b9aeac8f43184efc2cc75d6da5fcc967f6f7fa4f0ed499af471b26ababfd574d

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
29/06/2024, 19:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b9aeac8f43184efc2cc75d6da5fcc967f6f7fa4f0ed499af471b26ababfd574d_NeikiAnalytics.exe
Size

741KB
MD5

9d5ca5707818ea88dd6c0a7d15329530
SHA1

6897dc5cf40878f91c7839329459e169a98b7f8d
SHA256

b9aeac8f43184efc2cc75d6da5fcc967f6f7fa4f0ed499af471b26ababfd574d
SHA512

7cea3256443cdc72cd8b6f79fb2d820143e97a130b4c59c830d26c60b0a4a2f9087c9b111808a27a2b8378f55ee65aee712aee3efe198d0cdeed61f295ada98d
SSDEEP

12288:ltTuhrf45I8jWtJ8OgL27rd69bk5NCgGhSFB79gYhLIf6EQ9EYcw1Fa:lIt4kt0Kd6F6CNzYhUiEWEYcwi

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2384	explorer.exe
2196	spoolsv.exe
2768	svchost.exe
2760	spoolsv.exe

Loads dropped DLL 4 IoCs

pid	Process
2228	b9aeac8f43184efc2cc75d6da5fcc967f6f7fa4f0ed499af471b26ababfd574d_NeikiAnalytics.exe
2384	explorer.exe
2196	spoolsv.exe
2768	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 19 IoCs

