Malware Analysis Report

2024-09-09 20:15

Sample ID 240613-2cscessgjg
Target 8c18a403b9c421c2766337291b207470_NeikiAnalytics.exe
SHA256 e8a18138bbf6382520c7f36a32c33d5f7a490041158b8f4984e50d0016af7f93
Tags: evasion, persistence
Score: 10/10

Table of Contents

- Analysis Overview
- MITRE ATT&CK Matrix
- Analysis: static1
  - Detonation Overview
  - Signatures
- Analysis: behavioral1
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files
- Analysis: behavioral2
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files

Analysis Overview

Score: 10/10

SHA256: e8a18138bbf6382520c7f36a32c33d5f7a490041158b8f4984e50d0016af7f93

Threat Level: Known bad

The file 8c18a403b9c421c2766337291b207470_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

Tags: evasion, persistence

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Modifies Installed Components in the registry

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-13 22:26

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 22:26
Reported: 2024-06-13 22:29
Platform: win7-20240508-en
Max time kernel: 150s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8c18a403b9c421c2766337291b207470_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

Tag: persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\svchost.exe | N/A

Modifies visibility of hidden/system files in Explorer

Tag: evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\svchost.exe | N/A

Modifies Installed Components in the registry

Tag: persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A

Adds Run key to start application

Tag: persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\svchost.exe | N/A
File opened for modification | C:\Windows\system\udsys.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\8c18a403b9c421c2766337291b207470_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c18a403b9c421c2766337291b207470_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2208 wrote to memory of 2916 | N/A | C:\Users\Admin\AppData\Local\Temp\8c18a403b9c421c2766337291b207470_NeikiAnalytics.exe | \??\c:\windows\system\explorer.exe
PID 2208 wrote to memory of 2916 | N/A | C:\Users\Admin\AppData\Local\Temp\8c18a403b9c421c2766337291b207470_NeikiAnalytics.exe | \??\c:\windows\system\explorer.exe
PID 2208 wrote to memory of 2916 | N/A | C:\Users\Admin\AppData\Local\Temp\8c18a403b9c421c2766337291b207470_NeikiAnalytics.exe | \??\c:\windows\system\explorer.exe
PID 2208 wrote to memory of 2916 | N/A | C:\Users\Admin\AppData\Local\Temp\8c18a403b9c421c2766337291b207470_NeikiAnalytics.exe | \??\c:\windows\system\explorer.exe
PID 2916 wrote to memory of 2700 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 2916 wrote to memory of 2700 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 2916 wrote to memory of 2700 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 2916 wrote to memory of 2700 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 2700 wrote to memory of 2784 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 2700 wrote to memory of 2784 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 2700 wrote to memory of 2784 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 2700 wrote to memory of 2784 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 2784 wrote to memory of 2476 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2784 wrote to memory of 2476 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2784 wrote to memory of 2476 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2784 wrote to memory of 2476 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2784 wrote to memory of 372 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2784 wrote to memory of 372 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2784 wrote to memory of 372 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2784 wrote to memory of 372 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2784 wrote to memory of 2504 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2784 wrote to memory of 2504 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2784 wrote to memory of 2504 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2784 wrote to memory of 2504 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2784 wrote to memory of 2020 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2784 wrote to memory of 2020 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2784 wrote to memory of 2020 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2784 wrote to memory of 2020 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8c18a403b9c421c2766337291b207470_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8c18a403b9c421c2766337291b207470_NeikiAnalytics.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 22:28 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 22:29 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 22:30 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

N/A

Files

memory/2208-1-0x0000000000020000-0x0000000000024000-memory.dmp

memory/2208-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2208-2-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2208-4-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2208-3-0x0000000000400000-0x0000000000431000-memory.dmp

\Windows\system\explorer.exe

MD5 b4acc851c06649dfb5d444b0f9569b0e
SHA1 a70163605ebb5758b5f86a98c6a8044fe3c22306
SHA256 478c422c877111c34f0beef48a436bd47506b5f05d4364146b77898cab0aab45
SHA512 c3136f992a790aa1ccb4284802e578112f9f69becf72cbb819d5fe87a351716a6f3f4ed1171a3d7687ba78eafb2dcb09991bcbfa492f4a3db722c1a72ac9263f

memory/2208-18-0x0000000002660000-0x0000000002691000-memory.dmp

memory/2208-17-0x0000000002660000-0x0000000002691000-memory.dmp

memory/2916-19-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2916-21-0x0000000000400000-0x0000000000431000-memory.dmp

