3663bcc4745cc5a4a3a71f626f4c39f6a2f9a017b09ed4ebb1b58ab76c4c80e6

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2024, 00:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c72e9f1b810f52e088693201f1f7bf50_NeikiAnalytics.exe
Size

3.6MB
MD5

c72e9f1b810f52e088693201f1f7bf50
SHA1

32d30807fbf2a0203d9a15a2e148ea41b389a0b0
SHA256

3663bcc4745cc5a4a3a71f626f4c39f6a2f9a017b09ed4ebb1b58ab76c4c80e6
SHA512

45c2307bd3bd8b396dc0b7c4b304576d671d639e54867d67c65a7c657cdab74da254e8e6d1435f3d9fe064def045744e15e8c77d2950b3fd66aaa422b56337a0
SSDEEP

98304:JdByXcdnlLwOrI5Vfeg91hZOhkRpsinjj:Jdien+OrFuBR6cj

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
4984	explorer.exe
1652	spoolsv.exe
2496	svchost.exe
4772	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 35 IoCs

pid	Process
1972	c72e9f1b810f52e088693201f1f7bf50_NeikiAnalytics.exe
4984	explorer.exe
1652	spoolsv.exe
1652	spoolsv.exe
2496	svchost.exe
4772	spoolsv.exe
4984	explorer.exe
2496	svchost.exe
4984	explorer.exe
2496	svchost.exe
4984	explorer.exe
2496	svchost.exe
4984	explorer.exe
2496	svchost.exe
4984	explorer.exe
2496	svchost.exe
4984	explorer.exe
2496	svchost.exe
4984	explorer.exe
2496	svchost.exe
4984	explorer.exe
2496	svchost.exe
4984	explorer.exe
2496	svchost.exe
4984	explorer.exe
2496	svchost.exe
4984	explorer.exe
2496	svchost.exe
4984	explorer.exe
2496	svchost.exe
4984	explorer.exe
2496	svchost.exe
4984	explorer.exe
2496	svchost.exe
4984	explorer.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	c72e9f1b810f52e088693201f1f7bf50_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1972	c72e9f1b810f52e088693201f1f7bf50_NeikiAnalytics.exe
1972	c72e9f1b810f52e088693201f1f7bf50_NeikiAnalytics.exe
1972	c72e9f1b810f52e088693201f1f7bf50_NeikiAnalytics.exe
1972	c72e9f1b810f52e088693201f1f7bf50_NeikiAnalytics.exe
1972	c72e9f1b810f52e088693201f1f7bf50_NeikiAnalytics.exe
1972	c72e9f1b810f52e088693201f1f7bf50_NeikiAnalytics.exe
1972	c72e9f1b810f52e088693201f1f7bf50_NeikiAnalytics.exe
1972	c72e9f1b810f52e088693201f1f7bf50_NeikiAnalytics.exe
1972	c72e9f1b810f52e088693201f1f7bf50_NeikiAnalytics.exe
1972	c72e9f1b810f52e088693201f1f7bf50_NeikiAnalytics.exe
1972	c72e9f1b810f52e088693201f1f7bf50_NeikiAnalytics.exe
1972	c72e9f1b810f52e088693201f1f7bf50_NeikiAnalytics.exe
1972	c72e9f1b810f52e088693201f1f7bf50_NeikiAnalytics.exe
1972	c72e9f1b810f52e088693201f1f7bf50_NeikiAnalytics.exe
1972	c72e9f1b810f52e088693201f1f7bf50_NeikiAnalytics.exe
1972	c72e9f1b810f52e088693201f1f7bf50_NeikiAnalytics.exe
1972	c72e9f1b810f52e088693201f1f7bf50_NeikiAnalytics.exe
1972	c72e9f1b810f52e088693201f1f7bf50_NeikiAnalytics.exe
1972	c72e9f1b810f52e088693201f1f7bf50_NeikiAnalytics.exe
1972	c72e9f1b810f52e088693201f1f7bf50_NeikiAnalytics.exe
1972	c72e9f1b810f52e088693201f1f7bf50_NeikiAnalytics.exe
1972	c72e9f1b810f52e088693201f1f7bf50_NeikiAnalytics.exe
1972	c72e9f1b810f52e088693201f1f7bf50_NeikiAnalytics.exe
1972	c72e9f1b810f52e088693201f1f7bf50_NeikiAnalytics.exe
1972	c72e9f1b810f52e088693201f1f7bf50_NeikiAnalytics.exe
1972	c72e9f1b810f52e088693201f1f7bf50_NeikiAnalytics.exe
1972	c72e9f1b810f52e088693201f1f7bf50_NeikiAnalytics.exe
1972	c72e9f1b810f52e088693201f1f7bf50_NeikiAnalytics.exe
1972	c72e9f1b810f52e088693201f1f7bf50_NeikiAnalytics.exe
1972	c72e9f1b810f52e088693201f1f7bf50_NeikiAnalytics.exe
1972	c72e9f1b810f52e088693201f1f7bf50_NeikiAnalytics.exe
1972	c72e9f1b810f52e088693201f1f7bf50_NeikiAnalytics.exe
1972	c72e9f1b810f52e088693201f1f7bf50_NeikiAnalytics.exe
1972	c72e9f1b810f52e088693201f1f7bf50_NeikiAnalytics.exe
4984	explorer.exe
4984	explorer.exe
4984	explorer.exe
4984	explorer.exe
4984	explorer.exe
4984	explorer.exe
4984	explorer.exe
4984	explorer.exe
4984	explorer.exe
4984	explorer.exe
4984	explorer.exe
4984	explorer.exe
4984	explorer.exe
4984	explorer.exe
4984	explorer.exe
4984	explorer.exe
4984	explorer.exe
4984	explorer.exe
4984	explorer.exe
4984	explorer.exe
4984	explorer.exe
4984	explorer.exe
4984	explorer.exe
4984	explorer.exe
4984	explorer.exe
4984	explorer.exe
4984	explorer.exe
4984	explorer.exe
4984	explorer.exe
4984	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4984	explorer.exe
2496	svchost.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
1972	c72e9f1b810f52e088693201f1f7bf50_NeikiAnalytics.exe
1972	c72e9f1b810f52e088693201f1f7bf50_NeikiAnalytics.exe
1972	c72e9f1b810f52e088693201f1f7bf50_NeikiAnalytics.exe
4984	explorer.exe
4984	explorer.exe
4984	explorer.exe
1652	spoolsv.exe
1652	spoolsv.exe
1652	spoolsv.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
4772	spoolsv.exe
4772	spoolsv.exe
4772	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 4984	1972	c72e9f1b810f52e088693201f1f7bf50_NeikiAnalytics.exe	82
PID 1972 wrote to memory of 4984	1972	c72e9f1b810f52e088693201f1f7bf50_NeikiAnalytics.exe	82
PID 1972 wrote to memory of 4984	1972	c72e9f1b810f52e088693201f1f7bf50_NeikiAnalytics.exe	82
PID 4984 wrote to memory of 1652	4984	explorer.exe	85
PID 4984 wrote to memory of 1652	4984	explorer.exe	85
PID 4984 wrote to memory of 1652	4984	explorer.exe	85
PID 1652 wrote to memory of 2496	1652	spoolsv.exe	86
PID 1652 wrote to memory of 2496	1652	spoolsv.exe	86
PID 1652 wrote to memory of 2496	1652	spoolsv.exe	86
PID 2496 wrote to memory of 4772	2496	svchost.exe	87
PID 2496 wrote to memory of 4772	2496	svchost.exe	87
PID 2496 wrote to memory of 4772	2496	svchost.exe	87

