Analysis
max time kernel: 150s
max time network: 120s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 13-06-2024 12:13

Static task: static1

Behavioral task: behavioral1
Sample: 7b369f6b351f70374acda63d26bdaca0_NeikiAnalytics.exe
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: 7b369f6b351f70374acda63d26bdaca0_NeikiAnalytics.exe
Resource: win10v2004-20240611-en
General
Target: 7b369f6b351f70374acda63d26bdaca0_NeikiAnalytics.exe
Size: 206KB
MD5: 7b369f6b351f70374acda63d26bdaca0
SHA1: ee15eb4506ae06b933130174cefe13d19d7918de
SHA256: 5b3802a5d12b73ab2a907c22fd569e7dfdb350fb5b1038b00afa462bb89eed50
SHA512: 8f16d5f7158b867a008b0dc340e3ec306fdb4405842013d900fe411f671067fec1dfcfafbad997ff72a1eea4c6ea490a819a63e23a5a3ec4e42e90fbe077ec62
SSDEEP: 6144:5vEN2U+T6i5LirrllHy4HUcMQY6KYnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnP:RENN+T5xYrllrU7QY6K6
Malware Config

Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
Processes: svchost.exe, explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Executes dropped EXE (4 IoCs)
Processes: explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
pid | process
1788 | explorer.exe
2608 | spoolsv.exe
2652 | svchost.exe
2288 | spoolsv.exe
Loads dropped DLL (8 IoCs)
Processes: 7b369f6b351f70374acda63d26bdaca0_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe
pid | process
848 | 7b369f6b351f70374acda63d26bdaca0_NeikiAnalytics.exe
848 | 7b369f6b351f70374acda63d26bdaca0_NeikiAnalytics.exe
1788 | explorer.exe
1788 | explorer.exe
2608 | spoolsv.exe
2608 | spoolsv.exe
2652 | svchost.exe
2652 | svchost.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: explorer.exe, svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Drops file in Windows directory (6 IoCs)
Processes: 7b369f6b351f70374acda63d26bdaca0_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe
description | ioc | process
File opened for modification | \??\c:\windows\system\explorer.exe | 7b369f6b351f70374acda63d26bdaca0_NeikiAnalytics.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 7b369f6b351f70374acda63d26bdaca0_NeikiAnalytics.exe, explorer.exe, svchost.exe
pid | process
848 | 7b369f6b351f70374acda63d26bdaca0_NeikiAnalytics.exe
1788 | explorer.exe
2652 | svchost.exe
(the entries for 1788 explorer.exe and 2652 svchost.exe repeat for the remaining hits; 64 entries in total)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes: explorer.exe, svchost.exe
pid | process
1788 | explorer.exe
2652 | svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
Processes: 7b369f6b351f70374acda63d26bdaca0_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
pid | process
848 | 7b369f6b351f70374acda63d26bdaca0_NeikiAnalytics.exe
848 | 7b369f6b351f70374acda63d26bdaca0_NeikiAnalytics.exe
1788 | explorer.exe
1788 | explorer.exe
2608 | spoolsv.exe
2608 | spoolsv.exe
2652 | svchost.exe
2652 | svchost.exe
2288 | spoolsv.exe
2288 | spoolsv.exe
1788 | explorer.exe
1788 | explorer.exe
Suspicious use of WriteProcessMemory (28 IoCs)
Processes: 7b369f6b351f70374acda63d26bdaca0_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe
description | pid | process | target process
PID 848 wrote to memory of 1788 | 848 | 7b369f6b351f70374acda63d26bdaca0_NeikiAnalytics.exe | explorer.exe (4 entries)
PID 1788 wrote to memory of 2608 | 1788 | explorer.exe | spoolsv.exe (4 entries)
PID 2608 wrote to memory of 2652 | 2608 | spoolsv.exe | svchost.exe (4 entries)
PID 2652 wrote to memory of 2288 | 2652 | svchost.exe | spoolsv.exe (4 entries)
PID 2652 wrote to memory of 2556 | 2652 | svchost.exe | at.exe (4 entries)
PID 2652 wrote to memory of 1868 | 2652 | svchost.exe | at.exe (4 entries)
PID 2652 wrote to memory of 2292 | 2652 | svchost.exe | at.exe (4 entries)
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\7b369f6b351f70374acda63d26bdaca0_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\7b369f6b351f70374acda63d26bdaca0_NeikiAnalytics.exe"
PID: 848
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

  Level 2: \??\c:\windows\system\explorer.exe
  Command line: c:\windows\system\explorer.exe
  PID: 1788
  - Modifies WinLogon for persistence
  - Modifies visibility of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    Level 3: \??\c:\windows\system\spoolsv.exe
    Command line: c:\windows\system\spoolsv.exe SE
    PID: 2608
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

      Level 4: \??\c:\windows\system\svchost.exe
      Command line: c:\windows\system\svchost.exe
      PID: 2652
      - Modifies WinLogon for persistence
      - Modifies visibility of hidden/system files in Explorer
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        Level 5: \??\c:\windows\system\spoolsv.exe
        Command line: c:\windows\system\spoolsv.exe PR
        PID: 2288
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

        Level 5: C:\Windows\SysWOW64\at.exe
        Command line: at 12:15 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        PID: 2556

        Level 5: C:\Windows\SysWOW64\at.exe
        Command line: at 12:16 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        PID: 1868

        Level 5: C:\Windows\SysWOW64\at.exe
        Command line: at 12:17 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        PID: 2292
Network

MITRE ATT&CK Enterprise v15
Persistence: Boot or Logon Autostart Execution (3): Registry Run Keys / Startup Folder (2), Winlogon Helper DLL (1)
Privilege Escalation: Boot or Logon Autostart Execution (3): Registry Run Keys / Startup Folder (2), Winlogon Helper DLL (1)
Downloads