Analysis
- max time kernel: 150s
- max time network: 51s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-06-2024 02:32

Static task: static1

Behavioral task: behavioral1
- Sample: 5771889b251164837e9a6c608ac6d280_NeikiAnalytics.exe
- Resource: win7-20240419-en

Behavioral task: behavioral2
- Sample: 5771889b251164837e9a6c608ac6d280_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 5771889b251164837e9a6c608ac6d280_NeikiAnalytics.exe
- Size: 206KB
- MD5: 5771889b251164837e9a6c608ac6d280
- SHA1: 1961588673fd950561906c26c237e98722aa5b0e
- SHA256: 9d62a406011dbe8aa463e912780962cbfa75d7a2ce55fd05241ad92e5eac257c
- SHA512: 005dc6d71b968bc2431d2331cae3281e45393b70cd137f7bf011c1abdccd408ef874ad8dfb50cd401994a06623a233c7f7a5592eadc6348d4ff83607976e26d3
- SSDEEP: 3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unLl:5vEN2U+T6i5LirrllHy4HUcMQY6Kl
Malware Config

Signatures

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (process: svchost.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
- Set value (int): \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: svchost.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: explorer.exe)
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: svchost.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (process: svchost.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: explorer.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (process: svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: svchost.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: svchost.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: svchost.exe)
Executes dropped EXE (4 IoCs)
- PID 3492: explorer.exe
- PID 4360: spoolsv.exe
- PID 2548: svchost.exe
- PID 1620: spoolsv.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (process: svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (process: svchost.exe)
Drops file in Windows directory (6 IoCs)
- File opened for modification: C:\Windows\system\udsys.exe (process: explorer.exe)
- File opened for modification: \??\c:\windows\system\explorer.exe (process: 5771889b251164837e9a6c608ac6d280_NeikiAnalytics.exe)
- File opened for modification: \??\c:\windows\system\spoolsv.exe (process: explorer.exe)
- File opened for modification: \??\c:\windows\system\svchost.exe (process: spoolsv.exe)
- File opened for modification: \??\c:\windows\system\explorer.exe (process: explorer.exe)
- File opened for modification: \??\c:\windows\system\svchost.exe (process: svchost.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 344: 5771889b251164837e9a6c608ac6d280_NeikiAnalytics.exe (2 rows)
- PID 3492: explorer.exe and PID 2548: svchost.exe (the remaining 62 rows alternate between these two processes)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
- PID 3492: explorer.exe
- PID 2548: svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
- PID 344: 5771889b251164837e9a6c608ac6d280_NeikiAnalytics.exe (2 rows)
- PID 3492: explorer.exe (2 rows)
- PID 4360: spoolsv.exe (2 rows)
- PID 2548: svchost.exe (2 rows)
- PID 1620: spoolsv.exe (2 rows)
- PID 3492: explorer.exe (2 rows)
Suspicious use of WriteProcessMemory (21 IoCs; each entry below is recorded 3 times)
- PID 344 wrote to memory of 3492 (process: 5771889b251164837e9a6c608ac6d280_NeikiAnalytics.exe, procid_target: 82)
- PID 3492 wrote to memory of 4360 (process: explorer.exe, procid_target: 83)
- PID 4360 wrote to memory of 2548 (process: spoolsv.exe, procid_target: 85)
- PID 2548 wrote to memory of 1620 (process: svchost.exe, procid_target: 87)
- PID 2548 wrote to memory of 1468 (process: svchost.exe, procid_target: 88)
- PID 2548 wrote to memory of 3916 (process: svchost.exe, procid_target: 98)
- PID 2548 wrote to memory of 3108 (process: svchost.exe, procid_target: 100)
Processes
- C:\Users\Admin\AppData\Local\Temp\5771889b251164837e9a6c608ac6d280_NeikiAnalytics.exe (command line: "C:\Users\Admin\AppData\Local\Temp\5771889b251164837e9a6c608ac6d280_NeikiAnalytics.exe") PID:344
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - \??\c:\windows\system\explorer.exe (command line: c:\windows\system\explorer.exe) PID:3492
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe SE) PID:4360
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - \??\c:\windows\system\svchost.exe (command line: c:\windows\system\svchost.exe) PID:2548
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - \??\c:\windows\system\spoolsv.exe (command line: c:\windows\system\spoolsv.exe PR) PID:1620
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        - C:\Windows\SysWOW64\at.exe (command line: at 02:34 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe) PID:1468
        - C:\Windows\SysWOW64\at.exe (command line: at 02:35 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe) PID:3916
        - C:\Windows\SysWOW64\at.exe (command line: at 02:36 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe) PID:3108
Network

MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (2)
    - Winlogon Helper DLL (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (2)
    - Winlogon Helper DLL (1)
Downloads