\Windows\system\spoolsv.exe

MD5 857b70eaa80ff3f452354e6fb76873f2
SHA1 ec5531e765471bbd161e9a7169e3e231192f4bca
SHA256 76dd7e60e7455a54117ce34e34e228f6fea0addf8a4ca789ac8c1c0b6dd8c3b5
SHA512 d04cea5827f71713cd60e688780390cf53bc463ca086e7c536a310805906e4f28d75f53ede2c5f6ac6a9749bcf12231b254fe1f43b38d718e398cea0f95bb33b

memory/2916-35-0x00000000026D0000-0x0000000002701000-memory.dmp

memory/2916-36-0x00000000026D0000-0x0000000002701000-memory.dmp

memory/2700-37-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2700-42-0x0000000000400000-0x0000000000431000-memory.dmp

\Windows\system\svchost.exe

MD5 4b28c4ab2e45d3af62e3444dd7fb4647
SHA1 76675ae9288d50152607261f1288694c1cdee0f2
SHA256 c053ae661f4a823b3e55cf7f2377ca75a9bfb63e4660493521800cf924dc16b3
SHA512 e696a5424484b66757ff6133597b96432681e161c5df917350c98f8f4bb585fc019bbf27804a84422ec8d28654cb072bab1dfc05c00b8dad51ba6f91ddce01e1

memory/2700-49-0x00000000025C0000-0x00000000025F1000-memory.dmp

memory/2784-54-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2784-55-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2784-61-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2208-60-0x0000000000020000-0x0000000000024000-memory.dmp

memory/2784-67-0x0000000001F20000-0x0000000001F51000-memory.dmp

memory/2476-69-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2784-68-0x0000000001F20000-0x0000000001F51000-memory.dmp

memory/2208-66-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2476-70-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2476-76-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2700-80-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2208-81-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2208-82-0x0000000000401000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 8eb2086cae6a82d4b9d65a014e860746
SHA1 53d9504a25e55926e7577616d6a043ed4176a4b9
SHA256 e03ff07ab829ba2454810cd0a1e87fa913ac754eab42210ad2230fd626c9fd16
SHA512 438a9b0deda976caa3406933d807545eedd33992908f46caa98d2e92520c5e7b671267e813f4c9b0b452312a36435dd37d1a8973aa89a88ab6fa27b9882326bf

memory/2916-84-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2784-86-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2916-95-0x0000000000400000-0x0000000000431000-memory.dmp

\??\PIPE\atsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-13 22:26
Reported: 2024-06-13 22:29
Platform: win10v2004-20240611-en
Max time kernel: 150s
Max time network: 127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8c18a403b9c421c2766337291b207470_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

