Malware Analysis Report

2024-10-19 09:41

Sample ID 240613-pfzjpaybjc
Target 7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe
SHA256 51f9aef5eaa835383a5798e92ef00a323580b466e50a916822c4f74c5ffdef15
Tags
evasion persistence
score
10/10

Analysis Overview

score
10/10

SHA256

51f9aef5eaa835383a5798e92ef00a323580b466e50a916822c4f74c5ffdef15

Threat Level: Known bad

The file 7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of hidden/system files in Explorer

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 12:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 12:16

Reported

2024-06-13 12:19

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\themes\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\svchost.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\svchost.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\themes\explorer.exe | N/A
File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\svchost.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\spoolsv.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\spoolsv.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Resources\tjud.exe | \??\c:\windows\resources\themes\explorer.exe | N/A
File opened for modification | \??\c:\windows\resources\themes\explorer.exe | C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\themes\explorer.exe | N/A
File opened for modification | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4788 wrote to memory of 2984 | N/A | C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe | \??\c:\windows\resources\themes\explorer.exe
PID 4788 wrote to memory of 2984 | N/A | C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe | \??\c:\windows\resources\themes\explorer.exe
PID 4788 wrote to memory of 2984 | N/A | C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe | \??\c:\windows\resources\themes\explorer.exe
PID 2984 wrote to memory of 4860 | N/A | \??\c:\windows\resources\themes\explorer.exe | \??\c:\windows\resources\spoolsv.exe
PID 2984 wrote to memory of 4860 | N/A | \??\c:\windows\resources\themes\explorer.exe | \??\c:\windows\resources\spoolsv.exe
PID 2984 wrote to memory of 4860 | N/A | \??\c:\windows\resources\themes\explorer.exe | \??\c:\windows\resources\spoolsv.exe
PID 4860 wrote to memory of 2064 | N/A | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\svchost.exe
PID 4860 wrote to memory of 2064 | N/A | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\svchost.exe
PID 4860 wrote to memory of 2064 | N/A | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\svchost.exe
PID 2064 wrote to memory of 3188 | N/A | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe
PID 2064 wrote to memory of 3188 | N/A | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe
PID 2064 wrote to memory of 3188 | N/A | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.218:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 218.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

memory/4788-0-0x0000000000400000-0x0000000000784000-memory.dmp

memory/4788-2-0x0000000077473000-0x0000000077474000-memory.dmp

memory/4788-1-0x0000000077472000-0x0000000077473000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 e4719bf14fa49819c2a41e14e68c357d
SHA1 9f6f6cfd537b7e82552f5de8d9b667f823eedfe7
SHA256 5baa9eb7ed86e821f4ebae3c9313fdaa3d48f3177c7cd5b56e8c32d38c56634d
SHA512 62f602e30c95ac998c98b91f2d703daa6cbe73399caf77af6ab75d8db8f0b07be5502ef4fdd692040a8c87a74783bc0f8c89195d8a641693ab54f353eaf2ac9a

C:\Windows\Resources\spoolsv.exe

MD5 4c8669ca467c3f5e7da0bd3573f71cda
SHA1 c73888373976f81f873055ab7fc4e65cc3ccd28b
SHA256 80baa4a60875fd8ce08c28068fd9480f06d4bf0a257a748b9d0a1898b842dfb0
SHA512 a2be5bdefddd47c94ce8ef917a534bdaf11f6ae7b5bfae53850b5995463e489176ece3346ba8168981adb2aed1f8b68834d4c98c516d7a21ec6d53a5a5cd2d6f

memory/4860-19-0x0000000000400000-0x0000000000784000-memory.dmp

C:\Windows\Resources\svchost.exe

MD5 8b018940ea2b39eec68d691030ec9a79
SHA1 fc65ba91781f46f660504ad60978e14d3fb83518
SHA256 cdef8d7248e3eaa8dbade68eecd85cbacb56a4c973565125298dd9f70a5d4ce8
SHA512 fc4c46cd690064c5aeb00a4f49d1de286e86668b417712a4028ef00b0c968d0248132696e28215b322d9e7d38ae46cd7ae378071d28b31492b011178531adcea

memory/3188-32-0x0000000000400000-0x0000000000784000-memory.dmp

memory/3188-37-0x0000000000400000-0x0000000000784000-memory.dmp

memory/4860-40-0x0000000000400000-0x0000000000784000-memory.dmp

memory/4788-41-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2984-42-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2064-43-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2984-44-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2984-45-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2064-46-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2064-47-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2984-48-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2064-49-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2064-51-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2984-50-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2984-52-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2064-53-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2984-54-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2064-55-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2984-56-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2064-57-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2984-58-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2064-59-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2984-60-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2064-61-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2984-62-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2064-63-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2984-64-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2064-65-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2064-67-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2984-66-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2984-68-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2064-69-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2984-70-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2064-71-0x0000000000400000-0x0000000000784000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 12:16

