA256
ef7072082bef6082b4acd7ac1024ec0f9c9bdb19135f4521a7f95e2febd88c8a

SHA512
fda3ebcf5eca4329876a1ea6e275ab29d295989b2ef7ffb976ea65b4c3ee26ba4d1fb28dc331785ceabeac42d06f50adc24109fc4f3c0d845e0853e600880a74

Download Submit
memory/1300-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2664-52-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2748-44-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3056-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3056-13-0x0000000001DB0000-0x0000000001DF0000-memory.dmp

Filesize
256KB

Download
memory/3056-12-0x0000000001DB0000-0x0000000001DF0000-memory.dmp

Filesize
256KB

Download
memory/3056-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download