Malware Analysis Report

2025-01-18 14:05

Sample ID 240613-cqpq1svbql
Target 5669dad4caa24be995a62af657b34270_NeikiAnalytics.exe
SHA256 5872ec205ce65b045bb15b876c42e4f5ecf10d66fcec5c61aac0d54c758df24f
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5872ec205ce65b045bb15b876c42e4f5ecf10d66fcec5c61aac0d54c758df24f

Threat Level: Known bad

The file 5669dad4caa24be995a62af657b34270_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies WinLogon for persistence

Modifies visiblity of hidden/system files in Explorer

Modifies Installed Components in the registry

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 02:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 02:17

Reported

2024-06-13 02:19

Platform

win7-20231129-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5669dad4caa24be995a62af657b34270_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\5669dad4caa24be995a62af657b34270_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5669dad4caa24be995a62af657b34270_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2200 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\5669dad4caa24be995a62af657b34270_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 2200 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\5669dad4caa24be995a62af657b34270_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 2200 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\5669dad4caa24be995a62af657b34270_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 2200 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\5669dad4caa24be995a62af657b34270_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 2388 wrote to memory of 2776 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2388 wrote to memory of 2776 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2388 wrote to memory of 2776 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2388 wrote to memory of 2776 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2776 wrote to memory of 2708 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2776 wrote to memory of 2708 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2776 wrote to memory of 2708 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2776 wrote to memory of 2708 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2708 wrote to memory of 2092 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2708 wrote to memory of 2092 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2708 wrote to memory of 2092 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2708 wrote to memory of 2092 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2708 wrote to memory of 2496 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2708 wrote to memory of 2496 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2708 wrote to memory of 2496 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2708 wrote to memory of 2496 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2708 wrote to memory of 1864 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2708 wrote to memory of 1864 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2708 wrote to memory of 1864 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2708 wrote to memory of 1864 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2708 wrote to memory of 2252 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2708 wrote to memory of 2252 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2708 wrote to memory of 2252 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2708 wrote to memory of 2252 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5669dad4caa24be995a62af657b34270_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\5669dad4caa24be995a62af657b34270_NeikiAnalytics.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 02:19 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 02:20 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 02:21 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

N/A

Files

memory/2200-0-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\system\explorer.exe

MD5 a4be40c2016aff42532cb1d4eee0cc8b
SHA1 d0998912fb67abf4a8b38ab03213c624735ba776
SHA256 97fa10b0469ac0548855d826459544aaca75c051539641193d397f0d42cfa768
SHA512 118eb7b77ffa5e582a89f5a7d7264e8094424ab20139f29ae7e0f8c035259b15492d3bdecbeaab25c5c040fcd5051c80a331e86c2148b95167b02c4d535e6628

memory/2200-12-0x0000000002750000-0x0000000002790000-memory.dmp

\Windows\system\spoolsv.exe

MD5 dda0666db1f2f42244a2166b7799ef6f
SHA1 943457c8907d5f497d536d05296597b463f4fd89
SHA256 6d05169bfeff7c2eb120d029ebd18cac1f32af89f3c820115dad3783572b09fc
SHA512 2a1108c9b663f9e7c3dfd665f746f1b25aebc1670fff28de7d58736415413ca943460823ee5c459795a497d0662333628e29e5d0de81e5b30c2b729490c1ec2c

memory/2776-27-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\system\svchost.exe

MD5 f37a5c2e8238f63a4d99e5265ece55e9
SHA1 8b2fc95493236ad9a26c56d15a10bc72d8868844
SHA256 a5eb06ad407c8c1ae908b770ee7cdcb29cdd20b8a9378bfe8b2a10453886dff8
SHA512 0330903a6f8148e55faefeb0ca66610713fa4ffd23d3b9ded0949a442b6050c899e38f0df6be3759c80db1c6423f9c6e315249e4bd0a3565271d39234576c332

memory/2708-46-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2776-55-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2092-52-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2200-56-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 bc57a92e4785249fd922e26a3060cb0f
SHA1 e8f951161192a9de15f1f0362dd41b890c6755c5
SHA256 e1bc24587515115b7ed90be43ec507d0c93bbeda9ed84240c839c6b9bad217f5
SHA512 8caf6e99f90e74f05d9ea1133c9c25fa9eb4651c0e2776e986ac02ea76b30802baa74b73f50d66b4199a3babcb97b467409ebed4750389aa384b0feb6ca2d118

