Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/05/2024, 07:03

General

  • Target

    a40cef77c32e47d2afed6f2ad797e6a0_NeikiAnalytics.exe

  • Size

    211KB

  • MD5

    a40cef77c32e47d2afed6f2ad797e6a0

  • SHA1

    9aac73cf0d199bdadc931cbdb4dd53419159810d

  • SHA256

    5e1338efd0474116d2e8b44b979af06595fc0bf0f749a0bc2e7a099245dc82d5

  • SHA512

    60c61b0b7bef7ca65a718bf7eeb2d6a36930c528590c306e219ccb30497c5721bd5d998cb3e02eddca25eb3005ecead75c5e34f0281d6c8f9e82e814b2000c49

  • SSDEEP

    3072:JD6Xtx68yygRBE52mxkEOHLRMpZ4deth8PEAjAfIbAYGPhz6sPJBInxZqOTHHHH1:Jh8cBzHLRMpZ4d1Zh

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a40cef77c32e47d2afed6f2ad797e6a0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\a40cef77c32e47d2afed6f2ad797e6a0_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3048
    • \??\c:\windows\userinit.exe
      c:\windows\userinit.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2920
      • \??\c:\windows\spoolsw.exe
        c:\windows\spoolsw.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2560
        • \??\c:\windows\swchost.exe
          c:\windows\swchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2584
          • \??\c:\windows\spoolsw.exe
            c:\windows\spoolsw.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2548

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\mrsys.exe

          Filesize

          211KB

          MD5

          3e3ce31a32465ca83c0070197db1435a

          SHA1

          1fde904afbc48ac59f7cba5a5128858919bf5e08

          SHA256

          01b5eec87b995237e9ab23e06fc00e4ce00cbed85469483d417f7d924c08bda5

          SHA512

          1b4efe8a9c419855223c1f8bf47c895dccbcea7a4ebeb756ffa82ee9e8a459dfe12c34d0ba4512b71768a177d2ad1e8d29c74a63d57830caf78a67f5e8893013

        • C:\Windows\spoolsw.exe

          Filesize

          211KB

          MD5

          590e098355345b163e1b1df035a77424

          SHA1

          3292d737957a240afc4ceaa516fded4e3615a670

          SHA256

          ef2de95bcc6358f114039f614e6ae2166d4c1e9685a4fdd62a22d7de282f5dbf

          SHA512

          3183a8caef0e616656c7e54362658f4f244afd649b7219dbd30c8ccb0d9d6d2e64109360fccdf95a3ad2ce007ca282ca94be50df36b28fe6b929790c7d90b5a6

        • C:\Windows\swchost.exe

          Filesize

          211KB

          MD5

          e909b88bf9a72a500b76c8578d7a40ec

          SHA1

          cbe18fbc77b7dcc4e5ef3c276f6168e50edf09f7

          SHA256

          d867938b4067d87bd42e75c080533694523bf9b465e117d4dff69511f260b7c6

          SHA512

          2724154b95eed76a0953b1d679ff48ec6e3e01e056d395d3f5936d0fbd927cfbb7ac4bb35adfcbb6ac6937d2540864dc425b3e24e4b336cfc469abd53bbefcef

        • C:\Windows\userinit.exe

          Filesize

          211KB

          MD5

          4cd05fe54e673cc2060770e36f2c853d

          SHA1

          a8f1a3e4bcf62db6546c4a3a85edb162d1837006

          SHA256

          2711264e25131ef58b42f1ab852364d145699d851bb8f6af8d68cb21fe1b09a0

          SHA512

          667361a6c032fa2ef4aa821a87145c44f94b12dcf7a959ed0b356116419b6af2c4085cfe98e619c9824a3b759ff5c4c9f8271919174824962511102c4d87a98e