Tag: persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\svchost.exe | N/A

Modifies visibility of hidden/system files in Explorer

Tag: evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\svchost.exe | N/A

Modifies Installed Components in the registry

Tag: persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A

Adds Run key to start application

Tag: persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\8c18a403b9c421c2766337291b207470_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\svchost.exe | N/A
File opened for modification | C:\Windows\system\udsys.exe | \??\c:\windows\system\explorer.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c18a403b9c421c2766337291b207470_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c18a403b9c421c2766337291b207470_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3688 wrote to memory of 4596 | N/A | C:\Users\Admin\AppData\Local\Temp\8c18a403b9c421c2766337291b207470_NeikiAnalytics.exe | \??\c:\windows\system\explorer.exe
PID 3688 wrote to memory of 4596 | N/A | C:\Users\Admin\AppData\Local\Temp\8c18a403b9c421c2766337291b207470_NeikiAnalytics.exe | \??\c:\windows\system\explorer.exe
PID 3688 wrote to memory of 4596 | N/A | C:\Users\Admin\AppData\Local\Temp\8c18a403b9c421c2766337291b207470_NeikiAnalytics.exe | \??\c:\windows\system\explorer.exe
PID 4596 wrote to memory of 4880 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 4596 wrote to memory of 4880 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 4596 wrote to memory of 4880 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 4880 wrote to memory of 1908 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 4880 wrote to memory of 1908 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 4880 wrote to memory of 1908 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 1908 wrote to memory of 1116 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 1908 wrote to memory of 1116 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 1908 wrote to memory of 1116 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 1908 wrote to memory of 4952 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 1908 wrote to memory of 4952 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 1908 wrote to memory of 4952 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 1908 wrote to memory of 4784 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 1908 wrote to memory of 4784 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 1908 wrote to memory of 4784 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 1908 wrote to memory of 4276 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 1908 wrote to memory of 4276 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 1908 wrote to memory of 4276 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8c18a403b9c421c2766337291b207470_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8c18a403b9c421c2766337291b207470_NeikiAnalytics.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 22:28 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4304,i,11749492925348081608,8895412282206755658,262144 --variations-seed-version --mojo-platform-channel-handle=1284 /prefetch:8

C:\Windows\SysWOW64\at.exe

at 22:29 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 22:30 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp
US | 204.79.197.237:443 | g.bing.com | tcp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 98.251.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.251.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp

Files

memory/3688-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3688-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/3688-2-0x00000000759C0000-0x0000000075B1D000-memory.dmp

memory/3688-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3688-4-0x0000000000401000-0x000000000042E000-memory.dmp

C:\Windows\System\explorer.exe

MD5 66eaaa911fad7b1ccd0489047d65dc8b
SHA1 c745b151d1159a4715afe0fea1ec6d02b313dafc
SHA256 2de05d66f692da7d104bae70c75d6a33a859c6d06ae8f6004624dd277633a051
SHA512 3d29f3670d0078c718f25f8fd938cce91f8232e77e5e1adc59015043c509f7e2a5949b5a694fb4683a04feee055b0155a6c107337b53800eafa5b4a5ed991816

memory/4596-13-0x00000000759C0000-0x0000000075B1D000-memory.dmp

memory/4596-15-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 9edec073e5f770e38281e44488501db7
SHA1 1e38375f03728694ad0f914f92a67aaaaee27a06
SHA256 5d3049d2c7f850282dfe1801b7d03819ceae4b93149bea8ea981542a9bcd36b9
SHA512 74503d925c8773951cd48d5c1d029c9eacdc5b474d86e0e46443c02112081eaa9063b433e868a4adec89a430241bbaeb7bc7ffca43baeac0d2ad2826068e97f2

memory/4880-25-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4880-24-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4880-26-0x00000000759C0000-0x0000000075B1D000-memory.dmp

C:\Windows\System\svchost.exe

MD5 4662862de45e5e882bff34dd37b7aacf
SHA1 42ff2cf413dc1d391794c511e1bda1bb03c1a549
SHA256 59413e38d3fc773ef67de66b88515d3ab86e4a4953c10d49ab7cd01190b46963
SHA512 627cf7cb3779de2590456a06df53f5392587e7dc4b7879144027d6b75380e07dd67fd39e000c4ef504bc71aad894741d5e019df8507a204ed9320f7fa8225916

memory/1908-35-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1908-37-0x00000000759C0000-0x0000000075B1D000-memory.dmp

memory/1908-42-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1116-44-0x00000000759C0000-0x0000000075B1D000-memory.dmp

memory/1116-54-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3688-55-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 0e52d83c2d1ef6230138a0f9fdc9a634
SHA1 81430cd483135e489dc0dc0e833520f6fba6dc26
SHA256 10d4c60227aa2bf74abd0a40be1d3dd0c8eb1a479c264bbadf1aac13cdb3c59c
SHA512 a8230c5c3f56706201a6bd9a2f07111a2d1e685392f683440377187c0dbac8140f84334fcbd4dd4de72187c98ccfba853e4433f3cd6e9d0ebc880d0cbca8eec2

memory/4880-52-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3688-57-0x0000000000401000-0x000000000042E000-memory.dmp

memory/4596-58-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1908-60-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4596-69-0x0000000000400000-0x0000000000431000-memory.dmp

\??\PIPE\atsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e