Analysis
max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 13-06-2024 02:22
Static task: static1

Behavioral task: behavioral1
  Sample: 569f59bd9d6404a61a465c692b35e320_NeikiAnalytics.exe
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample: 569f59bd9d6404a61a465c692b35e320_NeikiAnalytics.exe
  Resource: win10v2004-20240611-en
General
Target: 569f59bd9d6404a61a465c692b35e320_NeikiAnalytics.exe
Size: 66KB
MD5: 569f59bd9d6404a61a465c692b35e320
SHA1: 0fb5ac98c106b8ba373e3fea9c50d6dca8a7ebda
SHA256: a1056735c4f39e384d8a7fffe572525fcc3dab3aaf2e3a53500104bdc6949213
SHA512: 53a3d53495930b18e6d9fcfbf4f6a3287dc074a2b4103c4435b35ccd59fdb6171b4ea1f68a70a491c39df60e5fd1899ca26e0fe91e36ea6bcac5587d7372955d
SSDEEP: 1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXiU:IeklMMYJhqezw/pXzH9iU
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  description | ioc | Process
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  - Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
  - Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
  description | ioc | Process
  - Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
  - Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
  - Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  - Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
  - Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Executes dropped EXE (4 IoCs)
  pid | Process
  - 2392 | explorer.exe
  - 3036 | spoolsv.exe
  - 2768 | svchost.exe
  - 2556 | spoolsv.exe
Loads dropped DLL (8 IoCs)
  pid | Process
  - 1384 | 569f59bd9d6404a61a465c692b35e320_NeikiAnalytics.exe
  - 1384 | 569f59bd9d6404a61a465c692b35e320_NeikiAnalytics.exe
  - 2392 | explorer.exe
  - 2392 | explorer.exe
  - 3036 | spoolsv.exe
  - 3036 | spoolsv.exe
  - 2768 | svchost.exe
  - 2768 | svchost.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Drops file in Windows directory (6 IoCs)
  description | ioc | Process
  - File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
  - File opened for modification | \??\c:\windows\system\explorer.exe | 569f59bd9d6404a61a465c692b35e320_NeikiAnalytics.exe
  - File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
  - File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
  - File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
  - File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  - 1384 | 569f59bd9d6404a61a465c692b35e320_NeikiAnalytics.exe (1 event)
  - 2392 | explorer.exe (33 events)
  - 2768 | svchost.exe (30 events)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | Process
  - 2392 | explorer.exe
  - 2768 | svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
  pid | Process
  - 1384 | 569f59bd9d6404a61a465c692b35e320_NeikiAnalytics.exe
  - 1384 | 569f59bd9d6404a61a465c692b35e320_NeikiAnalytics.exe
  - 2392 | explorer.exe
  - 2392 | explorer.exe
  - 3036 | spoolsv.exe
  - 3036 | spoolsv.exe
  - 2768 | svchost.exe
  - 2768 | svchost.exe
  - 2556 | spoolsv.exe
  - 2556 | spoolsv.exe
  - 2392 | explorer.exe
  - 2392 | explorer.exe
Suspicious use of WriteProcessMemory (28 IoCs)
  description | pid | Process | procid_target
  - PID 1384 wrote to memory of 2392 | 1384 | 569f59bd9d6404a61a465c692b35e320_NeikiAnalytics.exe | 28 (x4)
  - PID 2392 wrote to memory of 3036 | 2392 | explorer.exe | 29 (x4)
  - PID 3036 wrote to memory of 2768 | 3036 | spoolsv.exe | 30 (x4)
  - PID 2768 wrote to memory of 2556 | 2768 | svchost.exe | 31 (x4)
  - PID 2768 wrote to memory of 2960 | 2768 | svchost.exe | 32 (x4)
  - PID 2768 wrote to memory of 1612 | 2768 | svchost.exe | 36 (x4)
  - PID 2768 wrote to memory of 1252 | 2768 | svchost.exe | 38 (x4)
Processes
C:\Users\Admin\AppData\Local\Temp\569f59bd9d6404a61a465c692b35e320_NeikiAnalytics.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\569f59bd9d6404a61a465c692b35e320_NeikiAnalytics.exe"
  PID: 1384
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  \??\c:\windows\system\explorer.exe (child of PID 1384)
    command line: c:\windows\system\explorer.exe
    PID: 2392
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    \??\c:\windows\system\spoolsv.exe (child of PID 2392)
      command line: c:\windows\system\spoolsv.exe SE
      PID: 3036
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      \??\c:\windows\system\svchost.exe (child of PID 3036)
        command line: c:\windows\system\svchost.exe
        PID: 2768
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\system\spoolsv.exe (child of PID 2768)
          command line: c:\windows\system\spoolsv.exe PR
          PID: 2556
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\at.exe (child of PID 2768)
          command line: at 02:24 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 2960

        C:\Windows\SysWOW64\at.exe (child of PID 2768)
          command line: at 02:25 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 1612

        C:\Windows\SysWOW64\at.exe (child of PID 2768)
          command line: at 02:26 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 1252
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads