Analysis
max time kernel: 150s
max time network: 109s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-06-2024 05:03

Static task: static1

Behavioral task: behavioral1
  Sample: a45c75ee4ccf86cda5643524d14568b0_NeikiAnalytics.exe
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample: a45c75ee4ccf86cda5643524d14568b0_NeikiAnalytics.exe
  Resource: win10v2004-20240611-en
General
Target: a45c75ee4ccf86cda5643524d14568b0_NeikiAnalytics.exe
Size: 66KB
MD5: a45c75ee4ccf86cda5643524d14568b0
SHA1: c6d47b9d3fb6bb6fb9e2f93e5557aea6ec97e31a
SHA256: 6aef9ea370a7a355f11c5801112f7671918619837c6a42c91f62f7fea214d4e9
SHA512: 2a76877c034fcdaec22d4ce0592b9c200ebd0fc0b2feee1a67dba4183f98d094358a30107ac0cbf9b30b3ed07dfcd353be91dc7028fd602b215e879d90dcdb9c
SSDEEP: 1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXi7:IeklMMYJhqezw/pXzH9i7
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
- [explorer.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"
- [svchost.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
- [svchost.exe] Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
- [explorer.exe] Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
- [svchost.exe] Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
- [svchost.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"
- [svchost.exe] Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}
- [explorer.exe] Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
- [explorer.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"
- [svchost.exe] Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}
- [svchost.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"
- [svchost.exe] Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
Executes dropped EXE (4 IoCs)
- PID 3700 explorer.exe
- PID 1700 spoolsv.exe
- PID 4624 svchost.exe
- PID 4700 spoolsv.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
- [explorer.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"
- [explorer.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"
- [svchost.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"
- [svchost.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"
Drops file in Windows directory (6 IoCs)
- [spoolsv.exe] File opened for modification \??\c:\windows\system\svchost.exe
- [explorer.exe] File opened for modification \??\c:\windows\system\explorer.exe
- [svchost.exe] File opened for modification \??\c:\windows\system\svchost.exe
- [explorer.exe] File opened for modification C:\Windows\system\udsys.exe
- [a45c75ee4ccf86cda5643524d14568b0_NeikiAnalytics.exe] File opened for modification \??\c:\windows\system\explorer.exe
- [explorer.exe] File opened for modification \??\c:\windows\system\spoolsv.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
The report lists 64 hits, grouped here by PID (the raw report interleaves the explorer.exe and svchost.exe entries):
- PID 4404 a45c75ee4ccf86cda5643524d14568b0_NeikiAnalytics.exe (2 hits)
- PID 3700 explorer.exe (32 hits)
- PID 4624 svchost.exe (30 hits)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
- PID 3700 explorer.exe
- PID 4624 svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
The report lists 12 hits, grouped here by PID:
- PID 4404 a45c75ee4ccf86cda5643524d14568b0_NeikiAnalytics.exe (2 hits)
- PID 3700 explorer.exe (4 hits)
- PID 1700 spoolsv.exe (2 hits)
- PID 4624 svchost.exe (2 hits)
- PID 4700 spoolsv.exe (2 hits)
Suspicious use of WriteProcessMemory (21 IoCs)
Each write is reported three times in the raw output; the seven distinct parent/child pairs are:
- PID 4404 a45c75ee4ccf86cda5643524d14568b0_NeikiAnalytics.exe wrote to memory of PID 3700 (procid_target 88), 3 entries
- PID 3700 explorer.exe wrote to memory of PID 1700 (procid_target 89), 3 entries
- PID 1700 spoolsv.exe wrote to memory of PID 4624 (procid_target 90), 3 entries
- PID 4624 svchost.exe wrote to memory of PID 4700 (procid_target 91), 3 entries
- PID 4624 svchost.exe wrote to memory of PID 3232 (procid_target 92), 3 entries
- PID 4624 svchost.exe wrote to memory of PID 1964 (procid_target 106), 3 entries
- PID 4624 svchost.exe wrote to memory of PID 4916 (procid_target 109), 3 entries
Processes
Process tree (indentation shows parent/child depth; each entry gives the image path, the command line as captured, and the PID):
- C:\Users\Admin\AppData\Local\Temp\a45c75ee4ccf86cda5643524d14568b0_NeikiAnalytics.exe (PID 4404)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a45c75ee4ccf86cda5643524d14568b0_NeikiAnalytics.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - \??\c:\windows\system\explorer.exe (PID 3700)
    Command line: c:\windows\system\explorer.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - \??\c:\windows\system\spoolsv.exe (PID 1700)
      Command line: c:\windows\system\spoolsv.exe SE
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - \??\c:\windows\system\svchost.exe (PID 4624)
        Command line: c:\windows\system\svchost.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - \??\c:\windows\system\spoolsv.exe (PID 4700)
          Command line: c:\windows\system\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        - C:\Windows\SysWOW64\at.exe (PID 3232)
          Command line: at 05:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        - C:\Windows\SysWOW64\at.exe (PID 1964)
          Command line: at 05:06 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        - C:\Windows\SysWOW64\at.exe (PID 4916)
          Command line: at 05:07 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Downloads