c97713dc7fdb92138ee0646173b6b2ed654bfd63deab5e89957c3698e52c5386

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
01/06/2024, 10:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8d63706ff403194fdebf9ca283e0e50_NeikiAnalytics.exe
Size

211KB
MD5

c8d63706ff403194fdebf9ca283e0e50
SHA1

f80876a58894ae3c9198846bf004838745ebc37d
SHA256

c97713dc7fdb92138ee0646173b6b2ed654bfd63deab5e89957c3698e52c5386
SHA512

19ec157554fe4541749d0b37587b96ee0d7c8039ca0e8cef1f263f392525ea8e28f34dacb3623d22a6bff25503ec7489140130a752646765a8571e9cfaba8c88
SSDEEP

3072:vDEPeJlYW1ea8HKHSRUN3jjXs9Y+MiMVB/w68PEAjAfIrAvGPZz6sPJBIiFe/GcA:vSAl1IK1aY+MiMVBSeC

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe"	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe"	swchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	swchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	userinit.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"	userinit.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	swchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"	swchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	swchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	swchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"	swchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	swchost.exe

Executes dropped EXE 4 IoCs

pid	Process
2652	userinit.exe
2400	spoolsw.exe
2432	swchost.exe
2448	spoolsw.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO"	swchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO"	swchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO"	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO"	userinit.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\udsys.exe	userinit.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\spoolsw.exe	userinit.exe
File opened for modification	\??\c:\windows\swchost.exe	spoolsw.exe
File opened for modification	\??\c:\windows\userinit.exe	userinit.exe
File opened for modification	\??\c:\windows\swchost.exe	swchost.exe
File opened for modification	\??\c:\windows\userinit.exe	c8d63706ff403194fdebf9ca283e0e50_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2908	c8d63706ff403194fdebf9ca283e0e50_NeikiAnalytics.exe
2652	userinit.exe
2432	swchost.exe
2652	userinit.exe
2432	swchost.exe
2652	userinit.exe
2652	userinit.exe
2432	swchost.exe
2652	userinit.exe
2432	swchost.exe
2652	userinit.exe
2432	swchost.exe
2652	userinit.exe
2432	swchost.exe
2432	swchost.exe
2652	userinit.exe
2652	userinit.exe
2432	swchost.exe
2652	userinit.exe
2432	swchost.exe
2432	swchost.exe
2652	userinit.exe
2652	userinit.exe
2432	swchost.exe
2432	swchost.exe
2652	userinit.exe
2432	swchost.exe
2652	userinit.exe
2432	swchost.exe
2652	userinit.exe
2652	userinit.exe
2432	swchost.exe
2432	swchost.exe
2652	userinit.exe
2432	swchost.exe
2652	userinit.exe
2432	swchost.exe
2652	userinit.exe
2432	swchost.exe
2652	userinit.exe
2432	swchost.exe
2652	userinit.exe
2432	swchost.exe
2652	userinit.exe
2432	swchost.exe
2652	userinit.exe
2432	swchost.exe
2652	userinit.exe
2432	swchost.exe
2652	userinit.exe
2652	userinit.exe
2432	swchost.exe
2432	swchost.exe
2652	userinit.exe
2432	swchost.exe
2652	userinit.exe
2432	swchost.exe
2652	userinit.exe
2652	userinit.exe
2432	swchost.exe
2652	userinit.exe
2432	swchost.exe
2652	userinit.exe
2432	swchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2432	swchost.exe
2652	userinit.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2908	c8d63706ff403194fdebf9ca283e0e50_NeikiAnalytics.exe
2908	c8d63706ff403194fdebf9ca283e0e50_NeikiAnalytics.exe
2652	userinit.exe
2652	userinit.exe
2400	spoolsw.exe
2400	spoolsw.exe
2432	swchost.exe
2432	swchost.exe
2448	spoolsw.exe
2448	spoolsw.exe
2652	userinit.exe
2652	userinit.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2652	2908	c8d63706ff403194fdebf9ca283e0e50_NeikiAnalytics.exe	29
PID 2908 wrote to memory of 2652	2908	c8d63706ff403194fdebf9ca283e0e50_NeikiAnalytics.exe	29
PID 2908 wrote to memory of 2652	2908	c8d63706ff403194fdebf9ca283e0e50_NeikiAnalytics.exe	29
PID 2908 wrote to memory of 2652	2908	c8d63706ff403194fdebf9ca283e0e50_NeikiAnalytics.exe	29
PID 2652 wrote to memory of 2400	2652	userinit.exe	30
PID 2652 wrote to memory of 2400	2652	userinit.exe	30
PID 2652 wrote to memory of 2400	2652	userinit.exe	30
PID 2652 wrote to memory of 2400	2652	userinit.exe	30
PID 2400 wrote to memory of 2432	2400	spoolsw.exe	31
PID 2400 wrote to memory of 2432	2400	spoolsw.exe	31
PID 2400 wrote to memory of 2432	2400	spoolsw.exe	31
PID 2400 wrote to memory of 2432	2400	spoolsw.exe	31
PID 2432 wrote to memory of 2448	2432	swchost.exe	32
PID 2432 wrote to memory of 2448	2432	swchost.exe	32
PID 2432 wrote to memory of 2448	2432	swchost.exe	32
PID 2432 wrote to memory of 2448	2432	swchost.exe	32

