Analysis
max time kernel: 150s
max time network: 119s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 14-06-2024 05:03
Static task: static1
Behavioral task: behavioral1
  Sample: a45c75ee4ccf86cda5643524d14568b0_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: a45c75ee4ccf86cda5643524d14568b0_NeikiAnalytics.exe
  Resource: win10v2004-20240611-en
General
Target: a45c75ee4ccf86cda5643524d14568b0_NeikiAnalytics.exe
Size: 66KB
MD5: a45c75ee4ccf86cda5643524d14568b0
SHA1: c6d47b9d3fb6bb6fb9e2f93e5557aea6ec97e31a
SHA256: 6aef9ea370a7a355f11c5801112f7671918619837c6a42c91f62f7fea214d4e9
SHA512: 2a76877c034fcdaec22d4ce0592b9c200ebd0fc0b2feee1a67dba4183f98d094358a30107ac0cbf9b30b3ed07dfcd353be91dc7028fd602b215e879d90dcdb9c
SSDEEP: 1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXi7:IeklMMYJhqezw/pXzH9i7
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Executes dropped EXE (4 IoCs)
pid | Process
2884 | explorer.exe
2736 | spoolsv.exe
2632 | svchost.exe
2628 | spoolsv.exe
Loads dropped DLL (8 IoCs)
pid | Process
2420 | a45c75ee4ccf86cda5643524d14568b0_NeikiAnalytics.exe
2420 | a45c75ee4ccf86cda5643524d14568b0_NeikiAnalytics.exe
2884 | explorer.exe
2884 | explorer.exe
2736 | spoolsv.exe
2736 | spoolsv.exe
2632 | svchost.exe
2632 | svchost.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Drops file in Windows directory (6 IoCs)
description | ioc | Process
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
File opened for modification | \??\c:\windows\system\explorer.exe | a45c75ee4ccf86cda5643524d14568b0_NeikiAnalytics.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2420 | a45c75ee4ccf86cda5643524d14568b0_NeikiAnalytics.exe
2884 | explorer.exe
2884 | explorer.exe
2884 | explorer.exe
2884 | explorer.exe
2632 | svchost.exe
2632 | svchost.exe
2632 | svchost.exe
2884 | explorer.exe
2884 | explorer.exe
2632 | svchost.exe
2632 | svchost.exe
2884 | explorer.exe
2632 | svchost.exe
2884 | explorer.exe
2632 | svchost.exe
2884 | explorer.exe
2632 | svchost.exe
2884 | explorer.exe
2884 | explorer.exe
2632 | svchost.exe
2632 | svchost.exe
2884 | explorer.exe
2632 | svchost.exe
2884 | explorer.exe
2884 | explorer.exe
2632 | svchost.exe
2884 | explorer.exe
2632 | svchost.exe
2884 | explorer.exe
2632 | svchost.exe
2884 | explorer.exe
2632 | svchost.exe
2632 | svchost.exe
2884 | explorer.exe
2632 | svchost.exe
2884 | explorer.exe
2884 | explorer.exe
2632 | svchost.exe
2632 | svchost.exe
2884 | explorer.exe
2632 | svchost.exe
2884 | explorer.exe
2884 | explorer.exe
2632 | svchost.exe
2632 | svchost.exe
2884 | explorer.exe
2884 | explorer.exe
2632 | svchost.exe
2884 | explorer.exe
2632 | svchost.exe
2632 | svchost.exe
2884 | explorer.exe
2884 | explorer.exe
2632 | svchost.exe
2632 | svchost.exe
2884 | explorer.exe
2632 | svchost.exe
2884 | explorer.exe
2632 | svchost.exe
2884 | explorer.exe
2632 | svchost.exe
2884 | explorer.exe
2884 | explorer.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
2884 | explorer.exe
2632 | svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process
2420 | a45c75ee4ccf86cda5643524d14568b0_NeikiAnalytics.exe
2420 | a45c75ee4ccf86cda5643524d14568b0_NeikiAnalytics.exe
2884 | explorer.exe
2884 | explorer.exe
2736 | spoolsv.exe
2736 | spoolsv.exe
2632 | svchost.exe
2632 | svchost.exe
2628 | spoolsv.exe
2628 | spoolsv.exe
2884 | explorer.exe
2884 | explorer.exe
Suspicious use of WriteProcessMemory (28 IoCs)
description | pid | Process | procid_target
PID 2420 wrote to memory of 2884 | 2420 | a45c75ee4ccf86cda5643524d14568b0_NeikiAnalytics.exe | 28
PID 2420 wrote to memory of 2884 | 2420 | a45c75ee4ccf86cda5643524d14568b0_NeikiAnalytics.exe | 28
PID 2420 wrote to memory of 2884 | 2420 | a45c75ee4ccf86cda5643524d14568b0_NeikiAnalytics.exe | 28
PID 2420 wrote to memory of 2884 | 2420 | a45c75ee4ccf86cda5643524d14568b0_NeikiAnalytics.exe | 28
PID 2884 wrote to memory of 2736 | 2884 | explorer.exe | 29
PID 2884 wrote to memory of 2736 | 2884 | explorer.exe | 29
PID 2884 wrote to memory of 2736 | 2884 | explorer.exe | 29
PID 2884 wrote to memory of 2736 | 2884 | explorer.exe | 29
PID 2736 wrote to memory of 2632 | 2736 | spoolsv.exe | 30
PID 2736 wrote to memory of 2632 | 2736 | spoolsv.exe | 30
PID 2736 wrote to memory of 2632 | 2736 | spoolsv.exe | 30
PID 2736 wrote to memory of 2632 | 2736 | spoolsv.exe | 30
PID 2632 wrote to memory of 2628 | 2632 | svchost.exe | 31
PID 2632 wrote to memory of 2628 | 2632 | svchost.exe | 31
PID 2632 wrote to memory of 2628 | 2632 | svchost.exe | 31
PID 2632 wrote to memory of 2628 | 2632 | svchost.exe | 31
PID 2632 wrote to memory of 1264 | 2632 | svchost.exe | 32
PID 2632 wrote to memory of 1264 | 2632 | svchost.exe | 32
PID 2632 wrote to memory of 1264 | 2632 | svchost.exe | 32
PID 2632 wrote to memory of 1264 | 2632 | svchost.exe | 32
PID 2632 wrote to memory of 1516 | 2632 | svchost.exe | 36
PID 2632 wrote to memory of 1516 | 2632 | svchost.exe | 36
PID 2632 wrote to memory of 1516 | 2632 | svchost.exe | 36
PID 2632 wrote to memory of 1516 | 2632 | svchost.exe | 36
PID 2632 wrote to memory of 1804 | 2632 | svchost.exe | 38
PID 2632 wrote to memory of 1804 | 2632 | svchost.exe | 38
PID 2632 wrote to memory of 1804 | 2632 | svchost.exe | 38
PID 2632 wrote to memory of 1804 | 2632 | svchost.exe | 38
Processes
C:\Users\Admin\AppData\Local\Temp\a45c75ee4ccf86cda5643524d14568b0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a45c75ee4ccf86cda5643524d14568b0_NeikiAnalytics.exe"
  PID: 2420
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  \??\c:\windows\system\explorer.exe
    Command line: c:\windows\system\explorer.exe
    PID: 2884
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    \??\c:\windows\system\spoolsv.exe
      Command line: c:\windows\system\spoolsv.exe SE
      PID: 2736
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      \??\c:\windows\system\svchost.exe
        Command line: c:\windows\system\svchost.exe
        PID: 2632
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe PR
          PID: 2628
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\at.exe
          Command line: at 05:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 1264
        C:\Windows\SysWOW64\at.exe
          Command line: at 05:06 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 1516
        C:\Windows\SysWOW64\at.exe
          Command line: at 05:07 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 1804
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads
Filesize: 66KB
MD5: f6a501399be819d154c66f0cc4ea4039
SHA1: 0e3a4aec758238998f461c5bb9fb8cd6f81b9168
SHA256: 9d61d3901bf12fa303bf6f27380aebdb9af636760ada06c7aba90aa22acc50a4
SHA512: 6f1d473aa06daac57c4102a2c25a25c989c277150cd0f2ae6c6022375a1afe69d8cc4d3b91d9e912ac34ef6ee3d7804cc44be228923b2fd805d8571734e47b3c

