598c5c98eef8f5b4323df4f5188bc5a8d56d15e4ea0130db197ed77e9820ef8d

Analysis

max time kernel
150s
max time network
117s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
27-06-2024 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

598c5c98eef8f5b4323df4f5188bc5a8d56d15e4ea0130db197ed77e9820ef8d_NeikiAnalytics.exe
Size

741KB
MD5

f0ecef46a42c0a3aa2b7c065d5b5dee0
SHA1

eb76f4aa956a788cb65b2ca1e42c0f6fff640fce
SHA256

598c5c98eef8f5b4323df4f5188bc5a8d56d15e4ea0130db197ed77e9820ef8d
SHA512

625177fa4160001f65946cfecb7787e3fb0c721d991b63884886b48731d59f137f24a21497763fc7da9a281b7322002775b8db23b21f10fa5a68b4ba6f7c9d6c
SSDEEP

12288:ltTuhrf45I8jWtJ8OgL27rd69bk5NCgGhSFB79gYhLIf6EQ9EYcw1FuAAAAAAAAQ:lIt4kt0Kd6F6CNzYhUiEWEYcwJ

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2516	explorer.exe
2676	spoolsv.exe
2572	svchost.exe
2588	spoolsv.exe

Loads dropped DLL 4 IoCs

pid	Process
2872	598c5c98eef8f5b4323df4f5188bc5a8d56d15e4ea0130db197ed77e9820ef8d_NeikiAnalytics.exe
2516	explorer.exe
2676	spoolsv.exe
2572	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 19 IoCs

