Analysis

max time kernel: 150s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 14-06-2024 05:18
Static task: static1

Behavioral task: behavioral1
Sample: a511a473c7cd7d3ca87ebf8636fa3a70_NeikiAnalytics.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: a511a473c7cd7d3ca87ebf8636fa3a70_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General

Target: a511a473c7cd7d3ca87ebf8636fa3a70_NeikiAnalytics.exe
Size: 207KB
MD5: a511a473c7cd7d3ca87ebf8636fa3a70
SHA1: 872bd67f81a1ab3c962157f893b6d0aed9917d4a
SHA256: 2fd3a3575350e2281852d333c0da4a09043f2de39efb9e72941ef00d1a96fc24
SHA512: 3009286042351a132a153bb34212d33dc33d52e70a2549ada59a9fe287900593704c20edaae075326ecf9e83d0ca8dc766f89867f6ae54eb9d28b81f3a5fb1c7
SSDEEP: 3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unL0:5vEN2U+T6i5LirrllHy4HUcMQY6K0
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Executes dropped EXE (4 IoCs)
pid | Process
2992 | explorer.exe
2836 | spoolsv.exe
2732 | svchost.exe
2652 | spoolsv.exe
Loads dropped DLL (8 IoCs)
pid | Process
2964 | a511a473c7cd7d3ca87ebf8636fa3a70_NeikiAnalytics.exe
2964 | a511a473c7cd7d3ca87ebf8636fa3a70_NeikiAnalytics.exe
2992 | explorer.exe
2992 | explorer.exe
2836 | spoolsv.exe
2836 | spoolsv.exe
2732 | svchost.exe
2732 | svchost.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Drops file in Windows directory (6 IoCs)
description | ioc | Process
File opened for modification | \??\c:\windows\system\explorer.exe | a511a473c7cd7d3ca87ebf8636fa3a70_NeikiAnalytics.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2964 | a511a473c7cd7d3ca87ebf8636fa3a70_NeikiAnalytics.exe
2992 | explorer.exe
2992 | explorer.exe
2992 | explorer.exe
2732 | svchost.exe
2732 | svchost.exe
2992 | explorer.exe
2732 | svchost.exe
2992 | explorer.exe
2732 | svchost.exe
2992 | explorer.exe
2732 | svchost.exe
2992 | explorer.exe
2732 | svchost.exe
2992 | explorer.exe
2732 | svchost.exe
2992 | explorer.exe
2732 | svchost.exe
2992 | explorer.exe
2732 | svchost.exe
2992 | explorer.exe
2732 | svchost.exe
2992 | explorer.exe
2732 | svchost.exe
2992 | explorer.exe
2732 | svchost.exe
2992 | explorer.exe
2732 | svchost.exe
2992 | explorer.exe
2732 | svchost.exe
2992 | explorer.exe
2732 | svchost.exe
2992 | explorer.exe
2732 | svchost.exe
2992 | explorer.exe
2732 | svchost.exe
2992 | explorer.exe
2732 | svchost.exe
2992 | explorer.exe
2732 | svchost.exe
2992 | explorer.exe
2732 | svchost.exe
2992 | explorer.exe
2732 | svchost.exe
2992 | explorer.exe
2732 | svchost.exe
2992 | explorer.exe
2732 | svchost.exe
2992 | explorer.exe
2732 | svchost.exe
2992 | explorer.exe
2732 | svchost.exe
2992 | explorer.exe
2732 | svchost.exe
2992 | explorer.exe
2732 | svchost.exe
2992 | explorer.exe
2732 | svchost.exe
2992 | explorer.exe
2732 | svchost.exe
2992 | explorer.exe
2732 | svchost.exe
2992 | explorer.exe
2732 | svchost.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
2992 | explorer.exe
2732 | svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process
2964 | a511a473c7cd7d3ca87ebf8636fa3a70_NeikiAnalytics.exe
2964 | a511a473c7cd7d3ca87ebf8636fa3a70_NeikiAnalytics.exe
2992 | explorer.exe
2992 | explorer.exe
2836 | spoolsv.exe
2836 | spoolsv.exe
2732 | svchost.exe
2732 | svchost.exe
2652 | spoolsv.exe
2652 | spoolsv.exe
2992 | explorer.exe
2992 | explorer.exe
Suspicious use of WriteProcessMemory (28 IoCs)
