Analysis
- max time kernel: 150s
- max time network: 127s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-06-2024 12:36
Static task: static1
Behavioral task: behavioral1
- Sample: 7cd6169a5656572078e159fd6a1755a0_NeikiAnalytics.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: 7cd6169a5656572078e159fd6a1755a0_NeikiAnalytics.exe
- Resource: win10v2004-20240611-en
General
- Target: 7cd6169a5656572078e159fd6a1755a0_NeikiAnalytics.exe
- Size: 66KB
- MD5: 7cd6169a5656572078e159fd6a1755a0
- SHA1: be224d40dc425ac2be34a998f19783503d917ea0
- SHA256: e4f1a7da104ef80b119bde79d629bc097d209e792796ebb6aa27a419cc29575b
- SHA512: ec237ca6ac6de67b2bb399361d49c5a57d082e4872df69beaedc14b6268e10b4f965b3be070daa232c70f7ab6446c0fb759f323f74ecc773af01b0be2f53e8d1
- SSDEEP: 1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXi3:IeklMMYJhqezw/pXzH9i3
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (svchost.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (explorer.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (svchost.exe)
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
Processes: svchost.exe, explorer.exe
- Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (svchost.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (svchost.exe)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (svchost.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (explorer.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (svchost.exe)
Executes dropped EXE (4 IoCs)
Processes: explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
- PID 3324 explorer.exe
- PID 1092 spoolsv.exe
- PID 2492 svchost.exe
- PID 4504 spoolsv.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: svchost.exe, explorer.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (svchost.exe)
Drops file in Windows directory (6 IoCs)
Processes: explorer.exe, 7cd6169a5656572078e159fd6a1755a0_NeikiAnalytics.exe, spoolsv.exe, svchost.exe
- File opened for modification C:\Windows\system\udsys.exe (explorer.exe)
- File opened for modification \??\c:\windows\system\explorer.exe (7cd6169a5656572078e159fd6a1755a0_NeikiAnalytics.exe)
- File opened for modification \??\c:\windows\system\spoolsv.exe (explorer.exe)
- File opened for modification \??\c:\windows\system\svchost.exe (spoolsv.exe)
- File opened for modification \??\c:\windows\system\explorer.exe (explorer.exe)
- File opened for modification \??\c:\windows\system\svchost.exe (svchost.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 7cd6169a5656572078e159fd6a1755a0_NeikiAnalytics.exe, explorer.exe, svchost.exe
- PID 4204 7cd6169a5656572078e159fd6a1755a0_NeikiAnalytics.exe (2 entries)
- PID 3324 explorer.exe and PID 2492 svchost.exe, in alternating runs, for the remaining 62 entries
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes: explorer.exe, svchost.exe
- PID 3324 explorer.exe
- PID 2492 svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
Processes: 7cd6169a5656572078e159fd6a1755a0_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
- PID 4204 7cd6169a5656572078e159fd6a1755a0_NeikiAnalytics.exe (2 entries)
- PID 3324 explorer.exe (2 entries)
- PID 1092 spoolsv.exe (2 entries)
- PID 2492 svchost.exe (2 entries)
- PID 4504 spoolsv.exe (2 entries)
- PID 3324 explorer.exe (2 entries)
Suspicious use of WriteProcessMemory (21 IoCs)
Processes: 7cd6169a5656572078e159fd6a1755a0_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe
Each source/target pair below is recorded three times in the report:
- PID 4204 wrote to memory of 3324 (7cd6169a5656572078e159fd6a1755a0_NeikiAnalytics.exe -> explorer.exe)
- PID 3324 wrote to memory of 1092 (explorer.exe -> spoolsv.exe)
- PID 1092 wrote to memory of 2492 (spoolsv.exe -> svchost.exe)
- PID 2492 wrote to memory of 4504 (svchost.exe -> spoolsv.exe)
- PID 2492 wrote to memory of 2124 (svchost.exe -> at.exe)
- PID 2492 wrote to memory of 2140 (svchost.exe -> at.exe)
- PID 2492 wrote to memory of 3876 (svchost.exe -> at.exe)
Processes (indentation shows the parent/child tree; the leading number is the depth level)
1 C:\Users\Admin\AppData\Local\Temp\7cd6169a5656572078e159fd6a1755a0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7cd6169a5656572078e159fd6a1755a0_NeikiAnalytics.exe"
  PID: 4204
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  2 \??\c:\windows\system\explorer.exe
    Command line: c:\windows\system\explorer.exe
    PID: 3324
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    3 \??\c:\windows\system\spoolsv.exe
      Command line: c:\windows\system\spoolsv.exe SE
      PID: 1092
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      4 \??\c:\windows\system\svchost.exe
        Command line: c:\windows\system\svchost.exe
        PID: 2492
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        5 \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe PR
          PID: 4504
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        5 C:\Windows\SysWOW64\at.exe
          Command line: at 12:39 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 2124
        5 C:\Windows\SysWOW64\at.exe
          Command line: at 12:40 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 2140
        5 C:\Windows\SysWOW64\at.exe
          Command line: at 12:41 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 3876
1 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4252,i,11049150160560877369,2866371920339304689,262144 --variations-seed-version --mojo-platform-channel-handle=4132 /prefetch:8
  PID: 4916
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
- Registry Run Keys / Startup Folder (2)
- Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
- Registry Run Keys / Startup Folder (2)
- Winlogon Helper DLL (1)
Downloads
- Filesize: 66KB
  MD5: fa77f3792d6cd1ed56e34dc98c3a192d
  SHA1: 97529bd1ea7a3ed61bf821289ad994a7d9d1f5a8
  SHA256: 69805f0aef3ce01d5d5c03ce41084739e70867eea686cd839e8ec0acc6c7e40a
  SHA512: 867585f79bee97379b92503a75d5310590ca1ce4bd0b4842586446c1f39c0b49adcb6692c5d8c43c5ac383d651066a17b353421c3235ba71f4f65c26ce51eb48
- Filesize: 66KB
  MD5: 7d95e3fc696410806d0b988aee691b9c
  SHA1: 358bac38c1bb5b56056f7e33fea28911f292cec8
  SHA256: 90a633d97758f69628fe1a01cd785537c54d8116c87a040e29298f5fccdff9ed
  SHA512: 22e2ae421f5b1fd0767778221892c400cc6641ea8bb244a00a81b83b5ad0b48a76561465a986437a658c694866c44cd743043735df8006b2272b79aceb1d781a
- Filesize: 66KB
  MD5: 4308645528fa4e3261bdb0bed0aa509f
  SHA1: df3a3fa70ddd762b463cc164382910ed0e06f45c
  SHA256: 966e5d115d1be4921ea0fa9c3745794b809622fb42c29168aaee5d48d11634df
  SHA512: 51aefdc872bc31ae2dff4b195fd6f5cd7a22066a697d11c8e593cdaeacb0a9dcb337126de85aea6538f921612893d6764c82c6ab69720416fcb72deeb121a367
- Filesize: 66KB
  MD5: 3cea86b83d5e2d00953d502a52ca94ab
  SHA1: 077684bcf2fa6f9808f8e05d0ff62be09f7245f3
  SHA256: 4f3ea1a13aeb4f7938fa1fb6cbcab07ba6f9734532556a3282409661fe66f28b
  SHA512: 1d0fd7c0dfa3cad192d68dbff9e7e460cf2f07598cb2e16bb7a63b8c0cbe0d138c9a4f1ce425de16044b788daab5c298d6f02117cc859ef1e8e4d184f6583d91
- Filesize: not given in the report (these four digests are those of a zero-byte file, so this entry carries no usable indicator)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e