Analysis
max time kernel: 150s
max time network: 118s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 13-06-2024 02:50
Static task: static1
Behavioral task: behavioral1
  Sample: 588692ef32964190d1891feb14366750_NeikiAnalytics.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 588692ef32964190d1891feb14366750_NeikiAnalytics.exe
  Resource: win10v2004-20240226-en
The PIDs, registry paths and file paths below come from the behavioral1 run on windows7_x64; the Wow6432Node registry paths show the sample is a 32-bit executable running on a 64-bit system.
General
Target: 588692ef32964190d1891feb14366750_NeikiAnalytics.exe
Size: 211KB
MD5: 588692ef32964190d1891feb14366750
SHA1: 0fcc4c6b45d2ba191ee871b9d0ef29ada5cc80de
SHA256: 8324a2a62879ef7f0e12d9fca0749fd8742b6aebe1f19f60364ce8f80e96bafe
SHA512: 817d3de64d5816d27ba8fd571e92a0f26d478eae95f21e8df37c3c0ae0e1f6480e52053fda75cb72ae45267af49a8591bfa4782d01a334d2c9483dc6e2f286bc
SSDEEP: 3072:bDpM9Nvih5c9DE1pvAPXIHLfMgw7ySBL8PEAjAfIbAYGPJz6sPJBINFZ1FqnL:b1iNKQxENHLfMgw7y9Zro
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  Description     | IoC | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe" | userinit.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe" | swchost.exe
  The default Winlogon Shell value is explorer.exe alone; the appended c:\windows\userinit.exe is started together with the shell at every interactive logon. The path is itself a tell: the legitimate userinit.exe lives in %SystemRoot%\System32, not directly under %SystemRoot%.
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  Description     | IoC | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | userinit.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | swchost.exe
  ShowSuperHidden = 0 keeps "protected operating system files" (files carrying both the hidden and system attributes) out of Explorer listings, so dropped files marked that way stay invisible to the user.
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
  Description     | IoC | Process
  Key created     | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | userinit.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" | userinit.exe
  Key created     | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | swchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" | swchost.exe
  Key deleted     | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | swchost.exe
  Key created     | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | swchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" | swchost.exe
  Key deleted     | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | swchost.exe
  Active Setup runs each component's StubPath once per user at logon. Two things stand out for hunting: both component names contain non-hexadecimal characters (Y, O, T, R, W, V, M, Q and others), so they are not well-formed GUIDs, and the StubPath points into a user profile (AppData\Local\mrsys.exe). Note that mrsys.exe is not among the files this run records being written.
Executes dropped EXE (4 IoCs)
  PID  | Process
  2924 | userinit.exe
  2704 | spoolsw.exe
  2816 | swchost.exe
  2916 | spoolsw.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
  Description     | IoC | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO" | userinit.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO" | userinit.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO" | swchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO" | swchost.exe
  RunOnce entries are removed after they execute, so both payloads re-create them on every run; an absent RunOnce value on a live host therefore does not mean the infection is gone. The binary names are look-alikes of svchost.exe and of the real userinit.exe.
Drops file in System32 directory (1 IoC)
  Description                  | IoC | Process
  File opened for modification | C:\Windows\SysWOW64\udsys.exe | userinit.exe

Drops file in Windows directory (5 IoCs)
  Description                  | IoC | Process
  File opened for modification | \??\c:\windows\userinit.exe | 588692ef32964190d1891feb14366750_NeikiAnalytics.exe
  File opened for modification | \??\c:\windows\spoolsw.exe  | userinit.exe
  File opened for modification | \??\c:\windows\swchost.exe  | spoolsw.exe
  File opened for modification | \??\c:\windows\userinit.exe | userinit.exe
  File opened for modification | \??\c:\windows\swchost.exe  | swchost.exe
  The \??\ prefix is the NT object-manager form of the drive path. Writing into C:\Windows and C:\Windows\SysWOW64 needs an elevated token; the sandbox ran the sample as the Admin account. udsys.exe is written but is not observed executing in this run, and spoolsw.exe is a look-alike of the print spooler binary spoolsv.exe.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID  | Process
  2468 | 588692ef32964190d1891feb14366750_NeikiAnalytics.exe (1 entry)
  2924 | userinit.exe
  2816 | swchost.exe
  The remaining 63 entries alternate between PID 2924 (userinit.exe) and PID 2816 (swchost.exe); the two persistent stages enumerate processes continuously for the whole run.
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  PID  | Process
  2924 | userinit.exe
  2816 | swchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
  PID  | Process | Entries
  2468 | 588692ef32964190d1891feb14366750_NeikiAnalytics.exe | 2
  2924 | userinit.exe | 2
  2704 | spoolsw.exe  | 2
  2816 | swchost.exe  | 2
  2916 | spoolsw.exe  | 2
  2924 | userinit.exe | 2
Suspicious use of WriteProcessMemory (16 IoCs; each row is recorded 4 times)
  Description | PID  | Process | procid_target
  PID 2468 wrote to memory of 2924 | 2468 | 588692ef32964190d1891feb14366750_NeikiAnalytics.exe | 29
  PID 2924 wrote to memory of 2704 | 2924 | userinit.exe | 30
  PID 2704 wrote to memory of 2816 | 2704 | spoolsw.exe  | 31
  PID 2816 wrote to memory of 2916 | 2816 | swchost.exe  | 32
  The writes follow the parent-child chain exactly (2468 -> 2924 -> 2704 -> 2816 -> 2916); no write into an unrelated process is recorded.
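Added example, not part of the sandbox report and not the sample's own code: detection logic for the four registry artefacts above, run over constructed records in the shape of Sysmon Event ID 13 (registry value set). The field names Image, TargetObject and Details are assumed to mirror Sysmon; the values are taken from the IoCs in this report, plus one constructed benign Active Setup control with a placeholder GUID. The rules generalise the report's specific values: any entry other than explorer.exe in Winlogon\Shell, an Active Setup component whose name is not a well-formed GUID or whose StubPath sits in a user profile, a Shell/Run/RunOnce/StubPath binary that is one character away from a Windows system binary name or a real name in the wrong directory (masquerading), and ShowSuperHidden forced to 0.

```python
import re

# Constructed records in the shape of Sysmon Event ID 13 (registry value set),
# built from the IoCs in the Signatures section of this report. The last record
# is a constructed benign control with a placeholder GUID and is NOT from the report.
SAMPLE_EVENTS = [
    {"Image": r"c:\windows\userinit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell",
     "Details": r"C:\Windows\explorer.exe, c:\windows\userinit.exe"},
    {"Image": r"c:\windows\swchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components"
                     r"\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath",
     "Details": r"C:\Users\Admin\AppData\Local\mrsys.exe MR"},
    {"Image": r"c:\windows\userinit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost",
     "Details": r"c:\windows\swchost.exe RO"},
    {"Image": r"c:\windows\userinit.exe",
     "TargetObject": r"HKU\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft"
                     r"\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
     "Details": "DWORD (0x00000000)"},
    {"Image": r"C:\Windows\System32\msiexec.exe",  # constructed benign control
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
                     r"\{DEADBEEF-0000-4000-8000-000000000001}\StubPath",
     "Details": r"C:\Windows\System32\regsvr32.exe /s example.dll"},
]

GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)

# Windows binaries the dropped files imitate, with the directory each one lives in.
KNOWN_BINARIES = {
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "userinit.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


def edit_distance(a, b):
    """Levenshtein distance; a distance of 1 flags one-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def masquerade(path):
    """Reason string if `path` impersonates a Windows binary, else None.
    Catches a real name in the wrong directory (c:\\windows\\userinit.exe) and a
    name one edit away from a real one (swchost.exe vs svchost.exe)."""
    directory, _, name = path.lower().rpartition("\\")
    for real, real_dir in KNOWN_BINARIES.items():
        if name == real:
            # 32-bit copies of System32 binaries legitimately live in SysWOW64.
            if directory in (real_dir, real_dir.replace("system32", "syswow64")):
                return None
            return f"{real} outside {real_dir}"
        if edit_distance(name, real) == 1:
            return f"{name} resembles {real}"
    return None


def first_exe(command):
    """Executable path from a registry command string ('c:\\x.exe RO', '"c:\\a b.exe" /s')."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    m = re.match(r"(.+?\.exe)", command, re.I)
    return m.group(1) if m else command.split()[0]


def analyse_event(ev):
    """Return (rule, detail) findings for one registry-set event."""
    target = ev["TargetObject"].lower()
    details = ev["Details"]
    findings = []

    if target.endswith("\\winlogon\\shell"):
        # Shell should be exactly explorer.exe; anything appended runs at every logon.
        for entry in (e.strip() for e in details.split(",")):
            if entry.lower().rpartition("\\")[2] != "explorer.exe":
                findings.append(("winlogon_shell_append", entry))
            reason = masquerade(entry)
            if reason:
                findings.append(("masquerading_binary", reason))

    m = re.search(r"\\active setup\\installed components\\(\{[^\\]+\})\\stubpath$", target)
    if m:
        # Active Setup runs StubPath once per user at logon. A component name that is
        # not a real GUID, or a stub inside a user profile, is not how installers use it.
        if not GUID_RE.match(m.group(1)):
            findings.append(("active_setup_malformed_guid", m.group(1)))
        exe = first_exe(details)
        if "\\users\\" in exe.lower():
            findings.append(("active_setup_stubpath_in_profile", exe))
        reason = masquerade(exe)
        if reason:
            findings.append(("masquerading_binary", reason))

    if re.search(r"\\currentversion\\(run|runonce)\\[^\\]+$", target):
        reason = masquerade(first_exe(details))
        if reason:
            findings.append(("masquerading_binary", reason))

    if target.endswith("\\explorer\\advanced\\showsuperhidden") and details.endswith("(0x00000000)"):
        # 0 keeps "protected operating system files" hidden in Explorer.
        findings.append(("hide_protected_os_files", ev["Image"]))
    return findings


def scan(events):
    """Group findings by rule across a batch of events."""
    hits = {}
    for ev in events:
        for rule, detail in analyse_event(ev):
            hits.setdefault(rule, []).append(detail)
    return hits


if __name__ == "__main__":
    for rule, details in scan(SAMPLE_EVENTS).items():
        print(f"{rule}: {details}")
```

The control record produces no findings, which is the point of the masquerade check: it fires on the wrong directory or a one-character name change, not on any Run or Active Setup write, so a host with ordinary installer activity stays quiet. Feeding real Sysmon output requires only mapping its TargetObject (HKLM/HKU prefixes) and Details fields into the same dictionaries.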
Processes

1. C:\Users\Admin\AppData\Local\Temp\588692ef32964190d1891feb14366750_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\588692ef32964190d1891feb14366750_NeikiAnalytics.exe"
   PID: 2468
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. \??\c:\windows\userinit.exe (child of PID 2468)
      Command line: c:\windows\userinit.exe
      PID: 2924
      - Modifies WinLogon for persistence
      - Modifies visibility of hidden/system files in Explorer
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. \??\c:\windows\spoolsw.exe (child of PID 2924)
         Command line: c:\windows\spoolsw.exe SE
         PID: 2704
         - Executes dropped EXE
         - Drops file in Windows directory
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4. \??\c:\windows\swchost.exe (child of PID 2704)
            Command line: c:\windows\swchost.exe
            PID: 2816
            - Modifies WinLogon for persistence
            - Modifies visibility of hidden/system files in Explorer
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            5. \??\c:\windows\spoolsw.exe (child of PID 2816)
               Command line: c:\windows\spoolsw.exe PR
               PID: 2916
               - Executes dropped EXE
               - Suspicious use of SetWindowsHookEx

The tree is a single linear chain: each stage drops the next look-alike binary into C:\Windows and launches it, and userinit.exe (2924) and swchost.exe (2816) are the two stages that install persistence and keep running. The two-letter arguments differ per launch path (SE and PR for spoolsw.exe here, RO in the RunOnce values, MR in the Active Setup StubPath), which is worth recording when writing command-line detections.
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution, T1547 (3)
    Registry Run Keys / Startup Folder, T1547.001 (2)
    Winlogon Helper DLL, T1547.004 (1)
Privilege Escalation
  Boot or Logon Autostart Execution, T1547 (3)
    Registry Run Keys / Startup Folder, T1547.001 (2)
    Winlogon Helper DLL, T1547.004 (1)
The counts are the sandbox's signature hits per technique; the Active Setup modification is not mapped separately here.
Downloads (4 dropped files)
All four entries are 211KB, the same size as the submitted sample, but none of them shares its hashes, so the dropped copies have to be matched on their own hashes rather than on the parent's. The report does not record which on-disk path each entry corresponds to.

File 1
  Filesize: 211KB
  MD5: 97e428a96edebf3b22a66b9f31afe3b5
  SHA1: b4f7472bfb2c7432b4ddc9bd0122497cdbf6f2f4
  SHA256: 0da13314b3aac2b8030cbdcaf8de5855132009c0eba42cefb0b3f20658356a47
  SHA512: 992a7802bc2696f1c91805124cfdb2b6f6e6508709ef570e86024276ac892381a977fa600889a6181160e47f3dfa52f753e295e7f0f6df1e7bb784cbc809fd7f

File 2
  Filesize: 211KB
  MD5: d831ce41600566fd40e8653bfa12d7ea
  SHA1: c1dde4775aa574f26534e39cb6f1a79a30007a0b
  SHA256: 82ab3fdce666e7704b17d2a99f9432fc27150a454780d13ebc51fc0554149a1d
  SHA512: 1b97d375730c7b8259b2df83a83795ae49c198c882f3333a1f688335d2aa263924de2d007a510754a281a42b2466934a745de30dea4a361b3cfc5f81ef381232

File 3
  Filesize: 211KB
  MD5: eea4dd198fa23140940a73af1ba74aa6
  SHA1: 406c57f6e416b8580b6314f04225f41788698b8c
  SHA256: 10c80c3304b93890630977ee540177e765da50502528798e30569a656d2275c6
  SHA512: 52f3d45fe6df498bb08db8b16f46a7cd168e575d46fc0b2c9630b35803330808027af72f9a561980ce1923e6c93375b4c0805d4ece8bfaf5a8df9e3fc2fb0503

File 4
  Filesize: 211KB
  MD5: b92fbdc5ac17be823446940de8ca664e
  SHA1: d0aa971ff7fc553e8e96325f61e23f5cc1569c61
  SHA256: 82602815f42f82ab0a6cdfb6772f908d814333fc5967b67144a80f5e9f629a88
  SHA512: 5aec6354eaec023a1bfba9ebbaf4a856b400a37e596173c7da0b3b1bf6095542e3c77dd363f241e5e7590f175e85b5dccd6acf9ce951a61d4b3b519402e274f8