Malware Analysis Report

2025-01-18 14:05

Sample ID 240613-cyt1psvdqm
Target 571c5022756bb721647aae39b5379aa0_NeikiAnalytics.exe
SHA256 c18809027005c9b3d232bcb745e3f9531e26f913edb57e0e0eb1fc05a982b191
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c18809027005c9b3d232bcb745e3f9531e26f913edb57e0e0eb1fc05a982b191

Threat Level: Known bad

The file 571c5022756bb721647aae39b5379aa0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Modifies Installed Components in the registry

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 02:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 02:29

Reported

2024-06-13 02:32

Platform

win7-20240508-en

Max time kernel

150s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\571c5022756bb721647aae39b5379aa0_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\571c5022756bb721647aae39b5379aa0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\571c5022756bb721647aae39b5379aa0_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2228 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\571c5022756bb721647aae39b5379aa0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 2228 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\571c5022756bb721647aae39b5379aa0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 2228 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\571c5022756bb721647aae39b5379aa0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 2228 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\571c5022756bb721647aae39b5379aa0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 1236 wrote to memory of 2780 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1236 wrote to memory of 2780 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1236 wrote to memory of 2780 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1236 wrote to memory of 2780 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2780 wrote to memory of 2188 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2780 wrote to memory of 2188 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2780 wrote to memory of 2188 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2780 wrote to memory of 2188 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2188 wrote to memory of 2728 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2188 wrote to memory of 2728 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2188 wrote to memory of 2728 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2188 wrote to memory of 2728 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2188 wrote to memory of 2320 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2188 wrote to memory of 2320 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2188 wrote to memory of 2320 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2188 wrote to memory of 2320 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2188 wrote to memory of 1160 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2188 wrote to memory of 1160 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2188 wrote to memory of 1160 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2188 wrote to memory of 1160 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2188 wrote to memory of 1808 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2188 wrote to memory of 1808 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2188 wrote to memory of 1808 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2188 wrote to memory of 1808 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\571c5022756bb721647aae39b5379aa0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\571c5022756bb721647aae39b5379aa0_NeikiAnalytics.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 02:31 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 02:32 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 02:33 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

N/A

Files

memory/2228-1-0x0000000000020000-0x0000000000024000-memory.dmp

memory/2228-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2228-2-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2228-4-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2228-3-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\system\explorer.exe

MD5 9e6daa9c316bd3bc871cf1f194f94d72
SHA1 ba59a04855e75a6bb697d565641fda0c2eec13e1
SHA256 874c5a99b90c449a53554b8e1b07ea24e837e7aea0a45ac3121815365a0cd0b2
SHA512 74e9ec848fa4256ef18e174b3595fe7ec32a5e60efca0ae9775b477b6b60c6c3ea83663da84afe072198e3356bf5ac5097307900d675b310ce0c66723811c025

memory/1236-19-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2228-18-0x0000000002500000-0x0000000002531000-memory.dmp

memory/2228-17-0x0000000002500000-0x0000000002531000-memory.dmp

memory/1236-20-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/1236-24-0x0000000000400000-0x0000000000431000-memory.dmp

\Windows\system\spoolsv.exe

MD5 e2c576f6bd739cae9e690f751fca3185
SHA1 5a1d59228759a8142958989836afee7009e99328
SHA256 e218fdcc5dba882a23c377027731752983defdbb959650148f98cc6b685b5d4d
SHA512 c334b0c4be6df1d181e6a814acb6eca6dfdb9aff7b6a8fc4998904853881990c09ce561efd15a5f171da512923092a122f3a949ed0067902f6c1c9c2468cc7c4

memory/2780-36-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/1236-44-0x0000000002710000-0x0000000002741000-memory.dmp

C:\Windows\system\svchost.exe

MD5 839ae3533304e8b17620e65dd022a295
SHA1 e4d42418983bdfc3cb32954d66e2c7bc0f85d999
SHA256 bbad28b1ff63fb6940a0c7cc1459b5fcd7b9080a4204f453f6a3a41cab5172db
SHA512 fdc5cd032362c6eb36c6f7d76fd5a070c6be04927e8e187366df9c14bd25aa736574014dbde8277c31504acf11c810c32177d41c3d252f31bf1189a042b39721

memory/2780-45-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2188-53-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2188-54-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2188-58-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2728-69-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2728-64-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2728-71-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2780-73-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2228-79-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2228-78-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2228-77-0x0000000000020000-0x0000000000024000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 a0e88150548141b1675e082a155aaba4
SHA1 38daa2d472e9c79f2281131cff819f28cb7caf2c
SHA256 56e04cbeefbb9c82ae2435edea022e16a454b0a4a47dd57750a3f05dcc36c825
SHA512 f855b68a8ff9b9b41859d4a5b900df0288dc3a7dfb848daef3901fd7dd52de8d8cf91b38f842ca089309a01ee0a21baee1e3ed5c503350b724eac39d8cb90c10

memory/1236-81-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2188-82-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1236-91-0x0000000000400000-0x0000000000431000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 02:29

