Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/05/2024, 07:03
Static task: static1
Behavioral task: behavioral1
  Sample: a40cef77c32e47d2afed6f2ad797e6a0_NeikiAnalytics.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: a40cef77c32e47d2afed6f2ad797e6a0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: a40cef77c32e47d2afed6f2ad797e6a0_NeikiAnalytics.exe
Size: 211KB
MD5: a40cef77c32e47d2afed6f2ad797e6a0
SHA1: 9aac73cf0d199bdadc931cbdb4dd53419159810d
SHA256: 5e1338efd0474116d2e8b44b979af06595fc0bf0f749a0bc2e7a099245dc82d5
SHA512: 60c61b0b7bef7ca65a718bf7eeb2d6a36930c528590c306e219ccb30497c5721bd5d998cb3e02eddca25eb3005ecead75c5e34f0281d6c8f9e82e814b2000c49
SSDEEP: 3072:JD6Xtx68yygRBE52mxkEOHLRMpZ4deth8PEAjAfIbAYGPhz6sPJBInxZqOTHHHH1:Jh8cBzHLRMpZ4d1Zh
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe" | userinit.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe" | swchost.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | userinit.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | swchost.exe

Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | swchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" | swchost.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | swchost.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | swchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" | swchost.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | swchost.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | userinit.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" | userinit.exe

Executes dropped EXE (4 IoCs)
  pid | Process
  4696 | userinit.exe
  3440 | spoolsw.exe
  4520 | swchost.exe
  404 | spoolsw.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO" | swchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO" | userinit.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO" | userinit.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO" | swchost.exe

Drops file in System32 directory (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\system\udsys.exe | userinit.exe

Drops file in Windows directory (5 IoCs)
  description | ioc | Process
  File opened for modification | \??\c:\windows\swchost.exe | swchost.exe
  File opened for modification | \??\c:\windows\userinit.exe | a40cef77c32e47d2afed6f2ad797e6a0_NeikiAnalytics.exe
  File opened for modification | \??\c:\windows\spoolsw.exe | userinit.exe
  File opened for modification | \??\c:\windows\swchost.exe | spoolsw.exe
  File opened for modification | \??\c:\windows\userinit.exe | userinit.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process | occurrences
  2864 | a40cef77c32e47d2afed6f2ad797e6a0_NeikiAnalytics.exe | 2
  4696 | userinit.exe | 32
  4520 | swchost.exe | 30

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | Process
  4696 | userinit.exe
  4520 | swchost.exe

Suspicious use of SetWindowsHookEx (12 IoCs)
  pid | Process | occurrences
  2864 | a40cef77c32e47d2afed6f2ad797e6a0_NeikiAnalytics.exe | 2
  4696 | userinit.exe | 4
  3440 | spoolsw.exe | 2
  4520 | swchost.exe | 2
  404 | spoolsw.exe | 2

Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target | occurrences
  PID 2864 wrote to memory of 4696 | 2864 | a40cef77c32e47d2afed6f2ad797e6a0_NeikiAnalytics.exe | 83 | 3
  PID 4696 wrote to memory of 3440 | 4696 | userinit.exe | 84 | 3
  PID 3440 wrote to memory of 4520 | 3440 | spoolsw.exe | 85 | 3
  PID 4520 wrote to memory of 404 | 4520 | swchost.exe | 86 | 3
Processes

1. C:\Users\Admin\AppData\Local\Temp\a40cef77c32e47d2afed6f2ad797e6a0_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a40cef77c32e47d2afed6f2ad797e6a0_NeikiAnalytics.exe"
   PID: 2864
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. \??\c:\windows\userinit.exe
      Command line: c:\windows\userinit.exe
      PID: 4696
      - Modifies WinLogon for persistence
      - Modifies visibility of hidden/system files in Explorer
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. \??\c:\windows\spoolsw.exe
         Command line: c:\windows\spoolsw.exe SE
         PID: 3440
         - Executes dropped EXE
         - Drops file in Windows directory
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4. \??\c:\windows\swchost.exe
            Command line: c:\windows\swchost.exe
            PID: 4520
            - Modifies WinLogon for persistence
            - Modifies visibility of hidden/system files in Explorer
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            5. \??\c:\windows\spoolsw.exe
               Command line: c:\windows\spoolsw.exe PR
               PID: 404
               - Executes dropped EXE
               - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads

Filesize: 211KB
MD5: c6870633b46a05208b2845f9595a8fbf
SHA1: a0c945a917a86fc8ecc9aa582e95223978dd512a
SHA256: c198ef806df6c20e8446a470b10fdd4d554f57a68c7569fb730b3a707f7f76a9
SHA512: a5a4aab4a2bf514eac121e8ce92b376387bf666b554027a0d1d0188f861bdf3ebf230f000119da778b1d219e88bbc2de841d7d6209def87b9c90ed82c85b1bc0

Filesize: 211KB
MD5: 1f7faa7d124afba20a8ff5b9ab78323e
SHA1: 6b2479a1071141f3a5fd13d836fca50d5222e071
SHA256: 88232cec2ba91682543b2f058772d4a89d0ffc5dcb0b24f1528ced1f2bdf408f
SHA512: 0717dface8c763a6b88efc51e3dfa26655c8bf0de0f6cf5efd60a08fddaf8b348b3247f5496341032d821e5a767be68a21ff5b8e7d87b9b7c01d8766823948a5

Filesize: 211KB
MD5: 524e624accd2a24a1125705b67e8240e
SHA1: 73ffcaf92dabdd9e61d8f9601d892c4f383429de
SHA256: bc631bcd6dd066ce136d9e22765ee4e240e9e97b8db2af41044b63c53edba3a1
SHA512: fe30ea9cb28c9be331ebdad2348d25a0644fda154641a61180407483b9a2f88687d0049fe51333e4bca34aa2d530eb26db583fe2d67618609e7030ba2c7f0651

Filesize: 211KB
MD5: 73318a053b04276cfc2fd369b0a902b6
SHA1: 9fdbe895d9798c780da87577b0ea53001bfacd35
SHA256: 3a55bbdfb0949d7801151885f26228017c050de2ff2ac3e50c1dc2a73a2b3570
SHA512: b88635ad2f6df6be11d3f49f78f96d7811522893e1828bfa0ef9ba519cc6e80d2c1cc4aa697cec0179443c57135cf93a57f8ad0f949ef8632b11ace6395e5594