Analysis

max time kernel: 150s
max time network: 120s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64 arch:x86 image:win7-20240220-en locale:en-us os:windows7-x64 system
submitted: 14-06-2024 02:12
Static task: static1

Behavioral task: behavioral1
  Sample: 9a4c7160bfaf6f401fe670e344bb3d00_NeikiAnalytics.exe
  Resource: win7-20240220-en

Behavioral task: behavioral2
  Sample: 9a4c7160bfaf6f401fe670e344bb3d00_NeikiAnalytics.exe
  Resource: win10v2004-20240226-en
General

Target: 9a4c7160bfaf6f401fe670e344bb3d00_NeikiAnalytics.exe
Size: 66KB
MD5: 9a4c7160bfaf6f401fe670e344bb3d00
SHA1: dd9dd1beb84afb4559ad5df79d2714e473dc54ca
SHA256: de4eae0e14a9519efaca31ff237a2315607cd412b0c023c697514b7bf826366d
SHA512: a07e362498750c843bc874a324e0dcf73ae06662b2cb8feb5c0e99916ef0c305b2fd163960817e7bf5246318ae94bd468e14ada21ac2eabd314c4b0fe19b4570
SSDEEP: 1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXim:IeklMMYJhqezw/pXzH9im
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Processes: svchost.exe, explorer.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
Processes: svchost.exe, explorer.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Executes dropped EXE (4 IoCs)
Processes: explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
  pid | process
  2516 | explorer.exe
  2636 | spoolsv.exe
  2412 | svchost.exe
  2444 | spoolsv.exe
Loads dropped DLL (8 IoCs)
Processes: 9a4c7160bfaf6f401fe670e344bb3d00_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe
  pid | process | hits
  2000 | 9a4c7160bfaf6f401fe670e344bb3d00_NeikiAnalytics.exe | 2
  2516 | explorer.exe | 2
  2636 | spoolsv.exe | 2
  2412 | svchost.exe | 2
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: explorer.exe, svchost.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Drops file in Windows directory (6 IoCs)
Processes: 9a4c7160bfaf6f401fe670e344bb3d00_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe
  description | ioc | process
  File opened for modification | \??\c:\windows\system\explorer.exe | 9a4c7160bfaf6f401fe670e344bb3d00_NeikiAnalytics.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
  File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
  File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 9a4c7160bfaf6f401fe670e344bb3d00_NeikiAnalytics.exe, explorer.exe, svchost.exe
  pid | process | hits
  2000 | 9a4c7160bfaf6f401fe670e344bb3d00_NeikiAnalytics.exe | 1
  2516 | explorer.exe | 32
  2412 | svchost.exe | 31
  (after the first six entries the remaining 58 alternate between 2516 explorer.exe and 2412 svchost.exe)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes: explorer.exe, svchost.exe
  pid | process
  2516 | explorer.exe
  2412 | svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
Processes: 9a4c7160bfaf6f401fe670e344bb3d00_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
  pid | process | hits
  2000 | 9a4c7160bfaf6f401fe670e344bb3d00_NeikiAnalytics.exe | 2
  2516 | explorer.exe | 4
  2636 | spoolsv.exe | 2
  2412 | svchost.exe | 2
  2444 | spoolsv.exe | 2
Suspicious use of WriteProcessMemory (28 IoCs)
Processes: 9a4c7160bfaf6f401fe670e344bb3d00_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe
  description | pid | process | target process | hits
  PID 2000 wrote to memory of 2516 | 2000 | 9a4c7160bfaf6f401fe670e344bb3d00_NeikiAnalytics.exe | explorer.exe | 4
  PID 2516 wrote to memory of 2636 | 2516 | explorer.exe | spoolsv.exe | 4
  PID 2636 wrote to memory of 2412 | 2636 | spoolsv.exe | svchost.exe | 4
  PID 2412 wrote to memory of 2444 | 2412 | svchost.exe | spoolsv.exe | 4
  PID 2412 wrote to memory of 2548 | 2412 | svchost.exe | at.exe | 4
  PID 2412 wrote to memory of 1624 | 2412 | svchost.exe | at.exe | 4
  PID 2412 wrote to memory of 652 | 2412 | svchost.exe | at.exe | 4
  (each parent/child pair is recorded four times, giving the 28 IoCs)
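The registry signatures above describe three autostart writes (Winlogon Shell, an Active Setup StubPath, and RunOnce values) plus a ShowSuperHidden=0 change that hides the dropped files from Explorer. The following triage script is an added example for this report, not sandbox output and not the sample's code. It walks "Set value" events in a constructed (operation, key, data, process) tuple form and applies the checks a responder would want: the Winlogon Shell default is exactly `explorer.exe` and Winlogon launches every comma-separated entry, so a list means an extra shell was appended; an Active Setup component name must be an 8-4-4-4-12 hex GUID, which {Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} is not, and its StubPath should not point into a user-writable directory; and a Run/RunOnce target that the same run wrote to disk is correlated against the "Drops file in Windows directory" list. The last event is a constructed benign control with a made-up but well-formed GUID and a hypothetical System32 stub; the event layout is an assumption, since sandbox exports differ.

```python
"""Registry autostart triage over sandbox 'Set value' IoCs.

Added example for this report: not sandbox output and not the sample's code.
The event tuples are constructed from the Winlogon, Active Setup, RunOnce and
ShowSuperHidden tables above; the last entry is a constructed benign control.
"""
import re
from typing import Iterable, List, Tuple

# A GUID is 8-4-4-4-12 hex digits in braces; the component ids in this report are not.
GUID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
# Path fragments an unprivileged user can write to.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\")

# (operation, key path ending in the value name, data, writing process)
REG_EVENTS: List[Tuple[str, str, str, str]] = [
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell",
     r"C:\Windows\explorer.exe, c:\windows\system\explorer.exe", "svchost.exe"),
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components"
     r"\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath",
     r"C:\Users\Admin\AppData\Roaming\mrsys.exe MR", "svchost.exe"),
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost",
     r"c:\windows\system\svchost.exe RO", "explorer.exe"),
    ("Set value (int)",
     r"\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft"
     r"\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
     "0", "explorer.exe"),
    # Constructed benign control: well-formed (made-up) GUID, hypothetical stub under
    # System32, not a file dropped during this run.
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components"
     r"\{0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9}\StubPath",
     r"C:\Windows\System32\example_setup.exe /quiet", "runonce.exe"),
]

# Files this run wrote into the Windows directory ("Drops file in Windows directory"),
# used to correlate autostart entries with the sample's own drops.
DROPPED = {r"c:\windows\system\explorer.exe", r"c:\windows\system\spoolsv.exe",
           r"c:\windows\system\svchost.exe", r"c:\windows\system\udsys.exe"}


def first_token(cmdline: str) -> str:
    """Image path of a command line: 'c:\\x\\a.exe RO' -> 'c:\\x\\a.exe'."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:].split('"', 1)[0]
    return cmdline.split(" ", 1)[0]


def triage(events: Iterable[Tuple[str, str, str, str]]) -> List[str]:
    """Return one finding string per suspicious autostart write."""
    findings = []
    for _op, key, data, proc in events:
        k = key.lower()
        value_name = key.rsplit("\\", 1)[-1]
        if k.endswith(r"\currentversion\winlogon\shell"):
            # Default data is exactly 'explorer.exe'; Winlogon runs every
            # comma-separated entry, so a list means an extra shell was appended.
            shells = [s.strip() for s in data.split(",")]
            if [s.lower() for s in shells] != ["explorer.exe"]:
                findings.append(f"winlogon-shell: {shells} set by {proc}")
        elif "\\active setup\\installed components\\" in k and k.endswith("\\stubpath"):
            component = key.rsplit("\\", 2)[-2]
            image = first_token(data)
            if not GUID_RE.match(component):
                findings.append(f"active-setup: non-GUID component {component} set by {proc}")
            if any(frag in image.lower() for frag in USER_WRITABLE):
                findings.append(f"active-setup: StubPath in user-writable path {image} set by {proc}")
        elif re.search(r"\\currentversion\\run(once)?\\", k):
            image = first_token(data).lower()
            if image in DROPPED:
                findings.append(f"run-key: {value_name} -> {image} (written during this run) set by {proc}")
        elif k.endswith(r"\explorer\advanced\showsuperhidden") and data == "0":
            findings.append(f"explorer: ShowSuperHidden=0 hides protected OS files, set by {proc}")
    return findings


if __name__ == "__main__":
    for line in triage(REG_EVENTS):
        print(line)
```

Run against the events above it reports five findings (one for the appended shell, two for the Active Setup entry, one for the RunOnce target that was dropped in this run, one for ShowSuperHidden) and nothing for the benign control. On a live host the same checks apply to Sysmon event ID 13 (RegistryEvent value set) records; the `Wow6432Node` prefix in this report is the 32-bit sample writing the registry through the WOW64 redirector.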
Processes

C:\Users\Admin\AppData\Local\Temp\9a4c7160bfaf6f401fe670e344bb3d00_NeikiAnalytics.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\9a4c7160bfaf6f401fe670e344bb3d00_NeikiAnalytics.exe"
  PID: 2000
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  \??\c:\windows\system\explorer.exe
    command line: c:\windows\system\explorer.exe
    PID: 2516
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    \??\c:\windows\system\spoolsv.exe
      command line: c:\windows\system\spoolsv.exe SE
      PID: 2636
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      \??\c:\windows\system\svchost.exe
        command line: c:\windows\system\svchost.exe
        PID: 2412
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\system\spoolsv.exe
          command line: c:\windows\system\spoolsv.exe PR
          PID: 2444
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\at.exe
          command line: at 02:14 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 2548

        C:\Windows\SysWOW64\at.exe
          command line: at 02:15 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 1624

        C:\Windows\SysWOW64\at.exe
          command line: at 02:16 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 652
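Two things in the process tree are worth checking mechanically rather than by eye. First, every dropped binary borrows the name of a Windows component (explorer.exe, spoolsv.exe, svchost.exe) but runs from c:\windows\system, whereas on a stock install explorer.exe lives in %SystemRoot% and the other two in System32 (or SysWOW64 for the 32-bit copies). Second, svchost.exe (PID 2412) spawns at.exe three times to schedule c:\windows\system\svchost.exe at 02:14, 02:15 and 02:16, every day of the week, as an interactive job; the MITRE section of this report maps only the Run key and Winlogon techniques, so this scheduled-task persistence would otherwise go unrecorded. The script below is an added example for this report, not sandbox output: PROCS is constructed from the tree above, the expected directories are an assumption about a default Windows layout, and `parse_at` handles the `at HH:MM [/flags] command` syntax seen here.

```python
"""Process-tree triage: Windows system-binary names running from the wrong
directory, and at.exe jobs that re-launch them.

Added example for this report, not sandbox output. PROCS is constructed from the
process tree above; EXPECTED_DIRS encodes default install locations (explorer.exe
in %SystemRoot%, svchost.exe and spoolsv.exe in System32 or SysWOW64), which is an
assumption about a stock Windows install.
"""
import ntpath
from typing import Dict, List, Optional, Tuple

# (pid, parent pid, image path, command line)
PROCS: List[Tuple[int, Optional[int], str, str]] = [
    (2000, None,
     r"C:\Users\Admin\AppData\Local\Temp\9a4c7160bfaf6f401fe670e344bb3d00_NeikiAnalytics.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\9a4c7160bfaf6f401fe670e344bb3d00_NeikiAnalytics.exe"'),
    (2516, 2000, r"c:\windows\system\explorer.exe", r"c:\windows\system\explorer.exe"),
    (2636, 2516, r"c:\windows\system\spoolsv.exe", r"c:\windows\system\spoolsv.exe SE"),
    (2412, 2636, r"c:\windows\system\svchost.exe", r"c:\windows\system\svchost.exe"),
    (2444, 2412, r"c:\windows\system\spoolsv.exe", r"c:\windows\system\spoolsv.exe PR"),
    (2548, 2412, r"C:\Windows\SysWOW64\at.exe",
     r"at 02:14 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe"),
    (1624, 2412, r"C:\Windows\SysWOW64\at.exe",
     r"at 02:15 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe"),
    (652, 2412, r"C:\Windows\SysWOW64\at.exe",
     r"at 02:16 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe"),
]

EXPECTED_DIRS: Dict[str, set] = {
    "explorer.exe": {r"c:\windows"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}


def misplaced_system_binaries(procs) -> List[Tuple[int, str]]:
    """(pid, image) for processes named like a system binary but not in its directory."""
    hits = []
    for pid, _ppid, image, _cmd in procs:
        name = ntpath.basename(image).lower()
        allowed = EXPECTED_DIRS.get(name)
        if allowed and ntpath.dirname(image).lower() not in allowed:
            hits.append((pid, image))
    return hits


def parse_at(cmdline: str) -> Optional[dict]:
    """Parse 'at HH:MM [/flag ...] command' into its parts; None if not an at job."""
    tokens = cmdline.split()
    if len(tokens) < 3 or tokens[0].lower() != "at":
        return None
    when, rest = tokens[1], tokens[2:]
    flags = []
    while rest and rest[0].startswith("/"):
        flags.append(rest.pop(0))
    lowered = [f.lower() for f in flags]
    every = next((f.split(":", 1)[1] for f in flags if f.lower().startswith("/every:")), "")
    return {
        "time": when,
        "interactive": "/interactive" in lowered,
        "every": every.split(",") if every else [],
        "command": " ".join(rest),
    }


def scheduled_relaunches(procs) -> List[Tuple[int, Optional[int], dict]]:
    """at.exe jobs whose target is one of the misplaced binaries from the same tree."""
    targets = {image.lower() for _, image in misplaced_system_binaries(procs)}
    jobs = []
    for pid, ppid, image, cmdline in procs:
        if ntpath.basename(image).lower() != "at.exe":
            continue
        job = parse_at(cmdline)
        if job and job["command"].lower() in targets:
            jobs.append((pid, ppid, job))
    return jobs


if __name__ == "__main__":
    for pid, image in misplaced_system_binaries(PROCS):
        print(f"misplaced: pid {pid} {image}")
    for pid, ppid, job in scheduled_relaunches(PROCS):
        days = "daily" if len(job["every"]) == 7 else ",".join(job["every"])
        print(f"at job from pid {ppid}: {job['time']} {days} "
              f"interactive={job['interactive']} -> {job['command']}")
```

On this tree the first check flags PIDs 2516, 2636, 2412 and 2444, and the second recovers the three daily interactive jobs launched by PID 2412, all pointing at the dropped svchost.exe. One caveat for the win10v2004 task listed at the top of the report: at.exe has been deprecated in favour of schtasks.exe since Windows 8, so the same tree should be checked there rather than assumed to produce the same jobs.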
Network

MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads

Filesize: 66KB
MD5: d3d29e127a86415c238c866d9c448bb5
SHA1: f552e92b8736940019827b87abe01e87e91cb022
SHA256: 9626c2a5ae50883ba105c8f8a8acee7b6653b724961d000e901f25ef5c71ac08
SHA512: 06c90e4b9a0ca1667f8f1e3deb7b5d30924ae8d21db16e57254a526e6cc796ce76c81b79c953cd9768eeae9bddad3f4bace9217e42c89f2a7a55e3e772e9bbf4

Filesize: 66KB
MD5: 969a46fec143202e023fabd52637c9bc
SHA1: 8d7c7f73c6db4468b6ea307519de971f7b01197d
SHA256: 846e4b70d3ea2b1c88637bc8f60400fb52fa0abe841bf8e45ad8cd6682023c43
SHA512: 9f793cf96aa8e121a966760d19d9135efa3b6da3c3b5293625e693bd9b3c37f3edf2c9a96af0693a9191c41c2c5badffb0ac8b61afdb0bbf003450f8226dc2f4

Filesize: 66KB
MD5: b3635b306f4817846bc8d84ff2610bda
SHA1: 9f4bd2ef422d03dc0b517c14afe1d5796768db42
SHA256: baa9f437e445bdd958f669632147e7fc5b9d895908ac49fd235f686b01f61779
SHA512: 443c224f2f66ebc1b39e25b9ab31a6221687cab2da189d2276807f122c7e873ab96b373135728f9959b944f4b8c108d37aa851130630e8beed995cd91bf732d0

Filesize: 66KB
MD5: 714255d824e1e6c66095093eba286e03
SHA1: c05dde68b43a69680b92991a9b717b01d6c6ef78
SHA256: 2fd69be63a3d1fadcc7e8db5b841672fc0537dbc9f94c6b30e6605df50a193ac
SHA512: 086549cf19ced42582e6d102a53b75118bd025995c3b548a4502b9db80b3e31bcaea2dc855de188738be04cd3f8f04f6bbdf594af0b85686258d3252fc428687