Analysis
max time kernel: 150s
max time network: 51s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 12:14
Behavioral task behavioral1
Sample: 7b514cbb5d3ab728d0f42524bcee1450_NeikiAnalytics.exe
Resource: win7-20240419-en
Behavioral task behavioral2
Sample: 7b514cbb5d3ab728d0f42524bcee1450_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
The signatures and process tree below come from behavioral2 (the Windows 10 x64 run); every memory dump path is prefixed behavioral2/.
General
Target: 7b514cbb5d3ab728d0f42524bcee1450_NeikiAnalytics.exe
Size: 69KB
MD5: 7b514cbb5d3ab728d0f42524bcee1450
SHA1: 0acafd7ed7db3c0834a4f0a7fc228adb8ed541bf
SHA256: 48407974e0003d9e8654531426efd9860dd89b3c165a45a9516060cc6b029902
SHA512: 2d71bc1329106933f50b15af4a7991336e51d35bdf140fe717b65009f30ce8713bbabe05266b0a0a95e0211233ab1796989248f5ac19981dbfce977cf80858f3
SSDEEP: 1536:EJrFDMRyriCY/qXfatMp4Q2V6fIMxIpLC:0F8dCY85TE6fIMSRC
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Both dropped copies (explorer.exe and svchost.exe) rewrite the Winlogon Shell value to a comma-separated list, so the real shell still starts at logon and the implant in c:\windows\system is launched beside it. The write lands under WOW6432Node because the 32-bit sample is subject to registry redirection; 64-bit winlogon.exe reads the native Winlogon key, so on an x64 image verify whether this entry is actually honoured rather than assuming it.
Processes:
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\Windows\explorer.exe, c:\windows\system\explorer.exe"
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\Windows\explorer.exe, c:\windows\system\explorer.exe"
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
ShowSuperHidden = 0 is the stock setting (Explorer's "Hide protected operating system files" option enabled), so the resulting value is not a useful hunt key on its own; what the signature catches is the write, which keeps files marked hidden+system out of Explorer listings.
Processes:
- explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
- svchost.exe: Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
Active Setup runs each component's StubPath once per user at logon. Neither key name used here is a valid GUID ({Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} and {F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} contain non-hex characters), which makes them easy to spot; svchost.exe deletes and re-creates both keys during the run.
Processes (in report order):
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\Users\Admin\AppData\Roaming\mrsys.exe MR"
- svchost.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\Users\Admin\AppData\Roaming\mrsys.exe MR"
- svchost.exe: Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
- svchost.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\Users\Admin\AppData\Roaming\mrsys.exe MR"
- svchost.exe: Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}
- explorer.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
Executes dropped EXE (4 IoCs)
Processes:
- PID 2368 explorer.exe
- PID 3600 spoolsv.exe
- PID 1912 svchost.exe
- PID 3968 spoolsv.exe
Yara rule upx matched (12 IoCs)
The original sample, four of the dropped binaries and every process memory dump match the upx rule, i.e. the payload is UPX-packed and the dropped copies are not unpacked on disk.
Matches:
- behavioral2/memory/4264-0-0x0000000000400000-0x0000000000434000-memory.dmp
- C:\Windows\System\explorer.exe
- C:\Windows\System\spoolsv.exe
- behavioral2/memory/3600-17-0x0000000000400000-0x0000000000434000-memory.dmp
- C:\Windows\System\svchost.exe
- behavioral2/memory/3968-34-0x0000000000400000-0x0000000000434000-memory.dmp
- behavioral2/memory/3600-38-0x0000000000400000-0x0000000000434000-memory.dmp
- behavioral2/memory/4264-39-0x0000000000400000-0x0000000000434000-memory.dmp
- C:\Users\Admin\AppData\Roaming\mrsys.exe
- behavioral2/memory/1912-42-0x0000000000400000-0x0000000000434000-memory.dmp
- behavioral2/memory/2368-41-0x0000000000400000-0x0000000000434000-memory.dmp
- behavioral2/memory/2368-51-0x0000000000400000-0x0000000000434000-memory.dmp
Adds Run key to start application (2 TTPs, 4 IoCs)
The RunOnce value names (Explorer, Svchost) imitate Windows process names. Each launch path passes a one-word argument to the dropped copy: RO for RunOnce, MR for the Active Setup stub, and SE / PR for the spoolsv.exe launches in the process tree, so the argument records which persistence route started a given copy.
Processes:
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\windows\system\explorer.exe RO"
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\windows\system\svchost.exe RO"
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\windows\system\explorer.exe RO"
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\windows\system\svchost.exe RO"
Drops file in Windows directory (6 IoCs)
The copies take the names of core Windows processes but live in C:\Windows\System (the legacy directory), not C:\Windows\System32. Writing there requires administrative rights, so the sample ran with them in this sandbox; under a standard user account this stage fails.
Processes:
- 7b514cbb5d3ab728d0f42524bcee1450_NeikiAnalytics.exe: File opened for modification \??\c:\windows\system\explorer.exe
- explorer.exe: File opened for modification \??\c:\windows\system\spoolsv.exe
- spoolsv.exe: File opened for modification \??\c:\windows\system\svchost.exe
- explorer.exe: File opened for modification \??\c:\windows\system\explorer.exe
- svchost.exe: File opened for modification \??\c:\windows\system\svchost.exe
- explorer.exe: File opened for modification C:\Windows\system\udsys.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: PID 4264 7b514cbb5d3ab728d0f42524bcee1450_NeikiAnalytics.exe (2 hits), then alternating runs of PID 2368 explorer.exe and PID 1912 svchost.exe for the remaining 62 hits.
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes:
- PID 2368 explorer.exe
- PID 1912 svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
SetWindowsHookEx is the API used to install keyboard and window-message hooks; the report records only the calls, not the hook type.
Processes (in report order):
- PID 4264 7b514cbb5d3ab728d0f42524bcee1450_NeikiAnalytics.exe (2)
- PID 2368 explorer.exe (2)
- PID 3600 spoolsv.exe (2)
- PID 1912 svchost.exe (2)
- PID 3968 spoolsv.exe (2)
- PID 2368 explorer.exe (2)
Suspicious use of WriteProcessMemory (21 IoCs)
Each parent writes into the memory of the child it has just created, three writes per child; the pairs mirror the process tree below.
Processes (source PID -> target PID, 3 writes each):
- 4264 7b514cbb5d3ab728d0f42524bcee1450_NeikiAnalytics.exe -> 2368 explorer.exe
- 2368 explorer.exe -> 3600 spoolsv.exe
- 3600 spoolsv.exe -> 1912 svchost.exe
- 1912 svchost.exe -> 3968 spoolsv.exe
- 1912 svchost.exe -> 1684 at.exe
- 1912 svchost.exe -> 1664 at.exe
- 1912 svchost.exe -> 1908 at.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\7b514cbb5d3ab728d0f42524bcee1450_NeikiAnalytics.exe (PID 4264)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7b514cbb5d3ab728d0f42524bcee1450_NeikiAnalytics.exe"
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] \??\c:\windows\system\explorer.exe (PID 2368)
      Command line: c:\windows\system\explorer.exe
      - Modifies WinLogon for persistence
      - Modifies visibility of hidden/system files in Explorer
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] \??\c:\windows\system\spoolsv.exe (PID 3600)
        Command line: c:\windows\system\spoolsv.exe SE
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [4] \??\c:\windows\system\svchost.exe (PID 1912)
          Command line: c:\windows\system\svchost.exe
          - Modifies WinLogon for persistence
          - Modifies visibility of hidden/system files in Explorer
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
        [5] \??\c:\windows\system\spoolsv.exe (PID 3968)
            Command line: c:\windows\system\spoolsv.exe PR
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [5] C:\Windows\SysWOW64\at.exe (PID 1684)
            Command line: at 12:16 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        [5] C:\Windows\SysWOW64\at.exe (PID 1664)
            Command line: at 12:17 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        [5] C:\Windows\SysWOW64\at.exe (PID 1908)
            Command line: at 12:18 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
The three at.exe invocations try to schedule the dropped svchost.exe every day of the week at three consecutive minutes; at.exe is resolved from SysWOW64 because the 32-bit caller is subject to file system redirection. On Windows 8 and later at.exe is deprecated and refuses to create jobs, so this leg is unlikely to have succeeded on the Windows 10 image, whereas on the behavioral1 Windows 7 image it would produce At1/At2/At3 tasks. The report does not record the at.exe exit status.
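The following hunting script is an added example and is not part of the Triage report or of the sample; it checks a live Windows host for the persistence artefacts recorded above (Winlogon Shell, Active Setup StubPath, Run/RunOnce, the dropped binaries in C:\Windows\System and %APPDATA%\mrsys.exe, and at.exe-style scheduled tasks). The ShowSuperHidden write is deliberately not hunted, since 0 is the default value. Assumptions, not facts from the report: that a clean host's Winlogon Shell is exactly "explorer.exe", that legitimate Active Setup components are named by a GUID (optionally prefixed with ">"), that no executables are expected in C:\Windows\System on Windows 10, and the path patterns used as "suspicious". Run it from an elevated 64-bit PowerShell so both registry views are visible.

```powershell
# Added hunting example (not from the report or the sample). Run elevated in 64-bit PowerShell.
$Findings = [System.Collections.Generic.List[string]]::new()
function Add-Finding([string]$Text) { $Findings.Add($Text) }

# Assumed "suspicious" locations for autorun targets: user-writable dirs plus the legacy
# C:\Windows\System directory the sample drops into.
$SuspiciousPath = '\\Users\\|\\AppData\\|\\ProgramData\\|\\Temp\\|\\Windows\\System\\'

# 1. Winlogon Shell. Assumed stock value is exactly "explorer.exe". The sample rewrites it to
#    "C:\Windows\explorer.exe, c:\windows\system\explorer.exe". The report shows the write under
#    WOW6432Node (32-bit redirection); 64-bit winlogon.exe reads the native key, so check both.
$WinlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
foreach ($Key in $WinlogonKeys) {
    $Shell = (Get-ItemProperty -Path $Key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($Shell -and $Shell -ne 'explorer.exe') {
        Add-Finding "Winlogon Shell tampered: $Key\Shell = '$Shell'"
    }
}

# 2. Active Setup. The sample's keys ({Y479C6D0-OTRW-...}, {F146C9B1-VMVQ-...}) are not valid GUIDs
#    and their StubPath points into AppData. Assumption: real components use a GUID, optionally
#    prefixed with '>' for ordering; anything else is flagged for manual review.
$GuidName = '^>?\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
$ActiveSetupRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components'
)
foreach ($Root in $ActiveSetupRoots) {
    foreach ($Comp in (Get-ChildItem -Path $Root -ErrorAction SilentlyContinue)) {
        $Stub = (Get-ItemProperty -Path $Comp.PSPath -Name StubPath -ErrorAction SilentlyContinue).StubPath
        if ($Comp.PSChildName -notmatch $GuidName) {
            Add-Finding "Active Setup key name is not a GUID (review): $($Comp.PSChildName) StubPath='$Stub'"
        } elseif ($Stub -and $Stub -match $SuspiciousPath) {
            Add-Finding "Active Setup StubPath in suspicious location: $($Comp.PSChildName) -> $Stub"
        }
    }
}

# 3. Run / RunOnce in both registry views. The sample adds RunOnce\Explorer and RunOnce\Svchost
#    pointing into c:\windows\system\. Get-ItemProperty adds PS* note properties; skip those.
$PsNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$RunKeys = foreach ($View in 'SOFTWARE', 'SOFTWARE\WOW6432Node') {
    foreach ($Name in 'Run', 'RunOnce') { "HKLM:\$View\Microsoft\Windows\CurrentVersion\$Name" }
}
foreach ($Key in $RunKeys) {
    $Props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if (-not $Props) { continue }
    foreach ($P in $Props.PSObject.Properties) {
        if ($P.Name -in $PsNoise) { continue }
        if ("$($P.Value)" -match $SuspiciousPath) {
            Add-Finding "Autorun in suspicious location: $Key\$($P.Name) = '$($P.Value)'"
        }
    }
}

# 4. Dropped files. Assumption: no .exe belongs in C:\Windows\System on Windows 10. mrsys.exe is the
#    per-user Active Setup payload, so look in every profile. Hashes can be compared against the
#    Downloads section of the report.
$DropCandidates = @(Get-ChildItem -Path 'C:\Windows\System\*.exe' -ErrorAction SilentlyContinue) +
                  @(Get-ChildItem -Path 'C:\Users\*\AppData\Roaming\mrsys.exe' -ErrorAction SilentlyContinue)
foreach ($F in $DropCandidates) {
    $Hash = (Get-FileHash -Path $F.FullName -Algorithm SHA256).Hash
    Add-Finding "Dropped binary candidate: $($F.FullName) SHA256=$Hash"
}

# 5. Scheduled tasks. at.exe names its jobs At1, At2, ... (Windows 7); on Windows 8+ at.exe is
#    deprecated, so also match any task whose action executes from a suspicious path.
if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($Task in Get-ScheduledTask) {
        $Execs = @($Task.Actions | ForEach-Object { $_.Execute }) -join ' '
        if ($Task.TaskName -match '^At\d+$' -or $Execs -match $SuspiciousPath) {
            Add-Finding "Scheduled task: $($Task.TaskPath)$($Task.TaskName) -> $Execs"
        }
    }
}

# 6. Report.
if ($Findings.Count -eq 0) { 'No persistence artefacts from this report were found.' }
else { $Findings | ForEach-Object { "[!] $_" } }
```

Each finding is reported rather than removed, because the Winlogon Shell and Active Setup entries should be corrected by hand after the dropped binaries are collected; deleting the RunOnce values first would only hide which launch route was active. On Windows 7 the Get-ScheduledTask cmdlet is absent and the script skips step 5; use schtasks /query there.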
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution, T1547 (3)
  - Registry Run Keys / Startup Folder, T1547.001 (2)
  - Winlogon Helper DLL, T1547.004 (1)
Privilege Escalation
- Boot or Logon Autostart Execution, T1547 (3)
  - Registry Run Keys / Startup Folder, T1547.001 (2)
  - Winlogon Helper DLL, T1547.004 (1)
The mapping covers the Run/RunOnce and Winlogon writes only; the Active Setup StubPath entries (T1547.014) and the at.exe job creation (T1053.002) seen in the signatures and process tree are not tagged in this report.
Downloads
Filesize: 69KB
MD5: f12114194affd7d2d4e06bd488eedf72
SHA1: 5b4d5a6f4ad2ae7fd47356d875bb56545cc9fed4
SHA256: 03e2d4cc7d6f9fb9bd9cbd08fddcc3485d9c073f46035df47c27dcf48470b0be
SHA512: 4521d9a86c3d62cd17ee26f389535b3e0889ee23c64819d50584f67d75efb6e2fdef82d9af6c1e937f74474e725767e2c9c9fa207b1b0bfa5a6eb2ed030b216d

Filesize: 70KB
MD5: 7975570d447a288f16dc0ac9bacef5e7
SHA1: adaf4c9505f017cc0918da5878e6caa4a8b8d3b3
SHA256: f04860f646bcfaf7d1c5de16455a3835655624ae2010abc28e71cccf85295cee
SHA512: a0783ea79b4f8655af8f8d0d6c581bec063d75c81df015e991b69dc4ee23017c19216216388e00adc39c141a71dba021d4c2a2ed21947f9f84f71872c227329c

Filesize: 69KB
MD5: 5a3260f5a207d98e73501a17417289e7
SHA1: 52ccac3f760288c9fefa4129de4589c1e756aaae
SHA256: 20465c8a55b6cf786d58d6605e3ea06e9217feb612b41647dd5420ce111f683b
SHA512: eb166f0691b24f1b091eb01c9e4013663e2daf6981d4de35999c31817786aa0b70e90443ecc8dbb45f786ee72ca7bc8cad4a7b6629fe307acd835e800a8fc576

Filesize: 69KB
MD5: 18e4f2da1f72699d3393eef054bc2837
SHA1: e9e7835381999bdbf3aa12c7581258e95cf47148
SHA256: aabe688816f4cb1e74b81ef7d0979932d36b5652ee295918f3c7fa1614925c94
SHA512: 49723782a4e78d0780933bd199b3361c1aefcb32e01df33924a67882d5bca23371cdb5dbe6f3abee2e00f5719ae3fc102ebf066d12d4bb368030e1901ee754f7

Filesize: not recorded (these are the hashes of a 0-byte file)
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
Note that the four non-empty artefacts differ from the submitted sample's hashes and from each other, so hunting on the original SHA256 alone will miss the dropped copies; the on-disk names and registry values above are the more durable indicators.