Analysis
- max time kernel: 12s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 30/06/2024, 22:08
Static task: static1
Behavioral task: behavioral1
  Sample: 1de0d2f56e61a044f68fcb9bd111982a6c68bbcefc0587e81e9495bacecb7232_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 1de0d2f56e61a044f68fcb9bd111982a6c68bbcefc0587e81e9495bacecb7232_NeikiAnalytics.exe
  Resource: win10v2004-20240611-en
General
- Target: 1de0d2f56e61a044f68fcb9bd111982a6c68bbcefc0587e81e9495bacecb7232_NeikiAnalytics.exe
- Size: 3.5MB
- MD5: e96f5b3730e7b90512efb76120718ac0
- SHA1: 20e74ac3342fc556a478d5c996532e6f664f3952
- SHA256: 1de0d2f56e61a044f68fcb9bd111982a6c68bbcefc0587e81e9495bacecb7232
- SHA512: c65bb48f47d46f954949c65d517d382dd4cea21eb2684a7282fdae36b9afb8d8d5c7e9e933da1709013cf2291b5778e7d285f86fc2921f6412627703943f61f8
- SSDEEP: 98304:P66Nzf0vCNnowJAHzdZHG6efh3Bbob3+mFiP:7NTD+pZHG6efh3BDm0P
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
- explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
- svchost.exe: Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Executes dropped EXE (6 IoCs)
- PID 2360: 1de0d2f56e61a044f68fcb9bd111982a6c68bbcefc0587e81e9495bacecb7232_neikianalytics.exe
- PID 2740: icsys.icn.exe
- PID 2764: explorer.exe
- PID 1256: spoolsv.exe
- PID 2984: svchost.exe
- PID 2584: spoolsv.exe
Loads dropped DLL (6 IoCs)
- PID 2236: 1de0d2f56e61a044f68fcb9bd111982a6c68bbcefc0587e81e9495bacecb7232_NeikiAnalytics.exe (listed twice)
- PID 2740: icsys.icn.exe
- PID 2764: explorer.exe
- PID 1256: spoolsv.exe
- PID 2984: svchost.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"
Drops file in System32 directory (2 IoCs)
- explorer.exe: File opened for modification C:\Windows\SysWOW64\explorer.exe
- svchost.exe: File opened for modification C:\Windows\SysWOW64\explorer.exe
Drops file in Windows directory (4 IoCs)
- 1de0d2f56e61a044f68fcb9bd111982a6c68bbcefc0587e81e9495bacecb7232_NeikiAnalytics.exe: File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe
- icsys.icn.exe: File opened for modification \??\c:\windows\resources\themes\explorer.exe
- explorer.exe: File opened for modification \??\c:\windows\resources\spoolsv.exe
- spoolsv.exe: File opened for modification \??\c:\windows\resources\svchost.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 2568: schtasks.exe
- PID 752: schtasks.exe
- PID 1264: schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 2236: 1de0d2f56e61a044f68fcb9bd111982a6c68bbcefc0587e81e9495bacecb7232_NeikiAnalytics.exe (16 hits)
- PID 2360: 1de0d2f56e61a044f68fcb9bd111982a6c68bbcefc0587e81e9495bacecb7232_neikianalytics.exe (2 hits)
- PID 2740: icsys.icn.exe (17 hits)
- PID 2764: explorer.exe (16 hits)
- PID 2984: svchost.exe (13 hits)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
- PID 2764: explorer.exe
- PID 2984: svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
- PID 2236: 1de0d2f56e61a044f68fcb9bd111982a6c68bbcefc0587e81e9495bacecb7232_NeikiAnalytics.exe (2 hits)
- PID 2740: icsys.icn.exe (2 hits)
- PID 2764: explorer.exe (2 hits)
- PID 1256: spoolsv.exe (2 hits)
- PID 2984: svchost.exe (2 hits)
- PID 2584: spoolsv.exe (2 hits)
Suspicious use of WriteProcessMemory (32 IoCs; each write is recorded 4 times, procid_target is the sandbox's index of the target process)
- PID 2236 (1de0d2f56e61a044f68fcb9bd111982a6c68bbcefc0587e81e9495bacecb7232_NeikiAnalytics.exe) wrote to memory of 2360, procid_target 28
- PID 2236 (1de0d2f56e61a044f68fcb9bd111982a6c68bbcefc0587e81e9495bacecb7232_NeikiAnalytics.exe) wrote to memory of 2740, procid_target 29
- PID 2740 (icsys.icn.exe) wrote to memory of 2764, procid_target 30
- PID 2764 (explorer.exe) wrote to memory of 1256, procid_target 31
- PID 1256 (spoolsv.exe) wrote to memory of 2984, procid_target 32
- PID 2984 (svchost.exe) wrote to memory of 2584, procid_target 33
- PID 2764 (explorer.exe) wrote to memory of 2612, procid_target 34
- PID 2984 (svchost.exe) wrote to memory of 2568, procid_target 35
Processes (indentation shows the parent/child depth the sandbox recorded)

[1] C:\Users\Admin\AppData\Local\Temp\1de0d2f56e61a044f68fcb9bd111982a6c68bbcefc0587e81e9495bacecb7232_NeikiAnalytics.exe (PID 2236)
    command line: "C:\Users\Admin\AppData\Local\Temp\1de0d2f56e61a044f68fcb9bd111982a6c68bbcefc0587e81e9495bacecb7232_NeikiAnalytics.exe"
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

  [2] \??\c:\users\admin\appdata\local\temp\1de0d2f56e61a044f68fcb9bd111982a6c68bbcefc0587e81e9495bacecb7232_neikianalytics.exe (PID 2360)
      command line: c:\users\admin\appdata\local\temp\1de0d2f56e61a044f68fcb9bd111982a6c68bbcefc0587e81e9495bacecb7232_neikianalytics.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

  [2] C:\Windows\Resources\Themes\icsys.icn.exe (PID 2740)
      command line: C:\Windows\Resources\Themes\icsys.icn.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

    [3] \??\c:\windows\resources\themes\explorer.exe (PID 2764)
        command line: c:\windows\resources\themes\explorer.exe
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

      [4] \??\c:\windows\resources\spoolsv.exe (PID 1256)
          command line: c:\windows\resources\spoolsv.exe SE
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in Windows directory
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

        [5] \??\c:\windows\resources\svchost.exe (PID 2984)
            command line: c:\windows\resources\svchost.exe
            - Modifies visibility of hidden/system files in Explorer
            - Executes dropped EXE
            - Loads dropped DLL
            - Adds Run key to start application
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

          [6] \??\c:\windows\resources\spoolsv.exe (PID 2584)
              command line: c:\windows\resources\spoolsv.exe PR
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx

          [6] C:\Windows\SysWOW64\schtasks.exe (PID 2568)
              command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:10 /f
              - Scheduled Task/Job: Scheduled Task

          [6] C:\Windows\SysWOW64\schtasks.exe (PID 752)
              command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:11 /f
              - Scheduled Task/Job: Scheduled Task

          [6] C:\Windows\SysWOW64\schtasks.exe (PID 1264)
              command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:12 /f
              - Scheduled Task/Job: Scheduled Task

      [4] C:\Windows\Explorer.exe (PID 2612)
          command line: C:\Windows\Explorer.exe
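The chain above (copies named explorer.exe, spoolsv.exe and svchost.exe executed from C:\Windows\Resources, RunOnce values whose command ends in "RO", a daily task named "svchost" and ShowSuperHidden set to 0) maps directly onto host-independent detection logic. The Python below is an added example, not the sandbox's code and not the sample's: it runs four checks over a hand-constructed event list whose values are copied from this report (the event schema with type/pid/ppid/image/cmdline and key/value/data fields is an assumption made for the example) plus two benign control events, and walks the process tree from the last spoolsv.exe back to the submitted sample. Two caveats the report itself shows: the real 32-bit Explorer at C:\Windows\SysWOW64\explorer.exe is opened for modification, so a path-based check must treat that file as legitimate-by-location and rely on hash or signature checks instead; and the three schtasks invocations reuse the task name "svchost" with /f, so each overwrites the previous one and a single daily task remains.

```python
"""Added example, not the sandbox's code: detection logic for the persistence
chain in this report. The event schema is an assumption made for the example;
the event values are copied from the report's process tree and signature
tables, plus two benign control events that the rules must not flag."""
import shlex
from collections import namedtuple

# Directories in which these Windows binary names are legitimate (lower-case,
# no trailing backslash). The same file name anywhere else is masquerading.
LEGIT_DIRS = {
    "explorer.exe": {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
Finding = namedtuple("Finding", "rule pid detail")

def normalize(path):
    """Strip quotes and the \\??\\ NT prefix, unify slashes, lower-case."""
    p = path.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.replace("/", "\\").lower()

def is_masquerading(image):
    """True when a well-known binary name runs from a directory it does not belong in."""
    directory, _, name = normalize(image).rpartition("\\")
    legit = LEGIT_DIRS.get(name)
    return legit is not None and directory not in legit

def first_token(cmdline):
    """Executable path of a command line such as 'c:\\x\\svchost.exe RO'."""
    toks = shlex.split(cmdline, posix=False)  # posix=False keeps backslashes literal
    return toks[0] if toks else ""

def parse_schtasks_create(cmdline):
    """Return {'/tn': ..., '/tr': ..., ...} for a 'schtasks /create' line, else None."""
    toks = shlex.split(cmdline, posix=False)
    if not toks or normalize(toks[0]).rpartition("\\")[2] not in ("schtasks", "schtasks.exe"):
        return None
    lowered = [t.lower() for t in toks]
    if "/create" not in lowered:
        return None
    return {t: toks[i + 1].strip('"') for i, t in enumerate(lowered)
            if t in ("/tn", "/tr", "/sc", "/st") and i + 1 < len(toks)}

def analyze(events):
    """Apply the four checks to the event list and return the findings."""
    findings = []
    for ev in events:
        pid = ev["pid"]
        if ev["type"] == "process":
            if is_masquerading(ev["image"]):
                findings.append(Finding("masquerading_image", pid, normalize(ev["image"])))
            opts = parse_schtasks_create(ev["cmdline"])
            if opts and is_masquerading(first_token(opts.get("/tr", ""))):
                findings.append(Finding("scheduled_task_to_masquerading_binary", pid,
                                        f"/tn {opts.get('/tn')} /tr {opts['/tr']}"))
        elif ev["type"] == "registry":
            if ev["key"].lower().endswith(RUN_KEYS) and is_masquerading(first_token(str(ev["data"]))):
                findings.append(Finding("run_key_to_masquerading_binary", pid,
                                        f"{ev['value']} = {ev['data']}"))
            if ev["value"].lower() == "showsuperhidden" and str(ev["data"]) == "0":
                findings.append(Finding("hides_super_hidden_files", pid, ev["key"]))
    return findings

def ancestry(events, pid):
    """Follow ppid links from pid up to the root; returns the chain, child first."""
    parents = {ev["pid"]: ev.get("ppid") for ev in events if ev["type"] == "process"}
    chain = [pid]
    while parents.get(chain[-1]) is not None and parents[chain[-1]] not in chain:
        chain.append(parents[chain[-1]])
    return chain

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1de0d2f56e61a044f68fcb9bd111982a6c68bbcefc0587e81e9495bacecb7232_NeikiAnalytics.exe"
SAMPLE_EVENTS = [  # constructed from the report's process tree and signature tables
    {"type": "process", "pid": 2236, "ppid": None, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "process", "pid": 2740, "ppid": 2236, "image": r"C:\Windows\Resources\Themes\icsys.icn.exe", "cmdline": r"C:\Windows\Resources\Themes\icsys.icn.exe"},
    {"type": "process", "pid": 2764, "ppid": 2740, "image": r"\??\c:\windows\resources\themes\explorer.exe", "cmdline": r"c:\windows\resources\themes\explorer.exe"},
    {"type": "process", "pid": 1256, "ppid": 2764, "image": r"\??\c:\windows\resources\spoolsv.exe", "cmdline": r"c:\windows\resources\spoolsv.exe SE"},
    {"type": "process", "pid": 2984, "ppid": 1256, "image": r"\??\c:\windows\resources\svchost.exe", "cmdline": r"c:\windows\resources\svchost.exe"},
    {"type": "process", "pid": 2584, "ppid": 2984, "image": r"\??\c:\windows\resources\spoolsv.exe", "cmdline": r"c:\windows\resources\spoolsv.exe PR"},
    {"type": "process", "pid": 2612, "ppid": 2764, "image": r"C:\Windows\Explorer.exe", "cmdline": r"C:\Windows\Explorer.exe"},
    {"type": "process", "pid": 2568, "ppid": 2984, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:10 /f'},
    {"type": "registry", "pid": 2984, "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce",
     "value": "Svchost", "data": r"c:\windows\resources\svchost.exe RO"},
    {"type": "registry", "pid": 2764, "value": "ShowSuperHidden", "data": 0,
     "key": r"HKU\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"},
    # benign controls (constructed): the real svchost.exe and an ordinary Run value
    {"type": "process", "pid": 4000, "ppid": 500, "image": r"C:\Windows\System32\svchost.exe", "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"type": "registry", "pid": 4001, "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "ExampleAgent", "data": r'"C:\Program Files\Example\agent.exe" /background'},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.rule:40} pid={f.pid:<5} {f.detail}")
    print("ancestry of 2584:", ancestry(SAMPLE_EVENTS, 2584))
```

Run as a script it prints seven findings (the four masquerading images, the scheduled task, the RunOnce value and the ShowSuperHidden change) and the chain 2584 → 2984 → 1256 → 2764 → 2740 → 2236; neither control event is flagged. On a live host the same functions can be fed Sysmon process-creation (event ID 1) and registry value-set (event ID 13) records after mapping their fields onto the assumed schema.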
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\1de0d2f56e61a044f68fcb9bd111982a6c68bbcefc0587e81e9495bacecb7232_neikianalytics.exe
  Filesize: 3.4MB
  MD5: 4ac6b7f3a1f778bfb9e97bdf7d71c0db
  SHA1: b6fe449294ddafda2d269200fb9930d1b2e7b5f2
  SHA256: 1a90efb3a89c7ef2795d12de927e3123a30b278234c8c92ff0479767021b92a5
  SHA512: 1e44a65df80e240fb39880d6a8da8d6f815b0ac15ecd2838189f0a73ebc2854be0250b2ddb74b193d6f2225f9e3ea9cbeaf96c131400dc9dc11267fa8afc85ef
- Filesize: 135KB
  MD5: 11c0e3f9d707fd7cdac52c1125e0bd34
  SHA1: 115e5264b90f5a2ff68bc8e94777b296af0cee86
  SHA256: 958a5e6e4d2dfd1a47924100c35817fb3dcb3916385465316a506d57451a3241
  SHA512: d1f515067ec9be74ba4485c0aa266174d5d88546a91e8ab5234fe32be954020312da036a934d3424db61528026e83a85471dd9ee05d474f29ce8de6d7e45f770
- Filesize: 135KB
  MD5: 3e95e3e774a7628a84caaf5f746cb4f0
  SHA1: 13b25155f094a7efbfa79d7a956eed24c2ecd480
  SHA256: d0498b27e0b27d2ca9b6528f845bf4fd3f706d85d808411f8870b028fcf788a8
  SHA512: cad4ad43cadbf099de1c1e707e4176542d0d85ecbea4339418b2fd1afc9d00ac6a63823975158d587eab5f8c6d42ad6df1c0f9784714b92869b9c8e8e06f70b4
- Filesize: 135KB
  MD5: d932e116a4a1fc19a31d4a03d272cd39
  SHA1: 5375297fe87cba5b634d256622a7cc469391d56d
  SHA256: 1469ad8b900424e6124619b278f3315a4b834ca038a7e3d206e3144a62ed11c1
  SHA512: a1e56ec7c357e11ea495a6684935ea91b2965995abde1dabd1ba123db54f8422195b4620eefc021cf0c31b1542dd3bacbe90216ea34e2ae851b804dedb911149
- Filesize: 135KB
  MD5: 782aa15313a009f6dbe4ee5e88e3bf3c
  SHA1: 921c81d6a84a8c7bc34a26017ffe9e171cbc20d3
  SHA256: 3b444a28a40b5fcac01afe4746c9064d3cbc37f1f9fd6fac745488f548910a45
  SHA512: 2aaba0c1480fcac2bc1d0e98abe25c443d0abfd6ab79ed3a36b90034efa0918fb3f54cd291f772f468ae1545f5ac1642ff26b60ee44e66dc1c684aff210e0b5e