Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240508-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    13/05/2024, 10:33

General

  • Target

    b2c530383049901ba8715981c0c79cb0_NeikiAnalytics.exe

  • Size

    211KB

  • MD5

    b2c530383049901ba8715981c0c79cb0

  • SHA1

    21f3d4ddb62bdf4f920512e0c4aaa0666f7826a8

  • SHA256

    0a2af68859bc99d653c9a97fa617e77ad71c81dfa3c3789ef9366459ec9cab46

  • SHA512

    8e493cefd59cb5190c398a7cfc32780aff610c29b555b5a222b83b9f071ec5a7b72f4c7efd3fe43889b0734464e62d406add95229b3cdaa88d2ec8d4830c0a3f

  • SSDEEP

    3072:JD6Xtx68yygRBE52mxkEOHLRMpZ4deth8PEAjAfIbAYGPhz6sPJBInxZqOk:Jh8cBzHLRMpZ4d1Zk

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
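The first four signatures name the persistence locations this sample touches: the Winlogon key (Userinit/Shell), the Explorer Advanced key that controls hidden/system file visibility, Active Setup Installed Components (StubPath), and the Run key. The script below is an added example, not part of the report and not the sample's own code: it parses a .reg export of those keys and flags values that deviate from the Windows 7 defaults, point into C:\Windows itself, AppData\Local or a Temp directory, or reuse/imitate a system binary name outside its home directory (the lookalike check goes beyond what the report states; it is motivated by the spoolsw.exe, swchost.exe and c:\windows\userinit.exe names in the process tree). The registry values the sample actually wrote are not shown on this page, so the embedded export is constructed: the Userinit hijack and the dropped-file paths are modelled on the process tree and the Downloads list, while the {EXAMPLE-GUID} subkey and the Sidebar entry are filler.

```python
"""Scan a Windows .reg export for the persistence locations named in the sandbox
signatures (Winlogon, Explorer\Advanced, Active Setup, Run). Added example."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity key name value reasons")

WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
EXPLORER_ADV = r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced"
ACTIVE_SETUP = r"hkey_local_machine\software\microsoft\active setup\installed components"
RUN_KEYS = (r"hkey_local_machine\software\microsoft\windows\currentversion\run",
            r"hkey_current_user\software\microsoft\windows\currentversion\run")
# Clean Windows 7 defaults for the two Winlogon values droppers rewrite.
WINLOGON_DEFAULTS = {"userinit": r"c:\windows\system32\userinit.exe,", "shell": "explorer.exe"}
# Home directory of system binaries whose names droppers reuse or imitate.
SYSTEM_BINARIES = {"svchost.exe": r"c:\windows\system32", "spoolsv.exe": r"c:\windows\system32",
                   "userinit.exe": r"c:\windows\system32", "explorer.exe": r"c:\windows"}
_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')


def parse_reg(text):
    """Parse the REG_SZ/REG_DWORD subset of .reg syntax into {key: {name: value}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name, sz, dword = m.groups()
            # .reg doubles backslashes and escapes quotes inside REG_SZ data
            keys[current][name] = (int(dword, 16) if dword is not None
                                   else sz.replace("\\\\", "\\").replace('\\"', '"'))
    return keys


def _one_substitution_away(a, b):
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1


def assess_command(cmd):
    """Reasons a startup command line looks like a dropped or impersonating binary."""
    m = re.match(r'^"?([^"]+?\.exe)', str(cmd).strip(), re.IGNORECASE)
    path = (m.group(1) if m else str(cmd)).lower()
    d, name = path.rsplit("\\", 1) if "\\" in path else ("", path)
    reasons, home = [], SYSTEM_BINARIES.get(name)
    if home is not None:
        if d and d != home:
            reasons.append("%s running from %s instead of %s" % (name, d, home))
    else:
        reasons += ["%s mimics system binary %s" % (name, s)
                    for s in SYSTEM_BINARIES if _one_substitution_away(name, s)]
    # Binaries dropped directly into C:\Windows, AppData\Local or a Temp directory
    if (d == r"c:\windows" and home != d) or r"\appdata\local" in d or "\\temp\\" in d + "\\":
        reasons.append("executable in unusual startup location %s" % d)
    return reasons


def check_persistence(reg_text):
    """Run the checks over a .reg export and return a list of Finding."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        k = key.lower()
        if k == EXPLORER_ADV:
            # Hidden=2 / ShowSuperHidden=0 are also fresh-install defaults: the sandbox
            # flags the write itself, a static export can only report the end state.
            if values.get("Hidden") == 2 or values.get("ShowSuperHidden") == 0:
                findings.append(Finding("info", key, "Hidden/ShowSuperHidden", dict(values),
                                        ["hidden and protected OS files suppressed in Explorer"]))
            continue
        if k == WINLOGON or k in RUN_KEYS:
            launches = list(values.items())
        elif k.startswith(ACTIVE_SETUP + "\\"):
            launches = [("StubPath", values["StubPath"])] if "StubPath" in values else []
        else:
            continue
        for name, val in launches:
            reasons = assess_command(val)
            expected = WINLOGON_DEFAULTS.get(name.lower()) if k == WINLOGON else None
            if expected is not None and str(val).lower() != expected:
                reasons.insert(0, "differs from default %r" % expected)
            if reasons:
                findings.append(Finding("high", key, name, val, reasons))
    return findings


# Constructed export: the Userinit hijack and dropped-file paths follow the process
# tree and Downloads list above; {EXAMPLE-GUID} and the Sidebar entry are filler.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\userinit.exe,"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{EXAMPLE-GUID}]
"StubPath"="C:\\Windows\\swchost.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"mrsys"="C:\\Users\\Admin\\AppData\\Local\\mrsys.exe"
"Sidebar"="C:\\Program Files\\Windows Sidebar\\Sidebar.exe /autoRun"
"""
```

On a live host the input would come from `reg export` of the four keys; the Explorer\Advanced finding is reported as informational only, because the values that hide system files are also the fresh-install defaults and a static export cannot tell a malicious write from an untouched key, which is exactly why the sandbox scores the write rather than the value.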

Processes

  • C:\Users\Admin\AppData\Local\Temp\b2c530383049901ba8715981c0c79cb0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\b2c530383049901ba8715981c0c79cb0_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2380
    • \??\c:\windows\userinit.exe
      c:\windows\userinit.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2680
      • \??\c:\windows\spoolsw.exe
        c:\windows\spoolsw.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2464
        • \??\c:\windows\swchost.exe
          c:\windows\swchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2484
          • \??\c:\windows\spoolsw.exe
            c:\windows\spoolsw.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2568

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\mrsys.exe

          Filesize

          211KB

          MD5

          e55dcbc8ae55ae5e72b70cf8608f6522

          SHA1

          34db31aae0160437e17525c47aa95fe9f9305f23

          SHA256

          3cd9f82eeb7e349e0a7aeec8022c24346163ab021673e023340e8101efa13006

          SHA512

          6916b6275b6d1c763d41157d3ca60c3ca015b9169080502dc6597541044a2ed7cea9e7649750a55dcdaad947a2da35c6d471bfb2f11cb57df68cc16bdf85b6e9

        • C:\Windows\spoolsw.exe

          Filesize

          211KB

          MD5

          1b7ff2bd5000b1be9156f49ea4e3d0fb

          SHA1

          edf3201517c68d01b87c386b39abf1fe348a59ed

          SHA256

          c0d15ad23bba837089278744a36de232200d3b7265b684f17ff7e8339e9370c8

          SHA512

          549b6895f24a2214d82e43962c58ba8a14e5242029adf14686c4c0cd503b5a9ffb1d28f62d41ba4ae2f36acba9e672314a3ed0c56bb30a0bbc95e3086efb21e2

        • C:\Windows\swchost.exe

          Filesize

          211KB

          MD5

          cc6d664b3ac515d0e91528330dd29ecc

          SHA1

          97df29ec0d697991a2639b4d2ca48880a42c0f78

          SHA256

          893e4a3414bb68e74e5ba508416fae76db7528f5448a843475a06ed184a1d346

          SHA512

          e9c3d91d4b954181380642159853d83f9f1853042a2a1a5b99810c7e631eeff0d53352b53bdd6a78a03b303ddaf388cdadc9fc89341e360b7065060a4569e119

        • C:\Windows\userinit.exe

          Filesize

          211KB

          MD5

          9c1ae662767d607a1ac1516ccc255bdf

          SHA1

          8eb80f87c9fe2b184463b2293bb348e292b266ad

          SHA256

          921d46774098333a45b83927d84fb4bd20b792addbb653cf3d0456f80f367182

          SHA512

          cda67be30853478e4643c08f13870ec9643afe825be45da6e7e344d28f187ffdc2f808bd5d040e9983302653c966a2ccbfa725f1df953a5ff53d1ab3afa5910d