Analysis
-
max time kernel
150s
-
max time network
123s
-
platform
windows7_x64
-
resource
win7-20240611-en
-
resource tags
arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
-
submitted
13-06-2024 12:36
Static task
static1
Behavioral task
behavioral1
Sample
7cd6169a5656572078e159fd6a1755a0_NeikiAnalytics.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
7cd6169a5656572078e159fd6a1755a0_NeikiAnalytics.exe
Resource
win10v2004-20240611-en
General
-
Target
7cd6169a5656572078e159fd6a1755a0_NeikiAnalytics.exe
-
Size
66KB
-
MD5
7cd6169a5656572078e159fd6a1755a0
-
SHA1
be224d40dc425ac2be34a998f19783503d917ea0
-
SHA256
e4f1a7da104ef80b119bde79d629bc097d209e792796ebb6aa27a419cc29575b
-
SHA512
ec237ca6ac6de67b2bb399361d49c5a57d082e4872df69beaedc14b6268e10b4f965b3be070daa232c70f7ab6446c0fb759f323f74ecc773af01b0be2f53e8d1
-
SSDEEP
1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXi3:IeklMMYJhqezw/pXzH9i3
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
Processes: explorer.exe, svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
Processes: explorer.exe, svchost.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
-
Modifies Installed Components in the registry 2 TTPs 8 IoCs
Processes: svchost.exe, explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
-
Executes dropped EXE 4 IoCs
Processes: explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
pid | process
2296 | explorer.exe
2684 | spoolsv.exe
2672 | svchost.exe
2676 | spoolsv.exe
-
Loads dropped DLL 8 IoCs
Processes: 7cd6169a5656572078e159fd6a1755a0_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe
pid | process
2336 | 7cd6169a5656572078e159fd6a1755a0_NeikiAnalytics.exe
2336 | 7cd6169a5656572078e159fd6a1755a0_NeikiAnalytics.exe
2296 | explorer.exe
2296 | explorer.exe
2684 | spoolsv.exe
2684 | spoolsv.exe
2672 | svchost.exe
2672 | svchost.exe
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes: explorer.exe, svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
-
Drops file in Windows directory 6 IoCs
Processes: spoolsv.exe, explorer.exe, svchost.exe, 7cd6169a5656572078e159fd6a1755a0_NeikiAnalytics.exe
description | ioc | process
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
File opened for modification | \??\c:\windows\system\explorer.exe | 7cd6169a5656572078e159fd6a1755a0_NeikiAnalytics.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 7cd6169a5656572078e159fd6a1755a0_NeikiAnalytics.exe, explorer.exe, svchost.exe (64 hits in total, all from the three pid/process pairs below)
pid | process
2336 | 7cd6169a5656572078e159fd6a1755a0_NeikiAnalytics.exe
2296 | explorer.exe
2672 | svchost.exe
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes: explorer.exe, svchost.exe
pid | process
2296 | explorer.exe
2672 | svchost.exe
-
Suspicious use of SetWindowsHookEx 12 IoCs
Processes: 7cd6169a5656572078e159fd6a1755a0_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
pid | process
2336 | 7cd6169a5656572078e159fd6a1755a0_NeikiAnalytics.exe
2336 | 7cd6169a5656572078e159fd6a1755a0_NeikiAnalytics.exe
2296 | explorer.exe
2296 | explorer.exe
2684 | spoolsv.exe
2684 | spoolsv.exe
2672 | svchost.exe
2672 | svchost.exe
2676 | spoolsv.exe
2676 | spoolsv.exe
2296 | explorer.exe
2296 | explorer.exe
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes: 7cd6169a5656572078e159fd6a1755a0_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe
description | pid | process | target process
PID 2336 wrote to memory of 2296 | 2336 | 7cd6169a5656572078e159fd6a1755a0_NeikiAnalytics.exe | explorer.exe
PID 2296 wrote to memory of 2684 | 2296 | explorer.exe | spoolsv.exe
PID 2684 wrote to memory of 2672 | 2684 | spoolsv.exe | svchost.exe
PID 2672 wrote to memory of 2676 | 2672 | svchost.exe | spoolsv.exe
PID 2672 wrote to memory of 288 | 2672 | svchost.exe | at.exe
PID 2672 wrote to memory of 2044 | 2672 | svchost.exe | at.exe
PID 2672 wrote to memory of 2508 | 2672 | svchost.exe | at.exe
(each of the seven rows above is reported 4 times, 28 IoCs in total)
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\7cd6169a5656572078e159fd6a1755a0_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\7cd6169a5656572078e159fd6a1755a0_NeikiAnalytics.exe"
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2336
-
Depth 2: \??\c:\windows\system\explorer.exe
Command line: c:\windows\system\explorer.exe
- Modifies WinLogon for persistence
- Modifies visibility of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2296
-
Depth 3: \??\c:\windows\system\spoolsv.exe
Command line: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2684
-
Depth 4: \??\c:\windows\system\svchost.exe
Command line: c:\windows\system\svchost.exe
- Modifies WinLogon for persistence
- Modifies visibility of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2672
-
Depth 5: \??\c:\windows\system\spoolsv.exe
Command line: c:\windows\system\spoolsv.exe PR
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 2676
-
Depth 5: C:\Windows\SysWOW64\at.exe
Command line: at 12:39 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
PID: 288
-
Depth 5: C:\Windows\SysWOW64\at.exe
Command line: at 12:40 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
PID: 2044
-
Depth 5: C:\Windows\SysWOW64\at.exe
Command line: at 12:41 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
PID: 2508
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (3)
Registry Run Keys / Startup Folder (2)
Winlogon Helper DLL (1)
Privilege Escalation
Boot or Logon Autostart Execution (3)
Registry Run Keys / Startup Folder (2)
Winlogon Helper DLL (1)
Downloads
-
Filesize
66KB
MD5 650d4c6a966e2372e3c2bfceda0b9d2e
SHA1 d869b2eb6d28aed73a7ff49058065200cc4d15cb
SHA256 5d7b41be846be96d427a78eaa9e23e414c9bfeeef5a9e3a2246b6d5b5b24b66b
SHA512 06fe7ff5bc69adb9cb11f12102dd254509c9a149c4616c0cab3d81bc5130f7c3541fc66372c79bb48d45168f686f08a916155d06572c1a6f1b47796f8ea72022
-
Filesize
66KB
MD5 e8d85902003ee30f1b86f86ec190ad80
SHA1 8e3677c804beda3c574756c5c2978e0c1cf0b4e0
SHA256 760f0f07efdeb666c5378b2a1f2f9eda8a7c6aaa7e62e8d80fe813eba2b50838
SHA512 d9c00c943c43c92354e0b2de6fd745459c384e02980250c7bff4a3f440e2f6457f90e81ebe99ab323adcec467f09cb97f14be27125782592b4b3847430e10a8e
-
Filesize
66KB
MD5 df7d5693e884551e9d650354031e8c92
SHA1 7ece731a2be8a980e242812fac961402584f6c0c
SHA256 dded968db64ff909c3c2c7d91095ccb7184e4ab67ef14075929fb528bed823b1
SHA512 8e78e1ecfbca7b006ef95b5be4549f5220be0fb34d7a61e6eeeec6b5ceadd869733285f91b01ce90937a0f12190e27e27c9c1cd2d25eb042f3a57a40193e8881
-
Filesize
66KB
MD5 d5a49697acc762a5adc97f13f61798c1
SHA1 bffa2196a1f4f9770a1057d4b7e935852c028164
SHA256 070c2daa7a3f55c230159a3c6aae079d62c4d5052a3a7f35948cc4423966037f
SHA512 a4db793ed0d3d2d0e51947d50570a2e4e9dab415c2f52bc58592311ea502b4394e03e1133c20c239b3f687bbf1051f09bff0641cdb6c91d34669a67eee444970