Analysis
max time kernel: 150s
max time network: 118s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 14/06/2024, 00:58
Static task: static1
Behavioral task: behavioral1
  Sample: 9559100eb61dc46e50ffd51978d9dce0_NeikiAnalytics.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 9559100eb61dc46e50ffd51978d9dce0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 9559100eb61dc46e50ffd51978d9dce0_NeikiAnalytics.exe
Size: 206KB
MD5: 9559100eb61dc46e50ffd51978d9dce0
SHA1: fcf6be090da5d05f2426f230ae992c2838861139
SHA256: 8a91cca756e95a86c9bca31ff06d42a255b27f12563a626e316ee6d9bf57c45d
SHA512: 17e9e12234cda406d0c49b5f624283556b3bc0334368b410e407f07e98f0e789a9fdf44671584cbef699ac8a3035537026cd8cf843efdb97545216823588db78
SSDEEP: 3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unL2:5vEN2U+T6i5LirrllHy4HUcMQY6K2
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"  (process: explorer.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"  (process: svchost.exe)
  Note: Winlogon's Shell value is a comma-separated list and every entry is started at logon, so the dropped c:\windows\system\explorer.exe runs alongside the real shell. The writing processes named here are the dropped copies in c:\windows\system, not the Windows binaries of the same name.
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  (process: explorer.exe)
  Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  (process: svchost.exe)
  Note: ShowSuperHidden = 0 keeps protected operating system files hidden in Explorer, the setting a user would otherwise flip to see the dropped files.
- Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
  Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}  (process: svchost.exe)
  Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}  (process: svchost.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"  (process: svchost.exe)
  Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}  (process: svchost.exe)
  Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}  (process: explorer.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"  (process: explorer.exe)
  Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}  (process: svchost.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"  (process: svchost.exe)
  Note: an Active Setup StubPath runs in the user's context at logon whenever the component's HKCU copy is missing or older than the HKLM entry. Both component names contain non-hex characters (OTRW, U5GH, VMVQ, NUFL) and are therefore not valid GUIDs, which is a cheap hunting pivot on its own; the stub points at a user-profile path, C:\Users\Admin\AppData\Roaming\mrsys.exe, rather than anything under the Windows directory.
- Executes dropped EXE (4 IoCs)
  PID 2812 explorer.exe; PID 2368 spoolsv.exe; PID 2732 svchost.exe; PID 2728 spoolsv.exe
- Loads dropped DLL (8 IoCs)
  PID 2072 9559100eb61dc46e50ffd51978d9dce0_NeikiAnalytics.exe (x2); PID 2812 explorer.exe (x2); PID 2368 spoolsv.exe (x2); PID 2732 svchost.exe (x2)
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"  (process: explorer.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"  (process: svchost.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"  (process: svchost.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"  (process: explorer.exe)
  Note: the targets sit in c:\windows\system, the legacy 16-bit directory. The genuine svchost.exe lives in System32 (SysWOW64 for the 32-bit copy) and explorer.exe in C:\Windows, so the paths alone mark these as masquerades. RunOnce values are deleted once they fire, which is consistent with both dropped processes rewriting them.
- Drops file in Windows directory (6 IoCs)
  File opened for modification \??\c:\windows\system\spoolsv.exe  (process: explorer.exe)
  File opened for modification \??\c:\windows\system\svchost.exe  (process: spoolsv.exe)
  File opened for modification \??\c:\windows\system\explorer.exe  (process: explorer.exe)
  File opened for modification \??\c:\windows\system\svchost.exe  (process: svchost.exe)
  File opened for modification C:\Windows\system\udsys.exe  (process: explorer.exe)
  File opened for modification \??\c:\windows\system\explorer.exe  (process: 9559100eb61dc46e50ffd51978d9dce0_NeikiAnalytics.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  One event from PID 2072 (9559100eb61dc46e50ffd51978d9dce0_NeikiAnalytics.exe); the remaining 63 alternate between PID 2812 (explorer.exe) and PID 2732 (svchost.exe).
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  PID 2812 explorer.exe; PID 2732 svchost.exe
- Suspicious use of SetWindowsHookEx (12 IoCs)
  PID 2072 9559100eb61dc46e50ffd51978d9dce0_NeikiAnalytics.exe (x2); PID 2812 explorer.exe (x4); PID 2368 spoolsv.exe (x2); PID 2732 svchost.exe (x2); PID 2728 spoolsv.exe (x2)
- Suspicious use of WriteProcessMemory (28 IoCs)
  Seven parent/child pairs, each logged four times (procid_target in parentheses):
  PID 2072 (9559100eb61dc46e50ffd51978d9dce0_NeikiAnalytics.exe) wrote to PID 2812 (28)
  PID 2812 (explorer.exe) wrote to PID 2368 (29)
  PID 2368 (spoolsv.exe) wrote to PID 2732 (30)
  PID 2732 (svchost.exe) wrote to PID 2728 (31)
  PID 2732 (svchost.exe) wrote to PID 2700 (32)
  PID 2732 (svchost.exe) wrote to PID 268 (36)
  PID 2732 (svchost.exe) wrote to PID 2012 (38)
  Note: every pair matches a parent and the child it spawns in the process tree below; there is no write into an unrelated process.
Processes
1  C:\Users\Admin\AppData\Local\Temp\9559100eb61dc46e50ffd51978d9dce0_NeikiAnalytics.exe  (PID 2072)
   Command line: "C:\Users\Admin\AppData\Local\Temp\9559100eb61dc46e50ffd51978d9dce0_NeikiAnalytics.exe"
   - Loads dropped DLL
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2  \??\c:\windows\system\explorer.exe  (PID 2812)
      Command line: c:\windows\system\explorer.exe
      - Modifies WinLogon for persistence
      - Modifies visibility of hidden/system files in Explorer
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3  \??\c:\windows\system\spoolsv.exe  (PID 2368)
         Command line: c:\windows\system\spoolsv.exe SE
         - Executes dropped EXE
         - Loads dropped DLL
         - Drops file in Windows directory
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4  \??\c:\windows\system\svchost.exe  (PID 2732)
            Command line: c:\windows\system\svchost.exe
            - Modifies WinLogon for persistence
            - Modifies visibility of hidden/system files in Explorer
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Loads dropped DLL
            - Adds Run key to start application
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            5  \??\c:\windows\system\spoolsv.exe  (PID 2728)
               Command line: c:\windows\system\spoolsv.exe PR
               - Executes dropped EXE
               - Suspicious use of SetWindowsHookEx
            5  C:\Windows\SysWOW64\at.exe  (PID 2700)
               Command line: at 01:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5  C:\Windows\SysWOW64\at.exe  (PID 268)
               Command line: at 01:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5  C:\Windows\SysWOW64\at.exe  (PID 2012)
               Command line: at 01:02 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Note: the chain is sample -> explorer.exe -> spoolsv.exe (SE) -> svchost.exe -> spoolsv.exe (PR), every stage a dropped copy in c:\windows\system rather than the Windows binary of that name. svchost.exe then registers three daily at.exe jobs (01:00, 01:01, 01:02, every day of the week) that relaunch it; at.exe jobs run under the SYSTEM account, and /interactive lets the job reach the interactive desktop. The trailing arguments differ per launch path (SE and PR for the spawned spoolsv.exe copies, RO in the RunOnce values, MR in the Active Setup stub), which a command-line detection can key on.
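The checks the Signatures and the process tree point at, as an added example (not code from the report, the sandbox or the sample): a Python triage script that takes event lines in the shape the report uses and flags a Winlogon Shell list with more than one entry, Active Setup components whose name is not a valid GUID or whose StubPath lands in a user profile, Run/RunOnce targets, Shell entries or at.exe commands whose file name is a well-known Windows binary living outside its home directory, ShowSuperHidden set to 0, and recurring at.exe jobs. The event lines are constructed from the report's rows plus two benign control rows; the regexes, rule names and the EXPECTED_HOME table are assumptions of this example.

```python
"""Persistence triage over sandbox-style event lines (added example, not the
report's or the sample's code). SAMPLE_EVENTS mirrors the report's rows:
registry rows as 'Set value (type) <key> = "<data>" <process>', at.exe as its
command line. Regexes, rule names and EXPECTED_HOME are assumptions."""
import ntpath
import re
from dataclasses import dataclass

# Constructed input: the report's malicious rows plus two benign control rows.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" explorer.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" svchost.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" explorer.exe',
    r'at 01:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe',
    # Benign controls (constructed, not from the report): a stock Shell value
    # and a well-formed Active Setup component whose stub lives in System32.
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" msiexec.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{0E1F3C2A-7B9D-4E5F-8A1B-2C3D4E5F6A7B}\StubPath = "C:\\Windows\\System32\\setup.exe /user" setup.exe',
]

REG_SET_RE = re.compile(r'^Set value \(\w+\) (?P<key>\\REGISTRY\\.+?) = "(?P<data>.*)" (?P<proc>\S+)$')
AT_RE = re.compile(r'^at\s+\d{1,2}:\d{2}\s+(?P<opts>(?:/\S+\s+)*)(?P<cmd>\S.*)$', re.IGNORECASE)
GUID_RE = re.compile(r'^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$', re.IGNORECASE)

# Assumed table of where these binaries legitimately live. The sample drops
# look-alikes into c:\windows\system, the legacy 16-bit directory.
EXPECTED_HOME = {
    'explorer.exe': r'c:\windows',
    'svchost.exe': r'c:\windows\system32',
    'spoolsv.exe': r'c:\windows\system32',
}
USER_PATH_MARKERS = ('\\users\\', '\\programdata\\')


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str
    process: str


def unescape_value(data: str) -> str:
    """The report renders each backslash inside a value as two backslashes."""
    return data.replace('\\\\', '\\')


def first_path(cmdline: str) -> str:
    """Executable path of a command line: the quoted token or the first token."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.find('"', 1)]
    return cmdline.split()[0]


def masquerade(path: str) -> bool:
    """True when a known Windows binary name sits outside its home directory."""
    directory, name = ntpath.split(path.lower())
    home = EXPECTED_HOME.get(name)
    return bool(directory) and home is not None and directory.rstrip('\\') != home


def check_registry(key: str, data: str, proc: str) -> list:
    k, out = key.lower(), []
    if k.endswith('\\winlogon\\shell'):
        # Winlogon\Shell is a comma-separated list; every entry starts at logon.
        entries = [e.strip() for e in data.split(',') if e.strip()]
        if len(entries) > 1:
            out.append(Finding('winlogon_shell_extra', ', '.join(entries[1:]), proc))
        out += [Finding('masquerade', e, proc) for e in entries if masquerade(first_path(e))]
    elif '\\active setup\\installed components\\' in k and k.endswith('\\stubpath'):
        component = key.rsplit('\\', 2)[-2]  # the {GUID} subkey name
        target = first_path(data)
        if not GUID_RE.match(component):     # e.g. {Y479C6D0-OTRW-...}: not hex
            out.append(Finding('active_setup_bogus_guid', component, proc))
        if any(m in target.lower() for m in USER_PATH_MARKERS):
            out.append(Finding('active_setup_user_path', target, proc))
        if masquerade(target):
            out.append(Finding('masquerade', target, proc))
    elif '\\currentversion\\run' in k:       # Run, RunOnce, RunOnceEx
        target = first_path(data)
        if masquerade(target):
            out.append(Finding('masquerade', target, proc))
    elif k.endswith('\\explorer\\advanced\\showsuperhidden') and data.strip() == '0':
        out.append(Finding('show_super_hidden_off', key, proc))
    return out


def check_at(opts: str, cmd: str) -> list:
    out = []
    if '/every:' in opts.lower():            # recurring job; at.exe jobs run as SYSTEM
        out.append(Finding('at_recurring_job', cmd.strip(), 'at.exe'))
    if masquerade(first_path(cmd)):
        out.append(Finding('masquerade', first_path(cmd), 'at.exe'))
    return out


def analyze(lines: list) -> list:
    findings = []
    for line in lines:
        if m := REG_SET_RE.match(line):
            findings += check_registry(m['key'], unescape_value(m['data']), m['proc'])
        elif m := AT_RE.match(line):
            findings += check_at(m['opts'], m['cmd'])
    return findings


if __name__ == '__main__':
    for f in analyze(SAMPLE_EVENTS):
        print(f'{f.rule:26} {f.process:13} {f.detail}')
```

Run as a script it prints eight findings for the constructed rows and none for the two benign controls. The masquerade rule generalizes past this sample: any binary listed in EXPECTED_HOME that is referenced from a directory other than its home fires it, so adding the spoolsv.exe command lines from the process tree would flag those copies too.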
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Not mapped by the sandbox but visible in the process tree: three recurring at.exe jobs (Scheduled Task/Job: At, T1053.002) and the svchost.exe/explorer.exe/spoolsv.exe copies in c:\windows\system (Masquerading: Match Legitimate Name or Location, T1036.005).
Downloads
Dropped file 1
  Filesize: 206KB
  MD5: 7cc57684577b5ef0cd8ec0e253ef184a
  SHA1: 2116957c6bd3946940722542fde702a82d01b362
  SHA256: 986ddbc96bc1e28234e5ebf5dfc3bf07f6623a027741345dacb37cff24eb1919
  SHA512: d5de24b473a214e89da165313821aef03553e0a3ffc9e85888e1b8cbf883af172abc70c79eb3fd10559f14fbd3cf1777091b9689ddb56059e584208a8055ad7f
Dropped file 2
  Filesize: 206KB
  MD5: 52d557c6407f680081d04c43e3b1c6c6
  SHA1: 8b87c26245414cd6e82c07100d55293b6b07354c
  SHA256: da6ad3ba52d68f4ba8fb1e7ff6d8813d324515e264f119ff6299f1e041b58666
  SHA512: 8f87d5afc093f0fe639ba9456d0a827f6602d2b708d09968c779366e262c8b44cd525c1e81e1123654a976586c7f411d13763dd180e23c9c76e6d89766da7429
Dropped file 3
  Filesize: 206KB
  MD5: 2f9e5c5b2ff47d23830011a73fd15510
  SHA1: 4a52457a8928b69f3b5d1025b948f7ec506e38a9
  SHA256: 8815fac5890635c04523b56742825f588fa6b4f02d951e785de284646a4b89ee
  SHA512: 26335a5955695c93d6ed559c43ab63369adcc3b801046a6e8699af558eacdee231cc9208a0fd8c7673aeeb992ea22bfc64a5ee5709eeb6fcb14e83267b8e70d1
Dropped file 4
  Filesize: 206KB
  MD5: 616b5059ad2efd20e47bd80447d703d6
  SHA1: 179d00ed10a7ffc3cb1fc7f8d1ed619200e09edf
  SHA256: 9a44acac0780602ff9bde41a9f21faba801c35cc8786e82efa4925ed8c95a2f2
  SHA512: 15ad35bddb42fe643b7c0f291e1582bd79e7f602e2263dd1730d61283583fec381a47ca56001e99d938226c834fb51c6dfb02b0daea95897e20f7b36ee771392
Note: all four dropped files match the submitted sample's size (206KB) but none shares any of its hashes, so a hash block on the original will not catch the dropped copies; the paths in c:\windows\system and the registry values above are the durable indicators.