Malware Analysis Report

2025-01-18 14:04

Sample ID 240613-ctme3avcnk
Target 569f59bd9d6404a61a465c692b35e320_NeikiAnalytics.exe
SHA256 a1056735c4f39e384d8a7fffe572525fcc3dab3aaf2e3a53500104bdc6949213
Tags evasion persistence
Score 10/10


Analysis Overview

Score 10/10

SHA256 a1056735c4f39e384d8a7fffe572525fcc3dab3aaf2e3a53500104bdc6949213

Threat Level: Known bad

The file 569f59bd9d6404a61a465c692b35e320_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Modifies Installed Components in the registry

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 02:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 02:22

Reported

2024-06-13 02:24

Platform

win7-20240508-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\569f59bd9d6404a61a465c692b35e320_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\569f59bd9d6404a61a465c692b35e320_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\569f59bd9d6404a61a465c692b35e320_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1384 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\569f59bd9d6404a61a465c692b35e320_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 1384 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\569f59bd9d6404a61a465c692b35e320_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 1384 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\569f59bd9d6404a61a465c692b35e320_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 1384 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\569f59bd9d6404a61a465c692b35e320_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 2392 wrote to memory of 3036 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2392 wrote to memory of 3036 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2392 wrote to memory of 3036 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2392 wrote to memory of 3036 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3036 wrote to memory of 2768 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 3036 wrote to memory of 2768 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 3036 wrote to memory of 2768 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 3036 wrote to memory of 2768 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2768 wrote to memory of 2556 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2768 wrote to memory of 2556 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2768 wrote to memory of 2556 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2768 wrote to memory of 2556 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2768 wrote to memory of 2960 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2768 wrote to memory of 2960 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2768 wrote to memory of 2960 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2768 wrote to memory of 2960 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2768 wrote to memory of 1612 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2768 wrote to memory of 1612 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2768 wrote to memory of 1612 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2768 wrote to memory of 1612 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2768 wrote to memory of 1252 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2768 wrote to memory of 1252 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2768 wrote to memory of 1252 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2768 wrote to memory of 1252 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\569f59bd9d6404a61a465c692b35e320_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\569f59bd9d6404a61a465c692b35e320_NeikiAnalytics.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 02:24 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 02:25 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 02:26 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

N/A

Files

memory/1384-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1384-1-0x0000000000020000-0x0000000000024000-memory.dmp

memory/1384-2-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/1384-4-0x0000000000401000-0x000000000042E000-memory.dmp

memory/1384-3-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\system\explorer.exe

MD5 cd02b745433f3013e3c23bb9aff9e0a1
SHA1 dfc32f6a826f0dc5d66b1ec3a94d79d286ed403c
SHA256 f8cfb0cbbbfe2373f9d68af4ca397483f279dd2c1f4bc33ed8663ff36cf49b1d
SHA512 9d6cf3c92a6f7bdef3c8fc96dff7bf9e92d0649d97c126fdd1ad3b6ebdd8491e6acfcc46253a1b0657ec27a53b4144314993b479c6478a3c51b9881feda83511

memory/2392-17-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2392-20-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1384-19-0x0000000002BA0000-0x0000000002BD1000-memory.dmp

\Windows\system\spoolsv.exe

MD5 6ecf4e58fd6c037ad4ef7c64ee1cfd1f
SHA1 50b7c7b04840eb7292b5ce7eb59c15d76e2d6a03
SHA256 6f38b27cc78ac6e16b1ba16168e2331c86cdb0e5d42e112d1b9bedf56f03eb81
SHA512 5faa947c004e6f6101c1529c37767d43a46b94d00ecc21d3e9743fadef08e6e991a86a7fb618e94cf2a0e359d79056b831cfaee02c85cb377a23baf7958f3602

memory/2392-34-0x0000000001EB0000-0x0000000001EE1000-memory.dmp

memory/3036-35-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3036-36-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/3036-41-0x0000000000400000-0x0000000000431000-memory.dmp

\??\c:\windows\system\svchost.exe

MD5 eb3305f8051ac46957cc2b7c50f532fc
SHA1 f6e7da183d2967302b23c065060df1f492862dba
SHA256 4bca8b2b3954ea5a071f72b841d4906cd934f7204974be645a38baad557e037b
SHA512 3d5d063ba9cefba84538807619ef8a13243e34f903b53b9cdf360d36ea301cb4db80e1d0abd02ea751ff62350e0cc32e598f882e3899d6caead15d0eb7947819

memory/1384-59-0x0000000000020000-0x0000000000024000-memory.dmp

memory/2768-53-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/1384-63-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2768-61-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2768-54-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2768-52-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2556-72-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2556-66-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/3036-78-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1384-77-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1384-76-0x0000000000401000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 ab517121dcbab85a89afb5fdb6811167
SHA1 963489e502ead74ad2585eaf857ad05d68f1ceae
SHA256 727ee6305db8fcac6bb92439b65420528cedabe6dc764ef3a3529289db825ec4
SHA512 9dd1e9949c566f1ad28b329e77d9dcdc6239209554d1b5de6f2a067aa47765f8415a14cab16a65b187d386a84ca763609551363e6a9981c24a326192fa96f1b2

memory/2392-80-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2392-81-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2768-83-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2392-92-0x0000000000400000-0x0000000000431000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 02:22