C:\Users\Admin\AppData\Local\Temp\c8d63706ff403194fdebf9ca283e0e50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c8d63706ff403194fdebf9ca283e0e50_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2908
- \??\c:\windows\userinit.exe
  c:\windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2652
- - \??\c:\windows\spoolsw.exe
    c:\windows\spoolsw.exe SE
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2400
  - - \??\c:\windows\swchost.exe
      c:\windows\swchost.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2432
    - - \??\c:\windows\spoolsw.exe
        
        c:\windows\spoolsw.exe PR
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\mrsys.exe

Filesize
211KB

MD5
119a6a4f2f8812d1a851e0c31255d748

SHA1
50e30faad4e24c052f83eb3f21c62076af85e1f1

SHA256
e0c352e5fc2ca0739febf613684b13d4004cfb2811a7bafd6b7f39f07bdbd4c8

SHA512
9154f2dc22a3fed4b6acad0a49a86b2faed734ea33b2b8004ce1a3bca978e6c55218735e4d73ae98d3e945297f6438e887773ba133d3a49bf29235540cf70f94

Download Submit
C:\Windows\spoolsw.exe

Filesize
211KB

MD5
c6ec8ddfe619c5703428667b580809af

SHA1
d7740ccda4ea1caa35e73e876b7892e9fbd10aea

SHA256
a8abb2434e9fa60b68bf44418e959a9664ea6f6ed8a6841d9bf394171f8d884a

SHA512
4c2871df7dff5b41ad53d6c10fb185a69be4b7ccc80a4e122c24316dcad231c354872382e4b81848cac6ba03ce6b4d640852a176362f62f26ebf78770802a051

Download Submit
C:\Windows\swchost.exe

Filesize
211KB

MD5
9a5f8413b025b73882619ae108b7d7da

SHA1
a8adfa4b7d7b0a2142de5b3e81c318cc4a5e6035

SHA256
579454ce623db91005443f79929eacdf6d075099913fd332ded28bb1586c28a5

SHA512
b81c1d27455d419ce5cb0c9160340142e90e5710a8f573de499189d6bb29ed4c11b4e01ee6ea475b76182a7d19a7a98dba9073097565620b9f9bdb3049b184e0

Download Submit
C:\Windows\userinit.exe

Filesize
211KB

MD5
03d5565e78b5176affe875253b34dd78

SHA1
4de6e866a2f6d224245f799b72846b2821c363ee

SHA256
535a5797aa56a63f1565259d88192f138bc34c2a6f4c16f46835305c02b65379

SHA512
5a6eeeb3a3d5993fcefb60d965a9138c9227e3a06c9dac06b6afcb540a88a968725504220171029b670f0a3eaf87dc4854e3d6ede09491b6cf5913d77d1d891c

Download Submit