Malware Analysis Report

2024-10-23 22:31

Sample ID 240613-n6733sxgkf
Target 7a50e4f23bfa6c4e40be34d51e8ba750_NeikiAnalytics.exe
SHA256 e3ad8d9c635a0e88990ed1252b7fb1729e6a25a9ce41c187df6b2e455b8d3ede
Tags evasion, persistence
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 7a50e4f23bfa6c4e40be34d51e8ba750_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Modifies Installed Components in the registry

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Analysis: static1

Detonation Overview

Reported

2024-06-13 12:01

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 12:01

Reported

2024-06-13 12:04

Platform

win7-20240611-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7a50e4f23bfa6c4e40be34d51e8ba750_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\7a50e4f23bfa6c4e40be34d51e8ba750_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7a50e4f23bfa6c4e40be34d51e8ba750_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 840 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\7a50e4f23bfa6c4e40be34d51e8ba750_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 2036 wrote to memory of 2704 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2704 wrote to memory of 1292 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 1292 wrote to memory of 2512 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 1292 wrote to memory of 1944 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1292 wrote to memory of 1360 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1292 wrote to memory of 3056 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7a50e4f23bfa6c4e40be34d51e8ba750_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\7a50e4f23bfa6c4e40be34d51e8ba750_NeikiAnalytics.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 12:03 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 12:04 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 12:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

N/A

Files

\Windows\system\explorer.exe

MD5 5a5c59f42b612e9c9335477e7565872d
SHA1 e64057c321be3231c8538cc25b741c83ce48fc42
SHA256 29516056e317d0001193bcb043795bb562e972d50235a4b3acd0c9775262bdef
SHA512 ccb977a2b348f6423b559a34ba04673c68d77787da0bd871f7332f759635512002521f370dad2660a782964f19598b1a881b6fc2c90e90e9f3f7191b627365c1

\Windows\system\spoolsv.exe

MD5 16a93df81564ea380e80e69ad4430bfe
SHA1 d5022436ce2585b79a9eeb70d3769c473076750e
SHA256 bef0be06d4d3c8fbdb4dd201a204f3fa7eb62d38dc8750a79cf4bd9bef1785d5
SHA512 14fac8fe13eab02b97ce29f0cbf5265ab4da38e735d31de6ea37ad76eed57cfd5d1c88bbeec6eff6860bebe8188788bd5340c0e1bf2c5355f845d670ce2f398a

\Windows\system\svchost.exe

MD5 aa43842ce5f2e3d40744688401f41af8
SHA1 82d4a30f981b03cbe87d0bb77b1444c43b72a1a4
SHA256 e36b1b6c72faafb9a18f2fb995201ff9e87abdea2c40b55d7f2504d0d908e652
SHA512 e24296b7d148fa8647364ea92e4a0b644a4625175b1889901eb3aadc125b17e3f3d15d27374ab3b5209007e3476d5de3ea346d9ad3a902b41a029e5875872aa7

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 1558b67e663cdecb6684238147c26f16
SHA1 f7e24f03380c295af81d6af1beaed752c928d79c
SHA256 005225ca637342d0f05467c6c5c8e13b792ec3447f537c7683d20f195bff1a16
SHA512 0fa3034e765984b7d321a92078822f887a79ad2fd27a1a81da6a020b9e13a039d4122bf18dc9f985ff0fa8fb5d5ba9003dadb91e3f8019d05cc19c64f79db913

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 12:01

Reported

2024-06-13 12:04

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7a50e4f23bfa6c4e40be34d51e8ba750_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\7a50e4f23bfa6c4e40be34d51e8ba750_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7a50e4f23bfa6c4e40be34d51e8ba750_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4556 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\7a50e4f23bfa6c4e40be34d51e8ba750_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 4828 wrote to memory of 4468 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4468 wrote to memory of 4544 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 4544 wrote to memory of 4572 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 4544 wrote to memory of 3040 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4544 wrote to memory of 5108 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 4544 wrote to memory of 4292 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7a50e4f23bfa6c4e40be34d51e8ba750_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\7a50e4f23bfa6c4e40be34d51e8ba750_NeikiAnalytics.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 12:03 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 12:04 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 12:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Files

C:\Windows\System\explorer.exe

MD5 c87d6bf805c2525f97e903cf0f234b13
SHA1 17d24bc5e0156922410ffa45e251d86ee66cac31
SHA256 83c45fe960afc4c00edfefb44c3c14dbaa39f84ed7e7e025e9f40719f4adf2c1
SHA512 cd6f341d6e5f4a007a3b8ed3e40928c23bd410f31f1956d78971529678f1e0c5942ba72513e8caf4a05215e47e587654f4781ff7983bc6c5b6cc9982d3013a48

C:\Windows\System\spoolsv.exe

MD5 2973407d42677054f3aecebaa1ce2851
SHA1 c1f0b3fa1b94dabce30cd2f90d8d0b82181dc08b
SHA256 db22d15d12d6f0c0e11f9a0c158a438c55ac84b2dd22d01373428325374eda75
SHA512 02954d4acd17989e270cbbd97fa9a5465a781ea30675d0211f76f29d3f016e8a94051bba557764a9a276772505f62d2bd2006be6d32d91c17e19ecbbf30c9144

C:\Windows\System\svchost.exe

MD5 aec6b2f4eb24954c9d9b65d97c848bde
SHA1 899cbfacf37786a535620ad09862f937c0a0f0a3
SHA256 2296bfd0c9698731d99001a5ec5c223877b986fbd22c447c4c87021419895f2a
SHA512 b100f87453293d61250442a4ab7ff6bad2d64f3a5dfce50be219def8d084f30b5d7cd780bb09769bc3f56cc5278d3141b58567d77247bbc84052f72e24cc921b

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 de7834982484af112dfa450cdbac8100
SHA1 36c86c5726bbdcec009cda8cfc2c44afa2bc7923
SHA256 fd984b6702bbba77306aaa7199424e408a7b8af9aeeb25883c5b2b4919d9ccae
SHA512 9c144ca59f6205f5e58e7cae7d4b660adfeb7869e6f183f636d2b868e8c854929e9490e7c939ae284bb40d161f9cfa84e3e60dbec9c7d832ef1b04b5452517b3
