Analysis
max time kernel: 150s
max time network: 123s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 01-07-2024 04:31
Static task: static1
Behavioral task: behavioral1
  Sample: 35833fd954a1f2c69c8c2e65706f61ce81be3c31c0b292b772d82e982d47a1e8_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 35833fd954a1f2c69c8c2e65706f61ce81be3c31c0b292b772d82e982d47a1e8_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 35833fd954a1f2c69c8c2e65706f61ce81be3c31c0b292b772d82e982d47a1e8_NeikiAnalytics.exe
Size: 206KB
MD5: 1319493968a0db54c5d716f913b14060
SHA1: b2ade583a1c27b734448ca18ff1891041e34e1dc
SHA256: 35833fd954a1f2c69c8c2e65706f61ce81be3c31c0b292b772d82e982d47a1e8
SHA512: c9b12ab6a20e8e29b6fb51ead2ff739f238b412a4799b7671edf8f1520c2c0f21c36b47551bf6df8bca4810b3a47f7175c1f5edbd6808a9062c754e42e3f2ef2
SSDEEP: 3072:KvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unv:KvEN2U+T6i5LirrllHy4HUcMQY6E
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 8 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: svchost.exe, explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Executes dropped EXE (4 IoCs)
Processes: explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
pid | process
1740 | explorer.exe
2612 | spoolsv.exe
2604 | svchost.exe
2796 | spoolsv.exe
Loads dropped DLL (8 IoCs)
Processes: 35833fd954a1f2c69c8c2e65706f61ce81be3c31c0b292b772d82e982d47a1e8_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe
pid | process | hits (of 8)
2056 | 35833fd954a1f2c69c8c2e65706f61ce81be3c31c0b292b772d82e982d47a1e8_NeikiAnalytics.exe | 2
1740 | explorer.exe | 2
2612 | spoolsv.exe | 2
2604 | svchost.exe | 2
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: explorer.exe, svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Drops file in Windows directory (6 IoCs)
Processes: spoolsv.exe, explorer.exe, svchost.exe, 35833fd954a1f2c69c8c2e65706f61ce81be3c31c0b292b772d82e982d47a1e8_NeikiAnalytics.exe
description | ioc | process
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
File opened for modification | \??\c:\windows\system\explorer.exe | 35833fd954a1f2c69c8c2e65706f61ce81be3c31c0b292b772d82e982d47a1e8_NeikiAnalytics.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 35833fd954a1f2c69c8c2e65706f61ce81be3c31c0b292b772d82e982d47a1e8_NeikiAnalytics.exe, explorer.exe, svchost.exe
pid | process | hits (of 64)
2056 | 35833fd954a1f2c69c8c2e65706f61ce81be3c31c0b292b772d82e982d47a1e8_NeikiAnalytics.exe | 1
1740 | explorer.exe | 32
2604 | svchost.exe | 31
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes: explorer.exe, svchost.exe
pid | process
1740 | explorer.exe
2604 | svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
Processes: 35833fd954a1f2c69c8c2e65706f61ce81be3c31c0b292b772d82e982d47a1e8_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
pid | process | hits (of 12)
2056 | 35833fd954a1f2c69c8c2e65706f61ce81be3c31c0b292b772d82e982d47a1e8_NeikiAnalytics.exe | 2
1740 | explorer.exe | 4
2612 | spoolsv.exe | 2
2604 | svchost.exe | 2
2796 | spoolsv.exe | 2
Suspicious use of WriteProcessMemory (28 IoCs)
Processes: 35833fd954a1f2c69c8c2e65706f61ce81be3c31c0b292b772d82e982d47a1e8_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe
description | pid | process | target process | hits (of 28)
PID 2056 wrote to memory of 1740 | 2056 | 35833fd954a1f2c69c8c2e65706f61ce81be3c31c0b292b772d82e982d47a1e8_NeikiAnalytics.exe | explorer.exe | 4
PID 1740 wrote to memory of 2612 | 1740 | explorer.exe | spoolsv.exe | 4
PID 2612 wrote to memory of 2604 | 2612 | spoolsv.exe | svchost.exe | 4
PID 2604 wrote to memory of 2796 | 2604 | svchost.exe | spoolsv.exe | 4
PID 2604 wrote to memory of 2464 | 2604 | svchost.exe | at.exe | 4
PID 2604 wrote to memory of 2396 | 2604 | svchost.exe | at.exe | 4
PID 2604 wrote to memory of 2140 | 2604 | svchost.exe | at.exe | 4
Processes
C:\Users\Admin\AppData\Local\Temp\35833fd954a1f2c69c8c2e65706f61ce81be3c31c0b292b772d82e982d47a1e8_NeikiAnalytics.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\35833fd954a1f2c69c8c2e65706f61ce81be3c31c0b292b772d82e982d47a1e8_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  \??\c:\windows\system\explorer.exe (depth 2)
    Command line: c:\windows\system\explorer.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    \??\c:\windows\system\spoolsv.exe (depth 3)
      Command line: c:\windows\system\spoolsv.exe SE
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      \??\c:\windows\system\svchost.exe (depth 4)
        Command line: c:\windows\system\svchost.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Boot or Logon Autostart Execution: Active Setup
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        \??\c:\windows\system\spoolsv.exe (depth 5)
          Command line: c:\windows\system\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\at.exe (depth 5)
          Command line: at 04:33 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        C:\Windows\SysWOW64\at.exe (depth 5)
          Command line: at 04:34 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        C:\Windows\SysWOW64\at.exe (depth 5)
          Command line: at 04:35 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Boot or Logon Autostart Execution (T1547): 3
    Registry Run Keys / Startup Folder (T1547.001): 1
    Winlogon Helper DLL (T1547.004): 1
    Active Setup (T1547.014): 1
Privilege Escalation
  Boot or Logon Autostart Execution (T1547): 3
    Registry Run Keys / Startup Folder (T1547.001): 1
    Winlogon Helper DLL (T1547.004): 1
    Active Setup (T1547.014): 1
Downloads
C:\Users\Admin\AppData\Roaming\mrsys.exe
  Filesize: 206KB
  MD5: 8c03f1450ee4c1c8d18547736260f466
  SHA1: e5435e8725413cd152adace5ddab6f8dc4e8ecd6
  SHA256: 8fe431e7a6f50d7959b6ecf5a2bdb3502fa2ad8d6dc67a22f3e7263d373e9388
  SHA512: 5941ccde303bad8c2c4f45f23c0cabf5143b5841b517c2aefa1861cab6bbd20e4b80f205f6e43a5dd48a4b178bd6b04ea70368e18a0f8da2a327b9fea5292290
\Windows\system\explorer.exe
  Filesize: 206KB
  MD5: 3848a853936c78a245ee5ba28f5db6eb
  SHA1: 43c9d498c8405934f99ec9742c7f2660d219ca8a
  SHA256: 56becb377e337318d48ec2877f5e9bf339c0b7b6006ced886ec5b34b57682671
  SHA512: 7748d375456ccc973395e238ab57f86116ee59d265c1368cddbbb07f98bb750d63e9a0513ea53b24060cac0a44da47900c9e862b4501ebe6e151997460bfb94e
\Windows\system\spoolsv.exe
  Filesize: 206KB
  MD5: 745bba88e32cfec2f843034ee16f0b10
  SHA1: 10cb6e79113676bb04840bda82c1b3533ac63e9b
  SHA256: 37409c29aa118b1def9aaee4159c40a413dd0c9505df946e83ac5af0f883ee07
  SHA512: 95aca89ad5c4794328df4a01f8204a40545fc271e845b7500c974a24d075572f617303ea7b05df9361a691371c27cd14bacfe9da20b3338a42f8d83571954c26
\Windows\system\svchost.exe
  Filesize: 206KB
  MD5: 63ac6c2ee6b91e2e4d6437e24a271904
  SHA1: 8c357d0d7fde5492a67f750e8ea0542a54770459
  SHA256: c539c02227c22483c564d74eed933a654027a07507a6f501a220af03b6d8d18b
  SHA512: 1ef453644d0fb7123b5c691964f17c2ea6670b16072cfeaaf41a19af2fe366a566c4fcdc7d7a409215393b0708088c92f8714f7eb792acdeed3db6e796112658
memory/2056-0-0x0000000000400000-0x0000000000441000-memory.dmp
  Filesize: 260KB
memory/2056-13-0x0000000002760000-0x00000000027A1000-memory.dmp
  Filesize: 260KB
memory/2056-55-0x0000000000400000-0x0000000000441000-memory.dmp
  Filesize: 260KB
memory/2612-39-0x0000000003190000-0x00000000031D1000-memory.dmp
  Filesize: 260KB
memory/2612-54-0x0000000000400000-0x0000000000441000-memory.dmp
  Filesize: 260KB
memory/2796-51-0x0000000000400000-0x0000000000441000-memory.dmp
  Filesize: 260KB