description | pid | Process | procid_target
PID 2964 wrote to memory of 2992 | 2964 | a511a473c7cd7d3ca87ebf8636fa3a70_NeikiAnalytics.exe | 28
PID 2964 wrote to memory of 2992 | 2964 | a511a473c7cd7d3ca87ebf8636fa3a70_NeikiAnalytics.exe | 28
PID 2964 wrote to memory of 2992 | 2964 | a511a473c7cd7d3ca87ebf8636fa3a70_NeikiAnalytics.exe | 28
PID 2964 wrote to memory of 2992 | 2964 | a511a473c7cd7d3ca87ebf8636fa3a70_NeikiAnalytics.exe | 28
PID 2992 wrote to memory of 2836 | 2992 | explorer.exe | 29
PID 2992 wrote to memory of 2836 | 2992 | explorer.exe | 29
PID 2992 wrote to memory of 2836 | 2992 | explorer.exe | 29
PID 2992 wrote to memory of 2836 | 2992 | explorer.exe | 29
PID 2836 wrote to memory of 2732 | 2836 | spoolsv.exe | 30
PID 2836 wrote to memory of 2732 | 2836 | spoolsv.exe | 30
PID 2836 wrote to memory of 2732 | 2836 | spoolsv.exe | 30
PID 2836 wrote to memory of 2732 | 2836 | spoolsv.exe | 30
PID 2732 wrote to memory of 2652 | 2732 | svchost.exe | 31
PID 2732 wrote to memory of 2652 | 2732 | svchost.exe | 31
PID 2732 wrote to memory of 2652 | 2732 | svchost.exe | 31
PID 2732 wrote to memory of 2652 | 2732 | svchost.exe | 31
PID 2732 wrote to memory of 2532 | 2732 | svchost.exe | 32
PID 2732 wrote to memory of 2532 | 2732 | svchost.exe | 32
PID 2732 wrote to memory of 2532 | 2732 | svchost.exe | 32
PID 2732 wrote to memory of 2532 | 2732 | svchost.exe | 32
PID 2732 wrote to memory of 1360 | 2732 | svchost.exe | 36
PID 2732 wrote to memory of 1360 | 2732 | svchost.exe | 36
PID 2732 wrote to memory of 1360 | 2732 | svchost.exe | 36
PID 2732 wrote to memory of 1360 | 2732 | svchost.exe | 36
PID 2732 wrote to memory of 2256 | 2732 | svchost.exe | 38
PID 2732 wrote to memory of 2256 | 2732 | svchost.exe | 38
PID 2732 wrote to memory of 2256 | 2732 | svchost.exe | 38
PID 2732 wrote to memory of 2256 | 2732 | svchost.exe | 38
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\a511a473c7cd7d3ca87ebf8636fa3a70_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a511a473c7cd7d3ca87ebf8636fa3a70_NeikiAnalytics.exe"
  PID: 2964
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
[depth 2] \??\c:\windows\system\explorer.exe
  Command line: c:\windows\system\explorer.exe
  PID: 2992
  - Modifies WinLogon for persistence
  - Modifies visibility of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
[depth 3] \??\c:\windows\system\spoolsv.exe
  Command line: c:\windows\system\spoolsv.exe SE
  PID: 2836
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
[depth 4] \??\c:\windows\system\svchost.exe
  Command line: c:\windows\system\svchost.exe
  PID: 2732
  - Modifies WinLogon for persistence
  - Modifies visibility of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
[depth 5] \??\c:\windows\system\spoolsv.exe
  Command line: c:\windows\system\spoolsv.exe PR
  PID: 2652
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

[depth 5] C:\Windows\SysWOW64\at.exe
  Command line: at 05:21 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
  PID: 2532

[depth 5] C:\Windows\SysWOW64\at.exe
  Command line: at 05:22 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
  PID: 1360

[depth 5] C:\Windows\SysWOW64\at.exe
  Command line: at 05:23 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
  PID: 2256
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)

Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads