Malware Analysis Report

2025-03-15 05:53

Sample ID 240628-wjky2a1clr
Target a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe
SHA256 a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8
Tags
evasion persistence vmprotect
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8

Threat Level: Known bad

The file a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence vmprotect

Modifies visibility of hidden/system files in Explorer

Loads dropped DLL

Executes dropped EXE

VMProtect packed file

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-28 17:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-28 17:57

Reported

2024-06-28 17:59

Platform

win7-20231129-en

Max time kernel

150s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
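The "VMProtect packed file" signature is a file-level property rather than a behaviour, and the sandbox does not say which of the files in this run it matched. The block below is an added example, not code from this report or the sandbox, of the simplest form of that check: walk the PE section table by hand, flag the section names VMProtect emits by default (.vmp0, .vmp1, .vmp2) and measure per-section entropy. The build_fake_pe helper constructs a minimal in-memory PE purely as test data; the section-name list and the 7.0 bits/byte threshold are assumptions, and a packer can rename sections, so treat the result as a triage hint rather than proof.

```python
"""Section-table heuristics for a 'VMProtect packed file' style check.
Added example; no third-party PE library required."""
import math
import struct

# Default VMProtect section names (assumption: a packer may rename them).
VMPROTECT_SECTIONS = {".vmp0", ".vmp1", ".vmp2"}
ENTROPY_THRESHOLD = 7.0  # bits/byte; compressed or encrypted data sits near 8


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Return [(name, raw_bytes)] by walking the COFF and section headers."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size  # section headers follow the optional header
    out = []
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", image, table + 40 * i)
        out.append((name.rstrip(b"\0").decode("latin-1"),
                    image[raw_ptr:raw_ptr + raw_size]))
    return out


def packer_verdict(image: bytes):
    secs = pe_sections(image)
    vmp = [n for n, _ in secs if n in VMPROTECT_SECTIONS]
    hot = [n for n, raw in secs if shannon_entropy(raw) >= ENTROPY_THRESHOLD]
    return {"sections": [n for n, _ in secs], "vmprotect_sections": vmp,
            "high_entropy": hot, "likely_packed": bool(vmp or hot)}


def build_fake_pe(sections):
    """Constructed test data: a minimal PE carrying the given [(name, raw)]
    sections. The optional header is omitted (size 0); the walker tolerates it."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    hdr_len = 64 + 4 + 20 + 40 * len(sections)
    raw_ptr = (hdr_len + 0x1FF) & ~0x1FF  # 0x200 file alignment
    table, body = b"", b""
    for name, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(raw), 0x1000, len(raw), raw_ptr + len(body),
                             0, 0, 0, 0, 0x60000020)
        body += raw
    image = bytes(dos) + b"PE\0\0" + coff + table
    return image + b"\0" * (raw_ptr - len(image)) + body


if __name__ == "__main__":
    packed = build_fake_pe([(".text", b"\x8b\xff\x55\x8b\xec" * 820),
                            (".vmp0", bytes(range(256)) * 16)])
    print(packer_verdict(packed))
```

On a real sample, pass the file's bytes to packer_verdict; a hit on section names is strong evidence of VMProtect, while a high-entropy section alone only says "compressed or encrypted", which also describes many legitimate installers.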

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe C:\Users\Admin\AppData\Local\Temp\a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Windows\Resources\Themes\icsys.icn.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Hits
N/A N/A C:\Users\Admin\AppData\Local\Temp\a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe N/A 16
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A 17
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A 16
N/A N/A \??\c:\windows\resources\svchost.exe N/A 15
Hits = number of identical rows recorded for that process.

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Hits
PID 1108 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe \??\c:\users\admin\appdata\local\temp\a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_neikianalytics.exe 4
PID 1108 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe C:\Windows\Resources\Themes\icsys.icn.exe 4
PID 2384 wrote to memory of 2792 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe 4
PID 2792 wrote to memory of 2636 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe 4
PID 2636 wrote to memory of 2568 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe 4
PID 2568 wrote to memory of 2472 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe 4
PID 2792 wrote to memory of 2708 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe 4
PID 2568 wrote to memory of 2512 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe 4
PID 2568 wrote to memory of 2292 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe 4
PID 2568 wrote to memory of 448 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe 4
Hits = number of identical WriteProcessMemory rows recorded for that parent/child pair.

Processes

C:\Users\Admin\AppData\Local\Temp\a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe"

\??\c:\users\admin\appdata\local\temp\a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_neikianalytics.exe 

c:\users\admin\appdata\local\temp\a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_neikianalytics.exe 

C:\Windows\Resources\Themes\icsys.icn.exe

C:\Windows\Resources\Themes\icsys.icn.exe

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 17:59 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 18:00 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 18:01 /f
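The signature rows above (ShowSuperHidden forced to 0, RunOnce values named Explorer and Svchost, copies of explorer.exe, spoolsv.exe and svchost.exe dropped under C:\Windows\Resources, a write to C:\Windows\SysWOW64\explorer.exe, and the three schtasks /create lines) reduce to one pattern: core Windows process names living outside the directories they belong in. The block below is an added example, not part of this report or the sandbox, that encodes that pattern as detection logic and runs it over constructed Sysmon-style event dictionaries copied from this run's rows, plus benign events that must not fire. The event field names and the SYSTEM_DIRS allow-list are assumptions of the example.

```python
"""Detection logic for the persistence/evasion chain in this report.
Added example; event dicts mimic Sysmon fields and are constructed here."""
import re

# Where a binary carrying a core Windows process name is expected to live
# (allow-list is an assumption). Same name anywhere else = masquerading.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
MASQUERADE_NAMES = {"explorer.exe", "svchost.exe", "spoolsv.exe"}

RUN_KEY = re.compile(r"\\currentversion\\run(once)?\\[^\\]+$")
SCHTASKS_CMD = re.compile(r'^"?(?:[^"\s]*\\)?schtasks(?:\.exe)?"?\s', re.I)
SCHTASKS_TN = re.compile(r'/tn\s+"?([^"\s]+)"?', re.I)
SCHTASKS_TR = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.I)


def norm_path(path: str) -> str:
    """Lower-case; drop quotes, the NT prefix \\??\\ and the doubled
    backslashes the sandbox prints inside registry data."""
    p = path.strip().strip('"').replace("\\\\", "\\")
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower()


def split_path(path: str):
    d, _, base = norm_path(path).rpartition("\\")
    return d, base


def is_masquerade(path: str) -> bool:
    d, base = split_path(path)
    return base in MASQUERADE_NAMES and d not in SYSTEM_DIRS


def check_registry(ev):
    key, data = ev["key"].lower(), str(ev["data"])
    if key.endswith(r"\explorer\advanced\showsuperhidden") and data == "0":
        yield "evasion: ShowSuperHidden set to 0 by " + norm_path(ev["process"])
    if RUN_KEY.search(key):
        image = norm_path(data).split(" ")[0]  # "<image> [args]"; no spaces in these images
        if is_masquerade(image):
            yield "persistence: Run/RunOnce value %s -> %s" % (key.rsplit("\\", 1)[-1], image)


def check_process(ev):
    cmd = ev["cmdline"]
    if not SCHTASKS_CMD.match(cmd) or "/create" not in cmd.lower():
        return
    tr = SCHTASKS_TR.search(cmd)
    target = tr and (tr.group(1) or tr.group(2))
    if target and is_masquerade(target):
        tn = SCHTASKS_TN.search(cmd)
        yield "persistence: scheduled task %s runs %s" % (
            tn.group(1) if tn else "?", norm_path(target))


def check_file(ev):
    path, writer = ev["path"], ev["process"]
    if is_masquerade(path):
        yield "masquerade: %s wrote %s" % (norm_path(writer), norm_path(path))
    if split_path(path)[0] in SYSTEM_DIRS and split_path(writer)[0] not in SYSTEM_DIRS:
        yield "tamper: %s opened %s for modification" % (norm_path(writer), norm_path(path))


CHECKS = {"registry": check_registry, "process": check_process, "file": check_file}


def scan(events):
    return [alert for ev in events for alert in CHECKS[ev["type"]](ev)]


SAMPLE_EVENTS = [  # constructed from this report's behavioral1 rows
    {"type": "registry", "process": r"\??\c:\windows\resources\themes\explorer.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
     "data": "0"},
    {"type": "registry", "process": r"\??\c:\windows\resources\svchost.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost",
     "data": r"c:\\windows\\resources\\svchost.exe RO"},
    {"type": "process", "process": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 17:59 /f'},
    {"type": "file", "process": r"\??\c:\windows\resources\themes\explorer.exe",
     "path": r"\??\c:\windows\resources\spoolsv.exe"},
    {"type": "file", "process": r"\??\c:\windows\resources\svchost.exe",
     "path": r"C:\Windows\SysWOW64\explorer.exe"},
]
BENIGN_EVENTS = [  # constructed; none of these should alert
    {"type": "registry", "process": r"C:\Windows\explorer.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-1-2-3-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"type": "process", "process": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Backup" /tr "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00'},
    {"type": "file", "process": r"C:\Windows\System32\notepad.exe",
     "path": r"C:\Users\Admin\Documents\notes.txt"},
]

if __name__ == "__main__":
    print("\n".join(scan(SAMPLE_EVENTS)))
```

The schtasks rule keys on the /tr target, not the task name, because the name "svchost" is only a hint; the same logic also catches a task pointing at a masquerading binary under any other name. Note that the Win7 run's task times step by one minute across the three schtasks invocations (17:59, 18:00, 18:01), i.e. the sample schedules itself relative to the current clock, so the task name and target path are the stable indicators, not the /st value.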

Network

N/A

Files

memory/1108-0-0x0000000000400000-0x000000000041F000-memory.dmp

\Users\Admin\AppData\Local\Temp\a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_neikianalytics.exe 

MD5 d3698cfcec3e1728d519ae88bca852a5
SHA1 08cb8b83ee9245a6703ec1a327f8572479cc0418
SHA256 6fbca8741926f4809e0788b6439b2a1a9922f13953641e4dfd0b77d4cbba74ad
SHA512 6a349b315328c15f377c9c0000f25089b122742d82018a60f4930adb300d21e2fe74bb5d6b69b89572055d6e6f27d956993729ab75708384953006fe600170c3

memory/2760-11-0x00000000740AE000-0x00000000740AF000-memory.dmp

memory/2760-12-0x0000000000FD0000-0x0000000001002000-memory.dmp

\Windows\Resources\Themes\icsys.icn.exe

MD5 d2d60ae76b8ee4e618f057d398ea831b
SHA1 fe595e683918af0e1ddc9568c181e14f803a1392
SHA256 0d84ea404758277ed045ac3734fc6d3b3e91a67d3063832d61ad784eb8ccae06
SHA512 ba97c12e6b1ed055f2bb17c157b37e856c6a41539e175feb81cfab588113974f25986c893c70c43dd929bb4edf2a4bed1ad07d5f11b1bdf88d028cb9c1bc8e14

C:\Windows\Resources\Themes\explorer.exe

MD5 87058ba0a9c4085364f972bbc6e7d1bb
SHA1 b2b22f39fb10aef0ad055840895b47f35ade0e46
SHA256 51e4113e8f7111e3e908d860b12b7afc310bb34f0e5062022efa4fa109ef6a0b
SHA512 033abc5d006da8e15ff1a1fcc07d5288573beefa4ae0fb8c878425b345e90023e04d109da54eec5d324a075b67f9ff84e13378a5ca62fa497e72f5e514fc3400

memory/2760-24-0x00000000740A0000-0x000000007478E000-memory.dmp

memory/2384-29-0x00000000002A0000-0x00000000002BF000-memory.dmp

memory/2384-28-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1108-32-0x00000000003C0000-0x00000000003DF000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 f492bfe99681330dd1fd493eab174e9a
SHA1 09cb16743eb6b7addf233fe7caf769453e62a88d
SHA256 19c3cf9ce8047939d0a8cc0a13490c87e48a46efef72c0ff42e224eff1361b6f
SHA512 3f544d1fcf70369773688a730ac56a5d3cf441a9316e801157cf987608f7d5d237c8467995b689a5fbde1b1ab8d08560ad9b3c9e9d98bbc7763403e79ae32ea0

\Windows\Resources\svchost.exe

MD5 c3e40deae1dffa018bb1c6ce1da092c6
SHA1 e5986258d845ef276d354de208b8793f61ed66f8
SHA256 699635d8169ca547dd80d24df94690a1ed7c2caa78b5185a1b54db2e039b8f0e
SHA512 a82020ced870f083865bb1dccfe7aaf373f24e227eb8f0a1385e7eae5528137e2994039172b5db46d9b07ef4d8d16efb3cd7ce586b0c71fc5e35da7bc76bcdc8

memory/2568-53-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2568-58-0x0000000000420000-0x000000000043F000-memory.dmp

memory/2472-62-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2636-63-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1108-65-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2384-64-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2760-66-0x00000000740AE000-0x00000000740AF000-memory.dmp

memory/2760-67-0x00000000740A0000-0x000000007478E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-28 17:57

Reported

2024-06-28 17:59

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe C:\Users\Admin\AppData\Local\Temp\a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Windows\Resources\Themes\icsys.icn.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Hits
N/A N/A C:\Users\Admin\AppData\Local\Temp\a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe N/A 32
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A 32
Hits = number of identical rows recorded for that process.

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Hits
PID 2668 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe \??\c:\users\admin\appdata\local\temp\a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_neikianalytics.exe 3
PID 2668 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe C:\Windows\Resources\Themes\icsys.icn.exe 3
PID 5080 wrote to memory of 2700 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe 3
PID 2700 wrote to memory of 1684 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe 3
PID 1684 wrote to memory of 1784 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe 3
PID 1784 wrote to memory of 2052 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe 3
Hits = number of identical WriteProcessMemory rows recorded for that parent/child pair.
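The "Suspicious use of WriteProcessMemory" tables in both runs are really a parent/child map: every parent writes into each child it starts, and the write count is the same for every pair (4 on Windows 7, 3 on Windows 10). A uniform count like that is what ordinary process creation produces when the parent sets up the child; it is not on its own evidence that a payload was injected. The block below is an added example, not part of this report, that parses the sandbox's raw row format (one row per write call), collapses the repeats, rebuilds the tree and reports the distinct write counts so that an analyst can spot an edge that stands out. The embedded rows are copied from this run's Windows 10 table; the Windows 7 table parses the same way.

```python
"""Rebuild the process chain from 'PID X wrote to memory of Y' rows.
Added example; the row format is the sandbox's, the code is not."""
import re
from collections import defaultdict

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Rows copied from the behavioral2 (Windows 10) table of this report.
ROWS = r"""
PID 2668 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe \??\c:\users\admin\appdata\local\temp\a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_neikianalytics.exe
PID 2668 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe \??\c:\users\admin\appdata\local\temp\a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_neikianalytics.exe
PID 2668 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe \??\c:\users\admin\appdata\local\temp\a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_neikianalytics.exe
PID 2668 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 2668 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 2668 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 5080 wrote to memory of 2700 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 5080 wrote to memory of 2700 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 5080 wrote to memory of 2700 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 2700 wrote to memory of 1684 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2700 wrote to memory of 1684 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2700 wrote to memory of 1684 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 1684 wrote to memory of 1784 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 1684 wrote to memory of 1784 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 1684 wrote to memory of 1784 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 1784 wrote to memory of 2052 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 1784 wrote to memory of 2052 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 1784 wrote to memory of 2052 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
"""


def parse_rows(text):
    """Collapse repeated rows into {(parent, child): [parent_img, child_img, hits]}."""
    edges = {}
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # tolerate header or legend lines
        src, dst, src_img, dst_img = m.groups()
        edges.setdefault((int(src), int(dst)), [src_img, dst_img, 0])[2] += 1
    return edges


def write_counts(edges):
    """Distinct per-edge write counts; one value across all edges means no
    pair received more writes than plain process creation accounts for."""
    return {hits for _, _, hits in edges.values()}


def render_tree(edges):
    children, images, hits = defaultdict(list), {}, {}
    for (p, c), (pimg, cimg, n) in edges.items():
        images.setdefault(p, pimg)
        images[c] = cimg
        hits[(p, c)] = n
        children[p].append(c)
    is_child = {c for _, c in edges}
    roots = sorted({p for p, _ in edges if p not in is_child})
    lines = []

    def walk(pid, depth, n):
        suffix = " (%d writes)" % n if n else ""
        lines.append("  " * depth + "%d %s%s" % (pid, images[pid], suffix))
        for c in children[pid]:
            walk(c, depth + 1, hits[(pid, c)])

    for r in roots:
        walk(r, 0, 0)
    return lines


if __name__ == "__main__":
    edges = parse_rows(ROWS)
    print("\n".join(render_tree(edges)))
    print("write counts per edge:", write_counts(edges))
```

The rendered tree makes the chain in both runs explicit: the sample writes a lower-case copy of itself, starts icsys.icn.exe, which starts the dropped explorer.exe, which starts spoolsv.exe, which starts svchost.exe, which starts a second spoolsv.exe; in the Windows 7 run the same tree additionally shows svchost.exe starting the three schtasks.exe instances and the dropped explorer.exe starting the real C:\Windows\Explorer.exe. Confirming actual code injection still requires the memory dumps listed under Files.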

Processes

C:\Users\Admin\AppData\Local\Temp\a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe"

\??\c:\users\admin\appdata\local\temp\a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_neikianalytics.exe 

c:\users\admin\appdata\local\temp\a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_neikianalytics.exe 

C:\Windows\Resources\Themes\icsys.icn.exe

C:\Windows\Resources\Themes\icsys.icn.exe

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

Network

The entries below are Bing endpoints and reverse-DNS lookups through 8.8.8.8, consistent with Windows 10 background activity on the sandbox image; the report attributes none of them to the sample or its dropped binaries, and no command-and-control traffic appears in this run.

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 95.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 13.179.89.13.in-addr.arpa udp

Files

Note on indicator quality: icsys.icn.exe (MD5 d2d60ae76b8ee4e618f057d398ea831b) and the lower-case self-copy in %TEMP% (MD5 d3698cfcec3e1728d519ae88bca852a5) carry the same hashes in both runs, whereas the dropped explorer.exe, spoolsv.exe and svchost.exe differ between the Windows 7 and Windows 10 runs. Only the first two hashes are stable file indicators; the paths under C:\Windows\Resources, the RunOnce values named Explorer and Svchost, the ShowSuperHidden change and the "svchost" scheduled task are the more durable artifacts to hunt for.

memory/2668-0-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_neikianalytics.exe 

MD5 d3698cfcec3e1728d519ae88bca852a5
SHA1 08cb8b83ee9245a6703ec1a327f8572479cc0418
SHA256 6fbca8741926f4809e0788b6439b2a1a9922f13953641e4dfd0b77d4cbba74ad
SHA512 6a349b315328c15f377c9c0000f25089b122742d82018a60f4930adb300d21e2fe74bb5d6b69b89572055d6e6f27d956993729ab75708384953006fe600170c3

memory/4536-9-0x000000007424E000-0x000000007424F000-memory.dmp

memory/4536-10-0x00000000002D0000-0x0000000000302000-memory.dmp

memory/4536-11-0x00000000096F0000-0x0000000009C94000-memory.dmp

memory/4536-12-0x00000000091E0000-0x0000000009272000-memory.dmp

memory/4536-13-0x0000000074240000-0x00000000749F0000-memory.dmp

memory/4536-14-0x00000000091A0000-0x00000000091AA000-memory.dmp

C:\Windows\Resources\Themes\icsys.icn.exe

MD5 d2d60ae76b8ee4e618f057d398ea831b
SHA1 fe595e683918af0e1ddc9568c181e14f803a1392
SHA256 0d84ea404758277ed045ac3734fc6d3b3e91a67d3063832d61ad784eb8ccae06
SHA512 ba97c12e6b1ed055f2bb17c157b37e856c6a41539e175feb81cfab588113974f25986c893c70c43dd929bb4edf2a4bed1ad07d5f11b1bdf88d028cb9c1bc8e14

memory/5080-18-0x0000000000400000-0x000000000041F000-memory.dmp

\??\c:\windows\resources\themes\explorer.exe

MD5 d88d5e01009cb5ed4f0bcfc3b0e44121
SHA1 65eee58cdcd4e9f2a2b0d97176c00f8bee004cdc
SHA256 d79e2d738320dc0b6779d50d64075adb6a8fe452cbf1cfe53b3126b8d913cbac
SHA512 a23999b57a73a3f6e63377b5d782202708f7896810724f0ef9ff9cb936c881b2fbf1b560a85361767ce38249cbcce76aa02cfec22f8e39b1de3470d57adb9a64

C:\Windows\Resources\spoolsv.exe

MD5 b080f6cce2c5009a7a7ac6697b8ce92d
SHA1 beb73c5ffc539c23ba3b50213ff79703a46bf0c9
SHA256 2318beb635b095ee9cf680c6352bdf06f793be7cbcf19f635076795703c31570
SHA512 1e64972dca18c0a28bc4b2a8cfdb9168f52e10270672de480b5e8ac571a636232497127ca107d38d6561f1720641af2982be97346d22f90943f37831f9c2cdfb

C:\Windows\Resources\svchost.exe

MD5 48055fd9c96c9e320b16ea04d3274dae
SHA1 be73caab0344e21cf42302cb4e165e58bb8bfd79
SHA256 a0f249dade5758b7afbe2d2574af1ae31913b25db6c655fa9cc40b74cbd1153f
SHA512 a1dcf70ec6c3662b4de5429b5211a967866b103b119bdcf8d6ced4a0a26227497eebcf8cd8a465bad5456622090bcce38e373faef6c91ab703bf45e7750a6ff3

memory/1684-52-0x0000000000400000-0x000000000041F000-memory.dmp

memory/5080-53-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2668-51-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2052-50-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4536-54-0x0000000004E10000-0x0000000004E76000-memory.dmp

memory/4536-55-0x000000007424E000-0x000000007424F000-memory.dmp

memory/4536-56-0x0000000074240000-0x00000000749F0000-memory.dmp