Reported

2024-06-13 12:19

Platform

win7-20240611-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\themes\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\svchost.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\svchost.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\themes\explorer.exe | N/A
File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\svchost.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\spoolsv.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\spoolsv.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\themes\explorer.exe | N/A
File opened for modification | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe | N/A
File opened for modification | C:\Windows\Resources\tjud.exe | \??\c:\windows\resources\themes\explorer.exe | N/A
File opened for modification | \??\c:\windows\resources\themes\explorer.exe | C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe | N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1412 wrote to memory of 2388 | N/A | C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe | \??\c:\windows\resources\themes\explorer.exe
PID 1412 wrote to memory of 2388 | N/A | C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe | \??\c:\windows\resources\themes\explorer.exe
PID 1412 wrote to memory of 2388 | N/A | C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe | \??\c:\windows\resources\themes\explorer.exe
PID 1412 wrote to memory of 2388 | N/A | C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe | \??\c:\windows\resources\themes\explorer.exe
PID 2388 wrote to memory of 2744 | N/A | \??\c:\windows\resources\themes\explorer.exe | \??\c:\windows\resources\spoolsv.exe
PID 2388 wrote to memory of 2744 | N/A | \??\c:\windows\resources\themes\explorer.exe | \??\c:\windows\resources\spoolsv.exe
PID 2388 wrote to memory of 2744 | N/A | \??\c:\windows\resources\themes\explorer.exe | \??\c:\windows\resources\spoolsv.exe
PID 2388 wrote to memory of 2744 | N/A | \??\c:\windows\resources\themes\explorer.exe | \??\c:\windows\resources\spoolsv.exe
PID 2744 wrote to memory of 2808 | N/A | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\svchost.exe
PID 2744 wrote to memory of 2808 | N/A | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\svchost.exe
PID 2744 wrote to memory of 2808 | N/A | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\svchost.exe
PID 2744 wrote to memory of 2808 | N/A | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\svchost.exe
PID 2808 wrote to memory of 2884 | N/A | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe
PID 2808 wrote to memory of 2884 | N/A | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe
PID 2808 wrote to memory of 2884 | N/A | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe
PID 2808 wrote to memory of 2884 | N/A | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe
PID 2388 wrote to memory of 2656 | N/A | \??\c:\windows\resources\themes\explorer.exe | C:\Windows\Explorer.exe
PID 2388 wrote to memory of 2656 | N/A | \??\c:\windows\resources\themes\explorer.exe | C:\Windows\Explorer.exe
PID 2388 wrote to memory of 2656 | N/A | \??\c:\windows\resources\themes\explorer.exe | C:\Windows\Explorer.exe
PID 2388 wrote to memory of 2656 | N/A | \??\c:\windows\resources\themes\explorer.exe | C:\Windows\Explorer.exe
PID 2808 wrote to memory of 2552 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2808 wrote to memory of 2552 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2808 wrote to memory of 2552 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2808 wrote to memory of 2552 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2808 wrote to memory of 1508 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2808 wrote to memory of 1508 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2808 wrote to memory of 1508 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2808 wrote to memory of 1508 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2808 wrote to memory of 784 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2808 wrote to memory of 784 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2808 wrote to memory of 784 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2808 wrote to memory of 784 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\7b7c9655d9ff06f48b0371dd2aa23430_NeikiAnalytics.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 12:19 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 12:20 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 12:21 /f

Network

N/A

Files

memory/1412-0-0x0000000000400000-0x0000000000784000-memory.dmp

memory/1412-1-0x0000000077830000-0x0000000077831000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 161840c49e7a644eaa140dba14d279eb
SHA1 11ed7885798b1c9f95938f39fdc6fc5e381357b5
SHA256 a1034e0fbd689764f86e6ac7522a8e412f24f0377069d18cc95f1d33599e032d
SHA512 d7b2b3682bbf2b96359e5387c7dd701ab304386d57e043b3c0a4df9048b903eb87007a581c9278da49b26a85e24667abfd4fddc64547c113aedcc3ec87eef1b7

memory/2388-11-0x0000000000400000-0x0000000000784000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 381bf0e1c622b9103bc00cea654d9aee
SHA1 82d8a2e98886b1027f062ded9bf1e35163eb38b9
SHA256 95c496d9c0e39961ad14e543984e887c21b712f81a74ec4ce895da4be60ade63
SHA512 a9bf4732f13dcb28cf0108fd7dd74e9a0764d260098ac94c2bedb5557429cb4fac8ba4c6ada0c896ccf54a8f67d553400e34b4d0b0f409d3535abd0eac724636

memory/2744-22-0x0000000000400000-0x0000000000784000-memory.dmp

\Windows\Resources\svchost.exe

MD5 525892f7d55b447e3ff1ef58e78d3e73
SHA1 31f7382d35e8b1049c819f0d31b6630c953a48f4
SHA256 26618760f71407b71c0b9acc3cdd55e804de1c868320ad33c4d8d3a53ae5f158
SHA512 9871970542cc124eb33773ca9b484fc3db6832006441ed36227c51b8a8816b0cde61f6fb89abf39f2ed29a861266fa00258c289ac0aa0424b546c528ced6eac2

memory/2744-33-0x0000000003730000-0x0000000003AB4000-memory.dmp

memory/2808-39-0x0000000003820000-0x0000000003BA4000-memory.dmp

memory/2884-41-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2884-45-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2744-47-0x0000000000400000-0x0000000000784000-memory.dmp

memory/1412-49-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2388-50-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2388-51-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2808-52-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2388-53-0x0000000003910000-0x0000000003C94000-memory.dmp

memory/2808-54-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2388-55-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2808-57-0x0000000003820000-0x0000000003BA4000-memory.dmp

memory/2808-59-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2388-58-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2388-60-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2808-61-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2388-62-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2808-63-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2388-64-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2808-65-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2388-66-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2808-67-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2388-68-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2808-69-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2388-70-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2388-72-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2808-73-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2388-74-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2808-75-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2388-76-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2808-77-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2388-78-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2808-79-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2388-80-0x0000000000400000-0x0000000000784000-memory.dmp

memory/2808-81-0x0000000000400000-0x0000000000784000-memory.dmp