Malware Analysis Report

2025-01-18 14:25

Sample ID 240613-dkx1wawbll
Target 596906331dd02681bfa4e48f84b0f000_NeikiAnalytics.exe
SHA256 21b1e575e95fd79a7ef76ba1defcd4e2dad10da3892b5f8d668778132640a23d
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

21b1e575e95fd79a7ef76ba1defcd4e2dad10da3892b5f8d668778132640a23d

Threat Level: Known bad

The file 596906331dd02681bfa4e48f84b0f000_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Modifies Installed Components in the registry

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 03:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 03:04

Reported

2024-06-13 03:07

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\596906331dd02681bfa4e48f84b0f000_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\596906331dd02681bfa4e48f84b0f000_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\596906331dd02681bfa4e48f84b0f000_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\596906331dd02681bfa4e48f84b0f000_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 948 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\596906331dd02681bfa4e48f84b0f000_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 948 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\596906331dd02681bfa4e48f84b0f000_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 948 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\596906331dd02681bfa4e48f84b0f000_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 2312 wrote to memory of 1456 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2312 wrote to memory of 1456 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2312 wrote to memory of 1456 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1456 wrote to memory of 4976 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 1456 wrote to memory of 4976 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 1456 wrote to memory of 4976 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 4976 wrote to memory of 4680 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 4976 wrote to memory of 4680 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 4976 wrote to memory of 4680 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 4976 wrote to memory of 1588 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4976 wrote to memory of 1588 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4976 wrote to memory of 1588 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4976 wrote to memory of 5024 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4976 wrote to memory of 5024 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4976 wrote to memory of 5024 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4976 wrote to memory of 2176 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4976 wrote to memory of 2176 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4976 wrote to memory of 2176 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\596906331dd02681bfa4e48f84b0f000_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\596906331dd02681bfa4e48f84b0f000_NeikiAnalytics.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 03:06 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 03:07 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 03:08 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 44.56.20.217.in-addr.arpa udp

Files

memory/948-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/948-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/948-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/948-4-0x0000000000401000-0x000000000042E000-memory.dmp

memory/948-2-0x0000000074C30000-0x0000000074D8D000-memory.dmp

C:\Windows\System\explorer.exe

MD5 d9b67b706fd3a05f79f4affe12d5d4d1
SHA1 74e2a71a567138014106246569b40d536fe4377a
SHA256 94f044ea2877f5365054e299f45d12b2f9064060051f75327938ed511d59bc74
SHA512 22505ae049d4c501a9fe40ee94e1f76cff69a7d7688340ec485aa929341bd664d9f656fbcd4780260beba93da0c5ab2ad5ca13d4451c287ffcc3fcc0300994cf

memory/2312-12-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2312-14-0x0000000074C30000-0x0000000074D8D000-memory.dmp

memory/2312-17-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 3275925d64f39e6070d2c6ea2df2cea4
SHA1 c99e522d65978825906cfe67fcbac8334a63d730
SHA256 0477a5933459def598ce960afe92cb4af1e35a53e91d8c37215b32e32c2a968c
SHA512 d852089dfc526f504a42fe89d1f061bb98212643db07542417c56b3d7695f42d8b3f3415b767885f259962c5842e4e0fd92c32d6954258fe336a721ea3baf2b2

memory/1456-26-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1456-25-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1456-27-0x0000000074C30000-0x0000000074D8D000-memory.dmp

C:\Windows\System\svchost.exe

MD5 cc9fde1023d734d96a238134b629160d
SHA1 ab7fee935cef9c1c295fe912c6e525a09ed75aaa
SHA256 9ef9541404b3ae09a3b62b50565d8a3774dd014df010f5a314885545378f2a11
SHA512 3b3468039579f3cea5efc2f1beaf0519078694385a1a71ef44228615c206737b4edd10f03914aec4cb732c05112c573ee9c7ae7c7e5bdee47ed340b7529b4629

memory/4976-37-0x0000000074C30000-0x0000000074D8D000-memory.dmp

memory/4976-42-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4680-44-0x0000000074C30000-0x0000000074D8D000-memory.dmp

memory/4680-52-0x0000000000400000-0x0000000000431000-memory.dmp

memory/948-53-0x0000000000400000-0x0000000000431000-memory.dmp

memory/948-56-0x0000000000401000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 e9f1c6308fe549f172572e596a638206
SHA1 1f9bb458bc5609ad214fc81e89925d9cc8f7a63c
SHA256 a2698f5c507aec6dcdb7f88ebfa1a41fae91891594888c809edfb0c6d52bb881
SHA512 d0b75014299cde6a826912f203108530e078a93793d32ef0eb1faf5d0335129278e1b66bb4a872139d3f77007ee7e1fe385d7150f768246723d93c9f63e45904

memory/1456-55-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2312-58-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4976-60-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2312-69-0x0000000000400000-0x0000000000431000-memory.dmp

