Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 13/05/2024, 10:33
Static task: static1
Behavioral task: behavioral1
- Sample: b2c530383049901ba8715981c0c79cb0_NeikiAnalytics.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: b2c530383049901ba8715981c0c79cb0_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: b2c530383049901ba8715981c0c79cb0_NeikiAnalytics.exe
- Size: 211KB
- MD5: b2c530383049901ba8715981c0c79cb0
- SHA1: 21f3d4ddb62bdf4f920512e0c4aaa0666f7826a8
- SHA256: 0a2af68859bc99d653c9a97fa617e77ad71c81dfa3c3789ef9366459ec9cab46
- SHA512: 8e493cefd59cb5190c398a7cfc32780aff610c29b555b5a222b83b9f071ec5a7b72f4c7efd3fe43889b0734464e62d406add95229b3cdaa88d2ec8d4830c0a3f
- SSDEEP: 3072:JD6Xtx68yygRBE52mxkEOHLRMpZ4deth8PEAjAfIbAYGPhz6sPJBInxZqOk:Jh8cBzHLRMpZ4d1Zk
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe" | userinit.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe" | swchost.exe
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | userinit.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | swchost.exe
- Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | userinit.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" | userinit.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | swchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" | swchost.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | swchost.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | swchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" | swchost.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | swchost.exe
- Executes dropped EXE (4 IoCs)
  pid | Process
  2680 | userinit.exe
  2464 | spoolsw.exe
  2484 | swchost.exe
  2568 | spoolsw.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO" | userinit.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO" | swchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO" | swchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO" | userinit.exe
- Drops file in System32 directory (1 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\system\udsys.exe | userinit.exe
- Drops file in Windows directory (5 IoCs)
  description | ioc | Process
  File opened for modification | \??\c:\windows\userinit.exe | userinit.exe
  File opened for modification | \??\c:\windows\swchost.exe | swchost.exe
  File opened for modification | \??\c:\windows\userinit.exe | b2c530383049901ba8715981c0c79cb0_NeikiAnalytics.exe
  File opened for modification | \??\c:\windows\spoolsw.exe | userinit.exe
  File opened for modification | \??\c:\windows\swchost.exe | spoolsw.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process | occurrences
  2380 | b2c530383049901ba8715981c0c79cb0_NeikiAnalytics.exe | 1
  2680 | userinit.exe | 32
  2484 | swchost.exe | 31
  (The first entry is the sample itself; the remaining 63 alternate between userinit.exe and swchost.exe.)
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | Process
  2680 | userinit.exe
  2484 | swchost.exe
- Suspicious use of SetWindowsHookEx (12 IoCs)
  pid | Process | occurrences
  2380 | b2c530383049901ba8715981c0c79cb0_NeikiAnalytics.exe | 2
  2680 | userinit.exe | 2
  2464 | spoolsw.exe | 2
  2484 | swchost.exe | 2
  2568 | spoolsw.exe | 2
  2680 | userinit.exe | 2
- Suspicious use of WriteProcessMemory (16 IoCs; each row was logged 4 times)
  description | pid | Process | procid_target
  PID 2380 wrote to memory of 2680 | 2380 | b2c530383049901ba8715981c0c79cb0_NeikiAnalytics.exe | 29
  PID 2680 wrote to memory of 2464 | 2680 | userinit.exe | 30
  PID 2464 wrote to memory of 2484 | 2464 | spoolsw.exe | 31
  PID 2484 wrote to memory of 2568 | 2484 | swchost.exe | 32
Processes
1. C:\Users\Admin\AppData\Local\Temp\b2c530383049901ba8715981c0c79cb0_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b2c530383049901ba8715981c0c79cb0_NeikiAnalytics.exe"
   PID: 2380
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. \??\c:\windows\userinit.exe
      Command line: c:\windows\userinit.exe
      PID: 2680
      - Modifies WinLogon for persistence
      - Modifies visibility of hidden/system files in Explorer
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. \??\c:\windows\spoolsw.exe
         Command line: c:\windows\spoolsw.exe SE
         PID: 2464
         - Executes dropped EXE
         - Drops file in Windows directory
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. \??\c:\windows\swchost.exe
            Command line: c:\windows\swchost.exe
            PID: 2484
            - Modifies WinLogon for persistence
            - Modifies visibility of hidden/system files in Explorer
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            5. \??\c:\windows\spoolsw.exe
               Command line: c:\windows\spoolsw.exe PR
               PID: 2568
               - Executes dropped EXE
               - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (2)
    - Winlogon Helper DLL (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (2)
    - Winlogon Helper DLL (1)
Downloads
- Filesize: 211KB
  MD5: e55dcbc8ae55ae5e72b70cf8608f6522
  SHA1: 34db31aae0160437e17525c47aa95fe9f9305f23
  SHA256: 3cd9f82eeb7e349e0a7aeec8022c24346163ab021673e023340e8101efa13006
  SHA512: 6916b6275b6d1c763d41157d3ca60c3ca015b9169080502dc6597541044a2ed7cea9e7649750a55dcdaad947a2da35c6d471bfb2f11cb57df68cc16bdf85b6e9
- Filesize: 211KB
  MD5: 1b7ff2bd5000b1be9156f49ea4e3d0fb
  SHA1: edf3201517c68d01b87c386b39abf1fe348a59ed
  SHA256: c0d15ad23bba837089278744a36de232200d3b7265b684f17ff7e8339e9370c8
  SHA512: 549b6895f24a2214d82e43962c58ba8a14e5242029adf14686c4c0cd503b5a9ffb1d28f62d41ba4ae2f36acba9e672314a3ed0c56bb30a0bbc95e3086efb21e2
- Filesize: 211KB
  MD5: cc6d664b3ac515d0e91528330dd29ecc
  SHA1: 97df29ec0d697991a2639b4d2ca48880a42c0f78
  SHA256: 893e4a3414bb68e74e5ba508416fae76db7528f5448a843475a06ed184a1d346
  SHA512: e9c3d91d4b954181380642159853d83f9f1853042a2a1a5b99810c7e631eeff0d53352b53bdd6a78a03b303ddaf388cdadc9fc89341e360b7065060a4569e119
- Filesize: 211KB
  MD5: 9c1ae662767d607a1ac1516ccc255bdf
  SHA1: 8eb80f87c9fe2b184463b2293bb348e292b266ad
  SHA256: 921d46774098333a45b83927d84fb4bd20b792addbb653cf3d0456f80f367182
  SHA512: cda67be30853478e4643c08f13870ec9643afe825be45da6e7e344d28f187ffdc2f808bd5d040e9983302653c966a2ccbfa725f1df953a5ff53d1ab3afa5910d