359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 03:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_NeikiAnalytics.exe
Size

736KB
MD5

eecacd56ecfa840bbefec50a630877f0
SHA1

ac5faf74478fd577adeb52626900f0615b39180e
SHA256

359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4
SHA512

24887971b9461ab2ccad5746c576fcb591058cef7c6a734580e75896d2cd92b87e6dd4503484700fdc19e6c1936b1ffdf2821596786db5a61c15d1a552fc9bae
SSDEEP

12288:kJLUNDaQer/5tX2M/qba+Jq3V8JZP+mALcdYJ0MAEe/gBjvrEH7d:klOaTrB92M/qbDhALcRMRe/CrEH7d

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0005000000022f32-2.dat	acprotect

Executes dropped EXE 6 IoCs

pid	Process
3360	359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_neikianalytics.exe
3908	icsys.icn.exe
5004	explorer.exe
748	spoolsv.exe
4128	svchost.exe
3956	spoolsv.exe

Loads dropped DLL 1 IoCs

pid	Process
3364	359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_NeikiAnalytics.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0005000000022f32-2.dat	upx
behavioral2/memory/3364-5-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/3364-63-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_NeikiAnalytics.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_NeikiAnalytics.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3364	359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_NeikiAnalytics.exe
3364	359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_NeikiAnalytics.exe
3364	359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_NeikiAnalytics.exe
3364	359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_NeikiAnalytics.exe
3364	359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_NeikiAnalytics.exe
3364	359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_NeikiAnalytics.exe
3364	359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_NeikiAnalytics.exe
3364	359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_NeikiAnalytics.exe
3364	359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_NeikiAnalytics.exe
3364	359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_NeikiAnalytics.exe
3364	359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_NeikiAnalytics.exe
3364	359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_NeikiAnalytics.exe
3364	359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_NeikiAnalytics.exe
3364	359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_NeikiAnalytics.exe
3364	359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_NeikiAnalytics.exe
3364	359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_NeikiAnalytics.exe
3364	359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_NeikiAnalytics.exe
3364	359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_NeikiAnalytics.exe
3364	359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_NeikiAnalytics.exe
3364	359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_NeikiAnalytics.exe
3364	359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_NeikiAnalytics.exe
3364	359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_NeikiAnalytics.exe
3364	359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_NeikiAnalytics.exe
3364	359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_NeikiAnalytics.exe
3364	359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_NeikiAnalytics.exe
3364	359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_NeikiAnalytics.exe
3364	359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_NeikiAnalytics.exe
3364	359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_NeikiAnalytics.exe
3364	359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_NeikiAnalytics.exe
3364	359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_NeikiAnalytics.exe
3364	359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_NeikiAnalytics.exe
3364	359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_NeikiAnalytics.exe
3908	icsys.icn.exe
3908	icsys.icn.exe
3908	icsys.icn.exe
3908	icsys.icn.exe
3908	icsys.icn.exe
3908	icsys.icn.exe
3908	icsys.icn.exe
3908	icsys.icn.exe
3908	icsys.icn.exe
3908	icsys.icn.exe
3908	icsys.icn.exe
3908	icsys.icn.exe
3908	icsys.icn.exe
3908	icsys.icn.exe
3908	icsys.icn.exe
3908	icsys.icn.exe
3908	icsys.icn.exe
3908	icsys.icn.exe
3908	icsys.icn.exe
3908	icsys.icn.exe
3908	icsys.icn.exe
3908	icsys.icn.exe
3908	icsys.icn.exe
3908	icsys.icn.exe
3908	icsys.icn.exe
3908	icsys.icn.exe
3908	icsys.icn.exe
3908	icsys.icn.exe
3908	icsys.icn.exe
3908	icsys.icn.exe
3908	icsys.icn.exe
3908	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5004	explorer.exe
4128	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3364	359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3364	359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_NeikiAnalytics.exe
3364	359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_NeikiAnalytics.exe
3908	icsys.icn.exe
3908	icsys.icn.exe
5004	explorer.exe
5004	explorer.exe
748	spoolsv.exe
748	spoolsv.exe
4128	svchost.exe
4128	svchost.exe
3956	spoolsv.exe
3956	spoolsv.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3364 wrote to memory of 3360	3364	359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_NeikiAnalytics.exe	81
PID 3364 wrote to memory of 3360	3364	359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_NeikiAnalytics.exe	81
PID 3364 wrote to memory of 3908	3364	359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_NeikiAnalytics.exe	82
PID 3364 wrote to memory of 3908	3364	359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_NeikiAnalytics.exe	82
PID 3364 wrote to memory of 3908	3364	359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_NeikiAnalytics.exe	82
PID 3908 wrote to memory of 5004	3908	icsys.icn.exe	83
PID 3908 wrote to memory of 5004	3908	icsys.icn.exe	83
PID 3908 wrote to memory of 5004	3908	icsys.icn.exe	83
PID 5004 wrote to memory of 748	5004	explorer.exe	84
PID 5004 wrote to memory of 748	5004	explorer.exe	84
PID 5004 wrote to memory of 748	5004	explorer.exe	84
PID 748 wrote to memory of 4128	748	spoolsv.exe	85
PID 748 wrote to memory of 4128	748	spoolsv.exe	85
PID 748 wrote to memory of 4128	748	spoolsv.exe	85
PID 4128 wrote to memory of 3956	4128	svchost.exe	86
PID 4128 wrote to memory of 3956	4128	svchost.exe	86
PID 4128 wrote to memory of 3956	4128	svchost.exe	86

