35833fd954a1f2c69c8c2e65706f61ce81be3c31c0b292b772d82e982d47a1e8

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 04:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35833fd954a1f2c69c8c2e65706f61ce81be3c31c0b292b772d82e982d47a1e8_NeikiAnalytics.exe
Size

206KB
MD5

1319493968a0db54c5d716f913b14060
SHA1

b2ade583a1c27b734448ca18ff1891041e34e1dc
SHA256

35833fd954a1f2c69c8c2e65706f61ce81be3c31c0b292b772d82e982d47a1e8
SHA512

c9b12ab6a20e8e29b6fb51ead2ff739f238b412a4799b7671edf8f1520c2c0f21c36b47551bf6df8bca4810b3a47f7175c1f5edbd6808a9062c754e42e3f2ef2
SSDEEP

3072:KvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unv:KvEN2U+T6i5LirrllHy4HUcMQY6E

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe

Executes dropped EXE 4 IoCs

Processes:

explorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

1740 explorer.exe
2612 spoolsv.exe
2604 svchost.exe
2796 spoolsv.exe

pid	process
1740	explorer.exe
2612	spoolsv.exe
2604	svchost.exe
2796	spoolsv.exe

Loads dropped DLL 8 IoCs

Processes:

35833fd954a1f2c69c8c2e65706f61ce81be3c31c0b292b772d82e982d47a1e8_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exe

pid	process
2056	35833fd954a1f2c69c8c2e65706f61ce81be3c31c0b292b772d82e982d47a1e8_NeikiAnalytics.exe
2056	35833fd954a1f2c69c8c2e65706f61ce81be3c31c0b292b772d82e982d47a1e8_NeikiAnalytics.exe
1740	explorer.exe
1740	explorer.exe
2612	spoolsv.exe
2612	spoolsv.exe
2604	svchost.exe
2604	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

Processes:

spoolsv.exeexplorer.exesvchost.exe35833fd954a1f2c69c8c2e65706f61ce81be3c31c0b292b772d82e982d47a1e8_NeikiAnalytics.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	35833fd954a1f2c69c8c2e65706f61ce81be3c31c0b292b772d82e982d47a1e8_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

35833fd954a1f2c69c8c2e65706f61ce81be3c31c0b292b772d82e982d47a1e8_NeikiAnalytics.exeexplorer.exesvchost.exe

pid	process
2056	35833fd954a1f2c69c8c2e65706f61ce81be3c31c0b292b772d82e982d47a1e8_NeikiAnalytics.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
2604	svchost.exe
2604	svchost.exe
2604	svchost.exe
1740	explorer.exe
2604	svchost.exe
1740	explorer.exe
1740	explorer.exe
2604	svchost.exe
1740	explorer.exe
2604	svchost.exe
1740	explorer.exe
2604	svchost.exe
1740	explorer.exe
2604	svchost.exe
1740	explorer.exe
2604	svchost.exe
2604	svchost.exe
1740	explorer.exe
2604	svchost.exe
1740	explorer.exe
2604	svchost.exe
1740	explorer.exe
2604	svchost.exe
1740	explorer.exe
2604	svchost.exe
1740	explorer.exe
2604	svchost.exe
1740	explorer.exe
1740	explorer.exe
2604	svchost.exe
1740	explorer.exe
2604	svchost.exe
2604	svchost.exe
1740	explorer.exe
1740	explorer.exe
2604	svchost.exe
2604	svchost.exe
1740	explorer.exe
2604	svchost.exe
1740	explorer.exe
1740	explorer.exe
2604	svchost.exe
1740	explorer.exe
2604	svchost.exe
1740	explorer.exe
2604	svchost.exe
2604	svchost.exe
1740	explorer.exe
2604	svchost.exe
1740	explorer.exe
2604	svchost.exe
1740	explorer.exe
1740	explorer.exe
2604	svchost.exe
1740	explorer.exe
2604	svchost.exe
2604	svchost.exe
1740	explorer.exe
2604	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

1740 explorer.exe
2604 svchost.exe

pid	process
1740	explorer.exe
2604	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

35833fd954a1f2c69c8c2e65706f61ce81be3c31c0b292b772d82e982d47a1e8_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
2056	35833fd954a1f2c69c8c2e65706f61ce81be3c31c0b292b772d82e982d47a1e8_NeikiAnalytics.exe
2056	35833fd954a1f2c69c8c2e65706f61ce81be3c31c0b292b772d82e982d47a1e8_NeikiAnalytics.exe
1740	explorer.exe
1740	explorer.exe
2612	spoolsv.exe
2612	spoolsv.exe
2604	svchost.exe
2604	svchost.exe
2796	spoolsv.exe
2796	spoolsv.exe
1740	explorer.exe
1740	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

35833fd954a1f2c69c8c2e65706f61ce81be3c31c0b292b772d82e982d47a1e8_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 2056 wrote to memory of 1740	2056	35833fd954a1f2c69c8c2e65706f61ce81be3c31c0b292b772d82e982d47a1e8_NeikiAnalytics.exe	explorer.exe
PID 2056 wrote to memory of 1740	2056	35833fd954a1f2c69c8c2e65706f61ce81be3c31c0b292b772d82e982d47a1e8_NeikiAnalytics.exe	explorer.exe
PID 2056 wrote to memory of 1740	2056	35833fd954a1f2c69c8c2e65706f61ce81be3c31c0b292b772d82e982d47a1e8_NeikiAnalytics.exe	explorer.exe
PID 2056 wrote to memory of 1740	2056	35833fd954a1f2c69c8c2e65706f61ce81be3c31c0b292b772d82e982d47a1e8_NeikiAnalytics.exe	explorer.exe
PID 1740 wrote to memory of 2612	1740	explorer.exe	spoolsv.exe
PID 1740 wrote to memory of 2612	1740	explorer.exe	spoolsv.exe
PID 1740 wrote to memory of 2612	1740	explorer.exe	spoolsv.exe
PID 1740 wrote to memory of 2612	1740	explorer.exe	spoolsv.exe
PID 2612 wrote to memory of 2604	2612	spoolsv.exe	svchost.exe
PID 2612 wrote to memory of 2604	2612	spoolsv.exe	svchost.exe
PID 2612 wrote to memory of 2604	2612	spoolsv.exe	svchost.exe
PID 2612 wrote to memory of 2604	2612	spoolsv.exe	svchost.exe
PID 2604 wrote to memory of 2796	2604	svchost.exe	spoolsv.exe
PID 2604 wrote to memory of 2796	2604	svchost.exe	spoolsv.exe
PID 2604 wrote to memory of 2796	2604	svchost.exe	spoolsv.exe
PID 2604 wrote to memory of 2796	2604	svchost.exe	spoolsv.exe
PID 2604 wrote to memory of 2464	2604	svchost.exe	at.exe
PID 2604 wrote to memory of 2464	2604	svchost.exe	at.exe
PID 2604 wrote to memory of 2464	2604	svchost.exe	at.exe
PID 2604 wrote to memory of 2464	2604	svchost.exe	at.exe
PID 2604 wrote to memory of 2396	2604	svchost.exe	at.exe
PID 2604 wrote to memory of 2396	2604	svchost.exe	at.exe
PID 2604 wrote to memory of 2396	2604	svchost.exe	at.exe
PID 2604 wrote to memory of 2396	2604	svchost.exe	at.exe
PID 2604 wrote to memory of 2140	2604	svchost.exe	at.exe
PID 2604 wrote to memory of 2140	2604	svchost.exe	at.exe
PID 2604 wrote to memory of 2140	2604	svchost.exe	at.exe
PID 2604 wrote to memory of 2140	2604	svchost.exe	at.exe

C:\Users\Admin\AppData\Local\Temp\35833fd954a1f2c69c8c2e65706f61ce81be3c31c0b292b772d82e982d47a1e8_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\35833fd954a1f2c69c8c2e65706f61ce81be3c31c0b292b772d82e982d47a1e8_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2056

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
2⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2612

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe PR
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2796

C:\Windows\SysWOW64\at.exe
at 04:33 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
5⤵
PID:2464

C:\Windows\SysWOW64\at.exe
at 04:34 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
5⤵
PID:2396

C:\Windows\SysWOW64\at.exe
at 04:35 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
5⤵
PID:2140

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mrsys.exe
Filesize
206KB

MD5
8c03f1450ee4c1c8d18547736260f466

SHA1
e5435e8725413cd152adace5ddab6f8dc4e8ecd6

SHA256
8fe431e7a6f50d7959b6ecf5a2bdb3502fa2ad8d6dc67a22f3e7263d373e9388

SHA512
5941ccde303bad8c2c4f45f23c0cabf5143b5841b517c2aefa1861cab6bbd20e4b80f205f6e43a5dd48a4b178bd6b04ea70368e18a0f8da2a327b9fea5292290

Download Submit
\Windows\system\explorer.exe
Filesize
206KB

MD5
3848a853936c78a245ee5ba28f5db6eb

SHA1
43c9d498c8405934f99ec9742c7f2660d219ca8a

SHA256
56becb377e337318d48ec2877f5e9bf339c0b7b6006ced886ec5b34b57682671

SHA512
7748d375456ccc973395e238ab57f86116ee59d265c1368cddbbb07f98bb750d63e9a0513ea53b24060cac0a44da47900c9e862b4501ebe6e151997460bfb94e

Download Submit
\Windows\system\spoolsv.exe
Filesize
206KB

MD5
745bba88e32cfec2f843034ee16f0b10

SHA1
10cb6e79113676bb04840bda82c1b3533ac63e9b

SHA256
37409c29aa118b1def9aaee4159c40a413dd0c9505df946e83ac5af0f883ee07

SHA512
95aca89ad5c4794328df4a01f8204a40545fc271e845b7500c974a24d075572f617303ea7b05df9361a691371c27cd14bacfe9da20b3338a42f8d83571954c26

Download Submit
\Windows\system\svchost.exe
Filesize
206KB

MD5
63ac6c2ee6b91e2e4d6437e24a271904

SHA1
8c357d0d7fde5492a67f750e8ea0542a54770459

SHA256
c539c02227c22483c564d74eed933a654027a07507a6f501a220af03b6d8d18b

SHA512
1ef453644d0fb7123b5c691964f17c2ea6670b16072cfeaaf41a19af2fe366a566c4fcdc7d7a409215393b0708088c92f8714f7eb792acdeed3db6e796112658

Download Submit
memory/2056-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2056-13-0x0000000002760000-0x00000000027A1000-memory.dmp

Filesize
260KB

Download
memory/2056-55-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2612-39-0x0000000003190000-0x00000000031D1000-memory.dmp

Filesize
260KB

Download
memory/2612-54-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2796-51-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads