Malware Analysis Report

2025-01-06 13:02

Sample ID 240614-ephmesycnk
Target a100dab8e010174b8a7a5f28cbf42f50_NeikiAnalytics.exe
SHA256 b24a7a6092aec89af83fbdc032bd3155fb4a3ead51280302f7dc18096bfc532d
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b24a7a6092aec89af83fbdc032bd3155fb4a3ead51280302f7dc18096bfc532d

Threat Level: Known bad

The file a100dab8e010174b8a7a5f28cbf42f50_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Modifies Installed Components in the registry

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-14 04:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 04:06

Reported

2024-06-14 04:09

Platform

win7-20240611-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a100dab8e010174b8a7a5f28cbf42f50_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\a100dab8e010174b8a7a5f28cbf42f50_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a100dab8e010174b8a7a5f28cbf42f50_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1804 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\a100dab8e010174b8a7a5f28cbf42f50_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 1804 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\a100dab8e010174b8a7a5f28cbf42f50_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 1804 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\a100dab8e010174b8a7a5f28cbf42f50_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 1804 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\a100dab8e010174b8a7a5f28cbf42f50_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 2952 wrote to memory of 3008 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2952 wrote to memory of 3008 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2952 wrote to memory of 3008 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2952 wrote to memory of 3008 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3008 wrote to memory of 2636 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 3008 wrote to memory of 2636 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 3008 wrote to memory of 2636 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 3008 wrote to memory of 2636 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2636 wrote to memory of 2732 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2636 wrote to memory of 2732 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2636 wrote to memory of 2732 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2636 wrote to memory of 2732 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2636 wrote to memory of 2584 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2636 wrote to memory of 2584 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2636 wrote to memory of 2584 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2636 wrote to memory of 2584 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2636 wrote to memory of 1304 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2636 wrote to memory of 1304 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2636 wrote to memory of 1304 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2636 wrote to memory of 1304 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2636 wrote to memory of 1100 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2636 wrote to memory of 1100 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2636 wrote to memory of 1100 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2636 wrote to memory of 1100 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a100dab8e010174b8a7a5f28cbf42f50_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a100dab8e010174b8a7a5f28cbf42f50_NeikiAnalytics.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 04:08 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 04:09 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 04:10 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

N/A

Files

memory/1804-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1804-1-0x0000000000020000-0x0000000000024000-memory.dmp

memory/1804-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1804-2-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/1804-4-0x0000000000401000-0x000000000042E000-memory.dmp

\Windows\system\explorer.exe

MD5 db66fad2a4c8d2853cf0851c94865d0f
SHA1 e83e2ab08776f7936345e9bbdf8a85cc71e5daee
SHA256 d844944afca3d9e56e7e196c083406282993df75e14ed72efbcc41c1b914ecf5
SHA512 b5daa4f4ad6ea3d5d245526115c36f79ce7556bc1dfce4483487d9033745a15992c66cdf6e52c6f117f79b17fe3077a6ae4c5f984f24afd09deba3ce071f6fc0

memory/1804-13-0x0000000002670000-0x00000000026A1000-memory.dmp

memory/2952-20-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2952-18-0x0000000072940000-0x0000000072A93000-memory.dmp

\Windows\system\spoolsv.exe

MD5 4155db678d0f2ca5c8ae3a27a96f6731
SHA1 63f8a845e3c9fc0eb5c44f2dac113c7b41a245bd
SHA256 b7ee6ad4165e8077c7749ca68947e601dbd9cab0d36adb8fc286f3f0a077d574
SHA512 98353db9943463c9420fc6246b85e376b14b3ebdf2e41297fad4f9ebd6ffe035f16c64c3527143bb06e78ecd0a7b6c5b1ba0251e699c088969203b678c32bbe6

memory/3008-35-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2952-34-0x00000000026C0000-0x00000000026F1000-memory.dmp

memory/3008-36-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/3008-40-0x0000000000400000-0x0000000000431000-memory.dmp

\Windows\system\svchost.exe

MD5 4ab1955555c96d03217d1ade5dee10c6
SHA1 316e5f6d2ea0e0c8c518d8e82ca7c50b463a858a
SHA256 e24f4eb1dd30c6b28fc0300d53438a87441e561836055709dfd33b598acf3e79
SHA512 27658e429bfc6efae682d12cada7e8e9d9567fc7b6b8275c826d413c34aa1ce787b0538e9b832a1f7a331e4a38ae0d47dfbf01632ba8ee7e258da3ab3b9db0f4

memory/3008-51-0x0000000002610000-0x0000000002641000-memory.dmp

memory/2636-57-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2636-53-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2636-64-0x0000000002A10000-0x0000000002A41000-memory.dmp

memory/1804-63-0x0000000000020000-0x0000000000024000-memory.dmp

memory/2732-65-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2732-71-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3008-75-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1804-77-0x0000000000401000-0x000000000042E000-memory.dmp

memory/1804-76-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 bc2a7a1468b63330ca4b1a03487220b9
SHA1 73a200b15f9a07c8941e47c58ce23921c6507154
SHA256 2a0e03f3cb771374ac04e6cf7b091fd060c2903ccd73ad7556d30f4f2af57ddd
SHA512 f922d565b00e130597d014e0cdad8375049a060e4cc070b4acf83ddd3ff02e396978c8cf636d119f156ce77de0e64226f3ed519242948e7a9e3942def436908b

memory/2952-79-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2636-81-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2952-90-0x0000000000400000-0x0000000000431000-memory.dmp

