a2d0eef8d0ec6fb3cc1ac491e1c07e3f7b0403650a386981e94702bbd2751652

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
26/05/2024, 17:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

19134052edae30119ce4a8365fb0b970_NeikiAnalytics.exe
Size

211KB
MD5

19134052edae30119ce4a8365fb0b970
SHA1

2a3f376c42746dd17298d80d69fa5edd4e629209
SHA256

a2d0eef8d0ec6fb3cc1ac491e1c07e3f7b0403650a386981e94702bbd2751652
SHA512

563b8ff2037e74ce42a9a9254d6f7d71da68d6c847808560c0bc70cb3339922aaf31273f5ca7cb55d648523317c674ed4ab36bb7d3f9b2e1969908dec8f17edf
SSDEEP

6144:b1iNKQxENHLfMgw7y9ZrhwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwM:aKQxQwe9ZrhwwwwwwwwwwwwwwwwwwwwU

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe"	swchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe"	userinit.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	userinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	swchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	swchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"	swchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	swchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	swchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"	swchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	swchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"	userinit.exe

Executes dropped EXE 4 IoCs

pid	Process
3044	userinit.exe
2744	spoolsw.exe
2792	swchost.exe
2712	spoolsw.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO"	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO"	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO"	swchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO"	swchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\udsys.exe	userinit.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\userinit.exe	userinit.exe
File opened for modification	\??\c:\windows\swchost.exe	swchost.exe
File opened for modification	\??\c:\windows\userinit.exe	19134052edae30119ce4a8365fb0b970_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\spoolsw.exe	userinit.exe
File opened for modification	\??\c:\windows\swchost.exe	spoolsw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1700	19134052edae30119ce4a8365fb0b970_NeikiAnalytics.exe
3044	userinit.exe
3044	userinit.exe
2792	swchost.exe
2792	swchost.exe
3044	userinit.exe
2792	swchost.exe
3044	userinit.exe
3044	userinit.exe
2792	swchost.exe
3044	userinit.exe
2792	swchost.exe
2792	swchost.exe
3044	userinit.exe
2792	swchost.exe
3044	userinit.exe
3044	userinit.exe
2792	swchost.exe
3044	userinit.exe
2792	swchost.exe
3044	userinit.exe
2792	swchost.exe
2792	swchost.exe
3044	userinit.exe
2792	swchost.exe
3044	userinit.exe
3044	userinit.exe
2792	swchost.exe
3044	userinit.exe
2792	swchost.exe
3044	userinit.exe
2792	swchost.exe
3044	userinit.exe
2792	swchost.exe
2792	swchost.exe
3044	userinit.exe
2792	swchost.exe
3044	userinit.exe
3044	userinit.exe
2792	swchost.exe
3044	userinit.exe
2792	swchost.exe
2792	swchost.exe
3044	userinit.exe
3044	userinit.exe
2792	swchost.exe
2792	swchost.exe
3044	userinit.exe
3044	userinit.exe
2792	swchost.exe
3044	userinit.exe
2792	swchost.exe
2792	swchost.exe
3044	userinit.exe
2792	swchost.exe
3044	userinit.exe
3044	userinit.exe
2792	swchost.exe
3044	userinit.exe
2792	swchost.exe
2792	swchost.exe
3044	userinit.exe
3044	userinit.exe
2792	swchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3044	userinit.exe
2792	swchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1700	19134052edae30119ce4a8365fb0b970_NeikiAnalytics.exe
1700	19134052edae30119ce4a8365fb0b970_NeikiAnalytics.exe
3044	userinit.exe
3044	userinit.exe
2744	spoolsw.exe
2744	spoolsw.exe
2792	swchost.exe
2792	swchost.exe
2712	spoolsw.exe
2712	spoolsw.exe
3044	userinit.exe
3044	userinit.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 3044	1700	19134052edae30119ce4a8365fb0b970_NeikiAnalytics.exe	29
PID 1700 wrote to memory of 3044	1700	19134052edae30119ce4a8365fb0b970_NeikiAnalytics.exe	29
PID 1700 wrote to memory of 3044	1700	19134052edae30119ce4a8365fb0b970_NeikiAnalytics.exe	29
PID 1700 wrote to memory of 3044	1700	19134052edae30119ce4a8365fb0b970_NeikiAnalytics.exe	29
PID 3044 wrote to memory of 2744	3044	userinit.exe	30
PID 3044 wrote to memory of 2744	3044	userinit.exe	30
PID 3044 wrote to memory of 2744	3044	userinit.exe	30
PID 3044 wrote to memory of 2744	3044	userinit.exe	30
PID 2744 wrote to memory of 2792	2744	spoolsw.exe	31
PID 2744 wrote to memory of 2792	2744	spoolsw.exe	31
PID 2744 wrote to memory of 2792	2744	spoolsw.exe	31
PID 2744 wrote to memory of 2792	2744	spoolsw.exe	31
PID 2792 wrote to memory of 2712	2792	swchost.exe	32
PID 2792 wrote to memory of 2712	2792	swchost.exe	32
PID 2792 wrote to memory of 2712	2792	swchost.exe	32
PID 2792 wrote to memory of 2712	2792	swchost.exe	32

