Malware Analysis Report

2024-07-28 15:10

Sample ID 240613-1nkahsvfnq
Target 899ce10476161f6ab2cf389b89cb3730_NeikiAnalytics.exe
SHA256 76c57852aca00884f16f373d8e296c898da04ddac11a346960fa7d8ce07319d1
Tags evasion, persistence
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 76c57852aca00884f16f373d8e296c898da04ddac11a346960fa7d8ce07319d1

Threat Level: Known bad

The file 899ce10476161f6ab2cf389b89cb3730_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Modifies Installed Components in the registry

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-13 21:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 21:47

Reported

2024-06-13 21:50

Platform

win7-20240221-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\899ce10476161f6ab2cf389b89cb3730_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A
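The four registry signatures above (Winlogon Shell, ShowSuperHidden, Active Setup StubPath, RunOnce) share one flattened row format. The script below is an added example, not part of the report or of any sandbox's own code: it parses rows in that format and applies the checks a triager would make by hand. The Winlogon Shell value is split on commas and anything other than the real C:\Windows\explorer.exe is flagged; the Active Setup component name is tested against the GUID format (the two names in this report, {Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} and {F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}, contain non-hex characters and cannot be real CLSIDs) and its StubPath is checked for a user-profile location; Run/RunOnce values are checked for binaries that borrow a system-binary name from the wrong directory (c:\windows\system\ is not where explorer.exe or svchost.exe live); ShowSuperHidden = 0 is reported as the evasion it is. The sample rows are copied from the behavioral1 tables; the ATT&CK labels and the expected-directory table are my assumptions, not data from the report.

```python
"""Triage registry 'Set value' rows from a sandbox report.

Added example, not part of the original report. Input rows have the form
    Set value (<type>) <key> = "<value>" <process> <target>
exactly as the report prints them (backslashes inside <value> are doubled).
"""
import re

# Rows copied from the behavioral1 signature tables (one of each kind).
SAMPLE_ROWS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A
'''

ROW_RE = re.compile(
    r'^Set value \((?P<type>str|int)\) (?P<key>.+?) = "(?P<value>.*)" (?P<process>\S+) (?P<target>\S+)$')
GUID_RE = re.compile(r'^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$', re.I)
ACTIVE_SETUP_RE = re.compile(r'\\Active Setup\\Installed Components\\(\{[^}]*\})\\StubPath$', re.I)
RUN_KEY_RE = re.compile(r'\\CurrentVersion\\Run(Once)?\\[^\\]+$', re.I)

# Assumption: where Windows really keeps binaries with these names (lower-case, no trailing slash).
EXPECTED_DIRS = {
    'explorer.exe': {r'c:\windows'},
    'svchost.exe': {r'c:\windows\system32', r'c:\windows\syswow64'},
    'spoolsv.exe': {r'c:\windows\system32', r'c:\windows\syswow64'},
}


def image_path(command_line):
    """First token of a command line: the executable path, quoted or bare."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(' ', 1)[0]


def masquerades(path):
    """True if the basename is a well-known system binary but the directory is not its real home."""
    directory, _, name = path.lower().rpartition('\\')
    expected = EXPECTED_DIRS.get(name)
    return expected is not None and directory not in expected


def triage(rows):
    """Return (technique, writing process, detail) tuples for suspicious registry writes."""
    findings = []
    for line in rows.strip().splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        key, proc = m['key'], m['process']
        value = m['value'].replace('\\\\', '\\')  # undo the report's doubled backslashes
        if key.lower().endswith('\\winlogon\\shell'):
            # Shell is normally just explorer.exe; every extra entry is launched at logon.
            for entry in value.split(','):
                if image_path(entry).lower() != r'c:\windows\explorer.exe':
                    findings.append(('T1547.004 Winlogon Shell', proc, entry.strip()))
        elif key.lower().endswith('\\explorer\\advanced\\showsuperhidden') and value == '0':
            findings.append(('T1564.001 hide protected OS files', proc, key))
        elif ACTIVE_SETUP_RE.search(key):
            guid = ACTIVE_SETUP_RE.search(key).group(1)
            stub = image_path(value)
            reasons = []
            if not GUID_RE.match(guid):
                reasons.append('malformed component GUID ' + guid)
            if '\\appdata\\' in stub.lower():
                reasons.append('StubPath in user profile: ' + stub)
            if reasons:
                findings.append(('T1547.014 Active Setup', proc, '; '.join(reasons)))
        elif RUN_KEY_RE.search(key):
            img = image_path(value)
            if masquerades(img):
                findings.append(('T1547.001 Run key, T1036.005 masquerade', proc, img))
    return findings


if __name__ == '__main__':
    for technique, proc, detail in triage(SAMPLE_ROWS):
        print(f'{technique:40} {proc:40} {detail}')
```

On the five sample rows this yields five findings: the extra Winlogon Shell entry, ShowSuperHidden turned off, one Active Setup component with both a malformed GUID and a StubPath under AppData, and two RunOnce values pointing at look-alike binaries in c:\windows\system\. Both behavioral runs produce the same findings, since only the user SID in the ShowSuperHidden key differs between them.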

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\899ce10476161f6ab2cf389b89cb3730_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\899ce10476161f6ab2cf389b89cb3730_NeikiAnalytics.exe N/A (1 event)
N/A N/A \??\c:\windows\system\explorer.exe N/A (33 events)
N/A N/A \??\c:\windows\system\svchost.exe N/A (30 events)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1948 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\899ce10476161f6ab2cf389b89cb3730_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe (4 events)
PID 2476 wrote to memory of 2816 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe (4 events)
PID 2816 wrote to memory of 2684 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe (4 events)
PID 2684 wrote to memory of 2404 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe (4 events)
PID 2684 wrote to memory of 2708 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe (4 events)
PID 2684 wrote to memory of 2348 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe (4 events)
PID 2684 wrote to memory of 2096 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe (4 events)
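The WriteProcessMemory rows are easier to reason about as a tree than as a list: each process writes into a child it has just created, and the chain runs sample -> explorer.exe -> spoolsv.exe -> svchost.exe -> {spoolsv.exe, at.exe x3}. The script below is an added example, not part of the report: it accepts rows either one-per-call (the raw sandbox form) or with a trailing "(N events)" count, aggregates them into unique parent/child edges with call counts, rebuilds the tree and returns every root-to-leaf chain with PIDs and image basenames. The rows are copied from the behavioral1 table above; the report does not say what bytes were written, so the output only shows which process wrote into which child.

```python
"""Rebuild the process chain from 'PID A wrote to memory of B' rows.

Added example, not part of the original report. Row format:
    PID <src> wrote to memory of <dst> <indicator> <src image> <dst image> [(N events)]
"""
import re
from collections import Counter, defaultdict

# Rows copied from the behavioral1 WriteProcessMemory table. The last edge is
# left as four raw rows to show that both forms aggregate to the same count.
SAMPLE_ROWS = r'''
PID 1948 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\899ce10476161f6ab2cf389b89cb3730_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe (4 events)
PID 2476 wrote to memory of 2816 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe (4 events)
PID 2816 wrote to memory of 2684 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe (4 events)
PID 2684 wrote to memory of 2404 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe (4 events)
PID 2684 wrote to memory of 2708 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe (4 events)
PID 2684 wrote to memory of 2348 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe (4 events)
PID 2684 wrote to memory of 2096 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2684 wrote to memory of 2096 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2684 wrote to memory of 2096 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2684 wrote to memory of 2096 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
'''

ROW_RE = re.compile(
    r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P<indicator>\S+) '
    r'(?P<src_image>.+?) (?P<dst_image>\S+?)(?: \((?P<count>\d+) events?\))?$')


def parse_edges(rows):
    """Aggregate rows into {(src_pid, dst_pid): write_count} and {pid: image path}."""
    edges = Counter()   # Counter is a dict, so it preserves first-seen order
    images = {}
    for line in rows.strip().splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        src, dst = int(m['src']), int(m['dst'])
        edges[(src, dst)] += int(m['count'] or 1)  # raw rows count as one call each
        images[src] = m['src_image']
        images[dst] = m['dst_image']
    return edges, images


def basename(path):
    return path.rsplit('\\', 1)[-1]


def chains(edges, images):
    """Every root-to-leaf path as 'pid:image' hops, in the order the rows appeared."""
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    targets = {dst for _, dst in edges}
    roots = list(dict.fromkeys(src for src, _ in edges if src not in targets))
    out = []

    def walk(pid, path):
        path = path + [f'{pid}:{basename(images[pid])}']
        if not children[pid]:
            out.append(' -> '.join(path))
        for child in children[pid]:
            walk(child, path)

    for root in roots:
        walk(root, [])
    return out


def total_writes(edges):
    return sum(edges.values())


if __name__ == '__main__':
    edges, images = parse_edges(SAMPLE_ROWS)
    print(f'{len(edges)} unique edges, {total_writes(edges)} WriteProcessMemory calls')
    for chain in chains(edges, images):
        print(chain)
```

For the behavioral1 rows this gives seven edges, 28 calls and four chains, three of which end in at.exe under the look-alike svchost.exe. The same parser handles the behavioral2 table, where the PIDs differ and each edge has three calls instead of four.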

Processes

C:\Users\Admin\AppData\Local\Temp\899ce10476161f6ab2cf389b89cb3730_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\899ce10476161f6ab2cf389b89cb3730_NeikiAnalytics.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 21:49 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 21:50 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 21:51 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
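The three at.exe invocations are the sample's scheduled-task persistence (ATT&CK T1053.002): at.exe hands the job to the Task Scheduler service over the atsvc RPC endpoint, which is why \??\PIPE\atsvc appears under Files below. The script that follows is an added example, not part of the report: it parses at.exe's syntax, at [\\computer] <time> [/interactive] [/every:<days> | /next:<days>] <command>, expands the day abbreviations, and summarises a batch of submissions so the persistence can be stated precisely (here: three jobs one minute apart, every day of the week, interactive, all launching c:\windows\system\svchost.exe). The command lines are copied from the process list above; the day table and the summary rules are mine.

```python
r"""Decode at.exe job submissions seen in a process list.

Added example, not part of the original report. Syntax handled:
    at [\\computer] <time> [/interactive] [/every:<days>|/next:<days>] <command>
"""
import re

# Command lines copied from the behavioral1 process list.
SAMPLE_CMDS = [
    r'at 21:49 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe',
    r'at 21:50 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe',
    r'at 21:51 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe',
]

# at.exe day abbreviations (case-sensitive: T is Tuesday, Th is Thursday).
DAYS = {'M': 'Mon', 'T': 'Tue', 'W': 'Wed', 'Th': 'Thu', 'F': 'Fri', 'S': 'Sat', 'Su': 'Sun'}

AT_RE = re.compile(
    r'^at\s+(?:\\\\\S+\s+)?(?P<time>\d{1,2}:\d{2})\s+(?P<switches>(?:/\S+\s+)*)(?P<command>.+)$',
    re.I)


def parse_at(cmd):
    """Structured view of one at.exe command line, or None if it is not a job submission."""
    m = AT_RE.match(cmd.strip())
    if not m:
        return None
    job = {'time': m['time'], 'interactive': False, 'every': [], 'next': [],
           'command': m['command'].strip()}
    for switch in m['switches'].split():
        name, _, arg = switch.partition(':')
        # day names are expanded; numeric values stay as day-of-month strings
        days = [DAYS.get(d, d) for d in arg.split(',') if d]
        if name.lower() == '/interactive':
            job['interactive'] = True
        elif name.lower() == '/every':
            job['every'] = days
        elif name.lower() == '/next':
            job['next'] = days
    return job


def is_daily(job):
    """True when /every names all seven weekdays."""
    return set(job['every']) == set(DAYS.values())


def triage_jobs(cmds):
    """Summarise a batch of at.exe submissions for a persistence write-up."""
    jobs = [j for j in (parse_at(c) for c in cmds) if j]
    return {
        'jobs': jobs,
        'times': [j['time'] for j in jobs],
        'targets': sorted({j['command'].lower() for j in jobs}),
        'all_daily': bool(jobs) and all(is_daily(j) for j in jobs),
        'all_interactive': bool(jobs) and all(j['interactive'] for j in jobs),
    }


if __name__ == '__main__':
    summary = triage_jobs(SAMPLE_CMDS)
    print(f"{len(summary['jobs'])} jobs at {', '.join(summary['times'])}; "
          f"daily={summary['all_daily']} interactive={summary['all_interactive']}")
    for target in summary['targets']:
        print('target:', target)
```

Two things to keep in mind when hunting for this. On Windows 7 the jobs show up as At<N>.job files under %SystemRoot%\Tasks and in schtasks /query output. On Windows 8 and later at.exe is deprecated and only prints a message pointing to schtasks.exe, so the identical at.exe launches in the Windows 10 run (behavioral2) most likely created no job; the registry persistence is what survives there.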

Network

N/A

Files

memory/1948-1-0x0000000000020000-0x0000000000024000-memory.dmp

memory/1948-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1948-4-0x0000000000401000-0x000000000042E000-memory.dmp

memory/1948-2-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/1948-3-0x0000000000400000-0x0000000000431000-memory.dmp

\Windows\system\explorer.exe

MD5 56e49fcae677cf1462b52dd3aef9ee3c
SHA1 0e247961bcce060a699d12e283045ef1971cbe91
SHA256 76be6e303dd483f674fd14d2cfc7c013b68fe50e1d3920e4af2b6fef0c081705
SHA512 a044e8e2a3343d549f79d6c656db1e9104906be7e003825cb227d720541147ed5d490e298ef0e3771bc11e3cf158eceac17e0c8d031373464cfe977f2039b022

memory/1948-16-0x0000000002540000-0x0000000002571000-memory.dmp

memory/1948-17-0x0000000002540000-0x0000000002571000-memory.dmp

memory/2476-21-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2476-19-0x0000000072940000-0x0000000072A93000-memory.dmp

\Windows\system\spoolsv.exe

MD5 7b0e6781a539aa0e61dd822aa836d95a
SHA1 97ee69adc3e908e8361c68ec5ea4c39b85033f9c
SHA256 d6eebf12633a1e73372aa8f0088008f37e782338c8ea434ba033d424c800da88
SHA512 8cbcde223f5eba54b99a14cb842adcc12738ad8cf2c8d77f4bc18e096c378debabb773fafab51e56aae09fbf283e865d82ebbb9606d40289cfdaccd049982655

memory/2816-37-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2476-36-0x0000000002590000-0x00000000025C1000-memory.dmp

memory/2476-35-0x0000000002590000-0x00000000025C1000-memory.dmp

memory/2816-38-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2816-46-0x0000000000400000-0x0000000000431000-memory.dmp

\Windows\system\svchost.exe

MD5 fc188ae4fac10cf1cd054acdce54b4d7
SHA1 c2466bdfb90efd02955baf7b0acc9a592d600a21
SHA256 336cef1c328e23b12a8b587e27bab3f91be159733968d8756347c1c50766ab49
SHA512 2aa6987345a0d637d31c5679b2f93a215c86ad6df3050c4ab12b30065d9a80555768e98e5918aa83f66bcf6b8f7ef0819566aed355723303c97302f11f2fa185

memory/2684-54-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2684-62-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2684-61-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2684-60-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1948-68-0x0000000000401000-0x000000000042E000-memory.dmp

memory/1948-66-0x0000000000020000-0x0000000000024000-memory.dmp

memory/2816-58-0x0000000003160000-0x0000000003191000-memory.dmp

memory/2404-69-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2404-77-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1948-82-0x0000000000401000-0x000000000042E000-memory.dmp

memory/1948-81-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2816-79-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 51ea3bbaeade90a17aff73bca1d0e464
SHA1 f721c62cb6d798d7f4866da9dc8f1cae541d8ef6
SHA256 23c4ca2e1c3b108622aed44f6785b58f995a6eb025082558e701f2a9f33a54b9
SHA512 12366ede772a2bbc842fca0362cc608f319757bc8e310f016d1d196d7690be30963c4a964379fe7fbb0c65a6abf8e30878ee880e4457ceea3b3bc56c13432abc

memory/2476-84-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2684-86-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2476-95-0x0000000000400000-0x0000000000431000-memory.dmp

\??\PIPE\atsvc (the Task Scheduler RPC endpoint that at.exe submits jobs through; the capture is zero bytes long, so the hashes below are those of empty input)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 21:47

Reported

2024-06-13 21:50

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\899ce10476161f6ab2cf389b89cb3730_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\899ce10476161f6ab2cf389b89cb3730_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\899ce10476161f6ab2cf389b89cb3730_NeikiAnalytics.exe N/A (2 events)
N/A N/A \??\c:\windows\system\explorer.exe N/A (34 events)
N/A N/A \??\c:\windows\system\svchost.exe N/A (28 events)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3336 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\899ce10476161f6ab2cf389b89cb3730_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe (3 events)
PID 4588 wrote to memory of 2440 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe (3 events)
PID 2440 wrote to memory of 3912 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe (3 events)
PID 3912 wrote to memory of 3704 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe (3 events)
PID 3912 wrote to memory of 5288 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe (3 events)
PID 3912 wrote to memory of 4972 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe (3 events)
PID 3912 wrote to memory of 1876 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe (3 events)

Processes

C:\Users\Admin\AppData\Local\Temp\899ce10476161f6ab2cf389b89cb3730_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\899ce10476161f6ab2cf389b89cb3730_NeikiAnalytics.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 21:49 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 21:50 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 21:51 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 98.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 udp

Every row is either a Bing connection or a reverse-DNS (PTR) lookup through the sandbox resolver; the report attributes none of them to the sample's processes, and the Windows 7 run (behavioral1) recorded no network activity at all, so neither run yields a command-and-control indicator.

Files

memory/3336-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/3336-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3336-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3336-2-0x0000000075660000-0x00000000757BD000-memory.dmp

memory/3336-5-0x0000000000401000-0x000000000042E000-memory.dmp

C:\Windows\System\explorer.exe

MD5 e55b2c79ebc11e1e82f252f613abe742
SHA1 c9138f6c931abde1bd58837e808787fa6ccee5ef
SHA256 7809eacff9d78d7ce0b299e0eb963415f8d9772216edcc84ef4c685ad7f70ddd
SHA512 17af393fe24fed86af379dd61d67f89a7cc1f2332869ca2dd5db89a9e2a29528c11353ae2de3c87040c2b3d504d35eaa8ced7750a5a28568420ad728d32f98e3

All four hashes differ from the copy dropped at the same path in behavioral1, as do those of spoolsv.exe, svchost.exe and mrsys.exe below, so the dropped files' hashes are not stable indicators; the drop paths and the registry values above are.

memory/4588-13-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4588-14-0x0000000075660000-0x00000000757BD000-memory.dmp

memory/4588-17-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 f068ee293fcb769c8dc52c2027d966ee
SHA1 2c60c2d1370680b45d8297c10b5fab59f618ed55
SHA256 a2391d47bc98af39f42a733a2e1a1037bfc909e13e86727472bfb8cf722101aa
SHA512 d5039d01874651451c5a61fb892383089bde225133a8d429d14b454802d95f907f82620f437784e28160237a26a29783671c8e841b8b810894fba18bb55e1aaa

memory/2440-25-0x0000000075660000-0x00000000757BD000-memory.dmp

memory/2440-29-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\System\svchost.exe

MD5 de2694dfd5e317b4e719740af482d7b9
SHA1 cf4a74acc4f2f0415836d15ac76a453ef4d1b25a
SHA256 8cb3c1f3da2f80f3e06da2c1209cfade881fa23c8ba06f02ab73a30365555d40
SHA512 870ba3a6c3ccea93d46cf46d3ccf64f27c750836ba0f6fe412719cf820167c6afa8629e9038862e03785b158adac55c200958bfd5e07b697276162ead291436b

memory/3912-36-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3912-41-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3912-37-0x0000000075660000-0x00000000757BD000-memory.dmp

memory/3704-44-0x0000000075660000-0x00000000757BD000-memory.dmp

memory/3704-50-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2440-54-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3336-58-0x0000000000401000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 20c5710cc338f7cb98c1bcdf47c9fcd6
SHA1 3e1e0515601134335b65b2fcb427316c791e7e4e
SHA256 00f97690947919e3d25012164d5df28198ee8489d50773057c3760c61c307599
SHA512 acb0bf48f3537477df493eea04a22872cccc26f5f856eb5ebceab1bb90c49757b68b96efd4662e2810846bf157b418140ded73aa92a984efa1dae42ec3a97bc8

memory/3336-57-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3336-56-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/4588-60-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3912-62-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4588-71-0x0000000000400000-0x0000000000431000-memory.dmp