\??\PIPE\atsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 02:17

Reported

2024-06-13 02:19

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5669dad4caa24be995a62af657b34270_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\5669dad4caa24be995a62af657b34270_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5669dad4caa24be995a62af657b34270_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5669dad4caa24be995a62af657b34270_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3744 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\5669dad4caa24be995a62af657b34270_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 3744 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\5669dad4caa24be995a62af657b34270_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 3744 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\5669dad4caa24be995a62af657b34270_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 764 wrote to memory of 5008 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 764 wrote to memory of 5008 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 764 wrote to memory of 5008 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 5008 wrote to memory of 556 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 5008 wrote to memory of 556 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 5008 wrote to memory of 556 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 556 wrote to memory of 4884 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 556 wrote to memory of 4884 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 556 wrote to memory of 4884 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 556 wrote to memory of 2008 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 556 wrote to memory of 2008 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 556 wrote to memory of 2008 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 556 wrote to memory of 3252 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 556 wrote to memory of 3252 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 556 wrote to memory of 3252 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 556 wrote to memory of 696 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 556 wrote to memory of 696 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 556 wrote to memory of 696 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5669dad4caa24be995a62af657b34270_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\5669dad4caa24be995a62af657b34270_NeikiAnalytics.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 02:19 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 02:20 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 02:21 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

memory/3744-0-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\System\explorer.exe

MD5 e7d37222ac884efefda8c1b2b6bcd900
SHA1 da2687c6c2987e24719063a7c2d35407fc503491
SHA256 ebc3073ec10a58dfc60a6120ed208cc3e6991df3db325d6d9e935bd2e0c9c583
SHA512 e3655081735a154f0f16d8eea4095ba706ad496b0eba7bfa6d3b589b771b0cc570fb65090cbced8a9ccac6cfdf9335968bd0c7d9212fe43a2f8ba73527dad49f

C:\Windows\System\spoolsv.exe

MD5 2f308138401d15bf2f0ba7d883c53aee
SHA1 0416a48a48a9bbbc47120a38b087fc4c64874b4c
SHA256 43d6ce5a104ecd9e1c3c4252588f7e9fcf866b36bc5ed40e03eebe6913ca2693
SHA512 d50d425b56426e98104cbea31cc5c419b4ca15dc79d7302c66633b57bb6c24513dee16a4b29a4c757222d5ce5ce7fad9f05d059b63b21e5bf192b7fc9ecb2d1a

C:\Windows\System\svchost.exe

MD5 2012a2a00cba661731062dfd2d6b8d87
SHA1 dd4aab59ffff4bc541d019c5418940527155e0f7
SHA256 38463cebf00fd138e286b5313bb43df6dc7befadfab5795db3254b19c61ea9aa
SHA512 914aa8acba319a22acf6d60723efa20860cc03517fa9ff175e4b8b5261297f82f02d0d58c30dd47768dc7692988959fa8e88f1cbf0ea8df8f03efe8788014bfe

memory/4884-32-0x0000000000400000-0x0000000000440000-memory.dmp

memory/5008-35-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3744-36-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 0ba6f9920d8eee7a12b2e35c83030b32
SHA1 b70ad36fca27846247ced057e421a8940b3dd019
SHA256 1de7d575389ad2a9823d7db34ed257cdb4d6591d69c8bc58cfa5a21e308a7416
SHA512 34014db71aa601ead0ed775767c967bac81256b42c116d83703641529479ea4740632f2e32f70c0ba5dbc1a546ead8c210c45ddb61eca8dca10d1c998dddb776