Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 14-06-2024 04:58
Static task: static1
Behavioral task: behavioral1
  Sample: a41cb195b4fa25c54fc8401368275220_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: a41cb195b4fa25c54fc8401368275220_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: a41cb195b4fa25c54fc8401368275220_NeikiAnalytics.exe
Size: 199KB
MD5: a41cb195b4fa25c54fc8401368275220
SHA1: 3ca31b9504717940cc42836bab09b84cc8c6d976
SHA256: 2c00e254f198a688532bf9e3b89fdc43f8d8f320b0051378f021dc707fe1afb5
SHA512: 74b03042040902dd8211f51a92a4c18be9e025de0bce0aae3f7b1ca2285137f09fe234356f1c6af38396a81069e2780e7ead863998679be046cf3cdfce1aea3e
SSDEEP: 6144:7vEN2U+T6i5LirrllHy4HUcMQY6KddddddddddddddddddddddddddddW:7ENN+T5xYrllrU7QY6Kdddddddddddd2
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe

Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe

Executes dropped EXE (4 IoCs)
  pid | Process
  1708 | explorer.exe
  2660 | spoolsv.exe
  2552 | svchost.exe
  2572 | spoolsv.exe

Loads dropped DLL (8 IoCs)
  pid | Process
  1612 | a41cb195b4fa25c54fc8401368275220_NeikiAnalytics.exe
  1612 | a41cb195b4fa25c54fc8401368275220_NeikiAnalytics.exe
  1708 | explorer.exe
  1708 | explorer.exe
  2660 | spoolsv.exe
  2660 | spoolsv.exe
  2552 | svchost.exe
  2552 | svchost.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe

Drops file in Windows directory (6 IoCs)
  description | ioc | Process
  File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
  File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\explorer.exe | a41cb195b4fa25c54fc8401368275220_NeikiAnalytics.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  1612 | a41cb195b4fa25c54fc8401368275220_NeikiAnalytics.exe (1 entry)
  1708 | explorer.exe (3 entries)
  2552 | svchost.exe (2 entries)
  1708 | explorer.exe and 2552 | svchost.exe, alternating, for the remaining 58 entries

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | Process
  1708 | explorer.exe
  2552 | svchost.exe

Suspicious use of SetWindowsHookEx (12 IoCs)
  pid | Process
  1612 | a41cb195b4fa25c54fc8401368275220_NeikiAnalytics.exe
  1612 | a41cb195b4fa25c54fc8401368275220_NeikiAnalytics.exe
  1708 | explorer.exe
  1708 | explorer.exe
  2660 | spoolsv.exe
  2660 | spoolsv.exe
  2552 | svchost.exe
  2552 | svchost.exe
  2572 | spoolsv.exe
  2572 | spoolsv.exe
  1708 | explorer.exe
  1708 | explorer.exe

Suspicious use of WriteProcessMemory (28 IoCs)
  description | pid | Process | procid_target
  PID 1612 wrote to memory of 1708 | 1612 | a41cb195b4fa25c54fc8401368275220_NeikiAnalytics.exe | 28 (4 entries)
  PID 1708 wrote to memory of 2660 | 1708 | explorer.exe | 29 (4 entries)
  PID 2660 wrote to memory of 2552 | 2660 | spoolsv.exe | 30 (4 entries)
  PID 2552 wrote to memory of 2572 | 2552 | svchost.exe | 31 (4 entries)
  PID 2552 wrote to memory of 2512 | 2552 | svchost.exe | 32 (4 entries)
  PID 2552 wrote to memory of 2388 | 2552 | svchost.exe | 36 (4 entries)
  PID 2552 wrote to memory of 2216 | 2552 | svchost.exe | 38 (4 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\a41cb195b4fa25c54fc8401368275220_NeikiAnalytics.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a41cb195b4fa25c54fc8401368275220_NeikiAnalytics.exe"
  PID: 1612
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  \??\c:\windows\system\explorer.exe
    command line: c:\windows\system\explorer.exe
    PID: 1708
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    \??\c:\windows\system\spoolsv.exe
      command line: c:\windows\system\spoolsv.exe SE
      PID: 2660
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      \??\c:\windows\system\svchost.exe
        command line: c:\windows\system\svchost.exe
        PID: 2552
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\system\spoolsv.exe
          command line: c:\windows\system\spoolsv.exe PR
          PID: 2572
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\at.exe
          command line: at 05:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 2512

        C:\Windows\SysWOW64\at.exe
          command line: at 05:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 2388

        C:\Windows\SysWOW64\at.exe
          command line: at 05:02 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 2216
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads

Filesize: 216KB
MD5: 0a0b46d36ab15341fc1b0fc9cf574d2f
SHA1: a3e80771dffe0283dbd5745a11e5a5c76243ce8c
SHA256: d0ff8cbe9bee65082f2c875710d3386159fd30c541600f6007b19b9beeeeaae6
SHA512: bdd5e8f0dae6e6f360f5eb81124e578f7d65e83c180a7fbd5314c29e9513a53eb184bfa9db43f8c9cde00298e451009511c3124e3c4fbc8431028efe7c55fa3e

Filesize: 216KB
MD5: 7cb0fde7d8f7e6b5c068fa0f669e01d3
SHA1: 2dd1f6ea4ea4fecefff240b4cd6684e0c2331c20
SHA256: 3704a6824cf059da6da51fa436c075b117a827172c15bcf8bac6bbc1ed0a2830
SHA512: e34398001b4775e8271edc83938396f485aad09d71cd8212560ac6e6db87335691c6529c4230efdddaed094d5dcd427805426b94e41c3d3a6a00718ad3c58eca

Filesize: 216KB
MD5: 6cf42feb1e7059556a90e1371ab719e0
SHA1: bd7d62f75364202c7837b9d3600b3d978ecddd23
SHA256: e0df725191ab96840e02a0d6844c8c8a081a1962d2c0e55d056d26c1f8e0f972
SHA512: 4bdf8e1b790a900a27d8987ba0ed8bee97baa1431486114050ba0d2d0bd1da9a0032bba0e88669aee57eb0842d2b2dcd60d382adb64434ec3c72d8bf2841577c

Filesize: 216KB
MD5: 74bc660b5ad72e4b9ea8a795770f1687
SHA1: d724cdb0a673075a9afff570f128f02b456e3595
SHA256: 0b9ba4c50dc149577e0c7f3435568b7e82d77a3d21a0f378e0618bb91a07320e
SHA512: 048c4bb3e8ccbc9e6530d85f3adc4ce04f7efbee46a96b93567193e6d98ee9d1542e41aff20254189aa409edc326b6eea4bd7eaff2d26253c7fb5b3fcd12a879