\??\PIPE\atsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 04:06

Reported

2024-06-14 04:09

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a100dab8e010174b8a7a5f28cbf42f50_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\a100dab8e010174b8a7a5f28cbf42f50_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a100dab8e010174b8a7a5f28cbf42f50_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a100dab8e010174b8a7a5f28cbf42f50_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1152 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\a100dab8e010174b8a7a5f28cbf42f50_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 1152 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\a100dab8e010174b8a7a5f28cbf42f50_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 1152 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\a100dab8e010174b8a7a5f28cbf42f50_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 2948 wrote to memory of 2712 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2948 wrote to memory of 2712 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2948 wrote to memory of 2712 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2712 wrote to memory of 1324 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2712 wrote to memory of 1324 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2712 wrote to memory of 1324 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 1324 wrote to memory of 2736 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 1324 wrote to memory of 2736 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 1324 wrote to memory of 2736 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 1324 wrote to memory of 1360 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1324 wrote to memory of 1360 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1324 wrote to memory of 1360 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1324 wrote to memory of 4860 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1324 wrote to memory of 4860 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1324 wrote to memory of 4860 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1324 wrote to memory of 5108 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1324 wrote to memory of 5108 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 1324 wrote to memory of 5108 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a100dab8e010174b8a7a5f28cbf42f50_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a100dab8e010174b8a7a5f28cbf42f50_NeikiAnalytics.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 04:08 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 04:09 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 04:10 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Files

memory/1152-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/1152-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1152-2-0x00000000755A0000-0x00000000756FD000-memory.dmp

memory/1152-4-0x0000000000401000-0x000000000042E000-memory.dmp

memory/1152-3-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\System\explorer.exe

MD5 6d7d7accc927785a34d62b92e2b6c149
SHA1 c6005ef5b8cceb1ce138cb3d5643f0bae2eaa779
SHA256 3f269fee77a59cc09f7d94eca6f14ceeb7cafce20a8d059e85852cedb2f70514
SHA512 099f54aca0751692ad1ba48c17c76573f8f838ca775674cf49cc153d16800dc05bf6f2422ed27c8052e64f444ba80f9b3ecc8f2a936f7c433a6a0c98ec766012

memory/2948-16-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2948-14-0x00000000755A0000-0x00000000756FD000-memory.dmp

memory/2948-13-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 724b274906f2187b840c322948f71c11
SHA1 049a85ba57cc803ec3a0b8b1090d2c4db7ac7060
SHA256 2499c4650ee4145554b5d12dd26d49ad3144ec5ea3642a904086b330e13f7196
SHA512 ceb22e0a915a170ca663764432a0fff85cbb84dffa7c04f074649fbe79ffeb5fdfcfcacd0e6e5cf329827b42ba2b1e00a581ed31c4a294eafa33445e6ac0763e

memory/2712-26-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2712-25-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2712-27-0x00000000755A0000-0x00000000756FD000-memory.dmp

\??\c:\windows\system\svchost.exe

MD5 678a60e1878c650d233ac86b2f7c1a4b
SHA1 6c2fc0bcc00ccc201350268dac5040cceb2b709d
SHA256 24214beb9caa33fe0f767ce8ad641f0f75d83b7b723e5664cfaa3fef0188b010
SHA512 898afa6dc13638e764581fe86028c37e1894c4329d71571811c25097007538197e47286c180db40b958c7b7b1be247add78ff0b7bfb96d5ae03c1d74151cf5b5

memory/1324-37-0x00000000755A0000-0x00000000756FD000-memory.dmp

memory/1324-41-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2736-44-0x00000000755A0000-0x00000000756FD000-memory.dmp

memory/2736-50-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2712-54-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1152-55-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1152-57-0x0000000000401000-0x000000000042E000-memory.dmp

memory/1152-56-0x00000000001C0000-0x00000000001C4000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 bf42debb6d46a674cdfc4ac57c48aac3
SHA1 85d40c95362ea6e761f65b8d9b36304cd97a1a55
SHA256 82b3d3c280801348cab821ee4ef9bf7d89a1ec3b90b9ed04eb8cf6e2f72d017f
SHA512 79489354e63bdd5945cf769ab12a2fb0ea61780df1e6cdcfbf2a809d311a8cae0bf92bfcf0d19413ae90ae9ed7ea1c3bddb221bbdb4dff325ef5f0d1fec124b6

memory/2948-59-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1324-61-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2948-70-0x0000000000400000-0x0000000000431000-memory.dmp