b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0

Analysis

max time kernel
150s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/06/2024, 15:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
Size

741KB
MD5

99a7ec08d91b74be23c646b7ea720f20
SHA1

6b5120be77f269614904f4fc3c44d3f665abdfea
SHA256

b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0
SHA512

1a484e56098d65ffadf36b85c3558d7a268883e14ac0e7fa2a322744a876af692567b6486acc691b2a96e3ee4a8e65152fbe5f98679e416d946c0c7d8e0878f4
SSDEEP

12288:ltTuhrf45I8jWtJ8OgL27rd69bk5NCgGhSFB79gYhLIf6EQ9EYcw1Fn:lIt4kt0Kd6F6CNzYhUiEWEYcwP

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
1132	explorer.exe
4168	spoolsv.exe
3564	svchost.exe
4616	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs

pid	Process
1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
1132	explorer.exe
4168	spoolsv.exe
3564	svchost.exe
4616	spoolsv.exe
1132	explorer.exe
3564	svchost.exe
1132	explorer.exe
3564	svchost.exe
1132	explorer.exe
3564	svchost.exe
1132	explorer.exe
3564	svchost.exe
1132	explorer.exe
3564	svchost.exe
1132	explorer.exe
3564	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1132	explorer.exe
3564	svchost.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
1132	explorer.exe
1132	explorer.exe
1132	explorer.exe
4168	spoolsv.exe
4168	spoolsv.exe
4168	spoolsv.exe
3564	svchost.exe
3564	svchost.exe
3564	svchost.exe
4616	spoolsv.exe
4616	spoolsv.exe
4616	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 1132	1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe	80
PID 1508 wrote to memory of 1132	1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe	80
PID 1508 wrote to memory of 1132	1508	b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe	80
PID 1132 wrote to memory of 4168	1132	explorer.exe	81
PID 1132 wrote to memory of 4168	1132	explorer.exe	81
PID 1132 wrote to memory of 4168	1132	explorer.exe	81
PID 4168 wrote to memory of 3564	4168	spoolsv.exe	82
PID 4168 wrote to memory of 3564	4168	spoolsv.exe	82
PID 4168 wrote to memory of 3564	4168	spoolsv.exe	82
PID 3564 wrote to memory of 4616	3564	svchost.exe	83
PID 3564 wrote to memory of 4616	3564	svchost.exe	83
PID 3564 wrote to memory of 4616	3564	svchost.exe	83

C:\Users\Admin\AppData\Local\Temp\b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b09fe17984461dec2f9beece4166a5f9ce67346791acc785dd7d1da907ac77e0_NeikiAnalytics.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1508
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1132
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4168
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3564
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:4616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\spoolsv.exe

Filesize
741KB

MD5
91d70530de3b14370cd5ffb8c9946f5e

SHA1
4d81c0d458aaae09153b335084dba571c153f8c6

SHA256
c330811d772f8436945fb70afbcdb7333f8ada275a68fe03434ae879e7eb76e0

SHA512
14ea29b12a7405c49a0358d42581743cef966fecebfe688e5c0428b71f305dc9b5311017baedb026e7f81b2a6917f16062ea5a75c30d8eccbecc59ca69e797aa

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
741KB

MD5
8cd1b15381fc820c74cdbb0fa759331a

SHA1
42e73ef96f91981c921daf0963f353c270cadf82

SHA256
8218095dce67fafc66d7e63bfe988968b08a2cf07bf249f6ab9cff164ab2a155

SHA512
909d98f111698e658f222e2862ac5b206377ed3576c40e0e56a913cefd88d82c4203e08ff278cd448ca7cc26cbe61190dc443927b763c77f386458219b1ea289

Download Submit
\??\c:\windows\resources\themes\explorer.exe

Filesize
741KB

MD5
f27fb687e8609409acf2a910bc9c6c6e

SHA1
4c01e6d192e194835bd6164dacbbf854f909d12c

SHA256
dbcb30f2c9b39fa2e8706678dcc781e350255b6d435c6074e93db86c8d9d9ce4

SHA512
1680d393750219f6731473165395eab54dad0b19e86640f515d7a19b16e2892a08ccb4d0875e467f4591a231ba118cda973b2d49f1ef6cee33a55dd238683c6f

Download Submit
memory/1132-39-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/1132-43-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/1132-9-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/1132-61-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/1132-57-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/1132-55-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/1132-51-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/1132-47-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/1508-38-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/1508-0-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/3564-54-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/3564-42-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/3564-40-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/4168-18-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/4168-37-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/4616-35-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/4616-31-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download