pid	Process
2228	b9aeac8f43184efc2cc75d6da5fcc967f6f7fa4f0ed499af471b26ababfd574d_NeikiAnalytics.exe
2384	explorer.exe
2196	spoolsv.exe
2768	svchost.exe
2760	spoolsv.exe
2384	explorer.exe
2768	svchost.exe
2384	explorer.exe
2768	svchost.exe
2384	explorer.exe
2768	svchost.exe
2384	explorer.exe
2768	svchost.exe
2384	explorer.exe
2768	svchost.exe
2384	explorer.exe
2768	svchost.exe
2384	explorer.exe
2768	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	b9aeac8f43184efc2cc75d6da5fcc967f6f7fa4f0ed499af471b26ababfd574d_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2576	schtasks.exe
288	schtasks.exe
2080	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2228	b9aeac8f43184efc2cc75d6da5fcc967f6f7fa4f0ed499af471b26ababfd574d_NeikiAnalytics.exe
2228	b9aeac8f43184efc2cc75d6da5fcc967f6f7fa4f0ed499af471b26ababfd574d_NeikiAnalytics.exe
2228	b9aeac8f43184efc2cc75d6da5fcc967f6f7fa4f0ed499af471b26ababfd574d_NeikiAnalytics.exe
2228	b9aeac8f43184efc2cc75d6da5fcc967f6f7fa4f0ed499af471b26ababfd574d_NeikiAnalytics.exe
2228	b9aeac8f43184efc2cc75d6da5fcc967f6f7fa4f0ed499af471b26ababfd574d_NeikiAnalytics.exe
2228	b9aeac8f43184efc2cc75d6da5fcc967f6f7fa4f0ed499af471b26ababfd574d_NeikiAnalytics.exe
2228	b9aeac8f43184efc2cc75d6da5fcc967f6f7fa4f0ed499af471b26ababfd574d_NeikiAnalytics.exe
2228	b9aeac8f43184efc2cc75d6da5fcc967f6f7fa4f0ed499af471b26ababfd574d_NeikiAnalytics.exe
2228	b9aeac8f43184efc2cc75d6da5fcc967f6f7fa4f0ed499af471b26ababfd574d_NeikiAnalytics.exe
2228	b9aeac8f43184efc2cc75d6da5fcc967f6f7fa4f0ed499af471b26ababfd574d_NeikiAnalytics.exe
2228	b9aeac8f43184efc2cc75d6da5fcc967f6f7fa4f0ed499af471b26ababfd574d_NeikiAnalytics.exe
2228	b9aeac8f43184efc2cc75d6da5fcc967f6f7fa4f0ed499af471b26ababfd574d_NeikiAnalytics.exe
2228	b9aeac8f43184efc2cc75d6da5fcc967f6f7fa4f0ed499af471b26ababfd574d_NeikiAnalytics.exe
2228	b9aeac8f43184efc2cc75d6da5fcc967f6f7fa4f0ed499af471b26ababfd574d_NeikiAnalytics.exe
2228	b9aeac8f43184efc2cc75d6da5fcc967f6f7fa4f0ed499af471b26ababfd574d_NeikiAnalytics.exe
2228	b9aeac8f43184efc2cc75d6da5fcc967f6f7fa4f0ed499af471b26ababfd574d_NeikiAnalytics.exe
2228	b9aeac8f43184efc2cc75d6da5fcc967f6f7fa4f0ed499af471b26ababfd574d_NeikiAnalytics.exe
2228	b9aeac8f43184efc2cc75d6da5fcc967f6f7fa4f0ed499af471b26ababfd574d_NeikiAnalytics.exe
2228	b9aeac8f43184efc2cc75d6da5fcc967f6f7fa4f0ed499af471b26ababfd574d_NeikiAnalytics.exe
2228	b9aeac8f43184efc2cc75d6da5fcc967f6f7fa4f0ed499af471b26ababfd574d_NeikiAnalytics.exe
2384	explorer.exe
2384	explorer.exe
2384	explorer.exe
2384	explorer.exe
2384	explorer.exe
2384	explorer.exe
2384	explorer.exe
2384	explorer.exe
2384	explorer.exe
2384	explorer.exe
2384	explorer.exe
2384	explorer.exe
2384	explorer.exe
2384	explorer.exe
2384	explorer.exe
2384	explorer.exe
2384	explorer.exe
2384	explorer.exe
2384	explorer.exe
2384	explorer.exe
2196	spoolsv.exe
2196	spoolsv.exe
2196	spoolsv.exe
2196	spoolsv.exe
2228	b9aeac8f43184efc2cc75d6da5fcc967f6f7fa4f0ed499af471b26ababfd574d_NeikiAnalytics.exe
2768	svchost.exe
2768	svchost.exe
2768	svchost.exe
2768	svchost.exe
2768	svchost.exe
2768	svchost.exe
2768	svchost.exe
2768	svchost.exe
2768	svchost.exe
2768	svchost.exe
2768	svchost.exe
2768	svchost.exe
2768	svchost.exe
2768	svchost.exe
2768	svchost.exe
2768	svchost.exe
2768	svchost.exe
2768	svchost.exe
2768	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2384	explorer.exe
2768	svchost.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2228	b9aeac8f43184efc2cc75d6da5fcc967f6f7fa4f0ed499af471b26ababfd574d_NeikiAnalytics.exe
2228	b9aeac8f43184efc2cc75d6da5fcc967f6f7fa4f0ed499af471b26ababfd574d_NeikiAnalytics.exe
2228	b9aeac8f43184efc2cc75d6da5fcc967f6f7fa4f0ed499af471b26ababfd574d_NeikiAnalytics.exe
2384	explorer.exe
2384	explorer.exe
2384	explorer.exe
2196	spoolsv.exe
2196	spoolsv.exe
2196	spoolsv.exe
2768	svchost.exe
2768	svchost.exe
2768	svchost.exe
2760	spoolsv.exe
2760	spoolsv.exe
2760	spoolsv.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2384	2228	b9aeac8f43184efc2cc75d6da5fcc967f6f7fa4f0ed499af471b26ababfd574d_NeikiAnalytics.exe	28
PID 2228 wrote to memory of 2384	2228	b9aeac8f43184efc2cc75d6da5fcc967f6f7fa4f0ed499af471b26ababfd574d_NeikiAnalytics.exe	28
PID 2228 wrote to memory of 2384	2228	b9aeac8f43184efc2cc75d6da5fcc967f6f7fa4f0ed499af471b26ababfd574d_NeikiAnalytics.exe	28
PID 2228 wrote to memory of 2384	2228	b9aeac8f43184efc2cc75d6da5fcc967f6f7fa4f0ed499af471b26ababfd574d_NeikiAnalytics.exe	28
PID 2384 wrote to memory of 2196	2384	explorer.exe	29
PID 2384 wrote to memory of 2196	2384	explorer.exe	29
PID 2384 wrote to memory of 2196	2384	explorer.exe	29
PID 2384 wrote to memory of 2196	2384	explorer.exe	29
PID 2196 wrote to memory of 2768	2196	spoolsv.exe	30
PID 2196 wrote to memory of 2768	2196	spoolsv.exe	30
PID 2196 wrote to memory of 2768	2196	spoolsv.exe	30
PID 2196 wrote to memory of 2768	2196	spoolsv.exe	30
PID 2768 wrote to memory of 2760	2768	svchost.exe	31
PID 2768 wrote to memory of 2760	2768	svchost.exe	31
PID 2768 wrote to memory of 2760	2768	svchost.exe	31
PID 2768 wrote to memory of 2760	2768	svchost.exe	31
PID 2384 wrote to memory of 2696	2384	explorer.exe	32
PID 2384 wrote to memory of 2696	2384	explorer.exe	32
PID 2384 wrote to memory of 2696	2384	explorer.exe	32
PID 2384 wrote to memory of 2696	2384	explorer.exe	32
PID 2768 wrote to memory of 2576	2768	svchost.exe	33
PID 2768 wrote to memory of 2576	2768	svchost.exe	33
PID 2768 wrote to memory of 2576	2768	svchost.exe	33
PID 2768 wrote to memory of 2576	2768	svchost.exe	33
PID 2768 wrote to memory of 288	2768	svchost.exe	38
PID 2768 wrote to memory of 288	2768	svchost.exe	38
PID 2768 wrote to memory of 288	2768	svchost.exe	38
PID 2768 wrote to memory of 288	2768	svchost.exe	38
PID 2768 wrote to memory of 2080	2768	svchost.exe	40
PID 2768 wrote to memory of 2080	2768	svchost.exe	40
PID 2768 wrote to memory of 2080	2768	svchost.exe	40
PID 2768 wrote to memory of 2080	2768	svchost.exe	40

C:\Users\Admin\AppData\Local\Temp\b9aeac8f43184efc2cc75d6da5fcc967f6f7fa4f0ed499af471b26ababfd574d_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b9aeac8f43184efc2cc75d6da5fcc967f6f7fa4f0ed499af471b26ababfd574d_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2228
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2384
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2768
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:2760
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:58 /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2576
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:59 /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:288
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 20:00 /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2080
- - C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe
    3⤵
    PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\spoolsv.exe

Filesize
742KB

MD5
603fdaa20f652047eb59f3710dd54be3

SHA1
ca6b1de685c6e3ee4aa4720f28058085d07ecc74

SHA256
ddc1cbf92a3065c66d7ddb4bf01e61e33eef82069b94d756813a4309a320d5bd

SHA512
f8ddbb9ef148ca529d70d64340eba6f0c5a7f3a4965542c9a07269f5eb6f76dd898e3a1bb7e87bce801eb3afb3e24b5cb6bccd3980e367023baa6323e2b807c5

Download Submit
\Windows\Resources\Themes\explorer.exe

Filesize
741KB

MD5
c9812c3e7a3cdf4a8ef879f484d50332

SHA1
363053483340d658b5be3ec9a56be5acaade28b0

SHA256
8b725983452f73e53344b73f4ac763e5564db7c2b6e341bdb024bf0cf2c42944

SHA512
c60acd50e1e5d1d09c509be802b288a9af964748f49748787054fad3545fa9c9cd1366069aea95f9416b65eb864ebcd1e25a7eab465b0bad247b0303c0c0c794

Download Submit
\Windows\Resources\svchost.exe

Filesize
741KB

MD5
a130dc1d3ae3ea06f375c274a0dfabd1

SHA1
8c1381a5a4037888b8a2f8859da07f1b0550e9ee

SHA256
2625e55b2cf7953d4d7d8f49e977a2fa8b727d9c923df0ae1002753054379625

SHA512
6e991ab49aa882743475b69210a2e60d65e72beaf8a0a96999d7a5e55c2e9dcb0bc42df095cadb73d3c1ea33788cf75af3b66aa38023920aceb66b2d4f81dbb8

Download Submit
memory/2196-48-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2196-21-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2196-32-0x0000000003D70000-0x00000000040E2000-memory.dmp

Filesize
3.4MB

Download
memory/2228-0-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2228-50-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2228-49-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2384-63-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2384-65-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2384-77-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2384-73-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2384-67-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2384-51-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2384-10-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2384-53-0x0000000003F10000-0x0000000004282000-memory.dmp

Filesize
3.4MB

Download
memory/2384-54-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2384-57-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2760-41-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2760-47-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2768-56-0x0000000003870000-0x0000000003BE2000-memory.dmp

Filesize
3.4MB

Download
memory/2768-55-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2768-52-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2768-33-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2768-68-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2768-72-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2768-40-0x0000000003870000-0x0000000003BE2000-memory.dmp

Filesize
3.4MB

Download
memory/2768-78-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download