Malware Analysis Report

2025-01-18 14:06

Sample ID: 240613-cxvwls1ejc
Target: 5705fac196d3cbd91c3b90fb1321f5c0_NeikiAnalytics.exe
SHA256: 6fff8ef0b05c90fa26600b071f14f4b2e60caf2e72698f71f3bae263e28e979b
Tags: evasion, persistence
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 6fff8ef0b05c90fa26600b071f14f4b2e60caf2e72698f71f3bae263e28e979b

Threat Level: Known bad

The file 5705fac196d3cbd91c3b90fb1321f5c0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Modifies Installed Components in the registry

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-13 02:27

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 02:27
Reported: 2024-06-13 02:30
Platform: win7-20240611-en
Max time kernel: 150s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5705fac196d3cbd91c3b90fb1321f5c0_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\svchost.exe | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\svchost.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\svchost.exe | N/A
File opened for modification | C:\Windows\system\udsys.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\5705fac196d3cbd91c3b90fb1321f5c0_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5705fac196d3cbd91c3b90fb1321f5c0_NeikiAnalytics.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2084 wrote to memory of 2976 | N/A | C:\Users\Admin\AppData\Local\Temp\5705fac196d3cbd91c3b90fb1321f5c0_NeikiAnalytics.exe | \??\c:\windows\system\explorer.exe
PID 2084 wrote to memory of 2976 | N/A | C:\Users\Admin\AppData\Local\Temp\5705fac196d3cbd91c3b90fb1321f5c0_NeikiAnalytics.exe | \??\c:\windows\system\explorer.exe
PID 2084 wrote to memory of 2976 | N/A | C:\Users\Admin\AppData\Local\Temp\5705fac196d3cbd91c3b90fb1321f5c0_NeikiAnalytics.exe | \??\c:\windows\system\explorer.exe
PID 2084 wrote to memory of 2976 | N/A | C:\Users\Admin\AppData\Local\Temp\5705fac196d3cbd91c3b90fb1321f5c0_NeikiAnalytics.exe | \??\c:\windows\system\explorer.exe
PID 2976 wrote to memory of 2640 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 2976 wrote to memory of 2640 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 2976 wrote to memory of 2640 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 2976 wrote to memory of 2640 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 2640 wrote to memory of 2588 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 2640 wrote to memory of 2588 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 2640 wrote to memory of 2588 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 2640 wrote to memory of 2588 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 2588 wrote to memory of 2540 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2588 wrote to memory of 2540 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2588 wrote to memory of 2540 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2588 wrote to memory of 2540 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2588 wrote to memory of 804 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2588 wrote to memory of 804 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2588 wrote to memory of 804 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2588 wrote to memory of 804 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2588 wrote to memory of 1792 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2588 wrote to memory of 1792 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2588 wrote to memory of 1792 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2588 wrote to memory of 1792 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2588 wrote to memory of 1568 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2588 wrote to memory of 1568 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2588 wrote to memory of 1568 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2588 wrote to memory of 1568 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5705fac196d3cbd91c3b90fb1321f5c0_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\5705fac196d3cbd91c3b90fb1321f5c0_NeikiAnalytics.exe"

\??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe
  c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe
  c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe
  c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe
  at 02:29 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe
  at 02:30 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe
  at 02:31 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

N/A

Files

memory/2084-1-0x0000000000020000-0x0000000000024000-memory.dmp

memory/2084-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2084-2-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2084-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2084-4-0x0000000000401000-0x000000000042E000-memory.dmp

