Analysis

Max time kernel: 150s
Max time network: 119s
Platform: windows7_x64
Resource: win7-20240419-en
Resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
Submitted: 12-06-2024 11:46
Static task: static1

Behavioral task: behavioral1
  Sample: 37cafec88ef43c1466e375348a25ca40_NeikiAnalytics.exe
  Resource: win7-20240419-en

Behavioral task: behavioral2
  Sample: 37cafec88ef43c1466e375348a25ca40_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General

Target: 37cafec88ef43c1466e375348a25ca40_NeikiAnalytics.exe
Size: 200KB
MD5: 37cafec88ef43c1466e375348a25ca40
SHA1: 3bc12b95e3c5f2ed1dbc20b09cbc79c4badb4958
SHA256: a8faf39a76ff711323dbce85117f3d33e4cfacf6975867cc232762345fc6ffe7
SHA512: f2193e8773e85134746c6f60eb02a3a1cccd93938488fd3c65056094e39bec1c85b4361e5557735e4babf011a2a72e3779f43b22c215c9be7c580699521e4792
SSDEEP: 3072:7vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6uBL9i6:7vEN2U+T6i5LirrllHy4HUcMQY6C9i6
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Executes dropped EXE (4 IoCs)
pid | Process
2968 | explorer.exe
2620 | spoolsv.exe
2768 | svchost.exe
2484 | spoolsv.exe
Loads dropped DLL (8 IoCs)
pid | Process
3000 | 37cafec88ef43c1466e375348a25ca40_NeikiAnalytics.exe
3000 | 37cafec88ef43c1466e375348a25ca40_NeikiAnalytics.exe
2968 | explorer.exe
2968 | explorer.exe
2620 | spoolsv.exe
2620 | spoolsv.exe
2768 | svchost.exe
2768 | svchost.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Drops file in Windows directory (6 IoCs)
description | ioc | Process
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
File opened for modification | \??\c:\windows\system\explorer.exe | 37cafec88ef43c1466e375348a25ca40_NeikiAnalytics.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
2968 | explorer.exe
2768 | svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process
3000 | 37cafec88ef43c1466e375348a25ca40_NeikiAnalytics.exe
3000 | 37cafec88ef43c1466e375348a25ca40_NeikiAnalytics.exe
2968 | explorer.exe
2968 | explorer.exe
2620 | spoolsv.exe
2620 | spoolsv.exe
2768 | svchost.exe
2768 | svchost.exe
2484 | spoolsv.exe
2484 | spoolsv.exe
2968 | explorer.exe
2968 | explorer.exe
Suspicious use of WriteProcessMemory (28 IoCs)
description | pid | Process | procid_target
PID 3000 wrote to memory of 2968 | 3000 | 37cafec88ef43c1466e375348a25ca40_NeikiAnalytics.exe | 28
PID 3000 wrote to memory of 2968 | 3000 | 37cafec88ef43c1466e375348a25ca40_NeikiAnalytics.exe | 28
PID 3000 wrote to memory of 2968 | 3000 | 37cafec88ef43c1466e375348a25ca40_NeikiAnalytics.exe | 28
PID 3000 wrote to memory of 2968 | 3000 | 37cafec88ef43c1466e375348a25ca40_NeikiAnalytics.exe | 28
PID 2968 wrote to memory of 2620 | 2968 | explorer.exe | 29
PID 2968 wrote to memory of 2620 | 2968 | explorer.exe | 29
PID 2968 wrote to memory of 2620 | 2968 | explorer.exe | 29
PID 2968 wrote to memory of 2620 | 2968 | explorer.exe | 29
PID 2620 wrote to memory of 2768 | 2620 | spoolsv.exe | 30
PID 2620 wrote to memory of 2768 | 2620 | spoolsv.exe | 30
PID 2620 wrote to memory of 2768 | 2620 | spoolsv.exe | 30
PID 2620 wrote to memory of 2768 | 2620 | spoolsv.exe | 30
PID 2768 wrote to memory of 2484 | 2768 | svchost.exe | 31
PID 2768 wrote to memory of 2484 | 2768 | svchost.exe | 31
PID 2768 wrote to memory of 2484 | 2768 | svchost.exe | 31
PID 2768 wrote to memory of 2484 | 2768 | svchost.exe | 31
PID 2768 wrote to memory of 2536 | 2768 | svchost.exe | 32
PID 2768 wrote to memory of 2536 | 2768 | svchost.exe | 32
PID 2768 wrote to memory of 2536 | 2768 | svchost.exe | 32
PID 2768 wrote to memory of 2536 | 2768 | svchost.exe | 32
PID 2768 wrote to memory of 1876 | 2768 | svchost.exe | 36
PID 2768 wrote to memory of 1876 | 2768 | svchost.exe | 36
PID 2768 wrote to memory of 1876 | 2768 | svchost.exe | 36
PID 2768 wrote to memory of 1876 | 2768 | svchost.exe | 36
PID 2768 wrote to memory of 2240 | 2768 | svchost.exe | 38
PID 2768 wrote to memory of 2240 | 2768 | svchost.exe | 38
PID 2768 wrote to memory of 2240 | 2768 | svchost.exe | 38
PID 2768 wrote to memory of 2240 | 2768 | svchost.exe | 38
Processes

[1] C:\Users\Admin\AppData\Local\Temp\37cafec88ef43c1466e375348a25ca40_NeikiAnalytics.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\37cafec88ef43c1466e375348a25ca40_NeikiAnalytics.exe"
    PID: 3000
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] \??\c:\windows\system\explorer.exe
        Command line: c:\windows\system\explorer.exe
        PID: 2968
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] \??\c:\windows\system\spoolsv.exe
            Command line: c:\windows\system\spoolsv.exe SE
            PID: 2620
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in Windows directory
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            [4] \??\c:\windows\system\svchost.exe
                Command line: c:\windows\system\svchost.exe
                PID: 2768
                - Modifies WinLogon for persistence
                - Modifies visibility of hidden/system files in Explorer
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Loads dropped DLL
                - Adds Run key to start application
                - Drops file in Windows directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: GetForegroundWindowSpam
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory

                [5] \??\c:\windows\system\spoolsv.exe
                    Command line: c:\windows\system\spoolsv.exe PR
                    PID: 2484
                    - Executes dropped EXE
                    - Suspicious use of SetWindowsHookEx

                [5] C:\Windows\SysWOW64\at.exe
                    Command line: at 11:48 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                    PID: 2536

                [5] C:\Windows\SysWOW64\at.exe
                    Command line: at 11:49 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                    PID: 1876

                [5] C:\Windows\SysWOW64\at.exe
                    Command line: at 11:50 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                    PID: 2240
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)

Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads