Analysis
max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 13-06-2024 12:14
Behavioral task: behavioral1
Sample: 7b514cbb5d3ab728d0f42524bcee1450_NeikiAnalytics.exe
Resource: win7-20240419-en
Behavioral task: behavioral2
Sample: 7b514cbb5d3ab728d0f42524bcee1450_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 7b514cbb5d3ab728d0f42524bcee1450_NeikiAnalytics.exe
Size: 69KB
MD5: 7b514cbb5d3ab728d0f42524bcee1450
SHA1: 0acafd7ed7db3c0834a4f0a7fc228adb8ed541bf
SHA256: 48407974e0003d9e8654531426efd9860dd89b3c165a45a9516060cc6b029902
SHA512: 2d71bc1329106933f50b15af4a7991336e51d35bdf140fe717b65009f30ce8713bbabe05266b0a0a95e0211233ab1796989248f5ac19981dbfce977cf80858f3
SSDEEP: 1536:EJrFDMRyriCY/qXfatMp4Q2V6fIMxIpLC:0F8dCY85TE6fIMSRC
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
Processes: svchost.exe, explorer.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Executes dropped EXE (4 IoCs)
Processes: explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
pid | process
2112 | explorer.exe
2616 | spoolsv.exe
2500 | svchost.exe
2584 | spoolsv.exe
Loads dropped DLL (8 IoCs)
Processes: 7b514cbb5d3ab728d0f42524bcee1450_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe
pid | process
1884 | 7b514cbb5d3ab728d0f42524bcee1450_NeikiAnalytics.exe
1884 | 7b514cbb5d3ab728d0f42524bcee1450_NeikiAnalytics.exe
2112 | explorer.exe
2112 | explorer.exe
2616 | spoolsv.exe
2616 | spoolsv.exe
2500 | svchost.exe
2500 | svchost.exe
Processes:
resource | yara_rule
behavioral1/memory/1884-0-0x0000000000400000-0x0000000000434000-memory.dmp | upx
\Windows\system\explorer.exe | upx
behavioral1/memory/2112-16-0x0000000000400000-0x0000000000434000-memory.dmp | upx
\Windows\system\spoolsv.exe | upx
behavioral1/memory/2616-29-0x0000000000400000-0x0000000000434000-memory.dmp | upx
\Windows\system\svchost.exe | upx
behavioral1/memory/2500-45-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/2584-55-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/2616-61-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/1884-59-0x0000000000400000-0x0000000000434000-memory.dmp | upx
C:\Users\Admin\AppData\Roaming\mrsys.exe | upx
behavioral1/memory/2500-64-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/2112-63-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral1/memory/2112-73-0x0000000000400000-0x0000000000434000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: explorer.exe, svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Drops file in Windows directory (6 IoCs)
Processes: 7b514cbb5d3ab728d0f42524bcee1450_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe
description | ioc | process
File opened for modification | \??\c:\windows\system\explorer.exe | 7b514cbb5d3ab728d0f42524bcee1450_NeikiAnalytics.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
7b514cbb5d3ab728d0f42524bcee1450_NeikiAnalytics.exeexplorer.exesvchost.exepid process 1884 7b514cbb5d3ab728d0f42524bcee1450_NeikiAnalytics.exe 2112 explorer.exe 2112 explorer.exe 2112 explorer.exe 2112 explorer.exe 2500 svchost.exe 2500 svchost.exe 2500 svchost.exe 2112 explorer.exe 2500 svchost.exe 2112 explorer.exe 2500 svchost.exe 2112 explorer.exe 2500 svchost.exe 2112 explorer.exe 2112 explorer.exe 2500 svchost.exe 2500 svchost.exe 2112 explorer.exe 2112 explorer.exe 2500 svchost.exe 2112 explorer.exe 2500 svchost.exe 2500 svchost.exe 2112 explorer.exe 2500 svchost.exe 2112 explorer.exe 2500 svchost.exe 2112 explorer.exe 2112 explorer.exe 2500 svchost.exe 2112 explorer.exe 2500 svchost.exe 2112 explorer.exe 2500 svchost.exe 2112 explorer.exe 2500 svchost.exe 2112 explorer.exe 2500 svchost.exe 2112 explorer.exe 2500 svchost.exe 2112 explorer.exe 2500 svchost.exe 2112 explorer.exe 2500 svchost.exe 2112 explorer.exe 2500 svchost.exe 2112 explorer.exe 2500 svchost.exe 2112 explorer.exe 2500 svchost.exe 2500 svchost.exe 2112 explorer.exe 2500 svchost.exe 2112 explorer.exe 2112 explorer.exe 2500 svchost.exe 2112 explorer.exe 2500 svchost.exe 2500 svchost.exe 2112 explorer.exe 2500 svchost.exe 2112 explorer.exe 2500 svchost.exe -
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes: explorer.exe, svchost.exe
pid | process
2112 | explorer.exe
2500 | svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
Processes: 7b514cbb5d3ab728d0f42524bcee1450_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
pid | process
1884 | 7b514cbb5d3ab728d0f42524bcee1450_NeikiAnalytics.exe
1884 | 7b514cbb5d3ab728d0f42524bcee1450_NeikiAnalytics.exe
2112 | explorer.exe
2112 | explorer.exe
2616 | spoolsv.exe
2616 | spoolsv.exe
2500 | svchost.exe
2500 | svchost.exe
2584 | spoolsv.exe
2584 | spoolsv.exe
2112 | explorer.exe
2112 | explorer.exe
Suspicious use of WriteProcessMemory (28 IoCs)
Processes: 7b514cbb5d3ab728d0f42524bcee1450_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe
description | pid | process | target process
PID 1884 wrote to memory of 2112 | 1884 | 7b514cbb5d3ab728d0f42524bcee1450_NeikiAnalytics.exe | explorer.exe
PID 1884 wrote to memory of 2112 | 1884 | 7b514cbb5d3ab728d0f42524bcee1450_NeikiAnalytics.exe | explorer.exe
PID 1884 wrote to memory of 2112 | 1884 | 7b514cbb5d3ab728d0f42524bcee1450_NeikiAnalytics.exe | explorer.exe
PID 1884 wrote to memory of 2112 | 1884 | 7b514cbb5d3ab728d0f42524bcee1450_NeikiAnalytics.exe | explorer.exe
PID 2112 wrote to memory of 2616 | 2112 | explorer.exe | spoolsv.exe
PID 2112 wrote to memory of 2616 | 2112 | explorer.exe | spoolsv.exe
PID 2112 wrote to memory of 2616 | 2112 | explorer.exe | spoolsv.exe
PID 2112 wrote to memory of 2616 | 2112 | explorer.exe | spoolsv.exe
PID 2616 wrote to memory of 2500 | 2616 | spoolsv.exe | svchost.exe
PID 2616 wrote to memory of 2500 | 2616 | spoolsv.exe | svchost.exe
PID 2616 wrote to memory of 2500 | 2616 | spoolsv.exe | svchost.exe
PID 2616 wrote to memory of 2500 | 2616 | spoolsv.exe | svchost.exe
PID 2500 wrote to memory of 2584 | 2500 | svchost.exe | spoolsv.exe
PID 2500 wrote to memory of 2584 | 2500 | svchost.exe | spoolsv.exe
PID 2500 wrote to memory of 2584 | 2500 | svchost.exe | spoolsv.exe
PID 2500 wrote to memory of 2584 | 2500 | svchost.exe | spoolsv.exe
PID 2500 wrote to memory of 2952 | 2500 | svchost.exe | at.exe
PID 2500 wrote to memory of 2952 | 2500 | svchost.exe | at.exe
PID 2500 wrote to memory of 2952 | 2500 | svchost.exe | at.exe
PID 2500 wrote to memory of 2952 | 2500 | svchost.exe | at.exe
PID 2500 wrote to memory of 856 | 2500 | svchost.exe | at.exe
PID 2500 wrote to memory of 856 | 2500 | svchost.exe | at.exe
PID 2500 wrote to memory of 856 | 2500 | svchost.exe | at.exe
PID 2500 wrote to memory of 856 | 2500 | svchost.exe | at.exe
PID 2500 wrote to memory of 564 | 2500 | svchost.exe | at.exe
PID 2500 wrote to memory of 564 | 2500 | svchost.exe | at.exe
PID 2500 wrote to memory of 564 | 2500 | svchost.exe | at.exe
PID 2500 wrote to memory of 564 | 2500 | svchost.exe | at.exe
Processes
depth 1: C:\Users\Admin\AppData\Local\Temp\7b514cbb5d3ab728d0f42524bcee1450_NeikiAnalytics.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\7b514cbb5d3ab728d0f42524bcee1450_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1884
  depth 2: \??\c:\windows\system\explorer.exe
    command line: c:\windows\system\explorer.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2112
    depth 3: \??\c:\windows\system\spoolsv.exe
      command line: c:\windows\system\spoolsv.exe SE
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2616
      depth 4: \??\c:\windows\system\svchost.exe
        command line: c:\windows\system\svchost.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 2500
        depth 5: \??\c:\windows\system\spoolsv.exe
          command line: c:\windows\system\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
          PID: 2584
        depth 5: C:\Windows\SysWOW64\at.exe
          command line: at 12:16 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 2952
        depth 5: C:\Windows\SysWOW64\at.exe
          command line: at 12:17 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 856
        depth 5: C:\Windows\SysWOW64\at.exe
          command line: at 12:18 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 564
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads