Analysis

max time kernel: 150s
max time network: 56s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-06-2024 05:18
Static task: static1
Behavioral task behavioral1: sample a511a473c7cd7d3ca87ebf8636fa3a70_NeikiAnalytics.exe, resource win7-20240221-en
Behavioral task behavioral2: sample a511a473c7cd7d3ca87ebf8636fa3a70_NeikiAnalytics.exe, resource win10v2004-20240508-en (the run this report describes)
General

Target: a511a473c7cd7d3ca87ebf8636fa3a70_NeikiAnalytics.exe
Size: 207KB
MD5: a511a473c7cd7d3ca87ebf8636fa3a70
SHA1: 872bd67f81a1ab3c962157f893b6d0aed9917d4a
SHA256: 2fd3a3575350e2281852d333c0da4a09043f2de39efb9e72941ef00d1a96fc24
SHA512: 3009286042351a132a153bb34212d33dc33d52e70a2549ada59a9fe287900593704c20edaae075326ecf9e83d0ca8dc766f89867f6ae54eb9d28b81f3a5fb1c7
SSDEEP: 3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unL0:5vEN2U+T6i5LirrllHy4HUcMQY6K0
Malware Config: none extracted

Signatures

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"  by explorer.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"  by svchost.exe
  The Shell value is a comma-separated list. Keeping the real C:\Windows\explorer.exe first means the desktop comes up normally; the appended c:\windows\system\explorer.exe (the dropped copy, see below) is started alongside it at every interactive logon. Note that the key is written under WOW6432Node, i.e. the 32-bit view of the registry, because the sample is a 32-bit binary.
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  Set value (int)  \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  by explorer.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  by svchost.exe
  ShowSuperHidden = 0 ("Hide protected operating system files") is the Windows default, so this write only matters when a user had turned the option on; it re-hides files carrying the hidden+system attributes. On its own it is a weak indicator and should be scored together with the file drops and autostart entries below.
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"  by svchost.exe
  Key deleted      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}  by svchost.exe
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}  by svchost.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"  by svchost.exe
  Key deleted      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}  by svchost.exe
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}  by explorer.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"  by explorer.exe
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}  by svchost.exe
  Active Setup runs each component's StubPath once per user at logon, whenever the component is missing from that user's HKCU\...\Installed Components, so this entry fires for every account that logs on after infection. Two details make it cheap to detect: the StubPath points into %APPDATA% (legitimate components install from Program Files or System32), and the component names are not valid GUIDs (VMVQ, A9RC, NUFL, OTRW, U5GH and S1EE contain non-hex characters). The keys are deleted and recreated rather than merely written, which is why the two processes account for eight events.
Executes dropped EXE (4 IoCs)
  PID 1148  explorer.exe
  PID 1436  spoolsv.exe
  PID 3344  svchost.exe
  PID 2120  spoolsv.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"  by explorer.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"  by explorer.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"  by svchost.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"  by svchost.exe
  RunOnce entries are removed by Windows after they execute, which is why both running copies rewrite the same two values: each run re-arms the next boot. The value names (Explorer, Svchost) and the targets mimic system binaries, but the paths are in c:\windows\system, not C:\Windows or C:\Windows\System32.
Drops file in Windows directory (6 IoCs)
  File opened for modification  \??\c:\windows\system\svchost.exe   by svchost.exe
  File opened for modification  C:\Windows\system\udsys.exe          by explorer.exe
  File opened for modification  \??\c:\windows\system\explorer.exe  by a511a473c7cd7d3ca87ebf8636fa3a70_NeikiAnalytics.exe
  File opened for modification  \??\c:\windows\system\spoolsv.exe   by explorer.exe
  File opened for modification  \??\c:\windows\system\svchost.exe   by spoolsv.exe
  File opened for modification  \??\c:\windows\system\explorer.exe  by explorer.exe
  C:\Windows\System is a legacy directory that is nearly empty on a current Windows install; explorer.exe belongs in C:\Windows and svchost.exe and spoolsv.exe in C:\Windows\System32. Any executable with one of these names outside its home directory is worth alerting on regardless of hash. udsys.exe is only written here; unlike mrsys.exe it does not appear in any autostart entry in this report.
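The registry and file-drop signatures above describe four autostart tricks (Winlogon Shell append, RunOnce re-arming, Active Setup StubPath with bogus GUIDs, and well-known binary names in the wrong directory). The following is an added example of triage logic over such "Set value" events, not code from the sandbox vendor or the sample; the EVENTS list is constructed from this report's IoCs plus two benign control records, and EXPECTED_HOME and USER_WRITABLE encode assumptions about a default Windows install.

```python
"""Triage registry "Set value" events for the autostart tricks seen above.
Added example; EVENTS is constructed from the report plus two benign controls."""
import re
from typing import List, NamedTuple, Optional


class RegEvent(NamedTuple):
    key: str    # registry path as the sandbox prints it
    value: str  # data written, in string form
    proc: str   # image name of the writing process


class Finding(NamedTuple):
    rule: str
    severity: str
    key: str
    detail: str


WINLOGON_SHELL = "\\winlogon\\shell"
ACTIVE_SETUP = "\\active setup\\installed components\\"
LEGACY_SYSTEM_DIR = "c:\\windows\\system\\"                 # assumption: nothing autostarts from here
USER_WRITABLE = ("c:\\users\\", "\\appdata\\", "\\temp\\", "c:\\programdata\\")
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
# Assumed home directories of these well-known images; the same name elsewhere is masquerading.
EXPECTED_HOME = {
    "explorer.exe": {"c:\\windows\\explorer.exe"},
    "svchost.exe": {"c:\\windows\\system32\\svchost.exe", "c:\\windows\\syswow64\\svchost.exe"},
    "spoolsv.exe": {"c:\\windows\\system32\\spoolsv.exe"},
}

# Constructed from the report's signature tables; the last two are benign controls.
EVENTS = [
    RegEvent(r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell",
             r"C:\Windows\explorer.exe, c:\windows\system\explorer.exe", "explorer.exe"),
    RegEvent(r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer",
             r"c:\windows\system\explorer.exe RO", "explorer.exe"),
    RegEvent(r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost",
             r"c:\windows\system\svchost.exe RO", "svchost.exe"),
    RegEvent(r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath",
             r"C:\Users\Admin\AppData\Roaming\mrsys.exe MR", "svchost.exe"),
    RegEvent(r"\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
             "0", "explorer.exe"),
    RegEvent(r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
             "explorer.exe", "setup.exe"),                                    # benign control (constructed)
    RegEvent(r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{0123ABCD-4567-89EF-0123-456789ABCDEF}\StubPath",
             r"C:\Windows\System32\example.exe /install", "msiexec.exe"),     # benign control (constructed)
]


def first_exe(cmd: str) -> str:
    """Executable path from a command value, lower-cased, quotes stripped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]).lower()
    parts = cmd.split()
    return parts[0].lower() if parts else ""


def suspicious_path(path: str) -> Optional[str]:
    """Reason string if an autostart target lives somewhere it should not, else None."""
    name = path.rsplit("\\", 1)[-1]
    if name in EXPECTED_HOME and path not in EXPECTED_HOME[name]:
        return f"{name} outside its expected location"
    if path.startswith(LEGACY_SYSTEM_DIR):
        return "target in legacy %windir%\\system directory"
    if any(marker in path for marker in USER_WRITABLE):
        return "target in user-writable directory"
    return None


def triage(events: List[RegEvent]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        key = ev.key.lower()
        leaf = key.rsplit("\\", 1)[-1]
        if key.endswith(WINLOGON_SHELL):
            # Shell is a comma-separated list; anything beyond explorer.exe is an extra shell.
            extra = [s.strip() for s in ev.value.split(",")
                     if first_exe(s) not in ("explorer.exe", "c:\\windows\\explorer.exe")]
            if extra:
                findings.append(Finding("winlogon_shell_hijack", "high", ev.key, "; ".join(extra)))
        elif "\\currentversion\\run" in key:          # Run, RunOnce, RunOnceEx, ...
            reason = suspicious_path(first_exe(ev.value))
            if reason:
                findings.append(Finding("run_key_suspicious_target", "high", ev.key, reason))
        elif ACTIVE_SETUP in key and leaf == "stubpath":
            component = key.split(ACTIVE_SETUP, 1)[1].split("\\", 1)[0]
            if not GUID_RE.match(component):
                findings.append(Finding("active_setup_bogus_guid", "high", ev.key, component))
            reason = suspicious_path(first_exe(ev.value))
            if reason:
                findings.append(Finding("active_setup_suspicious_stub", "high", ev.key, reason))
        elif leaf == "showsuperhidden" and ev.value.strip() == "0":
            # 0 is the Windows default; only interesting next to dropped hidden files, hence "low".
            findings.append(Finding("explorer_hide_system_files", "low", ev.key, f"written by {ev.proc}"))
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.key}  ({f.detail})")
```

On this report's events the rules raise six findings (five high, one low) and stay silent on the two benign controls. The path rules are deliberately hash-free: the dropped copies in the Downloads section all have different hashes, so location and name are the indicators that survive repacking.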
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1344  a511a473c7cd7d3ca87ebf8636fa3a70_NeikiAnalytics.exe  (2 hits)
  PID 1148  explorer.exe  (32 hits)
  PID 3344  svchost.exe   (30 hits)
  After the first few hits the two resident copies (1148 and 3344) alternate, two hits each, for the rest of the run.
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  PID 1148  explorer.exe
  PID 3344  svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
  PID 1344  a511a473c7cd7d3ca87ebf8636fa3a70_NeikiAnalytics.exe  (2)
  PID 1148  explorer.exe  (4)
  PID 1436  spoolsv.exe   (2)
  PID 3344  svchost.exe   (2)
  PID 2120  spoolsv.exe   (2)
Suspicious use of WriteProcessMemory (21 IoCs)
  Every writer -> target pair below is logged three times; the distinct pairs are:
  PID 1344  a511a473c7cd7d3ca87ebf8636fa3a70_NeikiAnalytics.exe  -> PID 1148  (target id 81)
  PID 1148  explorer.exe  -> PID 1436  (82)
  PID 1436  spoolsv.exe   -> PID 3344  (83)
  PID 3344  svchost.exe   -> PID 2120  (84)
  PID 3344  svchost.exe   -> PID 4200  (85)
  PID 3344  svchost.exe   -> PID 3168  (94)
  PID 3344  svchost.exe   -> PID 4832  (96)
  Each write lands in a process the writer has just created (see the tree below), so these are the parent-child edges of the infection chain rather than injection into unrelated processes.
Processes

C:\Users\Admin\AppData\Local\Temp\a511a473c7cd7d3ca87ebf8636fa3a70_NeikiAnalytics.exe  (PID 1344)
  command line: "C:\Users\Admin\AppData\Local\Temp\a511a473c7cd7d3ca87ebf8636fa3a70_NeikiAnalytics.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  \??\c:\windows\system\explorer.exe  (PID 1148, child of 1344)
    command line: c:\windows\system\explorer.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    \??\c:\windows\system\spoolsv.exe  (PID 1436, child of 1148)
      command line: c:\windows\system\spoolsv.exe SE
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      \??\c:\windows\system\svchost.exe  (PID 3344, child of 1436)
        command line: c:\windows\system\svchost.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        \??\c:\windows\system\spoolsv.exe  (PID 2120, child of 3344)
          command line: c:\windows\system\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\at.exe  (PID 4200, child of 3344)
          command line: at 05:21 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        C:\Windows\SysWOW64\at.exe  (PID 3168, child of 3344)
          command line: at 05:22 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        C:\Windows\SysWOW64\at.exe  (PID 4832, child of 3344)
          command line: at 05:23 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

The chain is strictly linear until svchost.exe (3344): each stage launches the next dropped copy with a short argument (SE, PR, RO, MR) that differs per launch. The final stage tries to schedule c:\windows\system\svchost.exe three times a day (05:21, 05:22, 05:23, a few minutes after the 05:18 submission time) via the legacy at.exe scheduler. at.exe has been deprecated since Windows 8 in favour of schtasks.exe, and the report records only the invocations, not a resulting job; the confirmed persistence on this Windows 10 image is the Winlogon, RunOnce and Active Setup writes above. All dropped copies run from the 32-bit view of the system (SysWOW64\at.exe, WOW6432Node registry keys).
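The WriteProcessMemory table and the process tree above are two views of the same data: the parent-child edges, logged three times each, and the command lines per PID. The following added example (not the sandbox's own code) rebuilds the tree from the deduplicated edges and parses the at.exe jobs the chain ends in. WRITES and CMDLINES are constructed from this report's tables; the AT_RE grammar is an assumption that covers the forms seen here plus a path-prefixed invocation.

```python
"""Rebuild the process chain from "wrote to memory" rows and parse the at.exe
jobs it ends in.  Added example; WRITES and CMDLINES are constructed from the report."""
import re
from typing import Dict, List

# (writer pid, writer image, target pid); each edge is logged three times in the report.
_EDGES = [
    (1344, "a511a473c7cd7d3ca87ebf8636fa3a70_NeikiAnalytics.exe", 1148),
    (1148, "explorer.exe", 1436),
    (1436, "spoolsv.exe", 3344),
    (3344, "svchost.exe", 2120),
    (3344, "svchost.exe", 4200),
    (3344, "svchost.exe", 3168),
    (3344, "svchost.exe", 4832),
]
WRITES = [edge for edge in _EDGES for _ in range(3)]   # 21 rows, as in the report

CMDLINES = {  # from the Processes section
    1344: r'"C:\Users\Admin\AppData\Local\Temp\a511a473c7cd7d3ca87ebf8636fa3a70_NeikiAnalytics.exe"',
    1148: r"c:\windows\system\explorer.exe",
    1436: r"c:\windows\system\spoolsv.exe SE",
    3344: r"c:\windows\system\svchost.exe",
    2120: r"c:\windows\system\spoolsv.exe PR",
    4200: r"at 05:21 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe",
    3168: r"at 05:22 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe",
    4832: r"at 05:23 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe",
}


def build_tree(writes) -> Dict[int, List[int]]:
    """Parent pid -> child pids, one entry per distinct (parent, child), first-seen order."""
    tree: Dict[int, List[int]] = {}
    seen = set()
    for parent, _image, child in writes:
        if (parent, child) in seen:
            continue
        seen.add((parent, child))
        tree.setdefault(parent, []).append(child)
    return tree


def root_pids(tree) -> List[int]:
    """Parents that are nobody's child: the start of each chain."""
    children = {c for kids in tree.values() for c in kids}
    return [p for p in tree if p not in children]


def render(tree, cmdlines, pid, depth=0, out=None) -> List[str]:
    """Indented text tree, one line per process, depth-first."""
    out = [] if out is None else out
    out.append("  " * depth + f"{pid}  {cmdlines.get(pid, '?')}")
    for child in tree.get(pid, []):
        render(tree, cmdlines, child, depth + 1, out)
    return out


# Assumed grammar: [path\]at[.exe] HH:MM [/flag ...] command
AT_RE = re.compile(r"^(?:\S*\\)?at(?:\.exe)?\s+(\d{1,2}:\d{2})\s+(?P<flags>(?:/\S+\s+)*)(?P<cmd>.+)$", re.I)


def at_jobs(cmdlines) -> List[dict]:
    """Legacy at.exe scheduler jobs found in the command lines."""
    jobs = []
    for pid, cl in cmdlines.items():
        m = AT_RE.match(cl.strip())
        if not m:
            continue
        flags = m.group("flags").split()
        every = next((f.split(":", 1)[1] for f in flags if f.lower().startswith("/every:")), "")
        jobs.append({"pid": pid, "time": m.group(1), "every": every,
                     "interactive": any(f.lower() == "/interactive" for f in flags),
                     "command": m.group("cmd").strip()})
    return jobs


if __name__ == "__main__":
    tree = build_tree(WRITES)
    for root in root_pids(tree):
        print("\n".join(render(tree, CMDLINES, root)))
    for job in at_jobs(CMDLINES):
        print(f"at.exe job (pid {job['pid']}): {job['time']} every {job['every']} "
              f"interactive={job['interactive']} -> {job['command']}")
```

Deduplicating on (parent, child) rather than on the row collapses the 21 rows to the 7 edges, and the tree has a single root (1344) with svchost.exe (3344) as the only node with more than one child, which matches the Processes section. The parsed jobs give the hunting query directly: any at.exe or schtasks.exe invocation whose target sits under c:\windows\system is anomalous on its own.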
Network: no entries in this report
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)

The automated mapping covers only the Run key and Winlogon signatures. The Active Setup StubPath writes (T1547.014, Active Setup) and the at.exe invocations (T1053.002, Scheduled Task/Job: At) recorded above are not reflected in it and should be added when this report is used for coverage or detection mapping.
Downloads

Four dropped files (file names are not given in this extract), each 206KB:

1. MD5: 02d163b39c2d1611f5332ed7296842e0
   SHA1: fc446d98a0c5d33392daa70374b27580f94a45e5
   SHA256: 814975598dace5ade738abde8fc43686e6543caf915891e76c7d29a332fa269c
   SHA512: fef8e7775d4a22a97dad59ed3299eb734684e53859d2bfeab94d48b1efd2b6e3b420c2dd52cb0f35282770d22b1816f7822c681a818b50641c104e19bc38cbff

2. MD5: bdd47b84122bc94f69276ee8f9ec5b98
   SHA1: d6d9fc66a6d116efa2e5c844ef0fc4cd0ee6baae
   SHA256: 0a29e648ef70aa4729ef1806f0e902487c795b9bc95d54816e7185c3c5b3328f
   SHA512: 177cb8927d0ef8df9faebb7f1e1c374a85ab49077ee61be20ea45845f2df41c6ead60473b60a279526e1b05eca93a96d0ed7c1ef0bffd2eb0c41a1f5f8ed6818

3. MD5: daf75b2e40838e14369c981ad5cbb85a
   SHA1: 753665b2747709b5ce5620587d942bde6977336b
   SHA256: 543c465f0460802341aa433787264a0a1bf1a18deb2a35dbf7c912b9752b722f
   SHA512: 5b96e5b841e63ec2ac6b317e5741f48e0544a4a5529e96f3d5a0f9a109ce8138b868622df64b6dce329f6bc7b3663cf10c125e7a12de668a523d33867fd09cbb

4. MD5: b27a152be0194a6fa6af8abf6dd411d0
   SHA1: f320c597921045d9d6863e511c1ac22b70968202
   SHA256: 0686f685ca8abcefe742f6264369c1e483b4ca7af08537038e351911bde446a3
   SHA512: 00d0e2d166d18982de74c18b19fb1a7dea6745e76ccbd03b91e3757dd77174e73ec170ca7469a4b1a54f7879243ef0e31f99bb633914a439948d79ff11d27048

All four copies are the same size but hash differently from each other and from the 207KB parent, so hash-based blocking of the submitted sample will not match the files it leaves behind. The stable indicators are the paths (c:\windows\system\explorer.exe, svchost.exe, spoolsv.exe, udsys.exe; %APPDATA%\mrsys.exe), the registry values listed under Signatures, and the SSDEEP hash of the parent for fuzzy matching.