7bfa16f4687747816f1e6c6e08404e8cdab82f13c9daa99e8d0c390f43b545de

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
14-06-2024 03:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9dcb6d48ac9e9d78af6cd6818951f180_NeikiAnalytics.exe
Size

65KB
MD5

9dcb6d48ac9e9d78af6cd6818951f180
SHA1

0cd44b249fb9b48da51e464e6ddf07b8cf32d175
SHA256

7bfa16f4687747816f1e6c6e08404e8cdab82f13c9daa99e8d0c390f43b545de
SHA512

c0dc7d217219905cebd6561fda3be1ef56c29c7f472bd1207c8c93825f8cbc4a0b8e982137150548d224bf36d23d73cf59eddbe090bfced799b5c1623a95578a
SSDEEP

1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/Ouf:7WNqkOJWmo1HpM0MkTUmuf

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2164	explorer.exe
2204	spoolsv.exe
2880	svchost.exe
2784	spoolsv.exe

Loads dropped DLL 8 IoCs

pid	Process
2196	9dcb6d48ac9e9d78af6cd6818951f180_NeikiAnalytics.exe
2196	9dcb6d48ac9e9d78af6cd6818951f180_NeikiAnalytics.exe
2164	explorer.exe
2164	explorer.exe
2204	spoolsv.exe
2204	spoolsv.exe
2880	svchost.exe
2880	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	9dcb6d48ac9e9d78af6cd6818951f180_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2196	9dcb6d48ac9e9d78af6cd6818951f180_NeikiAnalytics.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2880	svchost.exe
2880	svchost.exe
2164	explorer.exe
2880	svchost.exe
2164	explorer.exe
2880	svchost.exe
2164	explorer.exe
2880	svchost.exe
2164	explorer.exe
2880	svchost.exe
2164	explorer.exe
2880	svchost.exe
2164	explorer.exe
2880	svchost.exe
2164	explorer.exe
2880	svchost.exe
2164	explorer.exe
2880	svchost.exe
2164	explorer.exe
2880	svchost.exe
2164	explorer.exe
2880	svchost.exe
2164	explorer.exe
2880	svchost.exe
2164	explorer.exe
2880	svchost.exe
2164	explorer.exe
2880	svchost.exe
2164	explorer.exe
2880	svchost.exe
2164	explorer.exe
2880	svchost.exe
2164	explorer.exe
2880	svchost.exe
2164	explorer.exe
2880	svchost.exe
2164	explorer.exe
2880	svchost.exe
2164	explorer.exe
2880	svchost.exe
2164	explorer.exe
2880	svchost.exe
2164	explorer.exe
2880	svchost.exe
2164	explorer.exe
2880	svchost.exe
2164	explorer.exe
2880	svchost.exe
2164	explorer.exe
2880	svchost.exe
2164	explorer.exe
2880	svchost.exe
2164	explorer.exe
2880	svchost.exe
2164	explorer.exe
2880	svchost.exe
2164	explorer.exe
2880	svchost.exe
2164	explorer.exe
2880	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2164	explorer.exe
2880	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2196	9dcb6d48ac9e9d78af6cd6818951f180_NeikiAnalytics.exe
2196	9dcb6d48ac9e9d78af6cd6818951f180_NeikiAnalytics.exe
2164	explorer.exe
2164	explorer.exe
2204	spoolsv.exe
2204	spoolsv.exe
2880	svchost.exe
2880	svchost.exe
2784	spoolsv.exe
2784	spoolsv.exe
2164	explorer.exe
2164	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2164	2196	9dcb6d48ac9e9d78af6cd6818951f180_NeikiAnalytics.exe	28
PID 2196 wrote to memory of 2164	2196	9dcb6d48ac9e9d78af6cd6818951f180_NeikiAnalytics.exe	28
PID 2196 wrote to memory of 2164	2196	9dcb6d48ac9e9d78af6cd6818951f180_NeikiAnalytics.exe	28
PID 2196 wrote to memory of 2164	2196	9dcb6d48ac9e9d78af6cd6818951f180_NeikiAnalytics.exe	28
PID 2164 wrote to memory of 2204	2164	explorer.exe	29
PID 2164 wrote to memory of 2204	2164	explorer.exe	29
PID 2164 wrote to memory of 2204	2164	explorer.exe	29
PID 2164 wrote to memory of 2204	2164	explorer.exe	29
PID 2204 wrote to memory of 2880	2204	spoolsv.exe	30
PID 2204 wrote to memory of 2880	2204	spoolsv.exe	30
PID 2204 wrote to memory of 2880	2204	spoolsv.exe	30
PID 2204 wrote to memory of 2880	2204	spoolsv.exe	30
PID 2880 wrote to memory of 2784	2880	svchost.exe	31
PID 2880 wrote to memory of 2784	2880	svchost.exe	31
PID 2880 wrote to memory of 2784	2880	svchost.exe	31
PID 2880 wrote to memory of 2784	2880	svchost.exe	31
PID 2880 wrote to memory of 2960	2880	svchost.exe	32
PID 2880 wrote to memory of 2960	2880	svchost.exe	32
PID 2880 wrote to memory of 2960	2880	svchost.exe	32
PID 2880 wrote to memory of 2960	2880	svchost.exe	32
PID 2880 wrote to memory of 2812	2880	svchost.exe	36
PID 2880 wrote to memory of 2812	2880	svchost.exe	36
PID 2880 wrote to memory of 2812	2880	svchost.exe	36
PID 2880 wrote to memory of 2812	2880	svchost.exe	36
PID 2880 wrote to memory of 1012	2880	svchost.exe	38
PID 2880 wrote to memory of 1012	2880	svchost.exe	38
PID 2880 wrote to memory of 1012	2880	svchost.exe	38
PID 2880 wrote to memory of 1012	2880	svchost.exe	38

C:\Users\Admin\AppData\Local\Temp\9dcb6d48ac9e9d78af6cd6818951f180_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9dcb6d48ac9e9d78af6cd6818951f180_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2196
- \??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2164
- - \??\c:\windows\system\spoolsv.exe
    c:\windows\system\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2204
  - - \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2880
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2784
    - - C:\Windows\SysWOW64\at.exe
        
        at 03:15 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2960
    - - C:\Windows\SysWOW64\at.exe
        
        at 03:16 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:2812
    - - C:\Windows\SysWOW64\at.exe
        
        at 03:17 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        5⤵
        
        PID:1012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
65KB

MD5
0f709b24022905dff868fb491e581b09

SHA1
f4e1e42ff1694480aa7a76e1e7eeb579590724a6

SHA256
9235af4236e9d54a5b71b44aa04e5c2944f17b6c354f2f3ce937f69660bf250f

SHA512
34b5e739e225aa1c4ba9da916171edfaa257f476965e65af8c6bc7c7b568151e3bfad093fdb2f98e7a9f33be5de9e1ede87a122f51024e60e8aaa99b0f1fb2f0

Download Submit
\Windows\system\explorer.exe

Filesize
65KB

MD5
15dcdf7fcf0a091ba8fdc06508f2407b

SHA1
a4e9062976f685d30e35e017d2a550162076f6b3

SHA256
a1bb9f8a3d4e7b6324d607aef144c16a309c77d49b185a4d23298a149c9e9555

SHA512
3a789fd3c669c40e16b3afc23f307673a445efcd0ec06e953f40c7685a61010b92e3dec93816368fcd80dc007f81f4d0f971bcd3fd25a691fffa1a1e903089af

Download Submit
\Windows\system\spoolsv.exe

Filesize
65KB

MD5
48b81c519354ba77fbf16a896a11572b

SHA1
c36b024c11c44f0df9e862494ffa843351277f6b

SHA256
30ef6c4059e4ab6e0567475e7d5c9a2a2599ef57de04b41f29dee3f9426bf1eb

SHA512
66e630c26427adf4016ce4f9e5efa5a52944733b5d5f155210f9fa22070e20f0a2c477561e3876bf1b9feb346738cb5825f94b65c4d612fbd798f8c2330fb54c

Download Submit
\Windows\system\svchost.exe

Filesize
65KB

MD5
0cab11b593b9cd97ef93d6fc966fc12e

SHA1
4277dfc68d3f04c7fc3120bfa3d0d462c70e2c25

SHA256
0d95ca0751bad437043efcb3a0c6a1f62276641e0dc4f81441b0e3dd31788873

SHA512
812a2fd4c7adb76e34ae599b2de7b68953d1bf6adadc5a60526fdf95dc268d53635111885515e6b2c481e3f8e855aa87b1a32f0f07a73a7520f6fb93d71cb2e5

Download Submit
memory/2164-35-0x0000000002C80000-0x0000000002CB1000-memory.dmp

Filesize
196KB

Download
memory/2164-93-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2164-82-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2164-20-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2164-17-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2164-34-0x0000000002C80000-0x0000000002CB1000-memory.dmp

Filesize
196KB

Download
memory/2196-79-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2196-66-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2196-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2196-19-0x0000000000830000-0x0000000000861000-memory.dmp

Filesize
196KB

Download
memory/2196-2-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2196-4-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/2196-3-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2196-80-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/2196-1-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2204-52-0x0000000002460000-0x0000000002491000-memory.dmp

Filesize
196KB

Download
memory/2204-78-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2204-36-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2204-53-0x0000000002460000-0x0000000002491000-memory.dmp

Filesize
196KB

Download
memory/2204-40-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2784-67-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2784-73-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2880-65-0x0000000002640000-0x0000000002671000-memory.dmp

Filesize
196KB

Download
memory/2880-60-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2880-55-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2880-84-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2880-54-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download