\Windows\system\explorer.exe

MD5 f6dfa5a86e5fe8ced874df0f05180e2c
SHA1 b36001e509a1a19e77a77f961c36defd30f1ffd8
SHA256 9d7fb6f1734ab8861648828e1f0961e363e9d544b0c6700ed5612eed97bc2ca9
SHA512 029e0b33584a4e6dfedab9ef265b0b8415b79c652cc2f0eec675028d1f86e18d8d7f8e690ed3517bf240d71e3ffc3b5eff1746b5ad164df0fc9054841dcbd18c

memory/2084-12-0x00000000026B0000-0x00000000026E1000-memory.dmp

memory/2976-19-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2084-18-0x00000000026B0000-0x00000000026E1000-memory.dmp

memory/2976-20-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2976-24-0x0000000000400000-0x0000000000431000-memory.dmp

\Windows\system\spoolsv.exe

MD5 61d4f17cdd9a89d8746be1ab1728e309
SHA1 8833deb6d56403520b9f93d1d3776507b75e8e9f
SHA256 70f80ca719e06d5ccb57de5d9ace0e94065b774851d946e54440de4286227e3d
SHA512 bdd3c6f683cf4cec72d86108ff5f9efee7092972171899b0f83828fc012649bc73534ae3c6a7f9da2c1ed17ea8f535a8a57fab3f9b59553169faa8a1042ede9d

memory/2976-31-0x00000000027E0000-0x0000000002811000-memory.dmp

memory/2976-35-0x00000000027E0000-0x0000000002811000-memory.dmp

memory/2640-43-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2084-42-0x0000000000020000-0x0000000000024000-memory.dmp

memory/2640-38-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2084-54-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2640-56-0x00000000004A0000-0x00000000004D1000-memory.dmp

C:\Windows\system\svchost.exe

MD5 0db9274770940f767c890c738a9061c3
SHA1 190cd20ef9fd2fd4968ecb901fcb9181cf85c449
SHA256 ca9eb3d5bfc196e9cd52e3ca2f992255bf190d6ba9577d9c3dbaa2e767d324fa
SHA512 2ec8656c69508ece60567e338fead35e0170caa7e141e3d24440aec26b626152ed446c5d6daef900faccda1e4ce12dadf234395aeb1bc6bccec52ea7de7f6670

memory/2588-57-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2588-63-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2976-61-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2540-74-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2540-68-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2640-78-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2084-81-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2084-80-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 f06faad5c765d0fbd861c2938ec8b95b
SHA1 9bd7a80b2f0994b244e7bcf0851eb3f2b0bb0459
SHA256 9b521d7bab65ca77f968e5be413d1191d1720ebd5317adc0de51862d8f9ba382
SHA512 de46254eab0d25ffb11921afdb1590530da226ff934cd9d63a0b66f3515e8569fe7484ffc855afdd22ac4890294f60b3c9a3b81ed8684d8991a6cea985a1617f

memory/2976-83-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2588-84-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2976-93-0x0000000000400000-0x0000000000431000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-13 02:27
Reported: 2024-06-13 02:30
Platform: win10v2004-20240611-en
Max time kernel: 150s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5705fac196d3cbd91c3b90fb1321f5c0_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\svchost.exe | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\svchost.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system\udsys.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\5705fac196d3cbd91c3b90fb1321f5c0_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\svchost.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5705fac196d3cbd91c3b90fb1321f5c0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5705fac196d3cbd91c3b90fb1321f5c0_NeikiAnalytics.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2944 wrote to memory of 3940 | N/A | C:\Users\Admin\AppData\Local\Temp\5705fac196d3cbd91c3b90fb1321f5c0_NeikiAnalytics.exe | \??\c:\windows\system\explorer.exe
PID 2944 wrote to memory of 3940 | N/A | C:\Users\Admin\AppData\Local\Temp\5705fac196d3cbd91c3b90fb1321f5c0_NeikiAnalytics.exe | \??\c:\windows\system\explorer.exe
PID 2944 wrote to memory of 3940 | N/A | C:\Users\Admin\AppData\Local\Temp\5705fac196d3cbd91c3b90fb1321f5c0_NeikiAnalytics.exe | \??\c:\windows\system\explorer.exe
PID 3940 wrote to memory of 3152 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 3940 wrote to memory of 3152 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 3940 wrote to memory of 3152 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe
PID 3152 wrote to memory of 2744 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 3152 wrote to memory of 2744 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 3152 wrote to memory of 2744 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe
PID 2744 wrote to memory of 3900 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2744 wrote to memory of 3900 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2744 wrote to memory of 3900 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe
PID 2744 wrote to memory of 2556 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2744 wrote to memory of 2556 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2744 wrote to memory of 2556 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2744 wrote to memory of 5092 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2744 wrote to memory of 5092 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2744 wrote to memory of 5092 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2744 wrote to memory of 4268 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2744 wrote to memory of 4268 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe
PID 2744 wrote to memory of 4268 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5705fac196d3cbd91c3b90fb1321f5c0_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\5705fac196d3cbd91c3b90fb1321f5c0_NeikiAnalytics.exe"