Reported

2024-06-13 02:32

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\571c5022756bb721647aae39b5379aa0_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\571c5022756bb721647aae39b5379aa0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\571c5022756bb721647aae39b5379aa0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\571c5022756bb721647aae39b5379aa0_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2288 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\571c5022756bb721647aae39b5379aa0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 2288 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\571c5022756bb721647aae39b5379aa0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 2288 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\571c5022756bb721647aae39b5379aa0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 4056 wrote to memory of 3340 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4056 wrote to memory of 3340 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4056 wrote to memory of 3340 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3340 wrote to memory of 5056 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 3340 wrote to memory of 5056 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 3340 wrote to memory of 5056 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 5056 wrote to memory of 3980 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 5056 wrote to memory of 3980 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 5056 wrote to memory of 3980 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 5056 wrote to memory of 5036 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 5056 wrote to memory of 5036 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 5056 wrote to memory of 5036 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 5056 wrote to memory of 3508 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 5056 wrote to memory of 3508 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 5056 wrote to memory of 3508 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 5056 wrote to memory of 1176 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 5056 wrote to memory of 1176 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 5056 wrote to memory of 1176 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\571c5022756bb721647aae39b5379aa0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\571c5022756bb721647aae39b5379aa0_NeikiAnalytics.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 02:31 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 02:32 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 02:33 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Country Destination Domain Proto
NL 52.111.243.31:443 tcp

Files

memory/2288-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2288-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/2288-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2288-2-0x0000000074D90000-0x0000000074EED000-memory.dmp

memory/2288-5-0x0000000000401000-0x000000000042E000-memory.dmp

C:\Windows\System\explorer.exe

MD5 b6770eedaaa05c8d3dada4abd3e32fe9
SHA1 d3469ee1bfbac4e6cf2ed2ec6ba12038dec07bd8
SHA256 c187e56f2ede258af48dcd8c1429d4e1517a8df364515e809dd2bd460b7d56b1
SHA512 241be9b933f715766136a906789918391f4df9cf8e3f5807835d8de0f75155e326b127e4d91016881d598866025e7f43783810ca55904732bcb83cc44c643592

memory/4056-13-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4056-14-0x0000000074D90000-0x0000000074EED000-memory.dmp

memory/4056-18-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 a247063dd68ab5f28738a172a5c2b273
SHA1 06596c6114df87002944af0d923791b6234ea544
SHA256 48bee8edf8534f05b4523f133fd63be492289e6ed08fb435421c2be115f44b4a
SHA512 6328058add538dd079f652925d4bf2b7775582e13349c963d63d33447170ab0abbb03b13ed099ef1b55c2d64e88cfaea5f5563663b7dd7b9295af5cb8b92a462

memory/3340-26-0x0000000074D90000-0x0000000074EED000-memory.dmp

memory/3340-32-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3340-29-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3340-25-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\System\svchost.exe

MD5 ba30937a9af1440d430451dffa72fa9d
SHA1 ff47352ef32584c35fee3e855c8b5e632bb6b912
SHA256 02ed3a0f85085af9d69d6a03bb3d8009eeb73c90f943b85e2ce59717e23746e2
SHA512 f832888f0620f62c70825452e5517dca62ad439ff1f5ef19c7fb960411942577fc67a04ab9dfd7a5462f1e5073d0c097d054b75c2eee11abb4798d46ce3d7005

memory/5056-38-0x0000000074D90000-0x0000000074EED000-memory.dmp

memory/5056-43-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2288-45-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/3980-46-0x0000000074D90000-0x0000000074EED000-memory.dmp

memory/3340-54-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3980-55-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 c52938ad7b2355da6796d286c2d502f9
SHA1 8762200c5c60efc59d530747caa00766fa8d6d46
SHA256 d3626d629ddfbafd714dd77c380ece392f14c51a88e69e0a5442b131c0eb9051
SHA512 66721acd465e82fb32fa07e53a3c832817f1ffc26088395b8724dda283aba1596876e79da9f72144aeb8800fa248dde1fc976cf74bb5e6182f3b4e8535799778

memory/2288-59-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2288-58-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4056-60-0x0000000000400000-0x0000000000431000-memory.dmp

memory/5056-62-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4056-71-0x0000000000400000-0x0000000000431000-memory.dmp

\??\PIPE\atsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e