C:\Users\Admin\AppData\Local\Temp\19134052edae30119ce4a8365fb0b970_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\19134052edae30119ce4a8365fb0b970_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1700
- \??\c:\windows\userinit.exe
  c:\windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3044
- - \??\c:\windows\spoolsw.exe
    c:\windows\spoolsw.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - \??\c:\windows\swchost.exe
      c:\windows\swchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2792
    - - \??\c:\windows\spoolsw.exe
        
        c:\windows\spoolsw.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\mrsys.exe

Filesize
211KB

MD5
714a6f8b475496a28a2e0fddbe4f1d2d

SHA1
b38a9fb9eeedcf2c20f1ce09a2f54675c405ed61

SHA256
56ae43dcddfe9aab5791b60d80035b4fe76753567e67d655a5ccc665541bf9cc

SHA512
d12f962b3a6caeeb6fcda725a6d755f2cac9b15d651d7fed2d13404e5fa9c81774c29a4b9fe61a09051df71340e8cfa82763b9b06b5cedb6fb64f875a1a3dbf5

Download Submit
C:\Windows\spoolsw.exe

Filesize
211KB

MD5
d9b86f0a877a756a65ab4114f89f2be2

SHA1
58c7e4f1e7e48a701d13c83b1ae26fbba88492eb

SHA256
a9385471992be8c045ef061d7af8a89f86a449c41d1f4a7116321bc8e42d1f0f

SHA512
eeb7fe6d7a368985a786044152d131f3994ccd7ee3d8443f88e1e6eecfc92ab7111e6e93e0c3dc2f7436778e8ca0c67cbb4e8a976aaf46f35b999e91f3f2ff34

Download Submit
C:\Windows\swchost.exe

Filesize
211KB

MD5
3493d82f9e50a212046ee855c040c5bd

SHA1
21a7a18f74a8d55168733f54e88b5d76833cf399

SHA256
c57a4bd2d1808d63a75a7d89a57b8da5e91edbd32dbbe2dc502980464d6324b8

SHA512
077a56947380b50d29d8f88e3cad967f1322874ef652f12d1acb806aa27d04ae18f8d6b66d42b78edf2e4b2ff776c75e8a2f3cf5f358dbf3ba053ca6f182c07a

Download Submit
C:\Windows\userinit.exe

Filesize
211KB

MD5
c8462f6e00e3f6bd3d5ff4e8c5ea3f7d

SHA1
1b41e6bae7f3038d9230618563b46e3269bcb283

SHA256
4a426c47bd97c13864d08268d6cbebb006b577c38f782aee52ce5ff614b9befe

SHA512
a8b7a36085728ae9b210859fe12b063e562ca3ecd14b96e07717ad58966a3bf2c085ce9af7f7a183e4a6b52ae8389180e47718a977330fb9d6cdc877d9b78c15

Download Submit