Analysis
-
max time kernel
150s -
max time network
51s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
13-06-2024 12:01
Static task
static1
Behavioral task
behavioral1
Sample
7a50e4f23bfa6c4e40be34d51e8ba750_NeikiAnalytics.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
7a50e4f23bfa6c4e40be34d51e8ba750_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
7a50e4f23bfa6c4e40be34d51e8ba750_NeikiAnalytics.exe
-
Size
66KB
-
MD5
7a50e4f23bfa6c4e40be34d51e8ba750
-
SHA1
c61858b260d6d241ce749fedc7d2df91107a7d99
-
SHA256
e3ad8d9c635a0e88990ed1252b7fb1729e6a25a9ce41c187df6b2e455b8d3ede
-
SHA512
a01b220f4820689b0c123014f9736d93d115e75658d73fc74ce34c5d11afb35565726b97c83b755f27575555c783b33ad273bb2edb1249a19738aa8d75b85f4e
-
SSDEEP
1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXib:IeklMMYJhqezw/pXzH9ib
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
Processes:
explorer.exesvchost.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" svchost.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
Processes:
explorer.exesvchost.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe -
Modifies Installed Components in the registry 2 TTPs 8 IoCs
Processes:
svchost.exeexplorer.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" svchost.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} svchost.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" explorer.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" svchost.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} svchost.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} svchost.exe -
Executes dropped EXE 4 IoCs
Processes:
explorer.exespoolsv.exesvchost.exespoolsv.exepid process 4828 explorer.exe 4468 spoolsv.exe 4544 svchost.exe 4572 spoolsv.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
explorer.exesvchost.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" svchost.exe -
Drops file in Windows directory 6 IoCs
Processes:
explorer.exe7a50e4f23bfa6c4e40be34d51e8ba750_NeikiAnalytics.exespoolsv.exesvchost.exedescription ioc process File opened for modification C:\Windows\system\udsys.exe explorer.exe File opened for modification \??\c:\windows\system\explorer.exe 7a50e4f23bfa6c4e40be34d51e8ba750_NeikiAnalytics.exe File opened for modification \??\c:\windows\system\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\system\svchost.exe spoolsv.exe File opened for modification \??\c:\windows\system\explorer.exe explorer.exe File opened for modification \??\c:\windows\system\svchost.exe svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
7a50e4f23bfa6c4e40be34d51e8ba750_NeikiAnalytics.exeexplorer.exesvchost.exepid process 4556 7a50e4f23bfa6c4e40be34d51e8ba750_NeikiAnalytics.exe 4556 7a50e4f23bfa6c4e40be34d51e8ba750_NeikiAnalytics.exe 4828 explorer.exe 4828 explorer.exe 4828 explorer.exe 4828 explorer.exe 4828 explorer.exe 4828 explorer.exe 4544 svchost.exe 4544 svchost.exe 4544 svchost.exe 4544 svchost.exe 4828 explorer.exe 4828 explorer.exe 4544 svchost.exe 4544 svchost.exe 4828 explorer.exe 4828 explorer.exe 4544 svchost.exe 4544 svchost.exe 4828 explorer.exe 4828 explorer.exe 4544 svchost.exe 4544 svchost.exe 4828 explorer.exe 4828 explorer.exe 4544 svchost.exe 4544 svchost.exe 4828 explorer.exe 4828 explorer.exe 4544 svchost.exe 4544 svchost.exe 4828 explorer.exe 4828 explorer.exe 4544 svchost.exe 4544 svchost.exe 4828 explorer.exe 4828 explorer.exe 4544 svchost.exe 4544 svchost.exe 4828 explorer.exe 4828 explorer.exe 4544 svchost.exe 4544 svchost.exe 4828 explorer.exe 4828 explorer.exe 4544 svchost.exe 4544 svchost.exe 4828 explorer.exe 4828 explorer.exe 4544 svchost.exe 4544 svchost.exe 4828 explorer.exe 4828 explorer.exe 4544 svchost.exe 4544 svchost.exe 4828 explorer.exe 4828 explorer.exe 4544 svchost.exe 4544 svchost.exe 4828 explorer.exe 4828 explorer.exe 4544 svchost.exe 4544 svchost.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
explorer.exesvchost.exepid process 4828 explorer.exe 4544 svchost.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
7a50e4f23bfa6c4e40be34d51e8ba750_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exespoolsv.exepid process 4556 7a50e4f23bfa6c4e40be34d51e8ba750_NeikiAnalytics.exe 4556 7a50e4f23bfa6c4e40be34d51e8ba750_NeikiAnalytics.exe 4828 explorer.exe 4828 explorer.exe 4468 spoolsv.exe 4468 spoolsv.exe 4544 svchost.exe 4544 svchost.exe 4572 spoolsv.exe 4572 spoolsv.exe 4828 explorer.exe 4828 explorer.exe -
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
7a50e4f23bfa6c4e40be34d51e8ba750_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exedescription pid process target process PID 4556 wrote to memory of 4828 4556 7a50e4f23bfa6c4e40be34d51e8ba750_NeikiAnalytics.exe explorer.exe PID 4556 wrote to memory of 4828 4556 7a50e4f23bfa6c4e40be34d51e8ba750_NeikiAnalytics.exe explorer.exe PID 4556 wrote to memory of 4828 4556 7a50e4f23bfa6c4e40be34d51e8ba750_NeikiAnalytics.exe explorer.exe PID 4828 wrote to memory of 4468 4828 explorer.exe spoolsv.exe PID 4828 wrote to memory of 4468 4828 explorer.exe spoolsv.exe PID 4828 wrote to memory of 4468 4828 explorer.exe spoolsv.exe PID 4468 wrote to memory of 4544 4468 spoolsv.exe svchost.exe PID 4468 wrote to memory of 4544 4468 spoolsv.exe svchost.exe PID 4468 wrote to memory of 4544 4468 spoolsv.exe svchost.exe PID 4544 wrote to memory of 4572 4544 svchost.exe spoolsv.exe PID 4544 wrote to memory of 4572 4544 svchost.exe spoolsv.exe PID 4544 wrote to memory of 4572 4544 svchost.exe spoolsv.exe PID 4544 wrote to memory of 3040 4544 svchost.exe at.exe PID 4544 wrote to memory of 3040 4544 svchost.exe at.exe PID 4544 wrote to memory of 3040 4544 svchost.exe at.exe PID 4544 wrote to memory of 5108 4544 svchost.exe at.exe PID 4544 wrote to memory of 5108 4544 svchost.exe at.exe PID 4544 wrote to memory of 5108 4544 svchost.exe at.exe PID 4544 wrote to memory of 4292 4544 svchost.exe at.exe PID 4544 wrote to memory of 4292 4544 svchost.exe at.exe PID 4544 wrote to memory of 4292 4544 svchost.exe at.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7a50e4f23bfa6c4e40be34d51e8ba750_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\7a50e4f23bfa6c4e40be34d51e8ba750_NeikiAnalytics.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4556 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4828 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4468 -
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4544 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4572 -
C:\Windows\SysWOW64\at.exeat 12:03 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵PID:3040
-
C:\Windows\SysWOW64\at.exeat 12:04 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵PID:5108
-
C:\Windows\SysWOW64\at.exeat 12:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe5⤵PID:4292
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
66KB
MD5de7834982484af112dfa450cdbac8100
SHA136c86c5726bbdcec009cda8cfc2c44afa2bc7923
SHA256fd984b6702bbba77306aaa7199424e408a7b8af9aeeb25883c5b2b4919d9ccae
SHA5129c144ca59f6205f5e58e7cae7d4b660adfeb7869e6f183f636d2b868e8c854929e9490e7c939ae284bb40d161f9cfa84e3e60dbec9c7d832ef1b04b5452517b3
-
Filesize
66KB
MD5c87d6bf805c2525f97e903cf0f234b13
SHA117d24bc5e0156922410ffa45e251d86ee66cac31
SHA25683c45fe960afc4c00edfefb44c3c14dbaa39f84ed7e7e025e9f40719f4adf2c1
SHA512cd6f341d6e5f4a007a3b8ed3e40928c23bd410f31f1956d78971529678f1e0c5942ba72513e8caf4a05215e47e587654f4781ff7983bc6c5b6cc9982d3013a48
-
Filesize
66KB
MD52973407d42677054f3aecebaa1ce2851
SHA1c1f0b3fa1b94dabce30cd2f90d8d0b82181dc08b
SHA256db22d15d12d6f0c0e11f9a0c158a438c55ac84b2dd22d01373428325374eda75
SHA51202954d4acd17989e270cbbd97fa9a5465a781ea30675d0211f76f29d3f016e8a94051bba557764a9a276772505f62d2bd2006be6d32d91c17e19ecbbf30c9144
-
Filesize
66KB
MD5aec6b2f4eb24954c9d9b65d97c848bde
SHA1899cbfacf37786a535620ad09862f937c0a0f0a3
SHA2562296bfd0c9698731d99001a5ec5c223877b986fbd22c447c4c87021419895f2a
SHA512b100f87453293d61250442a4ab7ff6bad2d64f3a5dfce50be219def8d084f30b5d7cd780bb09769bc3f56cc5278d3141b58567d77247bbc84052f72e24cc921b