Analysis
max time kernel: 150s
max time network: 123s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 13/05/2024, 07:03
Static task: static1
Behavioral task: behavioral1
  Sample: a40cef77c32e47d2afed6f2ad797e6a0_NeikiAnalytics.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: a40cef77c32e47d2afed6f2ad797e6a0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: a40cef77c32e47d2afed6f2ad797e6a0_NeikiAnalytics.exe
Size: 211KB
MD5: a40cef77c32e47d2afed6f2ad797e6a0
SHA1: 9aac73cf0d199bdadc931cbdb4dd53419159810d
SHA256: 5e1338efd0474116d2e8b44b979af06595fc0bf0f749a0bc2e7a099245dc82d5
SHA512: 60c61b0b7bef7ca65a718bf7eeb2d6a36930c528590c306e219ccb30497c5721bd5d998cb3e02eddca25eb3005ecead75c5e34f0281d6c8f9e82e814b2000c49
SSDEEP: 3072:JD6Xtx68yygRBE52mxkEOHLRMpZ4deth8PEAjAfIbAYGPhz6sPJBInxZqOTHHHH1:Jh8cBzHLRMpZ4d1Zh
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe" | userinit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe" | swchost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | userinit.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | swchost.exe
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | swchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" | swchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | swchost.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | userinit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" | userinit.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | swchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" | swchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | swchost.exe
Executes dropped EXE (4 IoCs)
pid | Process
2920 | userinit.exe
2560 | spoolsw.exe
2584 | swchost.exe
2548 | spoolsw.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO" | userinit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO" | userinit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO" | swchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO" | swchost.exe
Drops file in System32 directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\system\udsys.exe | userinit.exe
Drops file in Windows directory (5 IoCs)
description | ioc | Process
File opened for modification | \??\c:\windows\userinit.exe | a40cef77c32e47d2afed6f2ad797e6a0_NeikiAnalytics.exe
File opened for modification | \??\c:\windows\spoolsw.exe | userinit.exe
File opened for modification | \??\c:\windows\swchost.exe | spoolsw.exe
File opened for modification | \??\c:\windows\userinit.exe | userinit.exe
File opened for modification | \??\c:\windows\swchost.exe | swchost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | occurrences
3048 | a40cef77c32e47d2afed6f2ad797e6a0_NeikiAnalytics.exe | 1
2920 | userinit.exe | 32
2584 | swchost.exe | 31
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
2920 | userinit.exe
2584 | swchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process | occurrences
3048 | a40cef77c32e47d2afed6f2ad797e6a0_NeikiAnalytics.exe | 2
2920 | userinit.exe | 4
2560 | spoolsw.exe | 2
2584 | swchost.exe | 2
2548 | spoolsw.exe | 2
Suspicious use of WriteProcessMemory (16 IoCs)
description | pid | Process | procid_target | occurrences
PID 3048 wrote to memory of 2920 | 3048 | a40cef77c32e47d2afed6f2ad797e6a0_NeikiAnalytics.exe | 29 | 4
PID 2920 wrote to memory of 2560 | 2920 | userinit.exe | 30 | 4
PID 2560 wrote to memory of 2584 | 2560 | spoolsw.exe | 31 | 4
PID 2584 wrote to memory of 2548 | 2584 | swchost.exe | 32 | 4
Processes
[1] C:\Users\Admin\AppData\Local\Temp\a40cef77c32e47d2afed6f2ad797e6a0_NeikiAnalytics.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\a40cef77c32e47d2afed6f2ad797e6a0_NeikiAnalytics.exe"
    PID: 3048
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] \??\c:\windows\userinit.exe
      command line: c:\windows\userinit.exe
      PID: 2920
      - Modifies WinLogon for persistence
      - Modifies visibility of hidden/system files in Explorer
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] \??\c:\windows\spoolsw.exe
        command line: c:\windows\spoolsw.exe SE
        PID: 2560
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [4] \??\c:\windows\swchost.exe
          command line: c:\windows\swchost.exe
          PID: 2584
          - Modifies WinLogon for persistence
          - Modifies visibility of hidden/system files in Explorer
          - Modifies Installed Components in the registry
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
        [5] \??\c:\windows\spoolsw.exe
            command line: c:\windows\spoolsw.exe PR
            PID: 2548
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads
Filesize: 211KB
MD5: 3e3ce31a32465ca83c0070197db1435a
SHA1: 1fde904afbc48ac59f7cba5a5128858919bf5e08
SHA256: 01b5eec87b995237e9ab23e06fc00e4ce00cbed85469483d417f7d924c08bda5
SHA512: 1b4efe8a9c419855223c1f8bf47c895dccbcea7a4ebeb756ffa82ee9e8a459dfe12c34d0ba4512b71768a177d2ad1e8d29c74a63d57830caf78a67f5e8893013

Filesize: 211KB
MD5: 590e098355345b163e1b1df035a77424
SHA1: 3292d737957a240afc4ceaa516fded4e3615a670
SHA256: ef2de95bcc6358f114039f614e6ae2166d4c1e9685a4fdd62a22d7de282f5dbf
SHA512: 3183a8caef0e616656c7e54362658f4f244afd649b7219dbd30c8ccb0d9d6d2e64109360fccdf95a3ad2ce007ca282ca94be50df36b28fe6b929790c7d90b5a6

Filesize: 211KB
MD5: e909b88bf9a72a500b76c8578d7a40ec
SHA1: cbe18fbc77b7dcc4e5ef3c276f6168e50edf09f7
SHA256: d867938b4067d87bd42e75c080533694523bf9b465e117d4dff69511f260b7c6
SHA512: 2724154b95eed76a0953b1d679ff48ec6e3e01e056d395d3f5936d0fbd927cfbb7ac4bb35adfcbb6ac6937d2540864dc425b3e24e4b336cfc469abd53bbefcef

Filesize: 211KB
MD5: 4cd05fe54e673cc2060770e36f2c853d
SHA1: a8f1a3e4bcf62db6546c4a3a85edb162d1837006
SHA256: 2711264e25131ef58b42f1ab852364d145699d851bb8f6af8d68cb21fe1b09a0
SHA512: 667361a6c032fa2ef4aa821a87145c44f94b12dcf7a959ed0b356116419b6af2c4085cfe98e619c9824a3b759ff5c4c9f8271919174824962511102c4d87a98e