\??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe
  c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe
  c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe
  c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe
  at 02:29 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe
  at 02:30 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe
  at 02:31 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp

Files

memory/2944-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2944-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/2944-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2944-2-0x0000000075770000-0x00000000758CD000-memory.dmp

memory/2944-4-0x0000000000401000-0x000000000042E000-memory.dmp

C:\Windows\System\explorer.exe

MD5 6ac02521775f638bb5bfc900dc3bbe78
SHA1 7d85d09e926a27fa831260f1d2d14515a3ce61c1
SHA256 2055c07d91d3fb5f1fffe038c63a8367ed331613804c67af471a74e4388ad31b
SHA512 875241170e0567c5185a4d88fd619747db7459c88a9ae20bc26c70874df6c55ccd47e44c7a63933a10d190337835c761a1ba6b6c6fc9374684a1ac9c40be5792

memory/3940-16-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3940-15-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3940-13-0x0000000075770000-0x00000000758CD000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 4ae84ced0bb22dd85dadc8678a371df3
SHA1 d6c24985ef764e68d6be5e7d75d604e75d663764
SHA256 e646aaa7582c530f2314a292547dbc44bc237ad11d92fce7d6d48701d599467d
SHA512 d3d805179f87070bd72ebef33a481247599df125ad9f14fae58d89a03e21aa6e1e9fa2f7b7de40fec9f05d620c96bb7294193131f197dd2ab321833064e3813c

memory/3152-25-0x0000000075770000-0x00000000758CD000-memory.dmp

C:\Windows\System\svchost.exe

MD5 abe751f19c0f2e5fe02e9b7c1cdf1a9f
SHA1 ade24079023cd7335259651f66cf893514627f6e
SHA256 7939c7ed90fc2cb1d74099f30e7bc84ecf5dffec314b284519253b1cca41c0ab
SHA512 154a34f8f594cd4ac25c4f4972641d6ddccd0a346c8d472219e8f2d67dec0bf13d3a415bca7522bb0c60c72f1da4130d5ee169d4e942199608021a1ef98a006e

memory/2744-35-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2744-36-0x0000000075770000-0x00000000758CD000-memory.dmp

memory/2744-41-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3900-43-0x0000000075770000-0x00000000758CD000-memory.dmp

memory/3900-49-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3152-53-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2944-57-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2944-56-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2944-55-0x00000000001C0000-0x00000000001C4000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 28d170a6961fa52ff6f01e6b0a50f595
SHA1 4065e861d44a690be1d6848635fe225767ad91c4
SHA256 caa287fc3cb100b4e9caa04c3e3e07756fd09da84b201d58a189f3db3a988ed5
SHA512 39809c0fe101aac6a04fc83236086fc6c27ebdd0331c296c9a5a653f2d91b94a4cf743a0ae0e95511bb80361449608aa66cf850e97cf57ea7a76f822a3d417c2

memory/3940-59-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2744-61-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3940-70-0x0000000000400000-0x0000000000431000-memory.dmp