Analysis
- max time kernel: 150s
- max time network: 119s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-06-2024 02:27

Static task: static1

Behavioral task: behavioral1
- Sample: 5705fac196d3cbd91c3b90fb1321f5c0_NeikiAnalytics.exe
- Resource: win7-20240611-en

Behavioral task: behavioral2
- Sample: 5705fac196d3cbd91c3b90fb1321f5c0_NeikiAnalytics.exe
- Resource: win10v2004-20240611-en
General
- Target: 5705fac196d3cbd91c3b90fb1321f5c0_NeikiAnalytics.exe
- Size: 66KB
- MD5: 5705fac196d3cbd91c3b90fb1321f5c0
- SHA1: 5607bc8cdda9ab02594e2a134d0abc440eebbb01
- SHA256: 6fff8ef0b05c90fa26600b071f14f4b2e60caf2e72698f71f3bae263e28e979b
- SHA512: 80a3fe2b42c982d10bb088fdf01bb68ce08a53f8c78d2b458b9a1a8ec875109e3f8a034519a4776aebc46524fab9172921a990799ada0e74c4a9a6bc8a1d90a7
- SSDEEP: 1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXi9:IeklMMYJhqezw/pXzH9i9
Malware Config
(no configuration extracted)

Signatures

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (process: svchost.exe)

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
- Set value (int): \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: svchost.exe)

Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: svchost.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (process: svchost.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: explorer.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (process: svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: svchost.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: svchost.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: svchost.exe)

Executes dropped EXE (4 IoCs)
- PID 3940: explorer.exe
- PID 3152: spoolsv.exe
- PID 2744: svchost.exe
- PID 3900: spoolsv.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (process: svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (process: svchost.exe)

Drops file in Windows directory (6 IoCs)
- File opened for modification: C:\Windows\system\udsys.exe (process: explorer.exe)
- File opened for modification: \??\c:\windows\system\explorer.exe (process: 5705fac196d3cbd91c3b90fb1321f5c0_NeikiAnalytics.exe)
- File opened for modification: \??\c:\windows\system\spoolsv.exe (process: explorer.exe)
- File opened for modification: \??\c:\windows\system\svchost.exe (process: spoolsv.exe)
- File opened for modification: \??\c:\windows\system\explorer.exe (process: explorer.exe)
- File opened for modification: \??\c:\windows\system\svchost.exe (process: svchost.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid / Process: 2944 5705fac196d3cbd91c3b90fb1321f5c0_NeikiAnalytics.exe, 2944 5705fac196d3cbd91c3b90fb1321f5c0_NeikiAnalytics.exe, 3940 explorer.exe, 3940 explorer.exe, 3940 explorer.exe, 3940 explorer.exe, 3940 explorer.exe, 3940 explorer.exe, 3940 explorer.exe, 2744 svchost.exe, 3940 explorer.exe, 2744 svchost.exe, 2744 svchost.exe, 2744 svchost.exe, 2744 svchost.exe, 2744 svchost.exe, 3940 explorer.exe, 3940 explorer.exe, 3940 explorer.exe, 2744 svchost.exe, 3940 explorer.exe, 2744 svchost.exe, 2744 svchost.exe, 3940 explorer.exe, 3940 explorer.exe, 2744 svchost.exe, 3940 explorer.exe, 2744 svchost.exe, 3940 explorer.exe, 2744 svchost.exe, 2744 svchost.exe, 3940 explorer.exe, 3940 explorer.exe, 2744 svchost.exe, 3940 explorer.exe, 3940 explorer.exe, 2744 svchost.exe, 2744 svchost.exe, 3940 explorer.exe, 2744 svchost.exe, 3940 explorer.exe, 2744 svchost.exe, 3940 explorer.exe, 2744 svchost.exe, 3940 explorer.exe, 2744 svchost.exe, 3940 explorer.exe, 2744 svchost.exe, 3940 explorer.exe, 2744 svchost.exe, 3940 explorer.exe, 2744 svchost.exe, 3940 explorer.exe, 2744 svchost.exe, 3940 explorer.exe, 2744 svchost.exe, 3940 explorer.exe, 2744 svchost.exe, 3940 explorer.exe, 2744 svchost.exe, 3940 explorer.exe, 2744 svchost.exe, 3940 explorer.exe, 2744 svchost.exe

