Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 12:16
Static task: static1
Behavioral task: behavioral1
  Sample: 7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe
  Resource: win10v2004-20240611-en
General
Target: 7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe
Size: 3.6MB
MD5: 7b7c9655d9ff06f48b0371dd2aa23430
SHA1: 0c30bffeebaaa53ccb198d4b6089ef89da198e2d
SHA256: 51f9aef5eaa835383a5798e92ef00a323580b466e50a916822c4f74c5ffdef15
SHA512: 275e2d907647d7f3ad47e14c8f9a475927a1c6a7af647b392aef2af87cde329d2168525430730a38c52cba3ef32b266483916582b812f6d777b6c3677f8edc2f
SSDEEP: 98304:ddByXcdnlLwOrI5Vfeg91hZOhkRpsinjR:ddien+OrFuBR6cR
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Executes dropped EXE (4 IoCs)
Processes: explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
pid | process
2984 | explorer.exe
4860 | spoolsv.exe
2064 | svchost.exe
3188 | spoolsv.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: svchost.exe, explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
Drops file in System32 directory (2 IoCs)
Processes: explorer.exe, svchost.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (35 IoCs)
Processes: 7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
pid | process | hits
4788 | 7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe | 1
2984 | explorer.exe | 16
4860 | spoolsv.exe | 1
2064 | svchost.exe | 16
3188 | spoolsv.exe | 1
Drops file in Windows directory (4 IoCs)
Processes: explorer.exe, 7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe, spoolsv.exe
description | ioc | process
File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe
File opened for modification | \??\c:\windows\resources\themes\explorer.exe | 7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe
File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs; repeated hits collapsed)
Processes: 7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe, explorer.exe
pid | process
4788 | 7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe
2984 | explorer.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes: explorer.exe, svchost.exe
pid | process
2984 | explorer.exe
2064 | svchost.exe
Suspicious use of SetWindowsHookEx (15 IoCs)
Processes: 7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
pid | process | hits
4788 | 7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe | 3
2984 | explorer.exe | 3
4860 | spoolsv.exe | 3
2064 | svchost.exe | 3
3188 | spoolsv.exe | 3
Suspicious use of WriteProcessMemory (12 IoCs; each relation recorded 3 times)
Processes: 7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe
description | pid | process | target process
PID 4788 wrote to memory of 2984 | 4788 | 7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe | explorer.exe
PID 2984 wrote to memory of 4860 | 2984 | explorer.exe | spoolsv.exe
PID 4860 wrote to memory of 2064 | 4860 | spoolsv.exe | svchost.exe
PID 2064 wrote to memory of 3188 | 2064 | svchost.exe | spoolsv.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe (PID 4788)
   Command line: "C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe"
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. \??\c:\windows\resources\themes\explorer.exe (PID 2984, child of 4788)
      Command line: c:\windows\resources\themes\explorer.exe
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. \??\c:\windows\resources\spoolsv.exe (PID 4860, child of 2984)
         Command line: c:\windows\resources\spoolsv.exe SE
         - Executes dropped EXE
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - Drops file in Windows directory
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. \??\c:\windows\resources\svchost.exe (PID 2064, child of 4860)
            Command line: c:\windows\resources\svchost.exe
            - Modifies visibility of hidden/system files in Explorer
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in System32 directory
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            5. \??\c:\windows\resources\spoolsv.exe (PID 3188, child of 2064)
               Command line: c:\windows\resources\spoolsv.exe PR
               - Executes dropped EXE
               - Suspicious use of NtSetInformationThreadHideFromDebugger
               - Suspicious use of SetWindowsHookEx
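The signatures and process tree above describe three things worth turning into host or SIEM detections: well-known system binary names (explorer.exe, spoolsv.exe, svchost.exe) running from c:\windows\resources, RunOnce values that point at those copies, and ShowSuperHidden being set to 0 so the dropped files stay hidden. The script below is an added example written for this page, not code from the sandbox or from the sample's author: it encodes those checks and runs them over a constructed event stream that mirrors the report's chain 4788 -> 2984 -> 4860 -> 2064 plus two benign controls. The event schema, the benign events and the pairing of one of the three dropped-file hashes with the dropped explorer.exe are assumptions; the page does not say which hash belongs to which file.

```python
import ntpath
import re

# SHA-256 values listed on this page: the submitted sample and the three dropped files.
KNOWN_SHA256 = {
    "51f9aef5eaa835383a5798e92ef00a323580b466e50a916822c4f74c5ffdef15",
    "5baa9eb7ed86e821f4ebae3c9313fdaa3d48f3177c7cd5b56e8c32d38c56634d",
    "80baa4a60875fd8ce08c28068fd9480f06d4bf0a257a748b9d0a1898b842dfb0",
    "cdef8d7248e3eaa8dbade68eecd85cbacb56a4c973565125298dd9f70a5d4ce8",
}
# System binary names the sample borrows, and the only directories they legitimately live in.
BORROWED_NAMES = {"explorer.exe", "svchost.exe", "spoolsv.exe"}
LEGIT_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?$", re.I)
ADVANCED_KEY_RE = re.compile(r"\\explorer\\advanced$", re.I)


def normalize(path: str) -> str:
    """Lower-case a Windows path and drop the \\??\\ NT prefix that appears in the report."""
    path = path.strip().strip('"').lower()
    return path[4:] if path.startswith("\\??\\") else path


def image_from_command(cmd: str) -> str:
    """Program part of a command line: the quoted token, or everything before the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def is_masquerading(image: str) -> bool:
    """True when a borrowed system binary name runs from a directory it never ships in."""
    head, tail = ntpath.split(normalize(image))
    return tail in BORROWED_NAMES and head not in LEGIT_DIRS


def check_process(ev: dict, by_pid: dict) -> list:
    image = normalize(ev["image"])
    if not is_masquerading(image):
        return []
    parent = by_pid.get(ev.get("ppid"))
    pname = ntpath.basename(normalize(parent["image"])) if parent else "?"
    return [f"pid {ev['pid']}: {image} started by {pname} (masquerading path)"]


def check_registry(ev: dict) -> list:
    alerts = []
    key, value, data = ev["key"], ev["value"], ev["data"]
    # Run/RunOnce value whose program is a masqueraded binary; the trailing "RO" argument
    # seen in the report is stripped by image_from_command.
    if RUN_KEY_RE.search(key) and isinstance(data, str):
        target = image_from_command(data)
        if is_masquerading(target):
            alerts.append(f"pid {ev['pid']}: autorun {value} -> {normalize(target)}")
    # ShowSuperHidden = 0 re-hides protected OS files in Explorer, covering the dropped copies.
    if ADVANCED_KEY_RE.search(key) and value.lower() == "showsuperhidden" and data == 0:
        alerts.append(f"pid {ev['pid']}: ShowSuperHidden disabled")
    return alerts


def check_file(ev: dict) -> list:
    alerts = []
    path, writer = normalize(ev["path"]), normalize(ev["image"])
    if ev.get("sha256") in KNOWN_SHA256:
        alerts.append(f"pid {ev['pid']}: known hash written to {path}")
    head, tail = ntpath.split(path)
    # A genuine system binary opened for modification by something other than Windows itself
    # (a real deployment needs an allow-list for Windows servicing).
    if tail in BORROWED_NAMES and head in LEGIT_DIRS and (
        is_masquerading(writer) or not writer.startswith("c:\\windows\\")
    ):
        alerts.append(f"pid {ev['pid']}: system binary {path} opened for modification")
    return alerts


def detect(events: list) -> list:
    """Run every check over a chronological event list; returns the alert strings."""
    by_pid, alerts = {}, []
    for ev in events:
        if ev["type"] == "process":
            by_pid[ev["pid"]] = ev
            alerts += check_process(ev, by_pid)
        elif ev["type"] == "registry":
            alerts += check_registry(ev)
        elif ev["type"] == "file":
            alerts += check_file(ev)
    return alerts


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe"
DROPPED_EXPLORER = r"\??\c:\windows\resources\themes\explorer.exe"
# Constructed events mirroring the report, plus a real spooler and a normal Run value as controls.
# The hash on the dropped explorer.exe is an assumed pairing (the page lists three hashes unnamed).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4788, "ppid": 1, "image": SAMPLE},
    {"type": "file", "pid": 4788, "image": SAMPLE, "path": DROPPED_EXPLORER,
     "sha256": "5baa9eb7ed86e821f4ebae3c9313fdaa3d48f3177c7cd5b56e8c32d38c56634d"},
    {"type": "process", "pid": 2984, "ppid": 4788, "image": DROPPED_EXPLORER},
    {"type": "registry", "pid": 2984, "value": "Explorer",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce",
     "data": r"c:\windows\resources\themes\explorer.exe RO"},
    {"type": "registry", "pid": 2984, "value": "ShowSuperHidden", "data": 0,
     "key": r"\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"},
    {"type": "file", "pid": 2984, "image": DROPPED_EXPLORER,
     "path": r"C:\Windows\SysWOW64\explorer.exe", "sha256": None},
    {"type": "process", "pid": 4860, "ppid": 2984, "image": r"\??\c:\windows\resources\spoolsv.exe"},
    {"type": "process", "pid": 2064, "ppid": 4860, "image": r"\??\c:\windows\resources\svchost.exe"},
    {"type": "process", "pid": 1880, "ppid": 700, "image": r"C:\Windows\System32\spoolsv.exe"},
    {"type": "registry", "pid": 900, "value": "OneDrive",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "data": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    print("\n".join(detect(SAMPLE_EVENTS)))
```

Run stand-alone it reports seven alerts for the malicious chain (the known-hash drop, the three masqueraded children with their parents, the RunOnce value, ShowSuperHidden = 0 and the write to C:\Windows\SysWOW64\explorer.exe) and nothing for the two controls. The same three checks map directly onto Sysmon process-create, file-create and registry-value-set events; the masquerading check is the most durable of the three, since the sample's RunOnce names and argument strings are trivially changed while a copy of explorer.exe outside C:\Windows is always wrong.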
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.6MB
MD5: e4719bf14fa49819c2a41e14e68c357d
SHA1: 9f6f6cfd537b7e82552f5de8d9b667f823eedfe7
SHA256: 5baa9eb7ed86e821f4ebae3c9313fdaa3d48f3177c7cd5b56e8c32d38c56634d
SHA512: 62f602e30c95ac998c98b91f2d703daa6cbe73399caf77af6ab75d8db8f0b07be5502ef4fdd692040a8c87a74783bc0f8c89195d8a641693ab54f353eaf2ac9a

Filesize: 3.6MB
MD5: 4c8669ca467c3f5e7da0bd3573f71cda
SHA1: c73888373976f81f873055ab7fc4e65cc3ccd28b
SHA256: 80baa4a60875fd8ce08c28068fd9480f06d4bf0a257a748b9d0a1898b842dfb0
SHA512: a2be5bdefddd47c94ce8ef917a534bdaf11f6ae7b5bfae53850b5995463e489176ece3346ba8168981adb2aed1f8b68834d4c98c516d7a21ec6d53a5a5cd2d6f

Filesize: 3.6MB
MD5: 8b018940ea2b39eec68d691030ec9a79
SHA1: fc65ba91781f46f660504ad60978e14d3fb83518
SHA256: cdef8d7248e3eaa8dbade68eecd85cbacb56a4c973565125298dd9f70a5d4ce8
SHA512: fc4c46cd690064c5aeb00a4f49d1de286e86668b417712a4028ef00b0c968d0248132696e28215b322d9e7d38ae46cd7ae378071d28b31492b011178531adcea