f6397e60575b7cbf356aefe51a043c7e711d577cbfa30e9f47ac890ae29af46f

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 19:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d90f7a8f324b5066c91e22253ee5b650_NeikiAnalytics.exe
Size

211KB
MD5

d90f7a8f324b5066c91e22253ee5b650
SHA1

21fd4bdf7c9e43cd7843456c5d5ed0c7ec69fa12
SHA256

f6397e60575b7cbf356aefe51a043c7e711d577cbfa30e9f47ac890ae29af46f
SHA512

e9ef2d384a0b6b605e40f77f015f2afbe12a6218a0b985abf6b4a126354711ebdf742ceedb771f0b611e91faea6df022b99f5b6bfebd64062b25c4d535298118
SSDEEP

3072:JD6Xtx68yygRBE52mxkEOHLRMpZ4deth8PEAjAfIbAYGPhz6sPJBInxZqOy:Jh8cBzHLRMpZ4d1Zy

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe"	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe"	swchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	userinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	swchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"	userinit.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	swchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"	swchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	swchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	swchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"	swchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	swchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2256	userinit.exe
2680	spoolsw.exe
2776	swchost.exe
2780	spoolsw.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO"	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO"	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO"	swchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO"	swchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\system\udsys.exe	userinit.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\swchost.exe	spoolsw.exe
File opened for modification	\??\c:\windows\userinit.exe	userinit.exe
File opened for modification	\??\c:\windows\swchost.exe	swchost.exe
File opened for modification	\??\c:\windows\userinit.exe	d90f7a8f324b5066c91e22253ee5b650_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\spoolsw.exe	userinit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2208	d90f7a8f324b5066c91e22253ee5b650_NeikiAnalytics.exe
2256	userinit.exe
2256	userinit.exe
2256	userinit.exe
2776	swchost.exe
2776	swchost.exe
2256	userinit.exe
2776	swchost.exe
2256	userinit.exe
2776	swchost.exe
2256	userinit.exe
2776	swchost.exe
2256	userinit.exe
2776	swchost.exe
2256	userinit.exe
2776	swchost.exe
2256	userinit.exe
2776	swchost.exe
2256	userinit.exe
2776	swchost.exe
2256	userinit.exe
2776	swchost.exe
2256	userinit.exe
2776	swchost.exe
2256	userinit.exe
2776	swchost.exe
2256	userinit.exe
2776	swchost.exe
2256	userinit.exe
2776	swchost.exe
2256	userinit.exe
2776	swchost.exe
2256	userinit.exe
2776	swchost.exe
2256	userinit.exe
2776	swchost.exe
2256	userinit.exe
2776	swchost.exe
2256	userinit.exe
2776	swchost.exe
2256	userinit.exe
2776	swchost.exe
2256	userinit.exe
2776	swchost.exe
2256	userinit.exe
2776	swchost.exe
2256	userinit.exe
2776	swchost.exe
2256	userinit.exe
2776	swchost.exe
2256	userinit.exe
2776	swchost.exe
2256	userinit.exe
2776	swchost.exe
2256	userinit.exe
2776	swchost.exe
2256	userinit.exe
2776	swchost.exe
2256	userinit.exe
2776	swchost.exe
2256	userinit.exe
2776	swchost.exe
2256	userinit.exe
2776	swchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2256	userinit.exe
2776	swchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2208	d90f7a8f324b5066c91e22253ee5b650_NeikiAnalytics.exe
2208	d90f7a8f324b5066c91e22253ee5b650_NeikiAnalytics.exe
2256	userinit.exe
2256	userinit.exe
2680	spoolsw.exe
2680	spoolsw.exe
2776	swchost.exe
2776	swchost.exe
2780	spoolsw.exe
2780	spoolsw.exe
2256	userinit.exe
2256	userinit.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2256	2208	d90f7a8f324b5066c91e22253ee5b650_NeikiAnalytics.exe	29
PID 2208 wrote to memory of 2256	2208	d90f7a8f324b5066c91e22253ee5b650_NeikiAnalytics.exe	29
PID 2208 wrote to memory of 2256	2208	d90f7a8f324b5066c91e22253ee5b650_NeikiAnalytics.exe	29
PID 2208 wrote to memory of 2256	2208	d90f7a8f324b5066c91e22253ee5b650_NeikiAnalytics.exe	29
PID 2256 wrote to memory of 2680	2256	userinit.exe	30
PID 2256 wrote to memory of 2680	2256	userinit.exe	30
PID 2256 wrote to memory of 2680	2256	userinit.exe	30
PID 2256 wrote to memory of 2680	2256	userinit.exe	30
PID 2680 wrote to memory of 2776	2680	spoolsw.exe	31
PID 2680 wrote to memory of 2776	2680	spoolsw.exe	31
PID 2680 wrote to memory of 2776	2680	spoolsw.exe	31
PID 2680 wrote to memory of 2776	2680	spoolsw.exe	31
PID 2776 wrote to memory of 2780	2776	swchost.exe	32
PID 2776 wrote to memory of 2780	2776	swchost.exe	32
PID 2776 wrote to memory of 2780	2776	swchost.exe	32
PID 2776 wrote to memory of 2780	2776	swchost.exe	32

