Malware Analysis Report

2025-01-06 11:57

Sample ID 240614-er6f9sydmk
Target a148aa61b4c81e2e415452f804932ca0_NeikiAnalytics.exe
SHA256 c5e468d4009ef8e0e2a04e577dbcc10e041d26d32f6125b13178b801c3ef44e3
Tags: evasion persistence
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: c5e468d4009ef8e0e2a04e577dbcc10e041d26d32f6125b13178b801c3ef44e3

Threat Level: Known bad

The file a148aa61b4c81e2e415452f804932ca0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Modifies Installed Components in the registry

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-14 04:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-14 04:11
Reported: 2024-06-14 04:14
Platform: win7-20240221-en
Max time kernel: 150s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a148aa61b4c81e2e415452f804932ca0_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\a148aa61b4c81e2e415452f804932ca0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a148aa61b4c81e2e415452f804932ca0_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1740 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\a148aa61b4c81e2e415452f804932ca0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 2916 wrote to memory of 2732 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2732 wrote to memory of 2932 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2932 wrote to memory of 2604 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2932 wrote to memory of 2000 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2932 wrote to memory of 1432 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2932 wrote to memory of 352 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a148aa61b4c81e2e415452f804932ca0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a148aa61b4c81e2e415452f804932ca0_NeikiAnalytics.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 04:13 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 04:14 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 04:15 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

N/A

Files

C:\Windows\system\explorer.exe

MD5 28a1a8a12ffa75a4d2316bb4c6c25c08
SHA1 e1631d5fd3b4e86a65816df40a67ddec12cec67e
SHA256 060d9874e7c7c263d49e95d6c096a88b378ad2bb189b96411f26a2eba91c7c28
SHA512 bd35d662010ea1941f71cecdfb55d68a6cb4c828c83d4b1a1c87c167b29f010a04f33fabd53ca8953596566f378a62c57a3f53c6e5d52e8ebb4d5ac3664cd216

\Windows\system\spoolsv.exe

MD5 4ef81296bee253b381f568038697cbbf
SHA1 dd6cabacbc6046a8e462fc1904b43971fa57efb6
SHA256 2a7d70418737a55259654b7e09c2fb030be1c7a2c7751c61bbd71816cb741b40
SHA512 6aadbbfa208af2d991b94340be588725446c8a80c4d2e7706a531a164a343ae9a41de1c51f2dd084311e648e0f6777c667aa306001f2f92053613988ddb2692e

\Windows\system\svchost.exe

MD5 e60074894061c58f6c5fec24e6296915
SHA1 eaaf5bb4bbf804984093d8ebdf8b25cac1f3e0bb
SHA256 79145997fd357f51fca5b8e88dc62fafe13b7ada42f46d6ccf52d47835f275d2
SHA512 66bda6b8e1be2ebccb7473400ba746fec6295f05a7d80aa35e04b7fa83afdecdd14c4e5f42eb75896486aa0d6f4e12044f213369225b6fa842ddd7b58efeaa91

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 527a460106e24fbc7c34843f8c3492ef
SHA1 a25c014b76804f24f52a5e8b6b097bd6d34b9948
SHA256 7034815e845d6aaf9f1333323135220e569cef92f308da869cd88a7ffc075ab7
SHA512 6c3af031fef85c9ef483fe163e7e5f91c41b7bec6a671d27823a313f8bdd72497f0c46495ebd8fb8149fcb38706e210bde966c4ee8b2655a1b350d8cf6cf5bd5

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-14 04:11
Reported: 2024-06-14 04:14
Platform: win10v2004-20240226-en
Max time kernel: 151s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a148aa61b4c81e2e415452f804932ca0_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\a148aa61b4c81e2e415452f804932ca0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a148aa61b4c81e2e415452f804932ca0_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3364 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\a148aa61b4c81e2e415452f804932ca0_NeikiAnalytics.exe \??\c:\windows\system\explorer.exe
PID 4164 wrote to memory of 3596 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3596 wrote to memory of 3704 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 3704 wrote to memory of 1960 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 3704 wrote to memory of 2440 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3704 wrote to memory of 2140 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3704 wrote to memory of 1628 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a148aa61b4c81e2e415452f804932ca0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a148aa61b4c81e2e415452f804932ca0_NeikiAnalytics.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 04:13 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4240 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\at.exe

at 04:14 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 04:15 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 102.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.187.234:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 234.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

C:\Windows\System\explorer.exe

MD5 375211e7f83440a4d27dcc2a8beb23b2
SHA1 1068a73dd5a06acae7b473b5e928dc873a0d7b5c
SHA256 6b0b790b9479a1358ae48d89f9c0d49e0df7aa3f32b8ec8a1d1a6374f726852b
SHA512 c612bfb9ecde1cde953a8816557178ceb3713359580c5c604fcadccaa3791418a7b77a7bb6ae9b24515b42b750cd3ec6d384a264a67694dcab90ce7e99cbbb8c

C:\Windows\System\spoolsv.exe

MD5 37e574c007a1974048aeee0cebcba83a
SHA1 0fd3331ca9ce32e76d6113dd2fd4d4202f7f3044
SHA256 5c9ef4b3828040709bc29874683a5de6f7f92d5a50ff3764de9b82f2d8d95c03
SHA512 ba86d7be796d85484372f17713bcb9e750e10fc71fd314e55cb63d8b4f48b06918d66797fc8b590689c241aa1b65323f979fbb2fa9be036bb2f83a8fb84995d4

C:\Windows\System\svchost.exe

MD5 ad2e61c392fdaaaf5cc5b9222e09d2ca
SHA1 e8a6cdd0f3527fe712434b9a43d80a3f1e174523
SHA256 dff613bc99111666702d563c9527d325b2906c982944d488a86f4c89c65a04d6
SHA512 de7d35a8887df9e773317a59ad175aa5e8abdf033845246631c13153c6b688d0b5770bed91341987930ee67479ab073e647febbcf66f3fd13314d5a442e820e8

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 8a8a2cb240705941c42b8a3bb6774f94
SHA1 753ab3c52c0a0a6aa884f17e1f8272430997f6b4
SHA256 8f73d4a0ba43bae413df8d0448df6b3854fdbdfe6a5c49f772736e6004661601
SHA512 31407144e223aafbb8d186016c61337a60cbfb9b0affceb3045ade7d728ddddeaea3bfa6850f3a92b059489733ade206308a02b8fcf7b6fd583413be9bc5b878
