Analysis
max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 13-06-2024 02:17
Static task: static1
Behavioral task: behavioral1
  Sample: 5669dad4caa24be995a62af657b34270_NeikiAnalytics.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 5669dad4caa24be995a62af657b34270_NeikiAnalytics.exe
  Resource: win10v2004-20240611-en
General
Target: 5669dad4caa24be995a62af657b34270_NeikiAnalytics.exe
Size: 206KB
MD5: 5669dad4caa24be995a62af657b34270
SHA1: 1d678b256f6d0c06d732346ba84e81815fc7efff
SHA256: 5872ec205ce65b045bb15b876c42e4f5ecf10d66fcec5c61aac0d54c758df24f
SHA512: ff6b58442f788b8c19cc0902f2b116af50d67de49d885fc9d9da70f57ee5ff6c5060463ebdecf0b981106a4bd1a00b252543d265ef912b18f9edeba1a8b1b9ba
SSDEEP: 3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unL8VVVVVVVVVVVVVVVVVVVVu:5vEN2U+T6i5LirrllHy4HUcMQY6KP
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Note: the Shell value is a comma-separated list that winlogon starts in order; the sample keeps the real explorer.exe first and appends its dropped copy, so the desktop still comes up normally. The write lands under Wow6432Node because the sample is 32-bit and the Winlogon key is redirected on x64; winlogon.exe itself is a 64-bit process that reads the native key, so on an x64 host this value is written but unlikely to be consumed.
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Note: ShowSuperHidden = 0 is the Windows default ("Hide protected operating system files" checked), so the value on its own proves nothing on a live host; the indicator is the registry write coming from a process other than Explorer's settings UI.
Modifies Installed Components in the registry 2 TTPs 8 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Note: Active Setup runs a component's StubPath once per user at the next interactive logon whenever the HKCU copy of that component key is missing or carries a lower Version. The component names here are not valid GUIDs (they contain letters outside 0-9/A-F), which Active Setup does not validate, and the stub points at a file in the user's AppData\Roaming rather than a system location; both are strong hunting signals.
Executes dropped EXE 4 IoCs
pid | Process
2388 | explorer.exe
2776 | spoolsv.exe
2708 | svchost.exe
2092 | spoolsv.exe
Loads dropped DLL 8 IoCs
pid | Process | hits
2200 | 5669dad4caa24be995a62af657b34270_NeikiAnalytics.exe | 2
2388 | explorer.exe | 2
2776 | spoolsv.exe | 2
2708 | svchost.exe | 2
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Note: RunOnce values are deleted as they are executed, so one entry buys a single extra start. Both dropped processes rewrite both values, which re-arms the entries on every run. The value names "Explorer" and "Svchost" mimic system components, but the targets are in c:\windows\system, not System32.
Drops file in Windows directory 6 IoCs
description | ioc | Process
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
File opened for modification | \??\c:\windows\system\explorer.exe | 5669dad4caa24be995a62af657b34270_NeikiAnalytics.exe
Note: c:\windows\system is the legacy 16-bit directory, distinct from System32 and SysWOW64, so explorer.exe, spoolsv.exe and svchost.exe there collide with the genuine binaries only by name. Process-tree views that show the image name without the full path will make these look legitimate.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | hits
2200 | 5669dad4caa24be995a62af657b34270_NeikiAnalytics.exe | 1
2388 | explorer.exe | 33
2708 | svchost.exe | 30
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
2388 | explorer.exe
2708 | svchost.exe
Suspicious use of SetWindowsHookEx 12 IoCs
pid | Process | hits
2200 | 5669dad4caa24be995a62af657b34270_NeikiAnalytics.exe | 2
2388 | explorer.exe | 4
2776 | spoolsv.exe | 2
2708 | svchost.exe | 2
2092 | spoolsv.exe | 2
Suspicious use of WriteProcessMemory 28 IoCs
description | pid | Process | procid_target (each pair is logged four times)
PID 2200 wrote to memory of 2388 | 2200 | 5669dad4caa24be995a62af657b34270_NeikiAnalytics.exe | 28
PID 2388 wrote to memory of 2776 | 2388 | explorer.exe | 29
PID 2776 wrote to memory of 2708 | 2776 | spoolsv.exe | 30
PID 2708 wrote to memory of 2092 | 2708 | svchost.exe | 31
PID 2708 wrote to memory of 2496 | 2708 | svchost.exe | 32
PID 2708 wrote to memory of 1864 | 2708 | svchost.exe | 36
PID 2708 wrote to memory of 2252 | 2708 | svchost.exe | 38
Processes
C:\Users\Admin\AppData\Local\Temp\5669dad4caa24be995a62af657b34270_NeikiAnalytics.exe  (PID 2200, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\5669dad4caa24be995a62af657b34270_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  \??\c:\windows\system\explorer.exe  (PID 2388, level 2)
    command line: c:\windows\system\explorer.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    \??\c:\windows\system\spoolsv.exe  (PID 2776, level 3)
      command line: c:\windows\system\spoolsv.exe SE
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      \??\c:\windows\system\svchost.exe  (PID 2708, level 4)
        command line: c:\windows\system\svchost.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        \??\c:\windows\system\spoolsv.exe  (PID 2092, level 5)
          command line: c:\windows\system\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\at.exe  (PID 2496, level 5)
          command line: at 02:19 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        C:\Windows\SysWOW64\at.exe  (PID 1864, level 5)
          command line: at 02:20 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        C:\Windows\SysWOW64\at.exe  (PID 2252, level 5)
          command line: at 02:21 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Note: the chain is sample -> dropped explorer.exe -> spoolsv.exe (SE) -> svchost.exe, which then spawns a second spoolsv.exe (PR) and three at.exe jobs. The jobs run c:\windows\system\svchost.exe daily at 02:19, 02:20 and 02:21, two to four minutes after submission (02:17), so the scheduled-task path fires inside the analysis window. at.exe needs administrative rights and the Task Scheduler service, and from Windows 8 onward it is deprecated and only prints a message instead of creating jobs, so this path is Win7-specific. at.exe being launched from SysWOW64 confirms the sample is a 32-bit binary running under WOW64.
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Note: the matrix above covers only the Run key and Winlogon findings; the Active Setup StubPath entries (T1547.014) and the at.exe jobs (T1053.002) reported in the signatures and process tree are not mapped here.
Downloads
Filesize: 207KB
MD5: bc57a92e4785249fd922e26a3060cb0f
SHA1: e8f951161192a9de15f1f0362dd41b890c6755c5
SHA256: e1bc24587515115b7ed90be43ec507d0c93bbeda9ed84240c839c6b9bad217f5
SHA512: 8caf6e99f90e74f05d9ea1133c9c25fa9eb4651c0e2776e986ac02ea76b30802baa74b73f50d66b4199a3babcb97b467409ebed4750389aa384b0feb6ca2d118

Filesize: 206KB
MD5: a4be40c2016aff42532cb1d4eee0cc8b
SHA1: d0998912fb67abf4a8b38ab03213c624735ba776
SHA256: 97fa10b0469ac0548855d826459544aaca75c051539641193d397f0d42cfa768
SHA512: 118eb7b77ffa5e582a89f5a7d7264e8094424ab20139f29ae7e0f8c035259b15492d3bdecbeaab25c5c040fcd5051c80a331e86c2148b95167b02c4d535e6628

Filesize: 207KB
MD5: dda0666db1f2f42244a2166b7799ef6f
SHA1: 943457c8907d5f497d536d05296597b463f4fd89
SHA256: 6d05169bfeff7c2eb120d029ebd18cac1f32af89f3c820115dad3783572b09fc
SHA512: 2a1108c9b663f9e7c3dfd665f746f1b25aebc1670fff28de7d58736415413ca943460823ee5c459795a497d0662333628e29e5d0de81e5b30c2b729490c1ec2c

Filesize: 206KB
MD5: f37a5c2e8238f63a4d99e5265ece55e9
SHA1: 8b2fc95493236ad9a26c56d15a10bc72d8868844
SHA256: a5eb06ad407c8c1ae908b770ee7cdcb29cdd20b8a9378bfe8b2a10453886dff8
SHA512: 0330903a6f8148e55faefeb0ca66610713fa4ffd23d3b9ded0949a442b6050c899e38f0df6be3759c80db1c6423f9c6e315249e4bd0a3565271d39234576c332
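The PowerShell hunt script below is an added example, not sandbox output and not code from the sample; it turns the indicators from the signature tables, the process tree and the Downloads hash list above into checks that can be run on a live host. It assumes an elevated 64-bit PowerShell 4 or later session (so both registry views are visible and Get-FileHash exists). Every path, value name and hash is copied from this report; the detection rules (anything beyond explorer.exe in Winlogon\Shell, a StubPath under a user profile, a scheduled task whose action lives in c:\windows\system) are ours. It deliberately does not test ShowSuperHidden, because 0 is the Windows default and only the write event is meaningful.

```powershell
# Added triage script for the indicators in this report; it is not part of the sandbox output.
# Assumptions: elevated 64-bit PowerShell 4+ on the host being checked. All paths, value names and
# hashes are copied from the report; the matching rules are our own.
$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Kind, [string]$Where, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Where = $Where; Detail = $Detail })
}

# 1. Winlogon\Shell is a comma-separated list; a clean host has exactly "explorer.exe".
#    The 32-bit sample wrote the Wow6432Node view, which 64-bit winlogon does not read; check both.
$winlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
foreach ($k in $winlogonKeys) {
    $shell = (Get-ItemProperty -Path $k -Name Shell).Shell
    foreach ($entry in @($shell -split ',')) {
        $e = $entry.Trim()
        if ($e -and $e -notmatch '^(C:\\Windows\\)?explorer\.exe$') { Add-Finding 'Winlogon Shell' $k $e }
    }
}

# 2. RunOnce values that launch the dropped copies (report: Explorer and Svchost values pointing
#    into c:\windows\system, rewritten by both payload processes).
$dropped = '\\windows\\system\\(explorer|spoolsv|svchost|udsys)\.exe'
$runOnceKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($k in $runOnceKeys) {
    $props = Get-ItemProperty -Path $k
    foreach ($p in @($props.PSObject.Properties)) {
        # PS* properties are provider metadata (PSPath, PSParentPath, ...), not registry values
        if ($p.Name -notlike 'PS*' -and "$($p.Value)" -match $dropped) {
            Add-Finding 'RunOnce' "$k\$($p.Name)" $p.Value
        }
    }
}

# 3. Active Setup: StubPath runs once per user at next logon. The report's entries use fake GUIDs
#    and point at %APPDATA%\mrsys.exe; flag any stub under a user profile or named mrsys.exe.
foreach ($root in @('HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
                    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components')) {
    foreach ($comp in @(Get-ChildItem -Path $root)) {
        $stub = (Get-ItemProperty -Path $comp.PSPath -Name StubPath).StubPath
        if ($stub -and (($stub -match '\\Users\\[^\\]+\\AppData\\') -or ($stub -match 'mrsys\.exe'))) {
            Add-Finding 'Active Setup' $comp.PSChildName $stub
        }
    }
}

# 4. Dropped files. Any file at these paths is suspicious (c:\windows\system is the legacy 16-bit
#    directory, not System32); a SHA-256 hit against the report's hashes is confirmation only.
$knownSha256 = @(
    '5872ec205ce65b045bb15b876c42e4f5ecf10d66fcec5c61aac0d54c758df24f',  # submitted sample
    'e1bc24587515115b7ed90be43ec507d0c93bbeda9ed84240c839c6b9bad217f5',  # dropped files listed
    '97fa10b0469ac0548855d826459544aaca75c051539641193d397f0d42cfa768',  # under Downloads
    '6d05169bfeff7c2eb120d029ebd18cac1f32af89f3c820115dad3783572b09fc',
    'a5eb06ad407c8c1ae908b770ee7cdcb29cdd20b8a9378bfe8b2a10453886dff8'
)
$paths = @('explorer.exe', 'spoolsv.exe', 'svchost.exe', 'udsys.exe') |
    ForEach-Object { Join-Path "$env:SystemRoot\system" $_ }
$paths += @(Get-ChildItem -Path 'C:\Users\*\AppData\Roaming\mrsys.exe' -Force | ForEach-Object FullName)
foreach ($f in $paths) {
    if (-not (Test-Path -LiteralPath $f)) { continue }
    $h = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash.ToLower()
    $tag = if ($knownSha256 -contains $h) { 'SHA-256 listed in report' }
           else { 'SHA-256 not in report: variant or unrelated file, preserve for analysis' }
    Add-Finding 'Dropped file' $f "$h ($tag)"
}

# 5. at.exe jobs. The report shows three, daily at 02:19/02:20/02:21, running c:\windows\system\svchost.exe.
#    They appear in schtasks as At1, At2, ...; match on the action rather than the name.
foreach ($t in @(schtasks.exe /Query /FO CSV /V 2>$null | ConvertFrom-Csv)) {
    if ($t.'Task To Run' -match $dropped) {
        Add-Finding 'Scheduled task' $t.TaskName "$($t.'Task To Run') (next run $($t.'Next Run Time'))"
    }
}
foreach ($j in @(Get-ChildItem -Path "$env:SystemRoot\Tasks\At*.job" -Force)) {
    Add-Finding 'AT job file' $j.FullName "created $($j.CreationTime)"
}

if ($findings.Count -eq 0) { 'No indicators from this report were found.' }
else { $findings | Sort-Object Kind | Format-Table -AutoSize -Wrap }
```

Save it under any name (hunt-5669dad4.ps1 is an arbitrary choice) and run it after Set-ExecutionPolicy Bypass -Scope Process. A hash miss on a file found at one of the listed paths is still a finding: the four dropped files in the Downloads section already differ from the submitted sample and from each other (206 vs 207 KB, five distinct hashes), so a fresh variant will not match these hashes and the path and registry checks are what carry the detection. Remediation order matters: remove the at.exe jobs and RunOnce/Active Setup/Winlogon entries before deleting the files, or a scheduled run can recreate them.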