a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe
Size

282KB
MD5

17bce7ffd31ffc9e39d5676d8e1ed640
SHA1

dbec80e43538e617b7aba1e3d5c9dbf3c222e36f
SHA256

a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8
SHA512

7d03e6dd828c86351015a49769a5ae1a5915231af3945e6d0bb1c8f12c6549f543fed1c85484ecdc58ad17fe8b0895bd4d79789f8b2683c557a29b70625ec622
SSDEEP

3072:UVqoCl/YgjxEufVU0TbTyDDalRqIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIp:UsLqdufVUNDaF4w4lMKxpfrhsK/iBKay

Score

10^/10

evasion persistence vmprotect

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 6 IoCs

Processes:

a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_neikianalytics.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

4536 a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_neikianalytics.exe
5080 icsys.icn.exe
2700 explorer.exe
1684 spoolsv.exe
1784 svchost.exe
2052 spoolsv.exe

pid	process
4536	a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_neikianalytics.exe
5080	icsys.icn.exe
2700	explorer.exe
1684	spoolsv.exe
1784	svchost.exe
2052	spoolsv.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_neikianalytics.exe	vmprotect
behavioral2/memory/4536-10-0x00000000002D0000-0x0000000000302000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

svchost.exeexplorer.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\explorer.exe svchost.exe
File opened for modification C:\Windows\SysWOW64\explorer.exe explorer.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe

Drops file in Windows directory 5 IoCs

Processes:

explorer.exespoolsv.exea44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exeicsys.icn.exe

description	ioc	process
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exeicsys.icn.exe

pid	process
2668	a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe
2668	a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe
2668	a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe
2668	a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe
2668	a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe
2668	a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe
2668	a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe
2668	a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe
2668	a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe
2668	a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe
2668	a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe
2668	a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe
2668	a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe
2668	a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe
2668	a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe
2668	a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe
2668	a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe
2668	a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe
2668	a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe
2668	a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe
2668	a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe
2668	a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe
2668	a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe
2668	a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe
2668	a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe
2668	a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe
2668	a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe
2668	a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe
2668	a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe
2668	a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe
2668	a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe
2668	a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe
5080	icsys.icn.exe
5080	icsys.icn.exe
5080	icsys.icn.exe
5080	icsys.icn.exe
5080	icsys.icn.exe
5080	icsys.icn.exe
5080	icsys.icn.exe
5080	icsys.icn.exe
5080	icsys.icn.exe
5080	icsys.icn.exe
5080	icsys.icn.exe
5080	icsys.icn.exe
5080	icsys.icn.exe
5080	icsys.icn.exe
5080	icsys.icn.exe
5080	icsys.icn.exe
5080	icsys.icn.exe
5080	icsys.icn.exe
5080	icsys.icn.exe
5080	icsys.icn.exe
5080	icsys.icn.exe
5080	icsys.icn.exe
5080	icsys.icn.exe
5080	icsys.icn.exe
5080	icsys.icn.exe
5080	icsys.icn.exe
5080	icsys.icn.exe
5080	icsys.icn.exe
5080	icsys.icn.exe
5080	icsys.icn.exe
5080	icsys.icn.exe
5080	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

2700 explorer.exe
1784 svchost.exe

pid	process
2700	explorer.exe
1784	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
2668	a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe
2668	a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe
5080	icsys.icn.exe
5080	icsys.icn.exe
2700	explorer.exe
2700	explorer.exe
1684	spoolsv.exe
1684	spoolsv.exe
1784	svchost.exe
1784	svchost.exe
2052	spoolsv.exe
2052	spoolsv.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 2668 wrote to memory of 4536	2668	a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe	a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_neikianalytics.exe
PID 2668 wrote to memory of 4536	2668	a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe	a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_neikianalytics.exe
PID 2668 wrote to memory of 4536	2668	a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe	a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_neikianalytics.exe
PID 2668 wrote to memory of 5080	2668	a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe	icsys.icn.exe
PID 2668 wrote to memory of 5080	2668	a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe	icsys.icn.exe
PID 2668 wrote to memory of 5080	2668	a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe	icsys.icn.exe
PID 5080 wrote to memory of 2700	5080	icsys.icn.exe	explorer.exe
PID 5080 wrote to memory of 2700	5080	icsys.icn.exe	explorer.exe
PID 5080 wrote to memory of 2700	5080	icsys.icn.exe	explorer.exe
PID 2700 wrote to memory of 1684	2700	explorer.exe	spoolsv.exe
PID 2700 wrote to memory of 1684	2700	explorer.exe	spoolsv.exe
PID 2700 wrote to memory of 1684	2700	explorer.exe	spoolsv.exe
PID 1684 wrote to memory of 1784	1684	spoolsv.exe	svchost.exe
PID 1684 wrote to memory of 1784	1684	spoolsv.exe	svchost.exe
PID 1684 wrote to memory of 1784	1684	spoolsv.exe	svchost.exe
PID 1784 wrote to memory of 2052	1784	svchost.exe	spoolsv.exe
PID 1784 wrote to memory of 2052	1784	svchost.exe	spoolsv.exe
PID 1784 wrote to memory of 2052	1784	svchost.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2668

