Analysis
max time kernel: 150s
max time network: 116s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 02:22
Static task: static1
Behavioral task: behavioral1
  Sample: 569f59bd9d6404a61a465c692b35e320_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 569f59bd9d6404a61a465c692b35e320_NeikiAnalytics.exe
  Resource: win10v2004-20240611-en
General
Target: 569f59bd9d6404a61a465c692b35e320_NeikiAnalytics.exe
Size: 66KB
MD5: 569f59bd9d6404a61a465c692b35e320
SHA1: 0fb5ac98c106b8ba373e3fea9c50d6dca8a7ebda
SHA256: a1056735c4f39e384d8a7fffe572525fcc3dab3aaf2e3a53500104bdc6949213
SHA512: 53a3d53495930b18e6d9fcfbf4f6a3287dc074a2b4103c4435b35ccd59fdb6171b4ea1f68a70a491c39df60e5fd1899ca26e0fe91e36ea6bcac5587d7372955d
SSDEEP: 1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXiU:IeklMMYJhqezw/pXzH9iU
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe

Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
  description | ioc | process
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe

Executes dropped EXE (4 IoCs)
  pid | process
  2472 | explorer.exe
  1028 | spoolsv.exe
  3192 | svchost.exe
  3616 | spoolsv.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe

Drops file in Windows directory (6 IoCs)
  description | ioc | process
  File opened for modification | \??\c:\windows\system\explorer.exe | 569f59bd9d6404a61a465c692b35e320_NeikiAnalytics.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
  File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
  File opened for modification | C:\Windows\system\udsys.exe | explorer.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs; repeated entries collapsed with counts)
  pid | process | occurrences
  3492 | 569f59bd9d6404a61a465c692b35e320_NeikiAnalytics.exe | 2
  2472 | explorer.exe | 34
  3192 | svchost.exe | 28

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | process
  2472 | explorer.exe
  3192 | svchost.exe

Suspicious use of SetWindowsHookEx (12 IoCs; repeated entries collapsed with counts)
  pid | process | occurrences
  3492 | 569f59bd9d6404a61a465c692b35e320_NeikiAnalytics.exe | 2
  2472 | explorer.exe | 4
  1028 | spoolsv.exe | 2
  3192 | svchost.exe | 2
  3616 | spoolsv.exe | 2

Suspicious use of WriteProcessMemory (21 IoCs; each row was logged 3 times)
  description | pid | process | procid_target
  PID 3492 wrote to memory of 2472 | 3492 | 569f59bd9d6404a61a465c692b35e320_NeikiAnalytics.exe | 81
  PID 2472 wrote to memory of 1028 | 2472 | explorer.exe | 82
  PID 1028 wrote to memory of 3192 | 1028 | spoolsv.exe | 83
  PID 3192 wrote to memory of 3616 | 3192 | svchost.exe | 85
  PID 3192 wrote to memory of 5112 | 3192 | svchost.exe | 87
  PID 3192 wrote to memory of 848 | 3192 | svchost.exe | 94
  PID 3192 wrote to memory of 2696 | 3192 | svchost.exe | 98
Processes
[1] C:\Users\Admin\AppData\Local\Temp\569f59bd9d6404a61a465c692b35e320_NeikiAnalytics.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\569f59bd9d6404a61a465c692b35e320_NeikiAnalytics.exe"
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 3492

    [2] \??\c:\windows\system\explorer.exe
        command line: c:\windows\system\explorer.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 2472

        [3] \??\c:\windows\system\spoolsv.exe
            command line: c:\windows\system\spoolsv.exe SE
            - Executes dropped EXE
            - Drops file in Windows directory
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID: 1028

            [4] \??\c:\windows\system\svchost.exe
                command line: c:\windows\system\svchost.exe
                - Modifies WinLogon for persistence
                - Modifies visibility of hidden/system files in Explorer
                - Modifies Installed Components in the registry
                - Executes dropped EXE
                - Adds Run key to start application
                - Drops file in Windows directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: GetForegroundWindowSpam
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory
                PID: 3192

                [5] \??\c:\windows\system\spoolsv.exe
                    command line: c:\windows\system\spoolsv.exe PR
                    - Executes dropped EXE
                    - Suspicious use of SetWindowsHookEx
                    PID: 3616

                [5] C:\Windows\SysWOW64\at.exe
                    command line: at 02:24 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                    PID: 5112

                [5] C:\Windows\SysWOW64\at.exe
                    command line: at 02:25 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                    PID: 848

                [5] C:\Windows\SysWOW64\at.exe
                    command line: at 02:26 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                    PID: 2696
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads
Filesize: 66KB
  MD5: 30fdfe34fc13151664961bb16cfc7140
  SHA1: 6abcf577fe0467277e2c77698213cf57cc656f18
  SHA256: f593daf4097bd806503932d437a2c78e42588c35ea8bea65257b6e94b84c9b98
  SHA512: 3fe17d75d451a9c1847a05ec6947b9132958e9c9fc25808c21eb153f61e75248c2b113a56c3596e792622cda70f764a4f4ee778ff5d70f16ee0b4e6ca426e316

Filesize: 66KB
  MD5: fcc4cbfb35cbf0d1caf88f153d0829d7
  SHA1: 8e5a691a04d31cdd2966e75ddb4685f9e53f2a92
  SHA256: 735fdc18402e52c41f7bd4fffb11b9143d9d7c5094cd6659638608935d924cb0
  SHA512: ef201ac7d7f33e74c8b09a35905944a0068d8c32da601aca87de1b2eb2fe1bfe84d84cd50020844800b22a3d373fa5972d44f4ff826a4c934aa675343e11d672

Filesize: 66KB
  MD5: 07236078fa669200093a5adb1910ba0c
  SHA1: 5e687b4044714012cdb6a636d5d4602f6ac7136c
  SHA256: e8e56b136a839063a4162085a44effbddc593e497deb52ac049cd7668656ee6e
  SHA512: 3a54268d70d7804cd6abb44ec07bada004c4ede6f72ee4426514d52d77914b65ee873db673a2ceca0f5f2a1ab540ceebf99a0136223c944672cf97391f710521

Filesize: 66KB
  MD5: 75d87b94a514b7976356c1dfeb2fb5b6
  SHA1: d5e986ab5c7555e945860ac629a6b0566315823d
  SHA256: f5475087af3faaab37964b5510c4a398fd63fa6b12bb29fd22b0fdeba4d3b09b
  SHA512: f6d5f1429fc29370f87a9e8254ac6940b5b1af5620f72bb76012d9f58ee6fdcd9cb4e8bb1c589ad5af0db2f299c3a92dd5ece5e3bf43da9f4f7b84f391ba3863