Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
13-06-2024 02:29
Static task
static1
Behavioral task
behavioral1
Sample
571c5022756bb721647aae39b5379aa0_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
571c5022756bb721647aae39b5379aa0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
571c5022756bb721647aae39b5379aa0_NeikiAnalytics.exe
-
Size
66KB
-
MD5
571c5022756bb721647aae39b5379aa0
-
SHA1
d6208f3bb23f148a6aa2c356022161967db64e70
-
SHA256
c18809027005c9b3d232bcb745e3f9531e26f913edb57e0e0eb1fc05a982b191
-
SHA512
b15666bd0ce7bbd8bd316ea44bef384b16e97629f2035a50b662623412ca7e013123649641e1fbe6c36144422acbe41bdcbfefa856a32787bb702fee5995c808
-
SSDEEP
1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXiY:IeklMMYJhqezw/pXzH9iY
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" svchost.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe -
Modifies Installed Components in the registry 2 TTPs 8 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" svchost.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} svchost.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" explorer.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" svchost.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} svchost.exe -
Executes dropped EXE 4 IoCs
pid Process 1236 explorer.exe 2780 spoolsv.exe 2188 svchost.exe 2728 spoolsv.exe -
Loads dropped DLL 8 IoCs
pid Process 2228 571c5022756bb721647aae39b5379aa0_NeikiAnalytics.exe 2228 571c5022756bb721647aae39b5379aa0_NeikiAnalytics.exe 1236 explorer.exe 1236 explorer.exe 2780 spoolsv.exe 2780 spoolsv.exe 2188 svchost.exe 2188 svchost.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" svchost.exe -
Drops file in Windows directory 6 IoCs
description ioc Process File opened for modification \??\c:\windows\system\explorer.exe 571c5022756bb721647aae39b5379aa0_NeikiAnalytics.exe File opened for modification \??\c:\windows\system\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\system\svchost.exe spoolsv.exe File opened for modification \??\c:\windows\system\explorer.exe explorer.exe File opened for modification \??\c:\windows\system\svchost.exe svchost.exe File opened for modification C:\Windows\system\udsys.exe explorer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2228 571c5022756bb721647aae39b5379aa0_NeikiAnalytics.exe 1236 explorer.exe 1236 explorer.exe 1236 explorer.exe 1236 explorer.exe 2188 svchost.exe 2188 svchost.exe 1236 explorer.exe 2188 svchost.exe 1236 explorer.exe 2188 svchost.exe 1236 explorer.exe 2188 svchost.exe 1236 explorer.exe 2188 svchost.exe 1236 explorer.exe 2188 svchost.exe 1236 explorer.exe 2188 svchost.exe 2188 svchost.exe 1236 explorer.exe 1236 explorer.exe 2188 svchost.exe 1236 explorer.exe 2188 svchost.exe 2188 svchost.exe 1236 explorer.exe 1236 explorer.exe 2188 svchost.exe 1236 explorer.exe 2188 svchost.exe 1236 explorer.exe 2188 svchost.exe 1236 explorer.exe 2188 svchost.exe 2188 svchost.exe 1236 explorer.exe 2188 svchost.exe 1236 explorer.exe 1236 explorer.exe 2188 svchost.exe 2188 svchost.exe 1236 explorer.exe 2188 svchost.exe 1236 explorer.exe 2188 svchost.exe 1236 explorer.exe 1236 explorer.exe 2188 svchost.exe 1236 explorer.exe 2188 svchost.exe 2188 svchost.exe 1236 explorer.exe 2188 svchost.exe 1236 explorer.exe 2188 svchost.exe 1236 explorer.exe 2188 svchost.exe 1236 explorer.exe 2188 svchost.exe 1236 explorer.exe 1236 explorer.exe 2188 svchost.exe 2188 svchost.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 1236 explorer.exe 2188 svchost.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process 2228 571c5022756bb721647aae39b5379aa0_NeikiAnalytics.exe 2228 571c5022756bb721647aae39b5379aa0_NeikiAnalytics.exe 1236 explorer.exe 1236 explorer.exe 2780 spoolsv.exe 2780 spoolsv.exe 2188 svchost.exe 2188 svchost.exe 2728 spoolsv.exe 2728 spoolsv.exe 1236 explorer.exe 1236 explorer.