Malware Analysis Report

2024-09-09 20:14

Sample ID 240613-2tqj6axfpn
Target 8dd2b1e33f02ca6eeb0f93757e194ce0_NeikiAnalytics.exe
SHA256 b94ba828a6c0b387882445f2bc344a339e1a55c031e173643462f4a95075144f
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b94ba828a6c0b387882445f2bc344a339e1a55c031e173643462f4a95075144f

Threat Level: Known bad

The file 8dd2b1e33f02ca6eeb0f93757e194ce0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Modifies Installed Components in the registry

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-13 22:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 22:52

Reported

2024-06-13 22:55

Platform

win7-20240221-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8dd2b1e33f02ca6eeb0f93757e194ce0_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A
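The registry rows above are the persistence and evasion core of this sample: the Winlogon Shell value is rewritten to a comma-separated list so Winlogon starts the dropped c:\windows\system\explorer.exe next to the real shell, an Active Setup Installed Components key gets a StubPath that runs mrsys.exe from the user's roaming profile the next time a user who has not yet "installed" that component logs on, RunOnce entries relaunch the dropped explorer.exe and svchost.exe, and ShowSuperHidden is forced to 0 so Explorer keeps the dropped files hidden. Because the sample is 32-bit, all of the HKLM writes land under Wow6432Node. The following Python is an added example, not part of the sandbox report or its tooling: it parses rows in this report's flattened "Description Indicator Process Target" format into registry events, folds Wow6432Node into the logical key so 32-bit and 64-bit writes compare equal, and tags rows that hit the autostart locations seen here. The sample rows are copied from the tables above; the tag names and the HKLM/HKU spelling are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Rows copied from the behavioral1 signature tables of this report (a subset,
# constructed as test input). Format: Description Indicator Process Target.
SAMPLE_ROWS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
'''

# 'Set value (<type>) <key\value> = "<data>" <process> <target>'
SET_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<path>.+?) = "(?P<data>[^"]*)" (?P<proc>\S+) (?P<target>\S+)$')
# 'Key created|deleted <key> <process> <target>'; the key contains spaces, so the
# greedy path group leaves exactly the last two tokens for process and target.
KEY_RE = re.compile(r'^Key (?P<op>created|deleted) (?P<path>.+) (?P<proc>\S+) (?P<target>\S+)$')


@dataclass
class RegEvent:
    op: str                 # "set", "created" or "deleted"
    key: str                # logical key without the value name
    value: Optional[str]    # value name for "set" rows, None for key create/delete
    data: Optional[str]     # unescaped value data for "set" rows
    process: str            # process that made the change


def normalize_key(path: str) -> str:
    # Drop the WOW6432Node redirection node (32-bit writers land there on 64-bit
    # Windows) and rename the NT-native hive roots to the usual HKLM / HKU spelling.
    key = re.sub(r'\\wow6432node', '', path, flags=re.IGNORECASE)
    key = re.sub(r'^\\REGISTRY\\MACHINE', 'HKLM', key, flags=re.IGNORECASE)
    key = re.sub(r'^\\REGISTRY\\USER', 'HKU', key, flags=re.IGNORECASE)
    return key


def parse_rows(text: str) -> List[RegEvent]:
    events: List[RegEvent] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SET_RE.match(line)
        if m:
            key, _, value = m.group('path').rpartition('\\')
            # The report doubles backslashes inside string data; undo that.
            data = m.group('data').replace('\\\\', '\\')
            events.append(RegEvent('set', normalize_key(key), value, data, m.group('proc')))
            continue
        m = KEY_RE.match(line)
        if m:
            events.append(RegEvent(m.group('op'), normalize_key(m.group('path')), None, None, m.group('proc')))
    return events


def classify(ev: RegEvent) -> Optional[str]:
    # Tag names are my own; each branch matches one autostart or evasion location
    # observed in this report.
    if ev.op != 'set':
        return None
    key = ev.key.lower()
    val = (ev.value or '').lower()
    data = (ev.data or '').strip()
    if key.endswith('\\windows nt\\currentversion\\winlogon') and val == 'shell':
        # The default Shell data is exactly "explorer.exe"; Winlogon runs every
        # comma-separated entry, so any extra program is a shell hijack.
        if data.lower() != 'explorer.exe':
            return 'winlogon-shell'
    if '\\active setup\\installed components\\' in key and val == 'stubpath':
        return 'active-setup-stubpath'
    if key.endswith('\\currentversion\\run') or key.endswith('\\currentversion\\runonce'):
        return 'autorun'
    if key.endswith('\\explorer\\advanced') and val == 'showsuperhidden' and data == '0':
        return 'hide-system-files'
    return None


def persistence_findings(text: str):
    """(tag, key\\value, data, writing process) for every row that hits a watched location."""
    out = []
    for ev in parse_rows(text):
        tag = classify(ev)
        if tag:
            out.append((tag, ev.key + '\\' + (ev.value or ''), ev.data, ev.process))
    return out


if __name__ == '__main__':
    for tag, where, data, proc in persistence_findings(SAMPLE_ROWS):
        print(f'{tag:22} {where} = {data!r}  by {proc}')
```

Folding Wow6432Node matters for detection content as well as for this parser: a rule that only watches HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon will miss this sample, because every one of its HKLM writes goes to the redirected 32-bit view.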

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\8dd2b1e33f02ca6eeb0f93757e194ce0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dd2b1e33f02ca6eeb0f93757e194ce0_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 912 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\8dd2b1e33f02ca6eeb0f93757e194ce0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 912 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\8dd2b1e33f02ca6eeb0f93757e194ce0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 912 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\8dd2b1e33f02ca6eeb0f93757e194ce0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 912 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\8dd2b1e33f02ca6eeb0f93757e194ce0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 3060 wrote to memory of 2568 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3060 wrote to memory of 2568 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3060 wrote to memory of 2568 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3060 wrote to memory of 2568 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2568 wrote to memory of 2340 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2568 wrote to memory of 2340 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2568 wrote to memory of 2340 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2568 wrote to memory of 2340 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2340 wrote to memory of 2572 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2340 wrote to memory of 2572 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2340 wrote to memory of 2572 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2340 wrote to memory of 2572 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2340 wrote to memory of 1960 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2340 wrote to memory of 1960 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2340 wrote to memory of 1960 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2340 wrote to memory of 1960 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2340 wrote to memory of 2556 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2340 wrote to memory of 2556 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2340 wrote to memory of 2556 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2340 wrote to memory of 2556 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2340 wrote to memory of 1828 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2340 wrote to memory of 1828 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2340 wrote to memory of 1828 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2340 wrote to memory of 1828 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8dd2b1e33f02ca6eeb0f93757e194ce0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8dd2b1e33f02ca6eeb0f93757e194ce0_NeikiAnalytics.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 22:54 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 22:55 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 22:56 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
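The WriteProcessMemory rows and the Processes list together describe a fixed launch chain: the submitted sample starts the dropped c:\windows\system\explorer.exe, which starts spoolsv.exe (argument SE), which starts svchost.exe, which in turn starts a second spoolsv.exe (argument PR) and three at.exe jobs that re-run svchost.exe every day of the week at three consecutive minutes. The Windows 10 run (behavioral2) shows the same chain with different PIDs. Note that the report only shows the at.exe command lines; it does not show whether the Schedule service accepted the jobs, and at.exe is deprecated in favour of schtasks.exe. The following Python is an added example, not from the report or the sandbox: it rebuilds the process tree from the flattened WriteProcessMemory rows (the sandbox logs one row per write, so repeated parent/child pairs are collapsed) and parses the at.exe command lines into a schedule. Rows and commands are copied from the behavioral1 tables above; the field names in the returned dicts are my own.

```python
import re
from typing import Dict, List, Optional

# Rows copied from the behavioral1 "Suspicious use of WriteProcessMemory" table
# (one representative row per parent/child pair, plus a duplicate to show collapsing).
WPM_ROWS = r'''
PID 912 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\8dd2b1e33f02ca6eeb0f93757e194ce0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 912 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\8dd2b1e33f02ca6eeb0f93757e194ce0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 3060 wrote to memory of 2568 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2568 wrote to memory of 2340 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2340 wrote to memory of 2572 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2340 wrote to memory of 1960 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2340 wrote to memory of 2556 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2340 wrote to memory of 1828 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
'''

# at.exe command lines copied from the behavioral1 "Processes" list.
AT_CMDS = [
    r'at 22:54 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe',
    r'at 22:55 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe',
    r'at 22:56 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe',
]

# 'PID <ppid> wrote to memory of <pid> <indicator> <parent image> <child image>'
WPM_RE = re.compile(r'^PID (?P<ppid>\d+) wrote to memory of (?P<pid>\d+) \S+ (?P<parent>\S+) (?P<child>\S+)$')
# 'at HH:MM [/switch ...] <command>'
AT_RE = re.compile(r'^at (?P<time>\d{1,2}:\d{2})(?P<opts>(?: /\S+)*) (?P<cmd>.+)$')


def build_tree(text: str):
    """Return (images, children): pid -> image path and ppid -> ordered child pids."""
    images: Dict[int, str] = {}
    children: Dict[int, List[int]] = {}
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        ppid, pid = int(m['ppid']), int(m['pid'])
        images.setdefault(ppid, m['parent'])
        images.setdefault(pid, m['child'])
        kids = children.setdefault(ppid, [])
        if pid not in kids:          # collapse the one-row-per-write repetition
            kids.append(pid)
    return images, children


def root_pids(images: Dict[int, str], children: Dict[int, List[int]]) -> List[int]:
    """PIDs that never appear as a child; in this report that is the submitted sample."""
    child_set = {c for kids in children.values() for c in kids}
    return [p for p in images if p not in child_set]


def render_tree(images, children, pid: int, depth: int = 0) -> List[str]:
    """Indented one-line-per-process view of the chain under pid."""
    lines = ['  ' * depth + f'{pid} {images[pid]}']
    for kid in children.get(pid, []):
        lines.extend(render_tree(images, children, kid, depth + 1))
    return lines


def parse_at(cmd: str) -> Optional[dict]:
    """Split an at.exe job into start time, switches and the scheduled command."""
    m = AT_RE.match(cmd.strip())
    if not m:
        return None
    opts = m['opts'].split()
    days = None
    for o in opts:
        if o.lower().startswith('/every:'):
            days = o.split(':', 1)[1].split(',')
    return {
        'time': m['time'],
        'interactive': any(o.lower() == '/interactive' for o in opts),
        'days': days,
        'command': m['cmd'],
    }


def schedule_summary(cmds: List[str]) -> List[dict]:
    """Parsed jobs, each flagged 'daily' when /every names all seven days."""
    jobs = [j for j in (parse_at(c) for c in cmds) if j]
    for j in jobs:
        j['daily'] = j['days'] is not None and len(set(j['days'])) == 7
    return jobs


if __name__ == '__main__':
    images, children = build_tree(WPM_ROWS)
    for root in root_pids(images, children):
        print('\n'.join(render_tree(images, children, root)))
    for job in schedule_summary(AT_CMDS):
        print(job)
```

The chain is worth encoding as a hunt rule on its own: a process named explorer.exe, spoolsv.exe or svchost.exe whose image lives in c:\windows\system\ rather than C:\Windows\ or C:\Windows\System32\ has no legitimate reason to exist, and a user-mode svchost.exe spawning at.exe is equally out of place.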

Network

N/A

Files

memory/912-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/912-1-0x0000000000020000-0x0000000000024000-memory.dmp

memory/912-2-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/912-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/912-4-0x0000000000401000-0x000000000042E000-memory.dmp

\Windows\system\explorer.exe

MD5 bd90939f8c18255710b1bb3ae2e23a1f
SHA1 b2569e5da708d05bc8b4c99e7ff2563f8d462e2f
SHA256 d75938df7321bef21c6ae2321673a987fd5c355b51a4dcd018ab0cc7ea74a5c6
SHA512 7a6c67da278877e3ca5b115e8151d9f41929f147c8c4a77eb6e695ba4f8241c11a60ef1be2550efb5e88a13e6d8f211012c4e9657fb7b468158ca112c73606d7

memory/3060-20-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3060-18-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/912-16-0x00000000006F0000-0x0000000000721000-memory.dmp

\Windows\system\spoolsv.exe

MD5 46f4583bf985036de76a90f75e4e2d09
SHA1 83d218b4fe7948d3190fa11f5e5d51d48f143409
SHA256 1f111fd63fb3a74e68a447d25aded880d1e2efe30c8534f983e37aea9870b240
SHA512 4660db55b25195de0be6c29893b1a8754eb95f2a70fb41fb668681917687eeb02b0fe61a805ced45787b950cf40e3324a209d674c07a419e44a65841e82b31ed

memory/2568-35-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3060-34-0x0000000002690000-0x00000000026C1000-memory.dmp

memory/2568-36-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2568-41-0x0000000000400000-0x0000000000431000-memory.dmp

\Windows\system\svchost.exe

MD5 373e070e175a7819b1b5ea6618c0de92
SHA1 6717ad4e4b9dc496997f79526a04c02ba09d288a
SHA256 eb86d6cfa291510c73a5c336b8926032db26891b66ae73466f0d4b88713d08f3
SHA512 be83799e27ce42572770f00df938006514af5d258a0d6482d35a641271fd6a37177785063665057e8a416fb28c59f0e626be222ed173764c4128761b775fb44c

memory/2340-52-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2340-59-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2340-64-0x0000000000390000-0x00000000003C1000-memory.dmp

memory/912-63-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2340-57-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2568-55-0x0000000002620000-0x0000000002651000-memory.dmp

memory/2572-66-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2572-72-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2568-76-0x0000000000400000-0x0000000000431000-memory.dmp

memory/912-79-0x0000000000401000-0x000000000042E000-memory.dmp

memory/912-78-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 230e2f4f9c41c8abc57faf124b987134
SHA1 6e520af9ac42ca78fac317199aa44b4ae5251465
SHA256 c3e46f886c7b2d2bdec41d91d32dabcc86b862473b69bf5728516173edddbbdc
SHA512 d1114462fd8a465d6a73fd65791806f5729c44ad2b83e19d9b689ab85a11c4046686eb79c6d6b2f3d63fd799c2771bb7a87375d6559469e32c8f48b7916943e1

memory/3060-81-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2340-83-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3060-92-0x0000000000400000-0x0000000000431000-memory.dmp

\??\PIPE\atsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 22:52

Reported

2024-06-13 22:55

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8dd2b1e33f02ca6eeb0f93757e194ce0_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\8dd2b1e33f02ca6eeb0f93757e194ce0_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dd2b1e33f02ca6eeb0f93757e194ce0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8dd2b1e33f02ca6eeb0f93757e194ce0_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1680 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\8dd2b1e33f02ca6eeb0f93757e194ce0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 1680 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\8dd2b1e33f02ca6eeb0f93757e194ce0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 1680 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\8dd2b1e33f02ca6eeb0f93757e194ce0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 2672 wrote to memory of 1060 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2672 wrote to memory of 1060 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2672 wrote to memory of 1060 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1060 wrote to memory of 3984 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 1060 wrote to memory of 3984 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 1060 wrote to memory of 3984 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 3984 wrote to memory of 1852 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 3984 wrote to memory of 1852 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 3984 wrote to memory of 1852 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 3984 wrote to memory of 3904 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3984 wrote to memory of 3904 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3984 wrote to memory of 3904 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3984 wrote to memory of 4860 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3984 wrote to memory of 4860 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3984 wrote to memory of 4860 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3984 wrote to memory of 2280 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3984 wrote to memory of 2280 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3984 wrote to memory of 2280 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8dd2b1e33f02ca6eeb0f93757e194ce0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8dd2b1e33f02ca6eeb0f93757e194ce0_NeikiAnalytics.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 22:54 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 22:55 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 22:56 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Files

memory/1680-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/1680-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1680-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1680-2-0x0000000075AB0000-0x0000000075C0D000-memory.dmp

memory/1680-4-0x0000000000401000-0x000000000042E000-memory.dmp

C:\Windows\System\explorer.exe

MD5 eb939894e0a3c62c7b2fb6d27d836dde
SHA1 36d69cc35a407c66ab834c0da5357ab791284fbd
SHA256 2f25f33b47ece38bc0ea6ec3e3875ce730b10a987b59e97fa8d55027be3fd755
SHA512 eb2661002bb7d8928323aa98126c2ecbef86a04bb70047909dd78cda120a11c13443bf471dcb97f2c5e6f6ce6057966823a28d19110c371208d7c1242b5aac40

memory/2672-14-0x0000000075AB0000-0x0000000075C0D000-memory.dmp

memory/2672-16-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2672-13-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 f7d3abc5c534e5acf1936d1978831989
SHA1 17402ea1bee30aff6429d5837d7ae3846389f1dd
SHA256 2e3681c54f5cdbc14c78c20cfbe77b2f6722cea39c9fdf92d969faa50bc4f118
SHA512 5ba664244bc404029eeb08f27d5638bf45811c0128d0f32d1387a390302c077594ba6b1bb69e9b9d8311e2086c09809a1f61a4109c783f91f26c5856179cdad2

memory/1060-25-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1060-26-0x0000000075AB0000-0x0000000075C0D000-memory.dmp

memory/1060-31-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\System\svchost.exe

MD5 84531e79f82d53112cd42be4cfa2a9d5
SHA1 e9d5c8ea15c9231a34a9626306979ebe86f5b70d
SHA256 e0aef42db09f8029640b11af023181e801e391414d41c32207860bfb2dc9e576
SHA512 e4e829768a497cd9c84df474c6bfdc182e10d70f2a5ffbac44d024cd5c80fa1f8d9d0d162b9b23d5449f569a766add49b6a87a49228f995fd06e683c7a1ada7d

memory/3984-37-0x0000000075AB0000-0x0000000075C0D000-memory.dmp

memory/1852-44-0x0000000075AB0000-0x0000000075C0D000-memory.dmp

memory/1852-43-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1852-52-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1060-53-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1680-56-0x0000000000401000-0x000000000042E000-memory.dmp

memory/1680-55-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 1432f37ac10ee2e035ea8fba4bec3f00
SHA1 0f7d5bb644fc084c4df8f1d30ed2eb096441bb6b
SHA256 0c1e8f438a89004c5d39540f1837453d24db4264dbdc9ecac53ae9166bae43ab
SHA512 2191fd8e6347d9e2fdca50e9c6350ac1df94e9f5a00e0863db3e4480bfd153091bf6a18c258c9271d59f5e6150250610d209354672b1a4e7bb548d187cf058f8

memory/2672-58-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3984-60-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2672-69-0x0000000000400000-0x0000000000431000-memory.dmp

\??\PIPE\atsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
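Comparing the Files sections of the two runs shows that every dropped executable (explorer.exe, spoolsv.exe, svchost.exe, mrsys.exe) has a different SHA256 on Windows 7 than on Windows 10, so the hashes of the dropped files are per-infection values and poor indicators; the paths, the registry keys and the at.exe schedule are what stays constant. The one hash that does match across runs is \??\PIPE\atsvc, and it is the hash of empty input (MD5 d41d8cd9..., SHA256 e3b0c442...), meaning the sandbox captured no pipe content and the entry carries no signal. The following Python is an added example, not part of the report or the sandbox: it parses the Files entries of both runs, normalises the two spellings of the same path so they compare equal, reports which artefacts kept their SHA256, and flags entries whose hash is that of zero bytes. Only the path and SHA256 lines are copied from the report; treating a bare \Windows\... path as being on drive C: is my assumption, since the report omits the drive letter in the Windows 7 run.

```python
import hashlib
import re
from typing import Dict, List

# Path and SHA256 lines copied from the "Files" sections above (MD5/SHA1/SHA512
# lines omitted for brevity). RUN1 is win7-20240221-en, RUN2 is win10v2004-20240508-en.
RUN1_FILES = r'''
\Windows\system\explorer.exe
SHA256 d75938df7321bef21c6ae2321673a987fd5c355b51a4dcd018ab0cc7ea74a5c6
\Windows\system\spoolsv.exe
SHA256 1f111fd63fb3a74e68a447d25aded880d1e2efe30c8534f983e37aea9870b240
\Windows\system\svchost.exe
SHA256 eb86d6cfa291510c73a5c336b8926032db26891b66ae73466f0d4b88713d08f3
C:\Users\Admin\AppData\Roaming\mrsys.exe
SHA256 c3e46f886c7b2d2bdec41d91d32dabcc86b862473b69bf5728516173edddbbdc
\??\PIPE\atsvc
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
'''

RUN2_FILES = r'''
C:\Windows\System\explorer.exe
SHA256 2f25f33b47ece38bc0ea6ec3e3875ce730b10a987b59e97fa8d55027be3fd755
C:\Windows\System\spoolsv.exe
SHA256 2e3681c54f5cdbc14c78c20cfbe77b2f6722cea39c9fdf92d969faa50bc4f118
C:\Windows\System\svchost.exe
SHA256 e0aef42db09f8029640b11af023181e801e391414d41c32207860bfb2dc9e576
C:\Users\Admin\AppData\Roaming\mrsys.exe
SHA256 0c1e8f438a89004c5d39540f1837453d24db4264dbdc9ecac53ae9166bae43ab
\??\PIPE\atsvc
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
'''

HASH_RE = re.compile(r'^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$')
EMPTY_SHA256 = hashlib.sha256(b'').hexdigest()   # hash of zero bytes


def normalize_path(p: str) -> str:
    # Strip the NT object-manager prefix the report uses for some entries.
    p = re.sub(r'^\\\?\?\\', '', p)
    # Assumption: a path with no drive letter is on C: (the report omits the drive in run 1).
    if p.startswith('\\'):
        p = 'C:' + p
    return p.lower()


def parse_files(text: str) -> Dict[str, Dict[str, str]]:
    # path -> {algorithm: hexdigest}; memory/... dump lines are ignored.
    files: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('memory/'):
            continue
        m = HASH_RE.match(line)
        if m:
            if current is not None:
                files[current][m.group(1)] = m.group(2).lower()
        else:
            current = normalize_path(line)
            files.setdefault(current, {})
    return files


def stable_across_runs(a: Dict[str, Dict[str, str]], b: Dict[str, Dict[str, str]]) -> Dict[str, bool]:
    # For every artefact present in both runs: did its SHA256 stay the same?
    return {p: a[p].get('SHA256') == b[p].get('SHA256') for p in a.keys() & b.keys()}


def empty_content_entries(files: Dict[str, Dict[str, str]]) -> List[str]:
    # Entries whose recorded SHA256 is that of zero bytes: no content was captured.
    return sorted(p for p, h in files.items() if h.get('SHA256') == EMPTY_SHA256)


if __name__ == '__main__':
    r1, r2 = parse_files(RUN1_FILES), parse_files(RUN2_FILES)
    for path, same in sorted(stable_across_runs(r1, r2).items()):
        print(f"{'same   ' if same else 'differs'}  {path}")
    print('empty-content entries:', empty_content_entries(r1))
```

When turning a report like this into blocking indicators, keep the parent sample's hash (b94ba828...) and drop the dropped-file hashes; the two runs demonstrate that they will not match the next infection.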