Malware Analysis Report

2024-09-09 20:00

Sample ID 240613-2gcsjaxajr
Target 8c78f687c3b90768775142ad9e32da50_NeikiAnalytics.exe
SHA256 e1f6a2755e5676ec0202df3b70252e6cbce63e6c7198eb2118ff3f10f7277ac0
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e1f6a2755e5676ec0202df3b70252e6cbce63e6c7198eb2118ff3f10f7277ac0

Threat Level: Known bad

The file 8c78f687c3b90768775142ad9e32da50_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Modifies Installed Components in the registry

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-13 22:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 22:32

Reported

2024-06-13 22:35

Platform

win7-20240221-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8c78f687c3b90768775142ad9e32da50_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\8c78f687c3b90768775142ad9e32da50_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c78f687c3b90768775142ad9e32da50_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A (33 identical rows)
N/A N/A \??\c:\windows\system\svchost.exe N/A (30 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 912 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\8c78f687c3b90768775142ad9e32da50_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe (4 identical rows)
PID 2108 wrote to memory of 2568 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe (4 identical rows)
PID 2568 wrote to memory of 2340 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe (4 identical rows)
PID 2340 wrote to memory of 2504 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe (4 identical rows)
PID 2340 wrote to memory of 2092 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe (4 identical rows)
PID 2340 wrote to memory of 2556 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe (4 identical rows)
PID 2340 wrote to memory of 2076 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe (4 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\8c78f687c3b90768775142ad9e32da50_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8c78f687c3b90768775142ad9e32da50_NeikiAnalytics.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 22:34 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 22:35 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 22:36 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

N/A

Files

memory/912-1-0x0000000000020000-0x0000000000024000-memory.dmp

memory/912-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/912-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/912-4-0x0000000000401000-0x000000000042E000-memory.dmp

memory/912-2-0x0000000072940000-0x0000000072A93000-memory.dmp

\Windows\system\explorer.exe

MD5 f545e717c93a5c4104500b2630660acc
SHA1 e4b51dad4d95985c0b544a188bfbb67b4dc981e7
SHA256 73d67f3ab29411f51a9cacedff4b7b4784a30155fdece02ab025e8a2ef019c05
SHA512 a25ee729f607f84c35c42dc4ca7f4d33083bb8e7063da7b2b536ceda8ee785318c41836c5e554944dbfea87717d073b0bac5f0f2a3b8bdfb2a1d324faa7a6433

memory/912-13-0x00000000030D0000-0x0000000003101000-memory.dmp

memory/912-17-0x00000000030D0000-0x0000000003101000-memory.dmp

memory/2108-19-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2108-23-0x0000000000400000-0x0000000000431000-memory.dmp

\Windows\system\spoolsv.exe

MD5 c52ea4196064bdf6df5529a2d0197db9
SHA1 75227a99fe5aab1098dfcfaa1ba936ca9d5c452f
SHA256 da92ee1d91db3e1fcadccbfb35325377686b409a4ee823069afc6451d0a5bc39
SHA512 e9a0d1c55a798de666563110bf72a64041094a7a58677b2cd9e598f042f07a6b87cbeb5dc262c33a826e7a160dbf8cb09d47650d21b8abf640e7831083147a76

memory/2108-36-0x0000000002640000-0x0000000002671000-memory.dmp

memory/2108-35-0x0000000002640000-0x0000000002671000-memory.dmp

memory/2568-37-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2568-41-0x0000000000400000-0x0000000000431000-memory.dmp

\Windows\system\svchost.exe

MD5 ae1a2e14097796f9e13556f97552f9f8
SHA1 4b1821affba2c43109b9f964e53fcaebd6332836
SHA256 6943d0a21fdad3330ff15d7dbbcf386ed988b464c5ae8d540b59d2c728872bf0
SHA512 435106c25cdb87b0160651a691fecadfeba0d0f728d286c7fca04c561a75071d88b494128cf2819018b0a64a588b29657e72eff558bd183fc766d0b98fe366ec

memory/2340-53-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2340-57-0x0000000000400000-0x0000000000431000-memory.dmp

memory/912-62-0x0000000000020000-0x0000000000024000-memory.dmp

memory/912-66-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2340-65-0x0000000002A40000-0x0000000002A71000-memory.dmp

memory/2340-64-0x0000000002A40000-0x0000000002A71000-memory.dmp

memory/2504-67-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2504-75-0x0000000000400000-0x0000000000431000-memory.dmp

memory/912-78-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2568-77-0x0000000000400000-0x0000000000431000-memory.dmp

memory/912-79-0x0000000000401000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 2d1da083d9254ce6a88b221eda0cf2ce
SHA1 71958006baa2b9e10459a1b293990750b6b5c0e7
SHA256 b6227da183f0b2575cba3d15250f72fac052a7f7eb8a95d22e37f91c12f31f2a
SHA512 03e61a24ef293fffb0c19e1318f6e26035c65537b8a0fb4a2dda29a38409cc0ab173324ff601732c3b7e5a540aceb76f6e79a17a4e66c35bc38ceea05e171642

memory/2108-81-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2340-83-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2108-92-0x0000000000400000-0x0000000000431000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 22:32

