Analysis
max time kernel: 150s
max time network: 118s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 13-06-2024 02:32
Static task: static1
Behavioral task: behavioral1
  Sample: 5771889b251164837e9a6c608ac6d280_NeikiAnalytics.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 5771889b251164837e9a6c608ac6d280_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 5771889b251164837e9a6c608ac6d280_NeikiAnalytics.exe
Size: 206KB
MD5: 5771889b251164837e9a6c608ac6d280
SHA1: 1961588673fd950561906c26c237e98722aa5b0e
SHA256: 9d62a406011dbe8aa463e912780962cbfa75d7a2ce55fd05241ad92e5eac257c
SHA512: 005dc6d71b968bc2431d2331cae3281e45393b70cd137f7bf011c1abdccd408ef874ad8dfb50cd401994a06623a233c7f7a5592eadc6348d4ff83607976e26d3
SSDEEP: 3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unLl:5vEN2U+T6i5LirrllHy4HUcMQY6Kl
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Executes dropped EXE (4 IoCs)
  pid | Process
  2432 | explorer.exe
  2288 | spoolsv.exe
  2748 | svchost.exe
  2756 | spoolsv.exe
Loads dropped DLL (8 IoCs)
  pid | Process
  2036 | 5771889b251164837e9a6c608ac6d280_NeikiAnalytics.exe
  2036 | 5771889b251164837e9a6c608ac6d280_NeikiAnalytics.exe
  2432 | explorer.exe
  2432 | explorer.exe
  2288 | spoolsv.exe
  2288 | spoolsv.exe
  2748 | svchost.exe
  2748 | svchost.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Drops file in Windows directory (6 IoCs)
  description | ioc | Process
  File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
  File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
  File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\explorer.exe | 5771889b251164837e9a6c608ac6d280_NeikiAnalytics.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2036 | 5771889b251164837e9a6c608ac6d280_NeikiAnalytics.exe
  2432 | explorer.exe (repeated hits)
  2748 | svchost.exe (repeated hits)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | Process
  2432 | explorer.exe
  2748 | svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
  pid | Process
  2036 | 5771889b251164837e9a6c608ac6d280_NeikiAnalytics.exe
  2036 | 5771889b251164837e9a6c608ac6d280_NeikiAnalytics.exe
  2432 | explorer.exe
  2432 | explorer.exe
  2288 | spoolsv.exe
  2288 | spoolsv.exe
  2748 | svchost.exe
  2748 | svchost.exe
  2756 | spoolsv.exe
  2756 | spoolsv.exe
  2432 | explorer.exe
  2432 | explorer.exe
Suspicious use of WriteProcessMemory (28 IoCs; each distinct row below was logged 4 times)
  description | pid | Process | procid_target
  PID 2036 wrote to memory of 2432 | 2036 | 5771889b251164837e9a6c608ac6d280_NeikiAnalytics.exe | 28
  PID 2432 wrote to memory of 2288 | 2432 | explorer.exe | 29
  PID 2288 wrote to memory of 2748 | 2288 | spoolsv.exe | 30
  PID 2748 wrote to memory of 2756 | 2748 | svchost.exe | 31
  PID 2748 wrote to memory of 2632 | 2748 | svchost.exe | 32
  PID 2748 wrote to memory of 1672 | 2748 | svchost.exe | 36
  PID 2748 wrote to memory of 2004 | 2748 | svchost.exe | 38
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\5771889b251164837e9a6c608ac6d280_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5771889b251164837e9a6c608ac6d280_NeikiAnalytics.exe"
  PID: 2036
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Level 2: \??\c:\windows\system\explorer.exe
    Command line: c:\windows\system\explorer.exe
    PID: 2432
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Level 3: \??\c:\windows\system\spoolsv.exe
      Command line: c:\windows\system\spoolsv.exe SE
      PID: 2288
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      Level 4: \??\c:\windows\system\svchost.exe
        Command line: c:\windows\system\svchost.exe
        PID: 2748
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        Level 5: \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe PR
          PID: 2756
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        Level 5: C:\Windows\SysWOW64\at.exe
          Command line: at 02:34 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 2632
        Level 5: C:\Windows\SysWOW64\at.exe
          Command line: at 02:35 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 1672
        Level 5: C:\Windows\SysWOW64\at.exe
          Command line: at 02:36 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 2004
Network
MITRE ATT&CK Enterprise v15
Persistence
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (2)
    - Winlogon Helper DLL (1)
Privilege Escalation
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (2)
    - Winlogon Helper DLL (1)
Downloads