Analysis
max time kernel
150s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted
14-06-2024 04:58
Static task
static1
Behavioral task
behavioral1
Sample
a41cb195b4fa25c54fc8401368275220_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
a41cb195b4fa25c54fc8401368275220_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
Target
a41cb195b4fa25c54fc8401368275220_NeikiAnalytics.exe
Size
199KB
MD5
a41cb195b4fa25c54fc8401368275220
SHA1
3ca31b9504717940cc42836bab09b84cc8c6d976
SHA256
2c00e254f198a688532bf9e3b89fdc43f8d8f320b0051378f021dc707fe1afb5
SHA512
74b03042040902dd8211f51a92a4c18be9e025de0bce0aae3f7b1ca2285137f09fe234356f1c6af38396a81069e2780e7ead863998679be046cf3cdfce1aea3e
SSDEEP
6144:7vEN2U+T6i5LirrllHy4HUcMQY6KddddddddddddddddddddddddddddW:7ENN+T5xYrllrU7QY6Kdddddddddddd2
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe

Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe

Executes dropped EXE 4 IoCs
pid | Process
4844 | explorer.exe
3264 | spoolsv.exe
1992 | svchost.exe
8 | spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe

Drops file in Windows directory 6 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
File opened for modification | \??\c:\windows\system\explorer.exe | a41cb195b4fa25c54fc8401368275220_NeikiAnalytics.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process (64 entries, all from these three processes)
5052 | a41cb195b4fa25c54fc8401368275220_NeikiAnalytics.exe
4844 | explorer.exe
1992 | svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
4844 | explorer.exe
1992 | svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs
pid | Process (each entry recorded twice)
5052 | a41cb195b4fa25c54fc8401368275220_NeikiAnalytics.exe
4844 | explorer.exe
3264 | spoolsv.exe
1992 | svchost.exe
8 | spoolsv.exe
4844 | explorer.exe

Suspicious use of WriteProcessMemory 21 IoCs
description | pid | Process | procid_target (each row recorded three times)
PID 5052 wrote to memory of 4844 | 5052 | a41cb195b4fa25c54fc8401368275220_NeikiAnalytics.exe | 82
PID 4844 wrote to memory of 3264 | 4844 | explorer.exe | 83
PID 3264 wrote to memory of 1992 | 3264 | spoolsv.exe | 84
PID 1992 wrote to memory of 8 | 1992 | svchost.exe | 86
PID 1992 wrote to memory of 2688 | 1992 | svchost.exe | 87
PID 1992 wrote to memory of 3344 | 1992 | svchost.exe | 99
PID 1992 wrote to memory of 4344 | 1992 | svchost.exe | 101
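The WriteProcessMemory rows are the flattened form of the parent/child chain that the Processes section draws. The following is an added example (mine, not part of the sandbox output and not the sample's code): it parses rows in exactly the shape this report prints them, collapses the repeated entries into one edge each, and renders the lineage. The pid-to-name map is taken from this report's process list; the trailing number on each row is treated as a sandbox-internal identifier rather than a Windows PID, since it does not match the target pid.

```python
"""Rebuild process lineage from flattened 'PID X wrote to memory of Y' rows."""
import re
from collections import defaultdict

# Distinct rows as they appear in this report (constructed input copied from the page).
_DISTINCT = [
    "PID 5052 wrote to memory of 4844 5052 a41cb195b4fa25c54fc8401368275220_NeikiAnalytics.exe 82",
    "PID 4844 wrote to memory of 3264 4844 explorer.exe 83",
    "PID 3264 wrote to memory of 1992 3264 spoolsv.exe 84",
    "PID 1992 wrote to memory of 8 1992 svchost.exe 86",
    "PID 1992 wrote to memory of 2688 1992 svchost.exe 87",
    "PID 1992 wrote to memory of 3344 1992 svchost.exe 99",
    "PID 1992 wrote to memory of 4344 1992 svchost.exe 101",
]
# The report prints every row three times; reproduce that so the parser sees the real shape.
WPM_ROWS = " ".join(row for row in _DISTINCT for _ in range(3))

# pid -> image name, from this report's process list.
NAMES = {
    5052: "a41cb195b4fa25c54fc8401368275220_NeikiAnalytics.exe", 4844: "explorer.exe",
    3264: "spoolsv.exe", 1992: "svchost.exe", 8: "spoolsv.exe",
    2688: "at.exe", 3344: "at.exe", 4344: "at.exe",
}

# Row shape: "PID <src> wrote to memory of <dst> <src> <src image> <sandbox target id>".
# The backreference \1 checks that the repeated source pid agrees with the description.
ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_edges(text):
    """Return {(src_pid, dst_pid): count}; duplicate rows collapse into one edge."""
    counts = defaultdict(int)
    for src, dst, _image, _target in ROW.findall(text):
        counts[(int(src), int(dst))] += 1
    return dict(counts)


def build_tree(edges):
    """Children per parent, plus the roots (pids nobody wrote into)."""
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    targets = {dst for _, dst in edges}
    roots = sorted({src for src, _ in edges} - targets)
    return children, roots


def render(edges, names):
    """Indented lineage lines, one per process, depth-first from each root."""
    children, roots = build_tree(edges)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {names.get(pid, '?')}")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render(parse_edges(WPM_ROWS), NAMES)))
```

The rendered tree puts the dropper at the root, then explorer.exe, spoolsv.exe and svchost.exe in a chain, with the second spoolsv.exe and the three at.exe invocations as leaves under svchost.exe, which matches the Processes section. Note that a parent writing into a child it just created is what process creation looks like under this kind of hook; the rows are evidence of lineage, not by themselves of code injection into a foreign process.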
Processes
C:\Users\Admin\AppData\Local\Temp\a41cb195b4fa25c54fc8401368275220_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a41cb195b4fa25c54fc8401368275220_NeikiAnalytics.exe"
  PID: 5052
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  \??\c:\windows\system\explorer.exe
    Command line: c:\windows\system\explorer.exe
    PID: 4844
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    \??\c:\windows\system\spoolsv.exe
      Command line: c:\windows\system\spoolsv.exe SE
      PID: 3264
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      \??\c:\windows\system\svchost.exe
        Command line: c:\windows\system\svchost.exe
        PID: 1992
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe PR
          PID: 8
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\at.exe
          Command line: at 05:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 2688
        C:\Windows\SysWOW64\at.exe
          Command line: at 05:01 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 3344
        C:\Windows\SysWOW64\at.exe
          Command line: at 05:02 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 4344
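The registry writes, look-alike binaries under c:\windows\system\ and the three at.exe jobs above map onto a small set of hunting rules. The following is an added example (mine, not part of the sandbox output and not the sample's code) that runs those rules offline over a few constructed, Sysmon-shaped events modelled on this report's IoCs (Event ID 13 registry value set, Event ID 1 process create). The event dicts, their field names, the HKLM/HKU spelling of the key paths and the table of expected binary locations are assumptions for the example; the technique IDs are MITRE ATT&CK Enterprise. One detail from the page worth its own rule: the Active Setup component name {Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} is not a valid GUID (a real one is hex digits only), which is a cheap, high-confidence indicator regardless of what the StubPath points at.

```python
"""Hunting rules for the persistence and masquerading this report records."""
import re
from pathlib import PureWindowsPath

# Where the real binary with each name lives (assumed baseline; the sample drops
# look-alikes into c:\windows\system\, which is none of these).
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}
HEX_GUID = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$")  # applied to lowercased text
USER_WRITABLE = re.compile(r"\\(users|appdata|temp|programdata)\\", re.I)
NT_PREFIX = re.compile(r"^\\\?\?\\")  # strips the "\??\" NT object-manager prefix


def check_registry(target, value):
    """Findings (technique, reason) for one registry value-set event."""
    findings = []
    low = target.lower()
    # Default Winlogon Shell data is just "explorer.exe"; anything appended runs at logon.
    if low.endswith(r"\winlogon\shell") and value.strip().lower() != "explorer.exe":
        findings.append(("T1547.004 Winlogon Helper DLL", f"Shell = {value!r}"))
    m = re.search(r"\\active setup\\installed components\\(\{[^}]*\})\\stubpath$", low)
    if m:
        if not HEX_GUID.match(m.group(1)):
            findings.append(("T1547.014 Active Setup", f"malformed component GUID {m.group(1)}"))
        if USER_WRITABLE.search(value):
            findings.append(("T1547.014 Active Setup", f"StubPath in user-writable dir: {value}"))
    # Any Run/RunOnce write is surfaced; in production, filter on the writing image.
    if re.search(r"\\currentversion\\run(once)?\\[^\\]+$", low):
        findings.append(("T1547.001 Registry Run Keys / Startup Folder", f"{target} = {value}"))
    if low.endswith(r"\explorer\advanced\showsuperhidden") and value.strip() == "0":
        findings.append(("T1564.001 Hidden Files and Directories", "ShowSuperHidden set to 0"))
    return findings


def check_process(image, command_line):
    """Findings for one process-create event."""
    findings = []
    p = PureWindowsPath(NT_PREFIX.sub("", image))
    name, folder = p.name.lower(), str(p.parent).lower()
    if name in EXPECTED_DIRS and folder not in EXPECTED_DIRS[name]:
        findings.append(("T1036.005 Match Legitimate Name or Location", f"{name} from {folder}"))
    if name == "at.exe" and re.search(r"/every:", command_line, re.I):
        findings.append(("T1053.002 Scheduled Task/Job: At", command_line))
    return findings


# Constructed events modelled on this report's IoCs (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"c:\windows\system\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": r"C:\Windows\explorer.exe, c:\windows\system\explorer.exe"},
    {"EventID": 13, "Image": r"c:\windows\system\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath",
     "Details": r"C:\Users\Admin\AppData\Roaming\mrsys.exe MR"},
    {"EventID": 13, "Image": r"c:\windows\system\explorer.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost",
     "Details": r"c:\windows\system\svchost.exe RO"},
    {"EventID": 13, "Image": r"c:\windows\system\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
     "Details": "0"},
    {"EventID": 1, "Image": r"\??\c:\windows\system\spoolsv.exe",
     "CommandLine": r"c:\windows\system\spoolsv.exe SE"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\at.exe",
     "CommandLine": r"at 05:00 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe"},
    # Benign control: the real Explorer from its normal location.
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
]


def hunt(events):
    """Run every event through the rules; return (image, technique, reason) triples."""
    hits = []
    for ev in events:
        if ev["EventID"] == 13:
            found = check_registry(ev["TargetObject"], ev["Details"])
        elif ev["EventID"] == 1:
            found = check_process(ev["Image"], ev["CommandLine"])
        else:
            found = []
        hits.extend((ev["Image"], tech, why) for tech, why in found)
    return hits


if __name__ == "__main__":
    for image, tech, why in hunt(SAMPLE_EVENTS):
        print(f"{tech:48} {image}  ({why})")
```

Against the constructed events the rules produce seven findings and none for the benign control. The Winlogon and ShowSuperHidden rules compare against known-good data, so they are low-noise; the Run/RunOnce rule fires on every write and needs an allow-list of installer images before it is usable as an alert rather than a hunt.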
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (3)
Registry Run Keys / Startup Folder (2)
Winlogon Helper DLL (1)
Privilege Escalation
Boot or Logon Autostart Execution (3)
Registry Run Keys / Startup Folder (2)
Winlogon Helper DLL (1)
Downloads
Filesize
216KB
MD5
af4039dbf06e533f5c2c4a942bb66b7b
SHA1
2aadc8dba9dbc6bb7a97f6f4c03ebea0fbaeb299
SHA256
4410488a12edba237dda7cbea8875260f72cf66500d6d4339a10871c324f9fbd
SHA512
e8ae31f3ae844863ddf9ca52d43a19984717515c45efccc86d4192e3f6a31a13ed840a10b911269b83fd332bf0ffb2390d2fedcfb9fdaba57cc201311454c451

Filesize
216KB
MD5
251c31e1c9de13b4919f5a4e3ab44164
SHA1
dc6b810205d6e90ec67170ae78bd4ac8a845464e
SHA256
39964da01502ab11e04246bad42e684d44dc69f4de4ab51e2881e966748e32e4
SHA512
220821922e381a60c9e4aaaf1e28e09d6c74b195be567c22dcfc1e8b69155505fd96aeb520c429561990ebd15f42cbceeccf37af8ff0b8db546aaa6f946050da

Filesize
216KB
MD5
245592ce9f5e0cbd22a4b4823c1b5ed7
SHA1
dfe1cbece277215ff432712aacf3baac98558190
SHA256
98d785551e449eb50e4e7cd08b00d9d82f4e8995b7adaf3d2a97201c32798011
SHA512
79bf60deb0ab94d4ab111b1df07970433a0f010564bc3a1e7f6fc5b1adffd8eff9d864997e0726310a65ba79ab46fdb68d6ce875e1e44a08e49701eb399c4fe5

Filesize
216KB
MD5
0f95ef9cae8e76faa32b8753d1abc7bf
SHA1
820dacf7a09ec1c393bb2ce3b764131ec71f7a8c
SHA256
d4baf497721633870e3a5914cfbbed3fb1a7d0376bce24cb7d34d16c4fd2ebde
SHA512
b9a497716a73196b3e644a5aef5eac7159904720cd1d4f242d6065be6910c8d0f252d77fadbdff6519558db1d39e6be8032a4bc9c15ea35c80c7ebc968983eed