Reported

2024-06-13 22:35

Platform

win10v2004-20240226-en

Max time kernel

155s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8c78f687c3b90768775142ad9e32da50_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\8c78f687c3b90768775142ad9e32da50_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c78f687c3b90768775142ad9e32da50_NeikiAnalytics.exe N/A (2 identical rows)
N/A N/A \??\c:\windows\system\explorer.exe N/A (37 identical rows)
N/A N/A \??\c:\windows\system\svchost.exe N/A (25 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1260 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\8c78f687c3b90768775142ad9e32da50_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe (3 identical rows)
PID 4856 wrote to memory of 1904 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe (3 identical rows)
PID 1904 wrote to memory of 4356 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe (3 identical rows)
PID 4356 wrote to memory of 216 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe (3 identical rows)
PID 4356 wrote to memory of 4084 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe (3 identical rows)
PID 4356 wrote to memory of 2016 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe (3 identical rows)
PID 4356 wrote to memory of 3984 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe (3 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\8c78f687c3b90768775142ad9e32da50_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8c78f687c3b90768775142ad9e32da50_NeikiAnalytics.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 22:35 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4292 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\at.exe

at 22:36 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 22:37 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.187.234:443 chromewebstore.googleapis.com tcp
GB 142.250.187.234:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 234.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp

Files

memory/1260-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1260-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/1260-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1260-4-0x0000000000401000-0x000000000042E000-memory.dmp

memory/1260-2-0x00000000754F0000-0x000000007564D000-memory.dmp

memory/1260-7-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\System\explorer.exe

MD5 a45cc5b37bb7b6b9cfa1080212a859e4
SHA1 fb11700bbf03eaf4f444a9aef6f3c2d6ebbd4f1a
SHA256 e7cfb91f4d4316ad512f91c4a2836c2c4f9fd582b8ac945eda0fc2ffaafca08d
SHA512 8eb66634c4ab683c1e03d98542b2c2a32581cae3e8097379e21e32483687b6d8351af28c0de6ceebcb1ffb030902790d33a515205cddd0b709cc09e6393b025d

memory/4856-14-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4856-18-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4856-15-0x00000000754F0000-0x000000007564D000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 4b3713d44c2c5e9b6a5581fb981fe3b2
SHA1 00cdb7e1c0f1d0ac0eb018827bbbbd1de6afda40
SHA256 5974bd3fd2289afe3b9c63e37b9b551117dd1f7ac11b5a48c089d6c789c2498c
SHA512 5d7b3777e3b9ecbe7fe4c254236eec35be597182fc08661ab46a58dd80efa2fabc3f303a1bacce8f6ede795716aa772f0336cf68ae029491450b0e11fa280a46

memory/1904-27-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1260-31-0x0000000000401000-0x000000000042E000-memory.dmp

memory/1904-28-0x00000000754F0000-0x000000007564D000-memory.dmp

memory/1260-26-0x00000000001C0000-0x00000000001C4000-memory.dmp

C:\Windows\System\svchost.exe

MD5 62f2783f4902d5b8b6c566826c2868ad
SHA1 4fc1f72970952cf502dbf1d3612e3a00be64f05c
SHA256 0b206bc3a53dd1b1678c295d1ecf7a1d063f3516842036afe87e79871652daff
SHA512 5d15dc318e3b7e0ca60473037dcf2b0d5a11fbf3e74798bcbf5fd00d01b82efe0b9c90fc9e71bae38aa3b89e08b28e8777907b796b8994ae5ba6d56b72e28e04

memory/4356-39-0x00000000754F0000-0x000000007564D000-memory.dmp

memory/216-45-0x00000000754F0000-0x000000007564D000-memory.dmp

memory/216-50-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1904-53-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 9369eb4766fae1631e6bfb7294ff0a24
SHA1 e8434f0870ebb709ea290681e6166b8fb5e7a69c
SHA256 dbff88efcd1e67184a53f4a2bd653177c8d49621b8904bab1d7b3755164e1323
SHA512 c8f1c07bf3fa5a56c50f89910b1fe0466377949b3493e89b5e3323b94830ad92e2b8eddce14a256563833dba6d8a850b28db4cca983c7e7d4847c5e592460c59

memory/1260-55-0x0000000000401000-0x000000000042E000-memory.dmp

memory/1260-54-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4856-57-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4356-59-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4856-70-0x0000000000400000-0x0000000000431000-memory.dmp