\??\PIPE\atsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 03:04

Reported

2024-06-13 03:07

Platform

win7-20231129-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\596906331dd02681bfa4e48f84b0f000_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\596906331dd02681bfa4e48f84b0f000_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\596906331dd02681bfa4e48f84b0f000_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2044 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\596906331dd02681bfa4e48f84b0f000_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 2044 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\596906331dd02681bfa4e48f84b0f000_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 2044 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\596906331dd02681bfa4e48f84b0f000_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 2044 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\596906331dd02681bfa4e48f84b0f000_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 1972 wrote to memory of 2572 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1972 wrote to memory of 2572 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1972 wrote to memory of 2572 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1972 wrote to memory of 2572 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2572 wrote to memory of 2632 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2572 wrote to memory of 2632 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2572 wrote to memory of 2632 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2572 wrote to memory of 2632 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2632 wrote to memory of 2720 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2632 wrote to memory of 2720 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2632 wrote to memory of 2720 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2632 wrote to memory of 2720 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2632 wrote to memory of 2256 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2632 wrote to memory of 2256 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2632 wrote to memory of 2256 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2632 wrote to memory of 2256 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2632 wrote to memory of 2940 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2632 wrote to memory of 2940 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2632 wrote to memory of 2940 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2632 wrote to memory of 2940 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2632 wrote to memory of 1228 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2632 wrote to memory of 1228 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2632 wrote to memory of 1228 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2632 wrote to memory of 1228 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\596906331dd02681bfa4e48f84b0f000_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\596906331dd02681bfa4e48f84b0f000_NeikiAnalytics.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 03:06 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 03:07 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 03:08 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

N/A

Files

memory/2044-1-0x0000000000020000-0x0000000000024000-memory.dmp

memory/2044-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2044-4-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2044-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2044-2-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2044-16-0x0000000002AF0000-0x0000000002B21000-memory.dmp

C:\Windows\system\explorer.exe

MD5 f2f3ed58bc1053d09f20b3b97a9acaf8
SHA1 911e76e6552d0fbbf91ebd60b9eaa94a39883617
SHA256 b327ee917000be30eca7036601abefda455c2bbc93a85ff1ea4ddf3e35e72e3a
SHA512 86b331ec09c84992a7804a8f54c4a19c66368feb3cd910902ab3dc470f54b2194ef9a986a43b42e97bb292df6764839206a63462c44bd9f9c4dda5db052d2cc1

memory/1972-18-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1972-19-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/1972-21-0x0000000000400000-0x0000000000431000-memory.dmp

\Windows\system\spoolsv.exe

MD5 e91b2d3429cbdf308ed6fa4a9bc6e828
SHA1 d8fd1cebcc8775bdca6bb600bfafbab5892abf7b
SHA256 677b93c72a8f259797e3edca67edf85041da316f5770f107bfadf24eac31d9a1
SHA512 bb6e7506d9f6f0a19c2f0a087ea18d93b3c64b83022cf843d1573a6af9fd83d8b5f37ef5ae72e9e01f08e5a30de894a884a71347fbee9a3b78665ecc2e7add74

memory/1972-35-0x00000000025A0000-0x00000000025D1000-memory.dmp

memory/1972-34-0x00000000025A0000-0x00000000025D1000-memory.dmp

memory/2572-37-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2572-43-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\system\svchost.exe

MD5 66347d19f407d43782bbff0019ba785c
SHA1 41471c341f679ad13fb408127f6066d0c9be6c64
SHA256 fd46c1968a574d9ff334ccee94dcb9b089dda8a5758d03f75a5d338a5983c459
SHA512 d5a7e1fafc72b0e50a96ec2a4176526a3b9e952e8b5ebcfcde4f6e634ee152ce2bf2dddb3f821f6a96392f95cec7e3bf339f8ec5718b89f3bd4be3f52a963764

memory/2572-46-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2632-56-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2572-55-0x00000000004D0000-0x0000000000501000-memory.dmp

memory/2044-54-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2632-57-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/1972-65-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2720-67-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2720-73-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2572-77-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2044-80-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2044-79-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 f03b91c3e26f2a8adc10a986faea56f1
SHA1 42c03a0cfa602db762d2440cdbb555475b647cb6
SHA256 a717ff92a008fc9b7bee2a0dd45896291a1bdc1e8dfa11a560c759e20d0e99be
SHA512 cdc67ae279e3d66e566490e64b43475f0db48d605c6e5b967ccbd7b6a37942b94dba91312331056d45e2ad6dc1af41439bcc9fdcfb8b94be6cf452793d479275

memory/1972-82-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2632-83-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1972-92-0x0000000000400000-0x0000000000431000-memory.dmp