Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/05/2024, 07:03

General

  • Target

    a40cef77c32e47d2afed6f2ad797e6a0_NeikiAnalytics.exe

  • Size

    211KB

  • MD5

    a40cef77c32e47d2afed6f2ad797e6a0

  • SHA1

    9aac73cf0d199bdadc931cbdb4dd53419159810d

  • SHA256

    5e1338efd0474116d2e8b44b979af06595fc0bf0f749a0bc2e7a099245dc82d5

  • SHA512

    60c61b0b7bef7ca65a718bf7eeb2d6a36930c528590c306e219ccb30497c5721bd5d998cb3e02eddca25eb3005ecead75c5e34f0281d6c8f9e82e814b2000c49

  • SSDEEP

    3072:JD6Xtx68yygRBE52mxkEOHLRMpZ4deth8PEAjAfIbAYGPhz6sPJBInxZqOTHHHH1:Jh8cBzHLRMpZ4d1Zh

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a40cef77c32e47d2afed6f2ad797e6a0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\a40cef77c32e47d2afed6f2ad797e6a0_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2864
    • \??\c:\windows\userinit.exe
      c:\windows\userinit.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4696
      • \??\c:\windows\spoolsw.exe
        c:\windows\spoolsw.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3440
        • \??\c:\windows\swchost.exe
          c:\windows\swchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4520
          • \??\c:\windows\spoolsw.exe
            c:\windows\spoolsw.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:404

Network

MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\mrsys.exe

          Filesize

          211KB

          MD5

          c6870633b46a05208b2845f9595a8fbf

          SHA1

          a0c945a917a86fc8ecc9aa582e95223978dd512a

          SHA256

          c198ef806df6c20e8446a470b10fdd4d554f57a68c7569fb730b3a707f7f76a9

          SHA512

          a5a4aab4a2bf514eac121e8ce92b376387bf666b554027a0d1d0188f861bdf3ebf230f000119da778b1d219e88bbc2de841d7d6209def87b9c90ed82c85b1bc0

        • C:\Windows\spoolsw.exe

          Filesize

          211KB

          MD5

          1f7faa7d124afba20a8ff5b9ab78323e

          SHA1

          6b2479a1071141f3a5fd13d836fca50d5222e071

          SHA256

          88232cec2ba91682543b2f058772d4a89d0ffc5dcb0b24f1528ced1f2bdf408f

          SHA512

          0717dface8c763a6b88efc51e3dfa26655c8bf0de0f6cf5efd60a08fddaf8b348b3247f5496341032d821e5a767be68a21ff5b8e7d87b9b7c01d8766823948a5

        • C:\Windows\swchost.exe

          Filesize

          211KB

          MD5

          524e624accd2a24a1125705b67e8240e

          SHA1

          73ffcaf92dabdd9e61d8f9601d892c4f383429de

          SHA256

          bc631bcd6dd066ce136d9e22765ee4e240e9e97b8db2af41044b63c53edba3a1

          SHA512

          fe30ea9cb28c9be331ebdad2348d25a0644fda154641a61180407483b9a2f88687d0049fe51333e4bca34aa2d530eb26db583fe2d67618609e7030ba2c7f0651

        • C:\Windows\userinit.exe

          Filesize

          211KB

          MD5

          73318a053b04276cfc2fd369b0a902b6

          SHA1

          9fdbe895d9798c780da87577b0ea53001bfacd35

          SHA256

          3a55bbdfb0949d7801151885f26228017c050de2ff2ac3e50c1dc2a73a2b3570

          SHA512

          b88635ad2f6df6be11d3f49f78f96d7811522893e1828bfa0ef9ba519cc6e80d2c1cc4aa697cec0179443c57135cf93a57f8ad0f949ef8632b11ace6395e5594