Filesize: 66KB
MD5: 1be42895bf42472d71399d1395ea1347
SHA1: 6c3591a06c88a2ca90e5e263e0ea2ec2c6d63f5f
SHA256: b15740969877a81fffab27cb22b062528f0db8310210f52c560338e7f2567b86
SHA512: 1b3ff925c82b9ed0bdc1e065208fa093d7d57cd6717839b865f5e9a9c3bc5d3a85da7b6f52b95227f599b2007876b887429cfa80efddbd6ea52fb69869f62c92

Filesize: 66KB
MD5: ba1c7936e532f04d9f5b375062f1aaa5
SHA1: 2a3131152e14252d1bc0013f08ac4d9a8c53d446
SHA256: 427e09ec6ed366187cf703b29e933dadbd4d3a8e8a00301aa5d6af43a0f506bb
SHA512: f1287cec8c98d036bfd872b2bf2f93e63d2e82c91f9a910ae0111010c9f3682d6e1903baa9769e9e4a700962f1f36179d8f58c2b12081c7894bcd98656194cdb

Filesize: 66KB
MD5: ab6c11793fc57d260f15f28353dae216
SHA1: f4818cb1e9cd0561a54320fbb4d86ec8ec298ebf
SHA256: 93a5aaab9a9e6ad37fecface1d87d23c7e3836f83b6954c6ff60024f14299c6b
SHA512: a48c8b99f8069ceb03e44e385dbf5826373e5c78dfc2c9c6291f3be519be17ecb46408d22315999c420fb6d29472452fec189ecafadbf5049c2874a5bb3b0844