C:\Users\Admin\AppData\Local\Temp\d90f7a8f324b5066c91e22253ee5b650_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d90f7a8f324b5066c91e22253ee5b650_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2208
- \??\c:\windows\userinit.exe
  c:\windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2256
- - \??\c:\windows\spoolsw.exe
    c:\windows\spoolsw.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - \??\c:\windows\swchost.exe
      c:\windows\swchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2776
    - - \??\c:\windows\spoolsw.exe
        
        c:\windows\spoolsw.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\mrsys.exe

Filesize
211KB

MD5
0b8144db56e7c00bc4b95053e65ce918

SHA1
016912940310809c68d7c3ded8555f3161e6d9e4

SHA256
d3cf81ea34b807594c54124a3f66de1903fc7b2eb4e3eae9f65ce84b25306ba5

SHA512
fb97926f6353705ed723a7a8a12356dc86268a594029c97b1932783395d80532b262409ed2546a7b00fd0eb22c7ad60005eeae2cbdfb1e8a3f14071ad2563c5c

Download Submit
C:\Windows\spoolsw.exe

Filesize
211KB

MD5
75b4e9dda590b7789340b906b3bc45dc

SHA1
544625a9f2e5f55814d3aed310bc171170fef052

SHA256
b2bb703e600a5447775d81812c202e17b41428ee18ef0cde57c3f35dba1b2d4f

SHA512
f4f651966329c05623804581dbea6a5cbade2228b64f64579aafa51137b4302bb811499cc6b2ad583f6677898f61b7e6d9283850f1a91d34500ffb3bdb9ab645

Download Submit
C:\Windows\swchost.exe

Filesize
211KB

MD5
48cf34cf735d689ca789468e5ded7aaa

SHA1
1010fd95c6bf720d459af8d409ef88f99a5f7b47

SHA256
a02452cc2a826d10152c840d978e1ea8227ed9a7778a2c19ba4dca5acc6172df

SHA512
a4220b6d330acd5e01c34c69ead9c8252078456766173f56cf2155b6d0d076a5719476de3312cea855e669127462e717b8b5f44b29fcb6bc76bd4eb64fca41f5

Download Submit
C:\Windows\userinit.exe

Filesize
211KB

MD5
fefb2e3eec89716126c39476b593609f

SHA1
3e21cc2075808fbb0f6029402ac557d8627ce77e

SHA256
6ac55e578b2c78c6b55f66c41a9de21420ad51ab7de3ada66f54360c5fd43ef1

SHA512
2a226337560be1a775e18e500aee8600d4d9a755f7791bc665c4320dc070d7f6a96be03c931b592baac0e75d8ec6f10d0dc38665b152103c73c2c2fa6e859e12

Download Submit