Analysis
- max time kernel: 150s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 13-06-2024 12:16
Static task: static1
Behavioral task: behavioral1
- Sample: 7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: 7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe
- Resource: win10v2004-20240611-en
General
- Target: 7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe
- Size: 3.6MB
- MD5: 7b7c9655d9ff06f48b0371dd2aa23430
- SHA1: 0c30bffeebaaa53ccb198d4b6089ef89da198e2d
- SHA256: 51f9aef5eaa835383a5798e92ef00a323580b466e50a916822c4f74c5ffdef15
- SHA512: 275e2d907647d7f3ad47e14c8f9a475927a1c6a7af647b392aef2af87cde329d2168525430730a38c52cba3ef32b266483916582b812f6d777b6c3677f8edc2f
- SSDEEP: 98304:ddByXcdnlLwOrI5Vfeg91hZOhkRpsinjR:ddien+OrFuBR6cR
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (svchost.exe)
-
Executes dropped EXE (4 IoCs)
Processes (pid, image):
- 2388 explorer.exe
- 2744 spoolsv.exe
- 2808 svchost.exe
- 2884 spoolsv.exe
-
Loads dropped DLL (4 IoCs)
Processes (pid, image):
- 1412 7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe
- 2388 explorer.exe
- 2744 spoolsv.exe
- 2808 svchost.exe
-
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: explorer.exe, svchost.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (svchost.exe)
-
Drops file in System32 directory (2 IoCs)
Processes: explorer.exe, svchost.exe
- File opened for modification: C:\Windows\SysWOW64\explorer.exe (explorer.exe)
- File opened for modification: C:\Windows\SysWOW64\explorer.exe (svchost.exe)
-
Suspicious use of NtSetInformationThreadHideFromDebugger (34 IoCs)
Processes (pid, image): 1412 7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe, 2388 explorer.exe, 2744 spoolsv.exe, 2808 svchost.exe, 2884 spoolsv.exe. Of the 34 calls, 1412, 2744 and 2884 make one each; the rest alternate between 2388 explorer.exe and 2808 svchost.exe.
-
Drops file in Windows directory (4 IoCs)
Processes: explorer.exe, spoolsv.exe, 7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe
- File opened for modification: \??\c:\windows\resources\spoolsv.exe (explorer.exe)
- File opened for modification: \??\c:\windows\resources\svchost.exe (spoolsv.exe)
- File opened for modification: C:\Windows\Resources\tjud.exe (explorer.exe)
- File opened for modification: \??\c:\windows\resources\themes\explorer.exe (7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe)
-
Creates scheduled task(s) (1 TTP, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution. All three invocations here create a task with the same name ("svchost") running c:\windows\resources\svchost.exe on a daily trigger; since each passes /f, every call overwrites the previous task of that name, so only the last trigger time (12:21) remains registered.
Processes (pid, image):
- 2552 schtasks.exe
- 1508 schtasks.exe
- 784 schtasks.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid, image): 1412 7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe, 2388 explorer.exe, 2808 svchost.exe. The 64 calls are repeated enumerations from these three processes.
-
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes (pid, image):
- 2388 explorer.exe
- 2808 svchost.exe
-
Suspicious use of SetWindowsHookEx (15 IoCs)
Processes (pid, image), three calls from each:
- 1412 7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe
- 2388 explorer.exe
- 2744 spoolsv.exe
- 2808 svchost.exe
- 2884 spoolsv.exe
-
Suspicious use of WriteProcessMemory (32 IoCs)
Processes: 7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe
Each parent-to-child write below is recorded four times:
- PID 1412 (7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe) wrote to memory of 2388 (explorer.exe)
- PID 2388 (explorer.exe) wrote to memory of 2744 (spoolsv.exe)
- PID 2744 (spoolsv.exe) wrote to memory of 2808 (svchost.exe)
- PID 2808 (svchost.exe) wrote to memory of 2884 (spoolsv.exe)
- PID 2388 (explorer.exe) wrote to memory of 2656 (Explorer.exe)
- PID 2808 (svchost.exe) wrote to memory of 2552 (schtasks.exe)
- PID 2808 (svchost.exe) wrote to memory of 1508 (schtasks.exe)
- PID 2808 (svchost.exe) wrote to memory of 784 (schtasks.exe)
Processes
-
C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe (PID 1412, depth 1)
command line: "C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe"
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
  \??\c:\windows\resources\themes\explorer.exe (PID 2388, depth 2, child of 1412)
  command line: c:\windows\resources\themes\explorer.exe
  - Modifies visibility of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    \??\c:\windows\resources\spoolsv.exe (PID 2744, depth 3, child of 2388)
    command line: c:\windows\resources\spoolsv.exe SE
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
      \??\c:\windows\resources\svchost.exe (PID 2808, depth 4, child of 2744)
      command line: c:\windows\resources\svchost.exe
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in System32 directory
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
        \??\c:\windows\resources\spoolsv.exe (PID 2884, depth 5, child of 2808)
        command line: c:\windows\resources\spoolsv.exe PR
        - Executes dropped EXE
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\schtasks.exe (PID 2552, depth 5, child of 2808)
        command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 12:19 /f
        - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe (PID 1508, depth 5, child of 2808)
        command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 12:20 /f
        - Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe (PID 784, depth 5, child of 2808)
        command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 12:21 /f
        - Creates scheduled task(s)
    C:\Windows\Explorer.exe (PID 2656, depth 3, child of 2388)
    command line: C:\Windows\Explorer.exe
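What a detection would key on in the tree above is not the PIDs but the pattern: copies named explorer.exe, spoolsv.exe and svchost.exe launched from c:\windows\resources rather than their Windows home directories, and a scheduled task named "svchost" created three times with /tr pointing at one of those copies. The following is an added example, not code from the sandbox or from the report: it encodes those checks over process-creation records constructed by hand from the tree above. The record fields (pid, ppid, image, cmdline) and the home-directory table are assumptions for this example, not any vendor's log schema.

```python
"""Triage checks for the persistence chain shown in the process tree.

Added example, not part of the sandbox report. EVENTS is constructed from the
report's process tree; its field names are an assumption, not a log schema.
"""
import ntpath
import shlex
from collections import Counter

# Windows-shipped binaries and the directories they legitimately run from
# (assumed for this example). One of these names launched from anywhere else
# is masquerading (ATT&CK T1036.005).
SYSTEM_BINARIES = {
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "schtasks.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

# Constructed from the report's process tree (not a real log export).
EVENTS = [
    {"pid": 1412, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe"'},
    {"pid": 2388, "ppid": 1412, "image": r"\??\c:\windows\resources\themes\explorer.exe",
     "cmdline": r"c:\windows\resources\themes\explorer.exe"},
    {"pid": 2744, "ppid": 2388, "image": r"\??\c:\windows\resources\spoolsv.exe",
     "cmdline": r"c:\windows\resources\spoolsv.exe SE"},
    {"pid": 2808, "ppid": 2744, "image": r"\??\c:\windows\resources\svchost.exe",
     "cmdline": r"c:\windows\resources\svchost.exe"},
    {"pid": 2884, "ppid": 2808, "image": r"\??\c:\windows\resources\spoolsv.exe",
     "cmdline": r"c:\windows\resources\spoolsv.exe PR"},
    {"pid": 2552, "ppid": 2808, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 12:19 /f'},
    {"pid": 1508, "ppid": 2808, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 12:20 /f'},
    {"pid": 784, "ppid": 2808, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 12:21 /f'},
    {"pid": 2656, "ppid": 2388, "image": r"C:\Windows\Explorer.exe",
     "cmdline": r"C:\Windows\Explorer.exe"},
]


def normalize(path):
    """Lower-case a Windows path and drop surrounding quotes and the \\??\\ NT prefix."""
    p = path.strip().strip('"').lower()
    return p[4:] if p.startswith("\\??\\") else p


def masquerade_reason(path):
    """Reason string if `path` carries a system-binary name outside its home dirs, else None."""
    p = normalize(path)
    name = ntpath.basename(p)
    homes = SYSTEM_BINARIES.get(name)
    if homes is None or ntpath.dirname(p) in homes:
        return None
    return f"{name} running from {ntpath.dirname(p)}"


def parse_schtasks(cmdline):
    """Parse 'schtasks /flag value ...' into {flag: value}; None if it is not schtasks."""
    tokens = shlex.split(cmdline, posix=False)  # keeps quotes, leaves backslashes alone
    if not tokens or ntpath.basename(normalize(tokens[0])) not in ("schtasks", "schtasks.exe"):
        return None
    args, i = {}, 1
    while i < len(tokens):
        if tokens[i].startswith("/"):
            key = tokens[i][1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                args[key] = tokens[i + 1].strip('"')  # flag with a value, e.g. /tr "..."
                i += 2
                continue
            args[key] = True  # bare switch, e.g. /create or /f
        i += 1
    return args


def analyze(events):
    """Run the masquerade and scheduled-task checks; return a list of finding dicts."""
    findings = []
    created = Counter()  # (creator pid, task name) -> number of /create calls
    for ev in events:
        why = masquerade_reason(ev["image"])
        if why:
            findings.append({"pid": ev["pid"], "rule": "masquerade", "detail": why})
        args = parse_schtasks(ev["cmdline"])
        if not args or "create" not in args:
            continue
        task = str(args.get("tn", "")).lower()
        if task + ".exe" in SYSTEM_BINARIES:
            findings.append({"pid": ev["pid"], "rule": "task_named_like_system_binary",
                             "detail": f"task name {task!r}"})
        why = masquerade_reason(str(args.get("tr", "")))
        if why:
            findings.append({"pid": ev["pid"], "rule": "task_runs_masquerade",
                             "detail": f"/tr {why}"})
        created[(ev["ppid"], task)] += 1
    # Same task (re)created more than once by one parent, as the report shows with /f.
    for (ppid, task), n in created.items():
        if n > 1:
            findings.append({"pid": ppid, "rule": "task_recreated",
                             "detail": f"{task!r} created {n} times by pid {ppid}"})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"pid {f['pid']:>5}  {f['rule']:<32} {f['detail']}")
```

The legitimate C:\Windows\Explorer.exe (PID 2656) and the SysWOW64 schtasks.exe images pass the path check, so the findings are only the four dropped copies, the three schtasks calls (flagged twice each: task name and /tr target) and one aggregate entry for the repeated creation.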
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Downloads
-
- Filesize: 3.6MB
- MD5: 161840c49e7a644eaa140dba14d279eb
- SHA1: 11ed7885798b1c9f95938f39fdc6fc5e381357b5
- SHA256: a1034e0fbd689764f86e6ac7522a8e412f24f0377069d18cc95f1d33599e032d
- SHA512: d7b2b3682bbf2b96359e5387c7dd701ab304386d57e043b3c0a4df9048b903eb87007a581c9278da49b26a85e24667abfd4fddc64547c113aedcc3ec87eef1b7
-
- Filesize: 3.6MB
- MD5: 381bf0e1c622b9103bc00cea654d9aee
- SHA1: 82d8a2e98886b1027f062ded9bf1e35163eb38b9
- SHA256: 95c496d9c0e39961ad14e543984e887c21b712f81a74ec4ce895da4be60ade63
- SHA512: a9bf4732f13dcb28cf0108fd7dd74e9a0764d260098ac94c2bedb5557429cb4fac8ba4c6ada0c896ccf54a8f67d553400e34b4d0b0f409d3535abd0eac724636
-
- Filesize: 3.6MB
- MD5: 525892f7d55b447e3ff1ef58e78d3e73
- SHA1: 31f7382d35e8b1049c819f0d31b6630c953a48f4
- SHA256: 26618760f71407b71c0b9acc3cdd55e804de1c868320ad33c4d8d3a53ae5f158
- SHA512: 9871970542cc124eb33773ca9b484fc3db6832006441ed36227c51b8a8816b0cde61f6fb89abf39f2ed29a861266fa00258c289ac0aa0424b546c528ced6eac2