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 2228 wrote to memory of 1236 2228 571c5022756bb721647aae39b5379aa0_NeikiAnalytics.exe 28 PID 2228 wrote to memory of 1236 2228 571c5022756bb721647aae39b5379aa0_NeikiAnalytics.exe 28 PID 2228 wrote to memory of 1236 2228 571c5022756bb721647aae39b5379aa0_NeikiAnalytics.exe 28 PID 2228 wrote to memory of 1236 2228 571c5022756bb721647aae39b5379aa0_NeikiAnalytics.exe 28 PID 1236 wrote to memory of 2780 1236 explorer.exe 29 PID 1236 wrote to memory of 2780 1236 explorer.exe 29 PID 1236 wrote to memory of 2780 1236 explorer.exe 29 PID 1236 wrote to memory of 2780 1236 explorer.exe 29 PID 2780 wrote to memory of 2188 2780 spoolsv.exe 30 PID 2780 wrote to memory of 2188 2780 spoolsv.exe 30 PID 2780 wrote to memory of 2188 2780 spoolsv.exe 30 PID 2780 wrote to memory of 2188 2780 spoolsv.exe 30 PID 2188 wrote to memory of 2728 2188 svchost.exe 31 PID 2188 wrote to memory of 2728 2188 svchost.exe 31 PID 2188 wrote to memory of 2728 2188 svchost.exe 31 PID 2188 wrote to memory of 2728 2188 svchost.exe 31 PID 2188 wrote to memory of 2320 2188 svchost.exe 32 PID 2188 wrote to memory of 2320 2188 svchost.exe 32 PID 2188 wrote to memory of 2320 2188 svchost.exe 32 PID 2188 wrote to memory of 2320 2188 svchost.exe 32 PID 2188 wrote to memory of 1160 2188 svchost.exe 36 PID 2188 wrote to memory of 1160 2188 svchost.exe 36 PID 2188 wrote to memory of 1160 2188 svchost.exe 36 PID 2188 wrote to memory of 1160 2188 svchost.exe 36 PID 2188 wrote to memory of 1808 2188 svchost.exe 38 PID 2188 wrote to memory of 1808 2188 svchost.exe 38 PID 2188 wrote to memory of 1808 2188 svchost.exe 38 PID 2188 wrote to memory of 1808 2188 svchost.exe 38
Processes
-
C:\Users\Admin\AppData\Local\Temp\571c5022756bb721647aae39b5379aa0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\571c5022756bb721647aae39b5379aa0_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2228 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1236 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2188 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2728
-
-
C:\Windows\SysWOW64\at.exeat 02:31 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵PID:2320
-
-
C:\Windows\SysWOW64\at.exeat 02:32 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵PID:1160
-
-
C:\Windows\SysWOW64\at.exeat 02:33 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵PID:1808
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
66KB
MD5a0e88150548141b1675e082a155aaba4
SHA138daa2d472e9c79f2281131cff819f28cb7caf2c
SHA25656e04cbeefbb9c82ae2435edea022e16a454b0a4a47dd57750a3f05dcc36c825
SHA512f855b68a8ff9b9b41859d4a5b900df0288dc3a7dfb848daef3901fd7dd52de8d8cf91b38f842ca089309a01ee0a21baee1e3ed5c503350b724eac39d8cb90c10
-
Filesize
66KB
MD59e6daa9c316bd3bc871cf1f194f94d72
SHA1ba59a04855e75a6bb697d565641fda0c2eec13e1
SHA256874c5a99b90c449a53554b8e1b07ea24e837e7aea0a45ac3121815365a0cd0b2
SHA51274e9ec848fa4256ef18e174b3595fe7ec32a5e60efca0ae9775b477b6b60c6c3ea83663da84afe072198e3356bf5ac5097307900d675b310ce0c66723811c025
-
Filesize
66KB
MD5839ae3533304e8b17620e65dd022a295
SHA1e4d42418983bdfc3cb32954d66e2c7bc0f85d999
SHA256bbad28b1ff63fb6940a0c7cc1459b5fcd7b9080a4204f453f6a3a41cab5172db
SHA512fdc5cd032362c6eb36c6f7d76fd5a070c6be04927e8e187366df9c14bd25aa736574014dbde8277c31504acf11c810c32177d41c3d252f31bf1189a042b39721
-
Filesize
66KB
MD5e2c576f6bd739cae9e690f751fca3185
SHA15a1d59228759a8142958989836afee7009e99328
SHA256e218fdcc5dba882a23c377027731752983defdbb959650148f98cc6b685b5d4d
SHA512c334b0c4be6df1d181e6a814acb6eca6dfdb9aff7b6a8fc4998904853881990c09ce561efd15a5f171da512923092a122f3a949ed0067902f6c1c9c2468cc7c4