Analysis
max time kernel: 150s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 02:17
Static task: static1
Behavioral task: behavioral1
  Sample: 5669dad4caa24be995a62af657b34270_NeikiAnalytics.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 5669dad4caa24be995a62af657b34270_NeikiAnalytics.exe
  Resource: win10v2004-20240611-en
General
Target: 5669dad4caa24be995a62af657b34270_NeikiAnalytics.exe
Size: 206KB
MD5: 5669dad4caa24be995a62af657b34270
SHA1: 1d678b256f6d0c06d732346ba84e81815fc7efff
SHA256: 5872ec205ce65b045bb15b876c42e4f5ecf10d66fcec5c61aac0d54c758df24f
SHA512: ff6b58442f788b8c19cc0902f2b116af50d67de49d885fc9d9da70f57ee5ff6c5060463ebdecf0b981106a4bd1a00b252543d265ef912b18f9edeba1a8b1b9ba
SSDEEP: 3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unL8VVVVVVVVVVVVVVVVVVVVu:5vEN2U+T6i5LirrllHy4HUcMQY6KP
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Executes dropped EXE (4 IoCs)
pid | Process
764 | explorer.exe
5008 | spoolsv.exe
556 | svchost.exe
4884 | spoolsv.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Drops file in Windows directory (6 IoCs)
description | ioc | Process
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
File opened for modification | \??\c:\windows\system\explorer.exe | 5669dad4caa24be995a62af657b34270_NeikiAnalytics.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
3744 | 5669dad4caa24be995a62af657b34270_NeikiAnalytics.exe
764 | explorer.exe
556 | svchost.exe
(64 hits in total; repeated entries for the same pid/Process pair collapsed into one row)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
764 | explorer.exe
556 | svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process
3744 | 5669dad4caa24be995a62af657b34270_NeikiAnalytics.exe
764 | explorer.exe
5008 | spoolsv.exe
556 | svchost.exe
4884 | spoolsv.exe
(12 hits in total; repeated entries for the same pid/Process pair collapsed into one row)
Suspicious use of WriteProcessMemory (21 IoCs)
description | pid | Process | procid_target
PID 3744 wrote to memory of 764 | 3744 | 5669dad4caa24be995a62af657b34270_NeikiAnalytics.exe | 81
PID 764 wrote to memory of 5008 | 764 | explorer.exe | 82
PID 5008 wrote to memory of 556 | 5008 | spoolsv.exe | 83
PID 556 wrote to memory of 4884 | 556 | svchost.exe | 84
PID 556 wrote to memory of 2008 | 556 | svchost.exe | 85
PID 556 wrote to memory of 3252 | 556 | svchost.exe | 93
PID 556 wrote to memory of 696 | 556 | svchost.exe | 97
(21 hits in total; each write was reported three times and is collapsed into one row)
Processes
C:\Users\Admin\AppData\Local\Temp\5669dad4caa24be995a62af657b34270_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5669dad4caa24be995a62af657b34270_NeikiAnalytics.exe"
  PID: 3744
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  \??\c:\windows\system\explorer.exe
    Command line: c:\windows\system\explorer.exe
    PID: 764
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    \??\c:\windows\system\spoolsv.exe
      Command line: c:\windows\system\spoolsv.exe SE
      PID: 5008
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      \??\c:\windows\system\svchost.exe
        Command line: c:\windows\system\svchost.exe
        PID: 556
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe PR
          PID: 4884
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\at.exe
          Command line: at 02:19 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 2008
        C:\Windows\SysWOW64\at.exe
          Command line: at 02:20 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 3252
        C:\Windows\SysWOW64\at.exe
          Command line: at 02:21 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 696
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads