Malware Analysis Report

2025-01-06 11:58

Sample ID 240614-elhs1sybrm
Target a0b1e86b13ae5e57e120b939277a7cf0_NeikiAnalytics.exe
SHA256 f7b30606f95231e501356ba47757134a0d5037d08d56d97447cafa32ad086637
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f7b30606f95231e501356ba47757134a0d5037d08d56d97447cafa32ad086637

Threat Level: Known bad

The file a0b1e86b13ae5e57e120b939277a7cf0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies WinLogon for persistence

Modifies visiblity of hidden/system files in Explorer

Modifies Installed Components in the registry

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-14 04:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 04:01

Reported

2024-06-14 04:04

Platform

win7-20240611-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a0b1e86b13ae5e57e120b939277a7cf0_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\a0b1e86b13ae5e57e120b939277a7cf0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0b1e86b13ae5e57e120b939277a7cf0_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1936 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\a0b1e86b13ae5e57e120b939277a7cf0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 1936 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\a0b1e86b13ae5e57e120b939277a7cf0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 1936 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\a0b1e86b13ae5e57e120b939277a7cf0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 1936 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\a0b1e86b13ae5e57e120b939277a7cf0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 1492 wrote to memory of 2652 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1492 wrote to memory of 2652 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1492 wrote to memory of 2652 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1492 wrote to memory of 2652 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2652 wrote to memory of 2684 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2652 wrote to memory of 2684 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2652 wrote to memory of 2684 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2652 wrote to memory of 2684 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2684 wrote to memory of 2696 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2684 wrote to memory of 2696 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2684 wrote to memory of 2696 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2684 wrote to memory of 2696 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2684 wrote to memory of 2776 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2684 wrote to memory of 2776 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2684 wrote to memory of 2776 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2684 wrote to memory of 2776 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2684 wrote to memory of 1972 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2684 wrote to memory of 1972 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2684 wrote to memory of 1972 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2684 wrote to memory of 1972 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2684 wrote to memory of 264 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2684 wrote to memory of 264 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2684 wrote to memory of 264 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2684 wrote to memory of 264 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a0b1e86b13ae5e57e120b939277a7cf0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a0b1e86b13ae5e57e120b939277a7cf0_NeikiAnalytics.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 04:03 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 04:04 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 04:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

N/A

Files

memory/1936-0-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\system\explorer.exe

MD5 9402e91dd73894a858d0cdd4bef4050b
SHA1 61a5da465f92bdf76c4b46d043e39f7baef3edc7
SHA256 9c4d82e7139b11ca29c48c8ffd6c2b6771bae3d18b55a9a61d9a615617b9bb6b
SHA512 b676f391619c92044b83a0f4745d0db25c71ff3f456f07922e14d1277eac5f2926ff2d7b324d81a59749023664fba3178cd41508a70cde5151d0b0210a6057a0

memory/1936-13-0x0000000002C60000-0x0000000002CA0000-memory.dmp

memory/1936-14-0x0000000002C60000-0x0000000002CA0000-memory.dmp

\Windows\system\spoolsv.exe

MD5 02d6a30158106dc2847276e091a705d4
SHA1 84a61423e33809063c45c7883af2ca88fadf5978
SHA256 b4fa27948b084e9e538f59ae538988c3cf0391d2ef8682a0a3746736403a29cb
SHA512 16c628cc4ac07b92510894ea16de6ff643336b6729c1707580cb9b3a29268fb5594b5a8562a5025732cfaa9c3ce45bf5c2609d780fc25e2657202c7ec0c86e12

memory/2652-28-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\system\svchost.exe

MD5 dd48207cfac8a4eb89765e1f0e99d48c
SHA1 b5c10352780fcef5cb9b28fe69d209311afe3460
SHA256 73ec58c6528ee4ddcd133f32b8bc3a92e1a9e1ef791dcac89b7ff586f5dc00df
SHA512 3cb70eb124ccaf4153d8427d243cd4999fed0a9ca33eee2e19ab83a2b86cf776d770c3d2064f3cd475e312bf505cb1980b4d6d6002ec6b20dac11bfef901d18b

memory/2684-44-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2696-53-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2652-56-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1936-57-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 9ae6dc928e7cb4ad0f5e75f242e678c4
SHA1 1b9f04082bf6308ddf1e25068abd4b393294dc4c
SHA256 69a927f3bd0436e7052c3d88e2aa9c92780ce314cc12130d02cf24a4d33b28c4
SHA512 6708f4c2984bd840b025c0c40ccd66fbf9dfa27541510015eaec2d08e20acf62910dd4789222d6431c559ed02e5d9f2627e6f6f702124ba666c03df04bea74bf

\??\PIPE\atsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 04:01

Reported

2024-06-14 04:04

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a0b1e86b13ae5e57e120b939277a7cf0_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\a0b1e86b13ae5e57e120b939277a7cf0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0b1e86b13ae5e57e120b939277a7cf0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a0b1e86b13ae5e57e120b939277a7cf0_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3892 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\a0b1e86b13ae5e57e120b939277a7cf0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 3892 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\a0b1e86b13ae5e57e120b939277a7cf0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 3892 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\a0b1e86b13ae5e57e120b939277a7cf0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 2488 wrote to memory of 2820 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2488 wrote to memory of 2820 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2488 wrote to memory of 2820 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2820 wrote to memory of 1628 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2820 wrote to memory of 1628 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2820 wrote to memory of 1628 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 1628 wrote to memory of 2664 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 1628 wrote to memory of 2664 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 1628 wrote to memory of 2664 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 1628 wrote to memory of 4196 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1628 wrote to memory of 4196 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1628 wrote to memory of 4196 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1628 wrote to memory of 4812 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1628 wrote to memory of 4812 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1628 wrote to memory of 4812 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1628 wrote to memory of 3624 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1628 wrote to memory of 3624 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1628 wrote to memory of 3624 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a0b1e86b13ae5e57e120b939277a7cf0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a0b1e86b13ae5e57e120b939277a7cf0_NeikiAnalytics.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 04:03 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 04:04 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 04:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 102.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 92.16.208.104.in-addr.arpa udp

Files

memory/3892-0-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\System\explorer.exe

MD5 9dfbba1d5c602f6c6da27ff50b966478
SHA1 585168699dbb6693381c92986a5eb7ef7a947125
SHA256 213ac46f2cbb62501b3f6a0dff41f801c1cc9c4d646eefc01ecdbb817dd5d894
SHA512 6f92ee2b38b3a6010aac960ac84c4f0efd2338e0db3446bab662a318aabd9d45f3851b7c59d7334880a828f836e23fd59021ad3c67a72479df1acb91755572c7

memory/2488-9-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 944ac6f52cfd543beb67300be418d0a1
SHA1 24d42391709f52a0b198f57aecd3c3a8f513d872
SHA256 f06784730c39aafacdf5445a9367a235a66f3a4dfd4775174c0bc24f1c94013b
SHA512 69c2bd5b5aa966a582b59b17088d562439d128628b90e556b22bc4895a7a028c39772b57c7479dbca02e532130b0429cd899aa51438e32f74efad8dec2bb3709

C:\Windows\System\svchost.exe

MD5 769ed95e5d438559e6ba624dc5038792
SHA1 4274c0241e4146fadc34e20b2ebdb1e8561216c7
SHA256 67dce6dcc63cd13e6869e5a324754e72873d026837c55c406a8b7ce93aa6e219
SHA512 267c0bc3efc1b36f2ce0e0087380b97f7dd1741d2339034ebd38561bf700ed3e1a1e502a104ce15b56a51e4292ed5b708320acb1c8b5490c4b5ae51040c2a5be

memory/2664-33-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2820-36-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3892-37-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 2998a7a7f35ae187471770f7a2f2b923
SHA1 9129daf84f14174772da35767784d58a255ea971
SHA256 576a3d831985e7a11508b01be5a7a1e9bb5fb3074265ca25c74be72291ea4a90
SHA512 c41d5eb93d115154fb6e3f546a2a50ec941183d5d624029d91d43367e96b3ac09ad7330637da6321eec947a4de44e722ce464d04c5763c9e47a4f9c3e4a06be8