pid	Process
2872	598c5c98eef8f5b4323df4f5188bc5a8d56d15e4ea0130db197ed77e9820ef8d_NeikiAnalytics.exe
2516	explorer.exe
2676	spoolsv.exe
2572	svchost.exe
2588	spoolsv.exe
2572	svchost.exe
2516	explorer.exe
2572	svchost.exe
2516	explorer.exe
2572	svchost.exe
2516	explorer.exe
2572	svchost.exe
2516	explorer.exe
2572	svchost.exe
2516	explorer.exe
2572	svchost.exe
2516	explorer.exe
2572	svchost.exe
2516	explorer.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	598c5c98eef8f5b4323df4f5188bc5a8d56d15e4ea0130db197ed77e9820ef8d_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2464	schtasks.exe
1276	schtasks.exe
1636	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2872	598c5c98eef8f5b4323df4f5188bc5a8d56d15e4ea0130db197ed77e9820ef8d_NeikiAnalytics.exe
2872	598c5c98eef8f5b4323df4f5188bc5a8d56d15e4ea0130db197ed77e9820ef8d_NeikiAnalytics.exe
2872	598c5c98eef8f5b4323df4f5188bc5a8d56d15e4ea0130db197ed77e9820ef8d_NeikiAnalytics.exe
2872	598c5c98eef8f5b4323df4f5188bc5a8d56d15e4ea0130db197ed77e9820ef8d_NeikiAnalytics.exe
2872	598c5c98eef8f5b4323df4f5188bc5a8d56d15e4ea0130db197ed77e9820ef8d_NeikiAnalytics.exe
2872	598c5c98eef8f5b4323df4f5188bc5a8d56d15e4ea0130db197ed77e9820ef8d_NeikiAnalytics.exe
2872	598c5c98eef8f5b4323df4f5188bc5a8d56d15e4ea0130db197ed77e9820ef8d_NeikiAnalytics.exe
2872	598c5c98eef8f5b4323df4f5188bc5a8d56d15e4ea0130db197ed77e9820ef8d_NeikiAnalytics.exe
2872	598c5c98eef8f5b4323df4f5188bc5a8d56d15e4ea0130db197ed77e9820ef8d_NeikiAnalytics.exe
2872	598c5c98eef8f5b4323df4f5188bc5a8d56d15e4ea0130db197ed77e9820ef8d_NeikiAnalytics.exe
2872	598c5c98eef8f5b4323df4f5188bc5a8d56d15e4ea0130db197ed77e9820ef8d_NeikiAnalytics.exe
2872	598c5c98eef8f5b4323df4f5188bc5a8d56d15e4ea0130db197ed77e9820ef8d_NeikiAnalytics.exe
2872	598c5c98eef8f5b4323df4f5188bc5a8d56d15e4ea0130db197ed77e9820ef8d_NeikiAnalytics.exe
2872	598c5c98eef8f5b4323df4f5188bc5a8d56d15e4ea0130db197ed77e9820ef8d_NeikiAnalytics.exe
2872	598c5c98eef8f5b4323df4f5188bc5a8d56d15e4ea0130db197ed77e9820ef8d_NeikiAnalytics.exe
2872	598c5c98eef8f5b4323df4f5188bc5a8d56d15e4ea0130db197ed77e9820ef8d_NeikiAnalytics.exe
2872	598c5c98eef8f5b4323df4f5188bc5a8d56d15e4ea0130db197ed77e9820ef8d_NeikiAnalytics.exe
2872	598c5c98eef8f5b4323df4f5188bc5a8d56d15e4ea0130db197ed77e9820ef8d_NeikiAnalytics.exe
2872	598c5c98eef8f5b4323df4f5188bc5a8d56d15e4ea0130db197ed77e9820ef8d_NeikiAnalytics.exe
2872	598c5c98eef8f5b4323df4f5188bc5a8d56d15e4ea0130db197ed77e9820ef8d_NeikiAnalytics.exe
2872	598c5c98eef8f5b4323df4f5188bc5a8d56d15e4ea0130db197ed77e9820ef8d_NeikiAnalytics.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2676	spoolsv.exe
2676	spoolsv.exe
2676	spoolsv.exe
2572	svchost.exe
2572	svchost.exe
2572	svchost.exe
2572	svchost.exe
2572	svchost.exe
2572	svchost.exe
2572	svchost.exe
2572	svchost.exe
2572	svchost.exe
2572	svchost.exe
2572	svchost.exe
2572	svchost.exe
2572	svchost.exe
2572	svchost.exe
2572	svchost.exe
2572	svchost.exe
2572	svchost.exe
2572	svchost.exe
2572	svchost.exe
2572	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2516	explorer.exe
2572	svchost.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2872	598c5c98eef8f5b4323df4f5188bc5a8d56d15e4ea0130db197ed77e9820ef8d_NeikiAnalytics.exe
2872	598c5c98eef8f5b4323df4f5188bc5a8d56d15e4ea0130db197ed77e9820ef8d_NeikiAnalytics.exe
2872	598c5c98eef8f5b4323df4f5188bc5a8d56d15e4ea0130db197ed77e9820ef8d_NeikiAnalytics.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2676	spoolsv.exe
2676	spoolsv.exe
2676	spoolsv.exe
2572	svchost.exe
2572	svchost.exe
2572	svchost.exe
2588	spoolsv.exe
2588	spoolsv.exe
2588	spoolsv.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2516	2872	598c5c98eef8f5b4323df4f5188bc5a8d56d15e4ea0130db197ed77e9820ef8d_NeikiAnalytics.exe	28
PID 2872 wrote to memory of 2516	2872	598c5c98eef8f5b4323df4f5188bc5a8d56d15e4ea0130db197ed77e9820ef8d_NeikiAnalytics.exe	28
PID 2872 wrote to memory of 2516	2872	598c5c98eef8f5b4323df4f5188bc5a8d56d15e4ea0130db197ed77e9820ef8d_NeikiAnalytics.exe	28
PID 2872 wrote to memory of 2516	2872	598c5c98eef8f5b4323df4f5188bc5a8d56d15e4ea0130db197ed77e9820ef8d_NeikiAnalytics.exe	28
PID 2516 wrote to memory of 2676	2516	explorer.exe	29
PID 2516 wrote to memory of 2676	2516	explorer.exe	29
PID 2516 wrote to memory of 2676	2516	explorer.exe	29
PID 2516 wrote to memory of 2676	2516	explorer.exe	29
PID 2676 wrote to memory of 2572	2676	spoolsv.exe	30
PID 2676 wrote to memory of 2572	2676	spoolsv.exe	30
PID 2676 wrote to memory of 2572	2676	spoolsv.exe	30
PID 2676 wrote to memory of 2572	2676	spoolsv.exe	30
PID 2572 wrote to memory of 2588	2572	svchost.exe	31
PID 2572 wrote to memory of 2588	2572	svchost.exe	31
PID 2572 wrote to memory of 2588	2572	svchost.exe	31
PID 2572 wrote to memory of 2588	2572	svchost.exe	31
PID 2516 wrote to memory of 1888	2516	explorer.exe	33
PID 2516 wrote to memory of 1888	2516	explorer.exe	33
PID 2516 wrote to memory of 1888	2516	explorer.exe	33
PID 2516 wrote to memory of 1888	2516	explorer.exe	33
PID 2572 wrote to memory of 2464	2572	svchost.exe	32
PID 2572 wrote to memory of 2464	2572	svchost.exe	32
PID 2572 wrote to memory of 2464	2572	svchost.exe	32
PID 2572 wrote to memory of 2464	2572	svchost.exe	32
PID 2572 wrote to memory of 1276	2572	svchost.exe	38
PID 2572 wrote to memory of 1276	2572	svchost.exe	38
PID 2572 wrote to memory of 1276	2572	svchost.exe	38
PID 2572 wrote to memory of 1276	2572	svchost.exe	38
PID 2572 wrote to memory of 1636	2572	svchost.exe	40
PID 2572 wrote to memory of 1636	2572	svchost.exe	40
PID 2572 wrote to memory of 1636	2572	svchost.exe	40
PID 2572 wrote to memory of 1636	2572	svchost.exe	40

C:\Users\Admin\AppData\Local\Temp\598c5c98eef8f5b4323df4f5188bc5a8d56d15e4ea0130db197ed77e9820ef8d_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\598c5c98eef8f5b4323df4f5188bc5a8d56d15e4ea0130db197ed77e9820ef8d_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2872
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2516
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2572
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:2588
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 06:10 /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2464
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 06:11 /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1276
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 06:12 /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1636
- - C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe
    3⤵
    PID:1888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\spoolsv.exe

Filesize
741KB

MD5
7f168ff3cff508e988178ab43acf8687

SHA1
dd1fd10a93c28bd04a4f22f8b1ddf298bc21b81b

SHA256
6eef0910c4e6cd3eef9e2829aba340e4dc2243a2093d556eab0c4bfb21edd52e

SHA512
025e290c1302f02c102d768a9863b50a92ffad46f8780b0d5510d97040c01611f6cea9a74fee88dae373cfbcd090bee2e8b706b979a5ba539135807c536372db

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
741KB

MD5
00e345e8a57709164a5bb42a79210e7e

SHA1
288263bdbf485823e0415c486abe90c14aec138a

SHA256
0c7cf718ec02cd76b434cf1a55df46d81b513dc5e35f23506ebb587c072247b6

SHA512
0a81ea6ff8322736792e45a027a226ae54f6a2fb5a21c28c6173da88dcb473182be2410c3ec718741e593feb148efa42c5074544e2b2becbec5ce45ed01b5f55

Download Submit
\Windows\Resources\Themes\explorer.exe

Filesize
742KB

MD5
ae69680286dd276892d9f1125de39044

SHA1
137f82f14849c6cc525e8ee7efeae784759030d0

SHA256
e35211a0de51ca262d8a927f274d866a68a848c94c56510012180cfff33504d9

SHA512
388edd048d9627e59ceec5e3cbe0b588cf4344915ef9d6b89748fe74b9f8071e5b5bdbe2939f3962cbd7256d9ff993db77f049782bf8c654f4e4723be7c40bf7

Download Submit
memory/2516-63-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2516-67-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2516-10-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2516-79-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2516-77-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2516-75-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2516-73-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2516-69-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2516-59-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2516-54-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2516-51-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2516-53-0x0000000003D50000-0x00000000040C2000-memory.dmp

Filesize
3.4MB

Download
memory/2572-52-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2572-78-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2572-56-0x0000000003B20000-0x0000000003E92000-memory.dmp

Filesize
3.4MB

Download
memory/2572-55-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2572-33-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2572-64-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2572-40-0x0000000003B20000-0x0000000003E92000-memory.dmp

Filesize
3.4MB

Download
memory/2588-41-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2588-46-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2676-21-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2676-48-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2676-32-0x0000000003CC0000-0x0000000004032000-memory.dmp

Filesize
3.4MB

Download
memory/2872-0-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2872-50-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download