\??\c:\users\admin\appdata\local\temp\a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_neikianalytics.exe
c:\users\admin\appdata\local\temp\a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_neikianalytics.exe
2⤵
- Executes dropped EXE
PID:4536

C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5080

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2700

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1684

\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
5⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1784

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2052

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a44e534ba84544b7438305b3afcdd1a638a939f085664a0eb4cd5566efc566b8_neikianalytics.exe
Filesize
147KB

MD5
d3698cfcec3e1728d519ae88bca852a5

SHA1
08cb8b83ee9245a6703ec1a327f8572479cc0418

SHA256
6fbca8741926f4809e0788b6439b2a1a9922f13953641e4dfd0b77d4cbba74ad

SHA512
6a349b315328c15f377c9c0000f25089b122742d82018a60f4930adb300d21e2fe74bb5d6b69b89572055d6e6f27d956993729ab75708384953006fe600170c3

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe
Filesize
135KB

MD5
d2d60ae76b8ee4e618f057d398ea831b

SHA1
fe595e683918af0e1ddc9568c181e14f803a1392

SHA256
0d84ea404758277ed045ac3734fc6d3b3e91a67d3063832d61ad784eb8ccae06

SHA512
ba97c12e6b1ed055f2bb17c157b37e856c6a41539e175feb81cfab588113974f25986c893c70c43dd929bb4edf2a4bed1ad07d5f11b1bdf88d028cb9c1bc8e14

Download Submit
C:\Windows\Resources\spoolsv.exe
Filesize
135KB

MD5
b080f6cce2c5009a7a7ac6697b8ce92d

SHA1
beb73c5ffc539c23ba3b50213ff79703a46bf0c9

SHA256
2318beb635b095ee9cf680c6352bdf06f793be7cbcf19f635076795703c31570

SHA512
1e64972dca18c0a28bc4b2a8cfdb9168f52e10270672de480b5e8ac571a636232497127ca107d38d6561f1720641af2982be97346d22f90943f37831f9c2cdfb

Download Submit
C:\Windows\Resources\svchost.exe
Filesize
135KB

MD5
48055fd9c96c9e320b16ea04d3274dae

SHA1
be73caab0344e21cf42302cb4e165e58bb8bfd79

SHA256
a0f249dade5758b7afbe2d2574af1ae31913b25db6c655fa9cc40b74cbd1153f

SHA512
a1dcf70ec6c3662b4de5429b5211a967866b103b119bdcf8d6ced4a0a26227497eebcf8cd8a465bad5456622090bcce38e373faef6c91ab703bf45e7750a6ff3

Download Submit
\??\c:\windows\resources\themes\explorer.exe
Filesize
135KB

MD5
d88d5e01009cb5ed4f0bcfc3b0e44121

SHA1
65eee58cdcd4e9f2a2b0d97176c00f8bee004cdc

SHA256
d79e2d738320dc0b6779d50d64075adb6a8fe452cbf1cfe53b3126b8d913cbac

SHA512
a23999b57a73a3f6e63377b5d782202708f7896810724f0ef9ff9cb936c881b2fbf1b560a85361767ce38249cbcce76aa02cfec22f8e39b1de3470d57adb9a64

Download Submit
memory/1684-52-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2052-50-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2668-51-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2668-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4536-14-0x00000000091A0000-0x00000000091AA000-memory.dmp

Filesize
40KB

Download
memory/4536-13-0x0000000074240000-0x00000000749F0000-memory.dmp

Filesize
7.7MB

Download
memory/4536-12-0x00000000091E0000-0x0000000009272000-memory.dmp

Filesize
584KB

Download
memory/4536-11-0x00000000096F0000-0x0000000009C94000-memory.dmp

Filesize
5.6MB

Download
memory/4536-10-0x00000000002D0000-0x0000000000302000-memory.dmp

Filesize
200KB

Download
memory/4536-9-0x000000007424E000-0x000000007424F000-memory.dmp

Filesize
4KB

Download
memory/4536-54-0x0000000004E10000-0x0000000004E76000-memory.dmp

Filesize
408KB

Download
memory/4536-55-0x000000007424E000-0x000000007424F000-memory.dmp

Filesize
4KB

Download
memory/4536-56-0x0000000074240000-0x00000000749F0000-memory.dmp

Filesize
7.7MB

Download
memory/5080-18-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5080-53-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download