Malware Analysis Report

2025-01-06 12:33

Sample ID 240614-e2v4aavepf
Target a2082a7cf861849da32cf00a217b4170_NeikiAnalytics.exe
SHA256 32fd68b57134802bccd1648aafe1689010c7c375856e5f6e9dd748e1126ca831
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

32fd68b57134802bccd1648aafe1689010c7c375856e5f6e9dd748e1126ca831

Threat Level: Known bad

The file a2082a7cf861849da32cf00a217b4170_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Modifies Installed Components in the registry

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-14 04:26

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 04:26

Reported

2024-06-14 04:29

Platform

win7-20240611-en

Max time kernel

150s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a2082a7cf861849da32cf00a217b4170_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\svchost.exe | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\svchost.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system\udsys.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\a2082a7cf861849da32cf00a217b4170_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\svchost.exe | N/A
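The registry and file rows above can be triaged mechanically rather than by eye. The script below is an added example and is not part of the sandbox report or of the sample's own code. It parses rows in the report's own "Set value" / "Key created" layout (a constructed copy of the behavioral1 rows is embedded as input, plus one made-up benign Run entry as a control) and flags the patterns this sample relies on: extra comma-separated entries in Winlogon\Shell (Winlogon launches every entry, not only explorer.exe), Active Setup component names that are not well-formed GUIDs (both names on this page contain letters outside 0-9A-F) or whose StubPath points into a user profile, Run/RunOnce values that launch a system-binary name from a folder where Windows does not keep it (c:\windows\system rather than c:\windows or System32), and ShowSuperHidden forced to 0. The rule names, the LEGIT_DIRS table and the Finding layout are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed input: rows copied from the behavioral1 Signatures tables above
# (Target column dropped, it was N/A throughout) plus one made-up benign Run
# entry at the end that must not be flagged.
SANDBOX_ROWS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "C:\\Windows\\system32\\SecurityHealthSystray.exe" C:\Windows\explorer.exe
'''


@dataclass
class RegEvent:
    op: str        # 'set', 'created' or 'deleted'
    key: str       # key path; for 'set' the value name is the last component
    value: str     # unescaped data for 'set', '' otherwise
    process: str   # process that performed the write


@dataclass
class Finding:
    rule: str
    key: str
    detail: str
    process: str


SET_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+)$')
KEY_RE = re.compile(r'^Key (created|deleted) (.+) (\S+)$')
GUID_RE = re.compile(r'^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$', re.I)

# Folders in which Windows keeps these binaries (assumption of this example).
# c:\windows\system is deliberately not listed.
LEGIT_DIRS = {
    'explorer.exe': {'c:\\windows'},
    'svchost.exe': {'c:\\windows\\system32', 'c:\\windows\\syswow64'},
    'spoolsv.exe': {'c:\\windows\\system32'},
}


def parse_rows(text):
    """Turn the sandbox's flattened table rows into RegEvent objects."""
    events = []
    for line in text.strip().splitlines():
        if m := SET_RE.match(line):
            # the sandbox prints registry data with doubled backslashes
            events.append(RegEvent('set', m[2], m[3].replace('\\\\', '\\'), m[4]))
        elif m := KEY_RE.match(line):
            events.append(RegEvent(m[1], m[2], '', m[3]))
    return events


def first_executable(data):
    """Program launched by a Run/RunOnce/StubPath style value, arguments stripped."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    m = re.match(r'(.+?\.exe)(?:[\s,]|$)', data, re.I)
    return m[1] if m else data.split()[0]


def masquerade(path):
    """True when a well-known system binary name sits outside its real folder."""
    folder, _, name = path.lower().rpartition('\\')
    return name in LEGIT_DIRS and folder not in LEGIT_DIRS[name]


def triage(events):
    findings, flagged_components = [], set()
    for e in events:
        k = e.key.lower()
        if e.op == 'set' and k.endswith('\\winlogon\\shell'):
            # Winlogon starts every comma-separated entry, so anything beyond
            # explorer.exe is an extra autostart.
            extra = [x.strip() for x in e.value.split(',')
                     if x.strip().lower() not in ('explorer.exe', 'c:\\windows\\explorer.exe')]
            if extra:
                findings.append(Finding('winlogon-shell-extra', e.key, ', '.join(extra), e.process))
        elif '\\active setup\\installed components\\{' in k:
            component = k.rsplit('\\installed components\\', 1)[1].split('\\')[0]
            if not GUID_RE.match(component) and component not in flagged_components:
                flagged_components.add(component)
                findings.append(Finding('activesetup-not-a-guid', e.key, component, e.process))
            if e.op == 'set' and k.endswith('\\stubpath'):
                exe = first_executable(e.value)
                if '\\appdata\\' in exe.lower() or '\\users\\' in exe.lower():
                    findings.append(Finding('activesetup-stubpath-in-profile', e.key, exe, e.process))
        elif e.op == 'set' and ('\\currentversion\\run\\' in k or '\\currentversion\\runonce\\' in k):
            exe = first_executable(e.value)
            if masquerade(exe):
                findings.append(Finding('run-key-masquerade', e.key, exe, e.process))
        elif e.op == 'set' and k.endswith('\\explorer\\advanced\\showsuperhidden') and e.value == '0':
            findings.append(Finding('hide-system-files', e.key, 'ShowSuperHidden=0', e.process))
    return findings


if __name__ == '__main__':
    for f in triage(parse_rows(SANDBOX_ROWS)):
        print(f'{f.rule:32} {f.process}  {f.detail}')
```

Run as-is it reports six findings for the seven constructed rows and nothing for the control row; the same parse_rows/triage pair works on the behavioral2 rows, which differ only in the user SID and the WOW6432Node capitalisation.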

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Identical rows
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a2082a7cf861849da32cf00a217b4170_NeikiAnalytics.exe | N/A | 1
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A | 32
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A | 31

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Identical rows
PID 2648 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Local\Temp\a2082a7cf861849da32cf00a217b4170_NeikiAnalytics.exe | \??\c:\windows\system\explorer.exe | 4
PID 2432 wrote to memory of 2724 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe | 4
PID 2724 wrote to memory of 2932 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe | 4
PID 2932 wrote to memory of 2564 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | 4
PID 2932 wrote to memory of 2788 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe | 4
PID 2932 wrote to memory of 1644 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe | 4
PID 2932 wrote to memory of 596 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe | 4

Processes

C:\Users\Admin\AppData\Local\Temp\a2082a7cf861849da32cf00a217b4170_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a2082a7cf861849da32cf00a217b4170_NeikiAnalytics.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 04:28 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 04:29 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 04:30 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
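The WriteProcessMemory rows and the at.exe command lines above describe one process chain, but the report lists them flat and repeats each row. The script below is an added example, not part of the report, that rebuilds the parent/child tree from the unique rows, returns the lineage of any PID, and parses each at.exe command line into a structured job (time, /interactive, /every day set, target) so that "scheduled every day of the week" and "target is the dropped svchost.exe" become assertions rather than something read off the page. The input is a constructed copy of the behavioral1 rows. One caveat worth keeping in mind when reading behavioral2: at.exe has been deprecated since Windows 8 and prints a deprecation notice instead of creating a job, so on the win10 run the three at.exe launches most likely scheduled nothing; the report records the launches, not their outcome.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed input: the unique WriteProcessMemory rows and the at.exe
# command lines from the behavioral1 sections above.
WPM_ROWS = r'''
PID 2648 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\a2082a7cf861849da32cf00a217b4170_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 2432 wrote to memory of 2724 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2724 wrote to memory of 2932 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2932 wrote to memory of 2564 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2932 wrote to memory of 2788 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2932 wrote to memory of 1644 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2932 wrote to memory of 596 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
'''
AT_CMDLINES = [
    r'at 04:28 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe',
    r'at 04:29 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe',
    r'at 04:30 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe',
]

WPM_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$')
AT_RE = re.compile(r'^at\s+(\d{1,2}:\d{2})((?:\s+/\S+)*)\s+(.+)$', re.I)
ALL_DAYS = {'M', 'T', 'W', 'Th', 'F', 'S', 'Su'}   # at.exe /every: day tokens


def basename(path):
    return path.rsplit('\\', 1)[-1].lower()


def build_tree(text):
    """Return (pid->image, parent->[children], child->parent) from the rows."""
    image, children, parent = {}, defaultdict(list), {}
    for line in text.strip().splitlines():
        m = WPM_RE.match(line)
        if not m:
            continue
        ppid, cpid = int(m[1]), int(m[2])
        image.setdefault(ppid, m[3])
        image.setdefault(cpid, m[4])
        if cpid not in parent:            # the sandbox repeats each row; keep one edge
            parent[cpid] = ppid
            children[ppid].append(cpid)
    return image, children, parent


def lineage(parent, image, pid):
    """Image names from the root of the tree down to pid."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return [basename(image[p]) for p in reversed(chain)]


def render(image, children, pid, depth=0):
    """Indented one-line-per-process view, parent before children."""
    lines = [f"{'  ' * depth}{pid} {basename(image[pid])}"]
    for child in children.get(pid, []):
        lines.extend(render(image, children, child, depth + 1))
    return lines


@dataclass
class AtJob:
    time: str
    interactive: bool
    days: set
    command: str

    @property
    def daily(self):
        return self.days == ALL_DAYS


def parse_at(cmdline):
    """Structured view of an `at HH:MM [/interactive] [/every:...] cmd` line."""
    m = AT_RE.match(cmdline.strip())
    if not m:
        return None
    flags = [f.lower() for f in m[2].split()]
    days = set()
    for f in flags:
        if f.startswith('/every:'):
            days = {d.capitalize() for d in f.split(':', 1)[1].split(',')}
    return AtJob(m[1], '/interactive' in flags, days, m[3])


if __name__ == '__main__':
    image, children, parent = build_tree(WPM_ROWS)
    for root in (p for p in image if p not in parent):
        print('\n'.join(render(image, children, root)))
    for job in map(parse_at, AT_CMDLINES):
        print(f'at {job.time} daily={job.daily} interactive={job.interactive} -> {job.command}')
```

On the constructed input the only root is PID 2648 (the submitted file), every at.exe instance sits four levels below it, and all three jobs are daily, interactive, and point at c:\windows\system\svchost.exe, i.e. the dropped copy rather than the real one in System32.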

Network

N/A

Files

memory/2648-0-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2648-4-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2648-3-0x0000000000020000-0x0000000000024000-memory.dmp

memory/2648-2-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2648-1-0x0000000000400000-0x0000000000431000-memory.dmp

\Windows\system\explorer.exe

MD5 795dfedce788b0d2cf1044a72e9b26a1
SHA1 3a738826b52e36eef6a411bc9ec1c7541289bc52
SHA256 c78eb0923946f8488e19f8d2b146e98d7d2676bd0abefa1692eb4a9d9df547f5
SHA512 29e3f21f868ebdddc4dff37e8b324b18da5a5653bd251677dc779e7ddc1a40b5d6bb2eae2281090b46df4b5ccf6a17012efd6a4860906c97083b602c42abd34d

memory/2648-17-0x0000000002690000-0x00000000026C1000-memory.dmp

memory/2648-19-0x0000000002690000-0x00000000026C1000-memory.dmp

memory/2432-21-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2432-18-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2432-30-0x0000000000530000-0x0000000000561000-memory.dmp

\Windows\system\spoolsv.exe

MD5 7a0fe1e422bb56ae62c795bab4ed3953
SHA1 3a90ca97662ba3949304c289ac4dfa5ac976ab09
SHA256 7028d8dbb047554403111fed16aa3b9a5a5ba0ee73a910680f70dba779ea76cd
SHA512 bb6414742735a3b98bdfa9ce484e49d18b0f09494ef9b99564d87f665913292217b8906748b1b211417e5ae154b1ab186aac0ea21605c28b2a1a3e9de2e33e49

memory/2724-36-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2724-37-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2724-41-0x0000000000400000-0x0000000000431000-memory.dmp

\Windows\system\svchost.exe

MD5 74f58738868c33043062edcfa9339b50
SHA1 67d9b72477cb722751d073a41204bd26a44d4b57
SHA256 25cd6575b7e0182a80616ea6d4efe20132b8688c15dd6e5b853bba0f1ee8b8ae
SHA512 a03b1f45bd35c46c37b6973832bd2050fc58251c2a66299643669d891b8cfc9eaf6558d72dbc2d353ced815dbe9705c7ddfc69c9921760f738f1a703c3028374

memory/2932-58-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2724-57-0x0000000003140000-0x0000000003171000-memory.dmp

memory/2932-53-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2932-64-0x0000000002AE0000-0x0000000002B11000-memory.dmp

memory/2564-65-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2564-70-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2724-74-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2648-76-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2648-77-0x0000000000401000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 94f2ab5b937b9c930985c8ba8038d485
SHA1 2814ba8585f81e952c9d62eafff196c5e2128679
SHA256 f05b2c38fc93c00f18bfd046744eb5ba4f006185ba8c9da4ab384d7660005863
SHA512 19f1090882deb7f760d42264a4d6abe63bd73ae8686e71b64edf0d8bee6f586332228e69f644144d1c4e3fd0798612ea46401a9d96625c51444c4d8ddef3a9f1

memory/2432-79-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2932-81-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2432-90-0x0000000000400000-0x0000000000431000-memory.dmp

\??\PIPE\atsvc (the Task Scheduler RPC named pipe that at.exe talks to; the hashes below are those of zero-length input, so no pipe content was captured)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 04:26

Reported

2024-06-14 04:29

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a2082a7cf861849da32cf00a217b4170_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\svchost.exe | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\svchost.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\a2082a7cf861849da32cf00a217b4170_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\svchost.exe | N/A
File opened for modification | C:\Windows\system\udsys.exe | \??\c:\windows\system\explorer.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Identical rows
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a2082a7cf861849da32cf00a217b4170_NeikiAnalytics.exe | N/A | 2
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A | 33
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A | 29

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Identical rows
PID 3264 wrote to memory of 2952 | N/A | C:\Users\Admin\AppData\Local\Temp\a2082a7cf861849da32cf00a217b4170_NeikiAnalytics.exe | \??\c:\windows\system\explorer.exe | 3
PID 2952 wrote to memory of 3012 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe | 3
PID 3012 wrote to memory of 2224 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe | 3
PID 2224 wrote to memory of 2316 | N/A | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | 3
PID 2224 wrote to memory of 4888 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe | 3
PID 2224 wrote to memory of 2696 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe | 3
PID 2224 wrote to memory of 2600 | N/A | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe | 3

Processes

C:\Users\Admin\AppData\Local\Temp\a2082a7cf861849da32cf00a217b4170_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a2082a7cf861849da32cf00a217b4170_NeikiAnalytics.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 04:28 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 04:29 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 04:30 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 2.17.107.128:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 128.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 102.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/3264-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3264-1-0x00000000001D0000-0x00000000001D4000-memory.dmp

memory/3264-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3264-2-0x0000000074E50000-0x0000000074FAD000-memory.dmp

memory/3264-4-0x0000000000401000-0x000000000042E000-memory.dmp

\??\c:\windows\system\explorer.exe

MD5 10bca5cb7f7bdbf2b41bffa1a5b586e7
SHA1 604b4ab131b06030ad9184a1ff2b29e528fb6306
SHA256 6a887bc362af6a494bc317c060d62342c6dc1bc8046afeba2ccbfa81f72acaff
SHA512 9bb3fd05adf566344381d40c3973a8ddd7a7e728b5651fd2a84dd933d7723a4a66617ef379274e2e592e9ee3a695763e52bc80f613fd3602a40bba5efbca30a6

memory/2952-16-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2952-15-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2952-13-0x0000000074E50000-0x0000000074FAD000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 cb930044d1317bb25f465148d613f47d
SHA1 7b301629baf782af074c5b7087a071badb3fade7
SHA256 e5a46b6034319e05827662e6aa56bd3da5833c3285cdf90fb530d887988bc8b9
SHA512 a534cfd5e1e8caf085e9ccf41cd94b6bcaeab29501d84d5c61fdf3831aac7b39d5f38e6461c95d45b03282ac6de0ff8468fcca5967e2a9f14170c86871fdf1d2

memory/3012-29-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3012-25-0x0000000074E50000-0x0000000074FAD000-memory.dmp

C:\Windows\System\svchost.exe

MD5 763db524dcaf9dd064bde1216cccffe5
SHA1 3e2254ffd470466c39dc4253b061ed612c665fe3
SHA256 ffb71c434a2e545c8bd36177ac086845da53bfb40a1ec1a2cec1c6e5d0edd0c6
SHA512 955ce0def7ba063cf13ad6eb90234a666c0074bf6a643dec014123eda3e0df04299f61b2a17c13da957b7f58c9e5e0424380c11011e878a000cc2e8f529dccb5

memory/2224-36-0x0000000074E50000-0x0000000074FAD000-memory.dmp

memory/2316-42-0x0000000074E50000-0x0000000074FAD000-memory.dmp

memory/2316-48-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3012-51-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3264-54-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3264-55-0x0000000000401000-0x000000000042E000-memory.dmp

memory/3264-53-0x00000000001D0000-0x00000000001D4000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 d14fecb5d565c4ca97590f5a25298ce9
SHA1 031e68406ccc8555a43b0470db9048609c102652
SHA256 2f0c851607797e763de3912d8b695877e370fa1ff8078ab2f266dea00de5b825
SHA512 309ea5729175c8f36325678a3560c0f10ecc5fd45b8452314ae74a34a3d47de4b79628ab4e6a311065335ab5491b0043aa7ee49bed5f72c5fccfee22626ad8d0

memory/2952-57-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2224-59-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2952-68-0x0000000000400000-0x0000000000431000-memory.dmp