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
- PID 3940: explorer.exe
- PID 2744: svchost.exe

Suspicious use of SetWindowsHookEx (12 IoCs)
- PID 2944: 5705fac196d3cbd91c3b90fb1321f5c0_NeikiAnalytics.exe
- PID 2944: 5705fac196d3cbd91c3b90fb1321f5c0_NeikiAnalytics.exe
- PID 3940: explorer.exe
- PID 3940: explorer.exe
- PID 3152: spoolsv.exe
- PID 3152: spoolsv.exe
- PID 2744: svchost.exe
- PID 2744: svchost.exe
- PID 3900: spoolsv.exe
- PID 3900: spoolsv.exe
- PID 3940: explorer.exe
- PID 3940: explorer.exe

Suspicious use of WriteProcessMemory (21 IoCs)
- PID 2944 (5705fac196d3cbd91c3b90fb1321f5c0_NeikiAnalytics.exe) wrote to memory of PID 3940 (procid_target 81)
- PID 2944 (5705fac196d3cbd91c3b90fb1321f5c0_NeikiAnalytics.exe) wrote to memory of PID 3940 (procid_target 81)
- PID 2944 (5705fac196d3cbd91c3b90fb1321f5c0_NeikiAnalytics.exe) wrote to memory of PID 3940 (procid_target 81)
- PID 3940 (explorer.exe) wrote to memory of PID 3152 (procid_target 83)
- PID 3940 (explorer.exe) wrote to memory of PID 3152 (procid_target 83)
- PID 3940 (explorer.exe) wrote to memory of PID 3152 (procid_target 83)
- PID 3152 (spoolsv.exe) wrote to memory of PID 2744 (procid_target 85)
- PID 3152 (spoolsv.exe) wrote to memory of PID 2744 (procid_target 85)
- PID 3152 (spoolsv.exe) wrote to memory of PID 2744 (procid_target 85)
- PID 2744 (svchost.exe) wrote to memory of PID 3900 (procid_target 86)
- PID 2744 (svchost.exe) wrote to memory of PID 3900 (procid_target 86)
- PID 2744 (svchost.exe) wrote to memory of PID 3900 (procid_target 86)
- PID 2744 (svchost.exe) wrote to memory of PID 2556 (procid_target 88)
- PID 2744 (svchost.exe) wrote to memory of PID 2556 (procid_target 88)
- PID 2744 (svchost.exe) wrote to memory of PID 2556 (procid_target 88)
- PID 2744 (svchost.exe) wrote to memory of PID 5092 (procid_target 93)
- PID 2744 (svchost.exe) wrote to memory of PID 5092 (procid_target 93)
- PID 2744 (svchost.exe) wrote to memory of PID 5092 (procid_target 93)
- PID 2744 (svchost.exe) wrote to memory of PID 4268 (procid_target 97)
- PID 2744 (svchost.exe) wrote to memory of PID 4268 (procid_target 97)
- PID 2744 (svchost.exe) wrote to memory of PID 4268 (procid_target 97)
Processes (process tree; depth shown by indentation)

- [1] C:\Users\Admin\AppData\Local\Temp\5705fac196d3cbd91c3b90fb1321f5c0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5705fac196d3cbd91c3b90fb1321f5c0_NeikiAnalytics.exe"
  PID: 2944
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - [2] \??\c:\windows\system\explorer.exe
    Command line: c:\windows\system\explorer.exe
    PID: 3940
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    - [3] \??\c:\windows\system\spoolsv.exe
      Command line: c:\windows\system\spoolsv.exe SE
      PID: 3152
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      - [4] \??\c:\windows\system\svchost.exe
        Command line: c:\windows\system\svchost.exe
        PID: 2744
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        - [5] \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe PR
          PID: 3900
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        - [5] C:\Windows\SysWOW64\at.exe
          Command line: at 02:29 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 2556

        - [5] C:\Windows\SysWOW64\at.exe
          Command line: at 02:30 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 5092

        - [5] C:\Windows\SysWOW64\at.exe
          Command line: at 02:31 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 4268
Network
(no network activity recorded)

MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)