Reported

2024-06-13 02:24

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

116s

Command Line

"C:\Users\Admin\AppData\Local\Temp\569f59bd9d6404a61a465c692b35e320_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\569f59bd9d6404a61a465c692b35e320_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\569f59bd9d6404a61a465c692b35e320_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3492 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\569f59bd9d6404a61a465c692b35e320_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 3492 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\569f59bd9d6404a61a465c692b35e320_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 3492 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\569f59bd9d6404a61a465c692b35e320_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 2472 wrote to memory of 1028 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2472 wrote to memory of 1028 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2472 wrote to memory of 1028 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1028 wrote to memory of 3192 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 1028 wrote to memory of 3192 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 1028 wrote to memory of 3192 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 3192 wrote to memory of 3616 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 3192 wrote to memory of 3616 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 3192 wrote to memory of 3616 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 3192 wrote to memory of 5112 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3192 wrote to memory of 5112 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3192 wrote to memory of 5112 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3192 wrote to memory of 848 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3192 wrote to memory of 848 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3192 wrote to memory of 848 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3192 wrote to memory of 2696 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3192 wrote to memory of 2696 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3192 wrote to memory of 2696 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\569f59bd9d6404a61a465c692b35e320_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\569f59bd9d6404a61a465c692b35e320_NeikiAnalytics.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 02:24 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 02:25 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 02:26 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network


Files

memory/3492-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3492-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/3492-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3492-4-0x0000000000401000-0x000000000042E000-memory.dmp

memory/3492-2-0x00000000758A0000-0x00000000759FD000-memory.dmp

C:\Windows\System\explorer.exe

MD5 fcc4cbfb35cbf0d1caf88f153d0829d7
SHA1 8e5a691a04d31cdd2966e75ddb4685f9e53f2a92
SHA256 735fdc18402e52c41f7bd4fffb11b9143d9d7c5094cd6659638608935d924cb0
SHA512 ef201ac7d7f33e74c8b09a35905944a0068d8c32da601aca87de1b2eb2fe1bfe84d84cd50020844800b22a3d373fa5972d44f4ff826a4c934aa675343e11d672

memory/2472-15-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2472-13-0x00000000758A0000-0x00000000759FD000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 07236078fa669200093a5adb1910ba0c
SHA1 5e687b4044714012cdb6a636d5d4602f6ac7136c
SHA256 e8e56b136a839063a4162085a44effbddc593e497deb52ac049cd7668656ee6e
SHA512 3a54268d70d7804cd6abb44ec07bada004c4ede6f72ee4426514d52d77914b65ee873db673a2ceca0f5f2a1ab540ceebf99a0136223c944672cf97391f710521

memory/1028-26-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1028-24-0x00000000758A0000-0x00000000759FD000-memory.dmp

C:\Windows\System\svchost.exe

MD5 75d87b94a514b7976356c1dfeb2fb5b6
SHA1 d5e986ab5c7555e945860ac629a6b0566315823d
SHA256 f5475087af3faaab37964b5510c4a398fd63fa6b12bb29fd22b0fdeba4d3b09b
SHA512 f6d5f1429fc29370f87a9e8254ac6940b5b1af5620f72bb76012d9f58ee6fdcd9cb4e8bb1c589ad5af0db2f299c3a92dd5ece5e3bf43da9f4f7b84f391ba3863

memory/3192-35-0x00000000758A0000-0x00000000759FD000-memory.dmp

memory/3192-40-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3616-42-0x00000000758A0000-0x00000000759FD000-memory.dmp

memory/3616-48-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1028-52-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3492-53-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3492-54-0x0000000000401000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 30fdfe34fc13151664961bb16cfc7140
SHA1 6abcf577fe0467277e2c77698213cf57cc656f18
SHA256 f593daf4097bd806503932d437a2c78e42588c35ea8bea65257b6e94b84c9b98
SHA512 3fe17d75d451a9c1847a05ec6947b9132958e9c9fc25808c21eb153f61e75248c2b113a56c3596e792622cda70f764a4f4ee778ff5d70f16ee0b4e6ca426e316

memory/2472-56-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3192-58-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2472-67-0x0000000000400000-0x0000000000431000-memory.dmp