Analysis
- max time kernel: 150s
- max time network: 100s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-06-2024 02:29
Static task: static1
Behavioral task: behavioral1
- Sample: 571c5022756bb721647aae39b5379aa0_NeikiAnalytics.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 571c5022756bb721647aae39b5379aa0_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 571c5022756bb721647aae39b5379aa0_NeikiAnalytics.exe
- Size: 66KB
- MD5: 571c5022756bb721647aae39b5379aa0
- SHA1: d6208f3bb23f148a6aa2c356022161967db64e70
- SHA256: c18809027005c9b3d232bcb745e3f9531e26f913edb57e0e0eb1fc05a982b191
- SHA512: b15666bd0ce7bbd8bd316ea44bef384b16e97629f2035a50b662623412ca7e013123649641e1fbe6c36144422acbe41bdcbfefa856a32787bb702fee5995c808
- SSDEEP: 1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXiY:IeklMMYJhqezw/pXzH9iY
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Executes dropped EXE (4 IoCs)
pid | Process
4056 | explorer.exe
3340 | spoolsv.exe
5056 | svchost.exe
3980 | spoolsv.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Drops file in Windows directory (6 IoCs)
description | ioc | Process
File opened for modification | \??\c:\windows\system\explorer.exe | 571c5022756bb721647aae39b5379aa0_NeikiAnalytics.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
64 events were recorded, all from the following three processes:
2288 | 571c5022756bb721647aae39b5379aa0_NeikiAnalytics.exe
4056 | explorer.exe
5056 | svchost.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
4056 | explorer.exe
5056 | svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process
2288 | 571c5022756bb721647aae39b5379aa0_NeikiAnalytics.exe
2288 | 571c5022756bb721647aae39b5379aa0_NeikiAnalytics.exe
4056 | explorer.exe
4056 | explorer.exe
3340 | spoolsv.exe
3340 | spoolsv.exe
5056 | svchost.exe
5056 | svchost.exe
3980 | spoolsv.exe
3980 | spoolsv.exe
4056 | explorer.exe
4056 | explorer.exe
Suspicious use of WriteProcessMemory (21 IoCs)
description | pid | Process | procid_target
Each of the following parent-to-child writes was recorded three times (21 events in total):
PID 2288 wrote to memory of 4056 | 2288 | 571c5022756bb721647aae39b5379aa0_NeikiAnalytics.exe | 81
PID 4056 wrote to memory of 3340 | 4056 | explorer.exe | 82
PID 3340 wrote to memory of 5056 | 3340 | spoolsv.exe | 85
PID 5056 wrote to memory of 3980 | 5056 | svchost.exe | 86
PID 5056 wrote to memory of 5036 | 5056 | svchost.exe | 87
PID 5056 wrote to memory of 3508 | 5056 | svchost.exe | 97
PID 5056 wrote to memory of 1176 | 5056 | svchost.exe | 99
Processes
- C:\Users\Admin\AppData\Local\Temp\571c5022756bb721647aae39b5379aa0_NeikiAnalytics.exe (PID 2288)
  Command line: "C:\Users\Admin\AppData\Local\Temp\571c5022756bb721647aae39b5379aa0_NeikiAnalytics.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - \??\c:\windows\system\explorer.exe (PID 4056)
    Command line: c:\windows\system\explorer.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - \??\c:\windows\system\spoolsv.exe (PID 3340)
      Command line: c:\windows\system\spoolsv.exe SE
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - \??\c:\windows\system\svchost.exe (PID 5056)
        Command line: c:\windows\system\svchost.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - \??\c:\windows\system\spoolsv.exe (PID 3980)
          Command line: c:\windows\system\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        - C:\Windows\SysWOW64\at.exe (PID 5036)
          Command line: at 02:31 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        - C:\Windows\SysWOW64\at.exe (PID 3508)
          Command line: at 02:32 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        - C:\Windows\SysWOW64\at.exe (PID 1176)
          Command line: at 02:33 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Downloads