C:\Users\Admin\AppData\Local\Temp\c72e9f1b810f52e088693201f1f7bf50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c72e9f1b810f52e088693201f1f7bf50_NeikiAnalytics.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1972
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4984
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1652
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2496
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:4772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
3.6MB

MD5
f5183df34675dd0b6cb4803ab5d413de

SHA1
ea41bef970b877a229ec5111be1e543814532b92

SHA256
19a3b431ebb42d9406b96ec7916d811b481f89d585e0ed0a3de67a3971ee1569

SHA512
f9c1d2e80e29daaad7d00080e3bd40d60f57f8e6c0a503df8c626b5a6a347c9f91f0f043fe3bced70c10a37ffd2a3ce3a88ef2f903f7f5c2e0ab847aace48e14

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
3.6MB

MD5
303407767d2e52056c085d948cc1d429

SHA1
4ab2a3274751266c5de9ebac83110e3fef95cc0b

SHA256
bbeb4e64efd7e64ed7535782ab1acc4739a2c423023319c2b13454cfe5aa021e

SHA512
24455c3323bb06dbf8da4fd33c1286fdf137c20ebb8e50a18907fda182182d630382e12258a227b7968c3733ebdb3f25fa58af65528c3f82e0f509738b1f1712

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
3.6MB

MD5
52e73c7c50cf10accd628e32f3a8b5f0

SHA1
9d17988616936eac7b906c23a29aa6500f0a5f5b

SHA256
d2e44aa347a30212ec8da6614e3448e62d5dd4ca30c41ac040b5c53ad4b4145a

SHA512
00e19e755e8d1aea9cd138fd006ea8bb77c1b9f0b93817fca86c023c50aa258dfc8020390512b7af7f8f394d3ae1e8b222cd2621ee6c8a208727bf76082ff276

Download Submit
memory/1652-39-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/1652-20-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/1972-2-0x0000000077D63000-0x0000000077D64000-memory.dmp

Filesize
4KB

Download
memory/1972-1-0x0000000077D62000-0x0000000077D63000-memory.dmp

Filesize
4KB

Download
memory/1972-0-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/1972-41-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2496-60-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2496-64-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2496-29-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2496-70-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2496-43-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2496-68-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2496-46-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2496-66-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2496-62-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2496-50-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2496-56-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2496-52-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2496-54-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/4772-38-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/4984-63-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/4984-47-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/4984-57-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/4984-59-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/4984-11-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/4984-49-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/4984-51-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/4984-55-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/4984-61-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/4984-65-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/4984-53-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/4984-67-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/4984-44-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/4984-69-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/4984-42-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download