C:\Users\Admin\AppData\Local\Temp\359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3364
- \??\c:\users\admin\appdata\local\temp\359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_neikianalytics.exe
  c:\users\admin\appdata\local\temp\359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_neikianalytics.exe
  2⤵
  - Executes dropped EXE
  PID:3360
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3908
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5004
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:748
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4128
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\359c69d0183ac5a6ae43388910ac72099b3d1ee56ed9745931f306265a8dd0c4_neikianalytics.exe

Filesize
524KB

MD5
4c8eac2a3ecc7de96d8bbacf2b3b8760

SHA1
4369443ecd044a14f99a5be8ff56ca87fc87da6d

SHA256
c32cbcd7bec665237142eb48d6130fc05339702a1ea8250de7fbfc2a462d6304

SHA512
0b2411e84308415ca3644c0ddc81e7e87c2f162004e18b7325bf4e7c81ea350718cf901809a292c6b639c8e6f15ea1b6a10435bd9c6bec9280d992cf2a2255df

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
661e457c7866b25a3e42cfe20ef43ad1

SHA1
2499f846222e4c3695e7e7bd0ed4c6132faac3d1

SHA256
0bb17f95e9f89b204a69fce4e05d4266a2091d456a4d099f095d0ee9e1e9a91d

SHA512
7f855c7ce74955f864fe44637ae3cb0022bfa4a9c57b1b327605ed05c24e3e0fb685767bfaf64670cc8b18be8036a3d5b46f242347220797de1ae9944aa95947

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
3a2cde8407981066338f335dee59de6b

SHA1
24a8019b77dcae9ef514f46a4862624039a6b96a

SHA256
b21f9d78f387412d5609d87680c39c678aaea37fc6d27dad096f117d923d9dc4

SHA512
ec053289c1a204107e73d46f88b8e1056afa2fbeb64e36ca74a079f9e003f11c892847aefb6409e22e82579f2efb3eed409b5cdb76145a4d1e0f17a356c36648

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
eb28a33c9b4b7f6842d79cb182d333a4

SHA1
3600e1e901e25c96358ab89addb53bb8f664a5e1

SHA256
a4c6da925dbd0c1df0ac7c0fdd2d2be84b9dd45df3bc823290cf76c8ab367cf8

SHA512
31a8f3ba7e1229b191c1d42d026999238f866ecee1f757851bd48cb8af665719531c5fa8984184a9de0551289d8d9ec128ee4ef35c920c01d125bff7406db860

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
592b0dcbc9e005e07dafd7ba0d45caa5

SHA1
bcb358b985411d911b6962a7dbf8f2e6dd543bb0

SHA256
2254e4fc0db84082167a9e2e76074c611a664196d5f687ca48ee9e2518bd695c

SHA512
259b202ca2c4250ec1b2c27bf57cc93efb7cabf7b79683126b04332004b148a0f9c1cd826fdbf489942de380e8a92a1b44030f068b39377dad2c43ac661ea821

Download Submit
memory/748-60-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3364-12-0x0000000000408000-0x000000000040B000-memory.dmp

Filesize
12KB

Download
memory/3364-5-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3364-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3364-63-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3364-62-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3908-21-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3908-64-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3956-59-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5004-31-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download