Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-06-2024 03:39

General

  • Target

    9a36e51f014ff30dd4276b7142e29c00_NeikiAnalytics.exe

  • Size

    206KB

  • MD5

    9a36e51f014ff30dd4276b7142e29c00

  • SHA1

    3f14f74efc64640705894317c721a4660075f1f3

  • SHA256

    8e839452e84c83d2dc3cbdec7d6ecd828797e6195ddf887c033742fc5b1a9032

  • SHA512

    e78da95e819c7bd45fe74e33722ecbe565167996c6b13c867a4e8084a13434c593dc4fb952c4831f5393f5e51fa21b346ffc888fa232a968d5eb653f28f63bac

  • SSDEEP

    3072:zvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unZ0:zvEN2U+T6i5LirrllHy4HUcMQY6H

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  • Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  • Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
  • Executes dropped EXE (4 IoCs)
  • Adds Run key to start application (2 TTPs, 4 IoCs)
  • Drops file in Windows directory (6 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  • Suspicious use of SetWindowsHookEx (12 IoCs)
  • Suspicious use of WriteProcessMemory (21 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\9a36e51f014ff30dd4276b7142e29c00_NeikiAnalytics.exe (PID 1492)
    "C:\Users\Admin\AppData\Local\Temp\9a36e51f014ff30dd4276b7142e29c00_NeikiAnalytics.exe"
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • \??\c:\windows\system\explorer.exe (PID 3932)
      c:\windows\system\explorer.exe
      • Modifies WinLogon for persistence
      • Modifies visibility of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • \??\c:\windows\system\spoolsv.exe (PID 3516)
        c:\windows\system\spoolsv.exe SE
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • \??\c:\windows\system\svchost.exe (PID 4832)
          c:\windows\system\svchost.exe
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • \??\c:\windows\system\spoolsv.exe (PID 1080)
            c:\windows\system\spoolsv.exe PR
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
          • C:\Windows\SysWOW64\at.exe (PID 1176)
            at 03:41 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          • C:\Windows\SysWOW64\at.exe (PID 4480)
            at 03:42 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          • C:\Windows\SysWOW64\at.exe (PID 1120)
            at 03:43 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
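Two behaviours in the process tree are worth turning into detections. The dropped copies reuse the names of Windows binaries (explorer.exe, spoolsv.exe, svchost.exe) but run from c:\windows\system, which is neither System32 nor SysWOW64 (ATT&CK T1036.005, Match Legitimate Name or Location), and the dropped svchost.exe is re-launched through at.exe with /interactive and a daily /every: schedule (T1053.002, Scheduled Task/Job: At). One caveat on the at.exe jobs: on Windows 8 and later, at.exe only prints a deprecation message pointing to schtasks.exe and creates nothing, so on this Windows 10 image persistence rests on the Winlogon, Run key and Installed Components registry changes listed under Signatures; the at jobs would only take effect on older hosts. The script below is an added example written for this page, not code from the sandbox, the report or the sample. Its event records are constructed from the tree above, and the field names (pid, image, command_line) are an assumed telemetry schema rather than any vendor's exact event format.

```python
"""Detection and triage checks derived from this report's process tree and
dropped-file list.

Added example written for this page; not code from the sandbox, the report
or the sample. ProcessEvent records are constructed to mirror the process
tree above; the field names (pid, image, command_line) are an assumed
telemetry schema, not any vendor's exact event format.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str          # full path of the started executable
    command_line: str


# Directory where each borrowed binary name legitimately lives (lower-case).
LEGIT_DIRS = {
    "explorer.exe": {r"c:\windows"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

NT_PREFIX = re.compile(r"^\\\?\?\\")  # the report shows dropped copies as \??\c:\...
AT_EVERY = re.compile(r"/every:(?P<days>[A-Za-z,]+)\s+(?P<target>.+)$", re.IGNORECASE)


def normalize(path: str) -> PureWindowsPath:
    """Strip the \\??\\ object-manager prefix and lower-case for stable comparison."""
    return PureWindowsPath(NT_PREFIX.sub("", path).lower())


def masqueraded_system_binary(ev: ProcessEvent) -> bool:
    """True when the image reuses a Windows binary's name outside its normal directory.
    c:\\windows\\system is neither System32 nor SysWOW64, so every dropped copy fires."""
    p = normalize(ev.image)
    allowed = LEGIT_DIRS.get(p.name)
    return allowed is not None and str(p.parent) not in allowed


def at_job_persistence(ev: ProcessEvent):
    """Return details of a recurring at.exe job, or None for anything else.
    The report's three jobs are daily, /interactive, and point at the dropped
    svchost.exe; their times (03:41-03:43) sit minutes after the 03:39 submission."""
    if normalize(ev.image).name != "at.exe":
        return None
    m = AT_EVERY.search(ev.command_line)
    if not m:
        return None
    target = normalize(m.group("target").strip().strip('"'))
    return {
        "days": m.group("days").upper().split(","),
        "interactive": "/interactive" in ev.command_line.lower(),
        "target": str(target),
        "target_masqueraded": masqueraded_system_binary(ProcessEvent(0, str(target), "")),
    }


def run_rules(events):
    """Apply both rules; returns (pid, rule, detail) tuples in event order."""
    findings = []
    for ev in events:
        if masqueraded_system_binary(ev):
            findings.append((ev.pid, "masquerade", str(normalize(ev.image))))
        job = at_job_persistence(ev)
        if job is not None:
            findings.append((ev.pid, "at_job", job))
    return findings


def same_size_distinct_hashes(files):
    """files: {path: (size, md5)}. True when all sizes match but no MD5 repeats,
    the pattern in the Downloads list: one hash indicator per copy, so detect on
    behaviour (the rules above) rather than on the parent sample's hash."""
    sizes = {size for size, _ in files.values()}
    md5s = [md5 for _, md5 in files.values()]
    return len(sizes) == 1 and len(set(md5s)) == len(md5s)


# Constructed from the process tree above, plus one benign control (last entry).
SAMPLE_EVENTS = [
    ProcessEvent(1492, r"C:\Users\Admin\AppData\Local\Temp\9a36e51f014ff30dd4276b7142e29c00_NeikiAnalytics.exe",
                 r'"C:\Users\Admin\AppData\Local\Temp\9a36e51f014ff30dd4276b7142e29c00_NeikiAnalytics.exe"'),
    ProcessEvent(3932, r"\??\c:\windows\system\explorer.exe", r"c:\windows\system\explorer.exe"),
    ProcessEvent(3516, r"\??\c:\windows\system\spoolsv.exe", r"c:\windows\system\spoolsv.exe SE"),
    ProcessEvent(4832, r"\??\c:\windows\system\svchost.exe", r"c:\windows\system\svchost.exe"),
    ProcessEvent(1080, r"\??\c:\windows\system\spoolsv.exe", r"c:\windows\system\spoolsv.exe PR"),
    ProcessEvent(1176, r"C:\Windows\SysWOW64\at.exe",
                 r"at 03:41 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe"),
    ProcessEvent(4480, r"C:\Windows\SysWOW64\at.exe",
                 r"at 03:42 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe"),
    ProcessEvent(1120, r"C:\Windows\SysWOW64\at.exe",
                 r"at 03:43 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe"),
    ProcessEvent(900, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs"),
]

# Sizes and MD5s as listed under Downloads (sizes are the report's rounded values).
SAMPLE_FILES = {
    r"C:\Users\Admin\AppData\Roaming\mrsys.exe": ("206KB", "62bcc3d996fb1d771a142da702a4781a"),
    r"C:\Windows\System\explorer.exe": ("206KB", "4cc2bd7c4049e736619d17805aa4002c"),
    r"C:\Windows\System\spoolsv.exe": ("206KB", "9105b162e8db51662ea612f86cc8c6b5"),
    r"C:\Windows\System\svchost.exe": ("206KB", "a2b822f2277fb47c0ade347a849529f7"),
}

if __name__ == "__main__":
    for finding in run_rules(SAMPLE_EVENTS):
        print(finding)
    print("same size, distinct hashes:", same_size_distinct_hashes(SAMPLE_FILES))
```

Run against the constructed events, the masquerade rule fires on the four dropped copies (PIDs 3932, 3516, 4832, 1080) and not on the original sample or the System32 control, and the at.exe rule fires on the three scheduling attempts with the dropped svchost.exe as target. same_size_distinct_hashes over the Downloads list returns True: every copy is 206KB like the parent but carries its own MD5, so the parent's hashes alone will not match what lands on disk.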

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\mrsys.exe
    Filesize: 206KB
    MD5:    62bcc3d996fb1d771a142da702a4781a
    SHA1:   d78d88a8d12e68b88cc610c6fae285ece0bf40c1
    SHA256: a3a1aead7713823bb260a8a0eb1a1247aca75db8bb9866c3b772504ffb52d43f
    SHA512: 92dd5ebc1480231fafa84f272b5f1d8ebda3df50b724c484d9852a9722dc8f9457f3f76abd883d23ebbecde86b4e35c3b2ab4dba949264c3d758bdb36512eb8b

  • C:\Windows\System\explorer.exe
    Filesize: 206KB
    MD5:    4cc2bd7c4049e736619d17805aa4002c
    SHA1:   71f37285918e50bac3c77fa96312b2c955a06fce
    SHA256: bd4c99bde892a6945a692659115556e23c5be7c6847ac470fde05955619fb027
    SHA512: 9c9f38d325524c11aff68163a8bd94d68563f08c913cbfdf8ce0f0084159235528785fb2c30b54d17241f9497fe73c3877c9d7bf9cc5b5af66000c48385f88ff

  • C:\Windows\System\spoolsv.exe
    Filesize: 206KB
    MD5:    9105b162e8db51662ea612f86cc8c6b5
    SHA1:   80a4672be3c4551aa30b257e6dfff2e09f1eae48
    SHA256: 8653f7fd3066d8a640fa4240a8ed0755a19081392559c430034223723304432a
    SHA512: 6729f8de76365af25424fb51fc79f2d1179c8bf5df8b8f414535dd7bd2e2006c6eb5bf4ac4cf497761e263538653de95667b5ec320da722a2e3009215fb5a52b

  • C:\Windows\System\svchost.exe
    Filesize: 206KB
    MD5:    a2b822f2277fb47c0ade347a849529f7
    SHA1:   6c58e825cfe49164f68493de07d4169c5e68f4ca
    SHA256: 463b0b9a7a630ae76189ee335b16faaaa9c50877923cb70c4eb974c905ef9edf
    SHA512: 3ecda9d179e1a4ae05687eee98227384bffc86e2ba460ad25bb15dd58cd44a84b53f88f99d50508bd8bd2e6f9014016e8b40db5e9519464bcc0345717589bfe5