Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/05/2024, 10:33
Static task: static1
Behavioral task: behavioral1
  Sample: b2c530383049901ba8715981c0c79cb0_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: b2c530383049901ba8715981c0c79cb0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: b2c530383049901ba8715981c0c79cb0_NeikiAnalytics.exe
Size: 211KB
MD5: b2c530383049901ba8715981c0c79cb0
SHA1: 21f3d4ddb62bdf4f920512e0c4aaa0666f7826a8
SHA256: 0a2af68859bc99d653c9a97fa617e77ad71c81dfa3c3789ef9366459ec9cab46
SHA512: 8e493cefd59cb5190c398a7cfc32780aff610c29b555b5a222b83b9f071ec5a7b72f4c7efd3fe43889b0734464e62d406add95229b3cdaa88d2ec8d4830c0a3f
SSDEEP: 3072:JD6Xtx68yygRBE52mxkEOHLRMpZ4deth8PEAjAfIbAYGPhz6sPJBInxZqOk:Jh8cBzHLRMpZ4d1Zk
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe" | userinit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe" | swchost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | userinit.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | swchost.exe
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | swchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | swchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" | swchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | swchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | userinit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" | userinit.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | swchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" | swchost.exe
Executes dropped EXE (4 IoCs)
pid | Process
4952 | userinit.exe
2980 | spoolsw.exe
432 | swchost.exe
4660 | spoolsw.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO" | userinit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO" | userinit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO" | swchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO" | swchost.exe
Drops file in System32 directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\system\udsys.exe | userinit.exe
Drops file in Windows directory (5 IoCs)
description | ioc | Process
File opened for modification | \??\c:\windows\spoolsw.exe | userinit.exe
File opened for modification | \??\c:\windows\swchost.exe | spoolsw.exe
File opened for modification | \??\c:\windows\userinit.exe | userinit.exe
File opened for modification | \??\c:\windows\swchost.exe | swchost.exe
File opened for modification | \??\c:\windows\userinit.exe | b2c530383049901ba8715981c0c79cb0_NeikiAnalytics.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | entries
4492 | b2c530383049901ba8715981c0c79cb0_NeikiAnalytics.exe | 2
4952 | userinit.exe | 32
432 | swchost.exe | 30
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
4952 | userinit.exe
432 | swchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process
4492 | b2c530383049901ba8715981c0c79cb0_NeikiAnalytics.exe
4492 | b2c530383049901ba8715981c0c79cb0_NeikiAnalytics.exe
4952 | userinit.exe
4952 | userinit.exe
2980 | spoolsw.exe
2980 | spoolsw.exe
432 | swchost.exe
432 | swchost.exe
4660 | spoolsw.exe
4660 | spoolsw.exe
4952 | userinit.exe
4952 | userinit.exe
Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 4492 wrote to memory of 4952 | 4492 | b2c530383049901ba8715981c0c79cb0_NeikiAnalytics.exe | 82
PID 4492 wrote to memory of 4952 | 4492 | b2c530383049901ba8715981c0c79cb0_NeikiAnalytics.exe | 82
PID 4492 wrote to memory of 4952 | 4492 | b2c530383049901ba8715981c0c79cb0_NeikiAnalytics.exe | 82
PID 4952 wrote to memory of 2980 | 4952 | userinit.exe | 83
PID 4952 wrote to memory of 2980 | 4952 | userinit.exe | 83
PID 4952 wrote to memory of 2980 | 4952 | userinit.exe | 83
PID 2980 wrote to memory of 432 | 2980 | spoolsw.exe | 84
PID 2980 wrote to memory of 432 | 2980 | spoolsw.exe | 84
PID 2980 wrote to memory of 432 | 2980 | spoolsw.exe | 84
PID 432 wrote to memory of 4660 | 432 | swchost.exe | 85
PID 432 wrote to memory of 4660 | 432 | swchost.exe | 85
PID 432 wrote to memory of 4660 | 432 | swchost.exe | 85
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\b2c530383049901ba8715981c0c79cb0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b2c530383049901ba8715981c0c79cb0_NeikiAnalytics.exe"
  PID: 4492
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Depth 2: \??\c:\windows\userinit.exe
    Command line: c:\windows\userinit.exe
    PID: 4952
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Depth 3: \??\c:\windows\spoolsw.exe
      Command line: c:\windows\spoolsw.exe SE
      PID: 2980
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      Depth 4: \??\c:\windows\swchost.exe
        Command line: c:\windows\swchost.exe
        PID: 432
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        Depth 5: \??\c:\windows\spoolsw.exe
          Command line: c:\windows\spoolsw.exe PR
          PID: 4660
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads