Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64 arch:x86 image:win7-20240611-en locale:en-us os:windows7-x64 system
submitted: 13-06-2024 12:01
Static task: static1
Behavioral task: behavioral1
  Sample: 7a50e4f23bfa6c4e40be34d51e8ba750_NeikiAnalytics.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 7a50e4f23bfa6c4e40be34d51e8ba750_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 7a50e4f23bfa6c4e40be34d51e8ba750_NeikiAnalytics.exe
Size: 66KB
MD5: 7a50e4f23bfa6c4e40be34d51e8ba750
SHA1: c61858b260d6d241ce749fedc7d2df91107a7d99
SHA256: e3ad8d9c635a0e88990ed1252b7fb1729e6a25a9ce41c187df6b2e455b8d3ede
SHA512: a01b220f4820689b0c123014f9736d93d115e75658d73fc74ce34c5d11afb35565726b97c83b755f27575555c783b33ad273bb2edb1249a19738aa8d75b85f4e
SSDEEP: 1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXib:IeklMMYJhqezw/pXzH9ib
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
Processes: explorer.exe, svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
Processes: explorer.exe, svchost.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
-
Modifies Installed Components in the registry 2 TTPs 8 IoCs
Processes: svchost.exe, explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
-
Executes dropped EXE 4 IoCs
Processes: explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
pid | process
2036 | explorer.exe
2704 | spoolsv.exe
1292 | svchost.exe
2512 | spoolsv.exe
-
Loads dropped DLL 8 IoCs
Processes: 7a50e4f23bfa6c4e40be34d51e8ba750_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe
pid | process
840 | 7a50e4f23bfa6c4e40be34d51e8ba750_NeikiAnalytics.exe
840 | 7a50e4f23bfa6c4e40be34d51e8ba750_NeikiAnalytics.exe
2036 | explorer.exe
2036 | explorer.exe
2704 | spoolsv.exe
2704 | spoolsv.exe
1292 | svchost.exe
1292 | svchost.exe
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes: explorer.exe, svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
-
Drops file in Windows directory 6 IoCs
Processes: explorer.exe, svchost.exe, 7a50e4f23bfa6c4e40be34d51e8ba750_NeikiAnalytics.exe, spoolsv.exe
description | ioc | process
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
File opened for modification | \??\c:\windows\system\explorer.exe | 7a50e4f23bfa6c4e40be34d51e8ba750_NeikiAnalytics.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 7a50e4f23bfa6c4e40be34d51e8ba750_NeikiAnalytics.exe, explorer.exe, svchost.exe
pid | process
840 | 7a50e4f23bfa6c4e40be34d51e8ba750_NeikiAnalytics.exe
2036 | explorer.exe
1292 | svchost.exe
(64 hits in total, all from these three processes; after the single hit from PID 840 the remaining entries alternate between PID 2036 explorer.exe and PID 1292 svchost.exe)
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes: explorer.exe, svchost.exe
pid | process
2036 | explorer.exe
1292 | svchost.exe
-
Suspicious use of SetWindowsHookEx 12 IoCs
Processes: 7a50e4f23bfa6c4e40be34d51e8ba750_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
pid | process
840 | 7a50e4f23bfa6c4e40be34d51e8ba750_NeikiAnalytics.exe
840 | 7a50e4f23bfa6c4e40be34d51e8ba750_NeikiAnalytics.exe
2036 | explorer.exe
2036 | explorer.exe
2704 | spoolsv.exe
2704 | spoolsv.exe
1292 | svchost.exe
1292 | svchost.exe
2512 | spoolsv.exe
2512 | spoolsv.exe
2036 | explorer.exe
2036 | explorer.exe
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes: 7a50e4f23bfa6c4e40be34d51e8ba750_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe
description | pid | process | target process
PID 840 wrote to memory of 2036 | 840 | 7a50e4f23bfa6c4e40be34d51e8ba750_NeikiAnalytics.exe | explorer.exe
PID 2036 wrote to memory of 2704 | 2036 | explorer.exe | spoolsv.exe
PID 2704 wrote to memory of 1292 | 2704 | spoolsv.exe | svchost.exe
PID 1292 wrote to memory of 2512 | 1292 | svchost.exe | spoolsv.exe
PID 1292 wrote to memory of 1944 | 1292 | svchost.exe | at.exe
PID 1292 wrote to memory of 1360 | 1292 | svchost.exe | at.exe
PID 1292 wrote to memory of 3056 | 1292 | svchost.exe | at.exe
(each of the 7 writes above is reported 4 times, 28 IoCs in total)
Processes
-
Process tree (bracketed number = depth in the tree):

[1] C:\Users\Admin\AppData\Local\Temp\7a50e4f23bfa6c4e40be34d51e8ba750_NeikiAnalytics.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\7a50e4f23bfa6c4e40be34d51e8ba750_NeikiAnalytics.exe"
    PID: 840
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

  [2] \??\c:\windows\system\explorer.exe
      command line: c:\windows\system\explorer.exe
      PID: 2036
      - Modifies WinLogon for persistence
      - Modifies visibility of hidden/system files in Explorer
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

    [3] \??\c:\windows\system\spoolsv.exe
        command line: c:\windows\system\spoolsv.exe SE
        PID: 2704
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

      [4] \??\c:\windows\system\svchost.exe
          command line: c:\windows\system\svchost.exe
          PID: 1292
          - Modifies WinLogon for persistence
          - Modifies visibility of hidden/system files in Explorer
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

        [5] \??\c:\windows\system\spoolsv.exe
            command line: c:\windows\system\spoolsv.exe PR
            PID: 2512
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx

        [5] C:\Windows\SysWOW64\at.exe
            command line: at 12:03 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            PID: 1944

        [5] C:\Windows\SysWOW64\at.exe
            command line: at 12:04 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            PID: 1360

        [5] C:\Windows\SysWOW64\at.exe
            command line: at 12:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            PID: 3056
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads
-
Filesize: 66KB
MD5: 1558b67e663cdecb6684238147c26f16
SHA1: f7e24f03380c295af81d6af1beaed752c928d79c
SHA256: 005225ca637342d0f05467c6c5c8e13b792ec3447f537c7683d20f195bff1a16
SHA512: 0fa3034e765984b7d321a92078822f887a79ad2fd27a1a81da6a020b9e13a039d4122bf18dc9f985ff0fa8fb5d5ba9003dadb91e3f8019d05cc19c64f79db913
-
Filesize: 66KB
MD5: 5a5c59f42b612e9c9335477e7565872d
SHA1: e64057c321be3231c8538cc25b741c83ce48fc42
SHA256: 29516056e317d0001193bcb043795bb562e972d50235a4b3acd0c9775262bdef
SHA512: ccb977a2b348f6423b559a34ba04673c68d77787da0bd871f7332f759635512002521f370dad2660a782964f19598b1a881b6fc2c90e90e9f3f7191b627365c1
-
Filesize: 66KB
MD5: 16a93df81564ea380e80e69ad4430bfe
SHA1: d5022436ce2585b79a9eeb70d3769c473076750e
SHA256: bef0be06d4d3c8fbdb4dd201a204f3fa7eb62d38dc8750a79cf4bd9bef1785d5
SHA512: 14fac8fe13eab02b97ce29f0cbf5265ab4da38e735d31de6ea37ad76eed57cfd5d1c88bbeec6eff6860bebe8188788bd5340c0e1bf2c5355f845d670ce2f398a
-
Filesize: 66KB
MD5: aa43842ce5f2e3d40744688401f41af8
SHA1: 82d4a30f981b03cbe87d0bb77b1444c43b72a1a4
SHA256: e36b1b6c72faafb9a18f2fb995201ff9e87abdea2c40b55d7f2504d0d908e652
SHA512: e24296b7d148fa8647364ea92e4a0b644a4625175b1889901eb3aadc125b17e3f3d15d27374ab3b5209007e3476d5de3ea346d9ad3a902b41a029e5875872aa7