Analysis
- max time kernel: 151s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-06-2024 02:12
Static task: static1
Behavioral task: behavioral1
- Sample: 9a4c7160bfaf6f401fe670e344bb3d00_NeikiAnalytics.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 9a4c7160bfaf6f401fe670e344bb3d00_NeikiAnalytics.exe
- Resource: win10v2004-20240226-en
General
- Target: 9a4c7160bfaf6f401fe670e344bb3d00_NeikiAnalytics.exe
- Size: 66KB
- MD5: 9a4c7160bfaf6f401fe670e344bb3d00
- SHA1: dd9dd1beb84afb4559ad5df79d2714e473dc54ca
- SHA256: de4eae0e14a9519efaca31ff237a2315607cd412b0c023c697514b7bf826366d
- SHA512: a07e362498750c843bc874a324e0dcf73ae06662b2cb8feb5c0e99916ef0c305b2fd163960817e7bf5246318ae94bd468e14ada21ac2eabd314c4b0fe19b4570
- SSDEEP: 1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXim:IeklMMYJhqezw/pXzH9im
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
- Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
  description | ioc | process
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
- Executes dropped EXE (4 IoCs)
  pid | process
  3012 | explorer.exe
  1884 | spoolsv.exe
  1768 | svchost.exe
  3724 | spoolsv.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
- Drops file in Windows directory (6 IoCs)
  description | ioc | process
  File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
  File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
  File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\explorer.exe | 9a4c7160bfaf6f401fe670e344bb3d00_NeikiAnalytics.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | process | entries (64 in total, collapsed by pid)
  3604 | 9a4c7160bfaf6f401fe670e344bb3d00_NeikiAnalytics.exe | 2
  3012 | explorer.exe | 34
  1768 | svchost.exe | 28
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | process
  3012 | explorer.exe
  1768 | svchost.exe
- Suspicious use of SetWindowsHookEx (12 IoCs)
  pid | process | entries (12 in total, collapsed by pid)
  3604 | 9a4c7160bfaf6f401fe670e344bb3d00_NeikiAnalytics.exe | 2
  3012 | explorer.exe | 4
  1884 | spoolsv.exe | 2
  1768 | svchost.exe | 2
  3724 | spoolsv.exe | 2
- Suspicious use of WriteProcessMemory (21 IoCs)
  description | pid | process | target pid | target process | entries (each pair logged 3 times)
  wrote to memory of | 3604 | 9a4c7160bfaf6f401fe670e344bb3d00_NeikiAnalytics.exe | 3012 | explorer.exe | 3
  wrote to memory of | 3012 | explorer.exe | 1884 | spoolsv.exe | 3
  wrote to memory of | 1884 | spoolsv.exe | 1768 | svchost.exe | 3
  wrote to memory of | 1768 | svchost.exe | 3724 | spoolsv.exe | 3
  wrote to memory of | 1768 | svchost.exe | 3448 | at.exe | 3
  wrote to memory of | 1768 | svchost.exe | 2152 | at.exe | 3
  wrote to memory of | 1768 | svchost.exe | 4568 | at.exe | 3
Processes
- C:\Users\Admin\AppData\Local\Temp\9a4c7160bfaf6f401fe670e344bb3d00_NeikiAnalytics.exe (PID 3604)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9a4c7160bfaf6f401fe670e344bb3d00_NeikiAnalytics.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - \??\c:\windows\system\explorer.exe (PID 3012)
    Command line: c:\windows\system\explorer.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - \??\c:\windows\system\spoolsv.exe (PID 1884)
      Command line: c:\windows\system\spoolsv.exe SE
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - \??\c:\windows\system\svchost.exe (PID 1768)
        Command line: c:\windows\system\svchost.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - \??\c:\windows\system\spoolsv.exe (PID 3724)
          Command line: c:\windows\system\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        - C:\Windows\SysWOW64\at.exe (PID 3448)
          Command line: at 02:14 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        - C:\Windows\SysWOW64\at.exe (PID 2152)
          Command line: at 02:15 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        - C:\Windows\SysWOW64\at.exe (PID 4568)
          Command line: at 02:16 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1976)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4036 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Downloads