Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-06-2024 02:50

General

  • Target

    588692ef32964190d1891feb14366750_NeikiAnalytics.exe

  • Size

    211KB

  • MD5

    588692ef32964190d1891feb14366750

  • SHA1

    0fcc4c6b45d2ba191ee871b9d0ef29ada5cc80de

  • SHA256

    8324a2a62879ef7f0e12d9fca0749fd8742b6aebe1f19f60364ce8f80e96bafe

  • SHA512

    817d3de64d5816d27ba8fd571e92a0f26d478eae95f21e8df37c3c0ae0e1f6480e52053fda75cb72ae45267af49a8591bfa4782d01a334d2c9483dc6e2f286bc

  • SSDEEP

    3072:bDpM9Nvih5c9DE1pvAPXIHLfMgw7ySBL8PEAjAfIbAYGPJz6sPJBINFZ1FqnL:b1iNKQxENHLfMgw7y9Zro

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\588692ef32964190d1891feb14366750_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\588692ef32964190d1891feb14366750_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2468
    • \??\c:\windows\userinit.exe
      c:\windows\userinit.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2924
      • \??\c:\windows\spoolsw.exe
        c:\windows\spoolsw.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2704
        • \??\c:\windows\swchost.exe
          c:\windows\swchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2816
          • \??\c:\windows\spoolsw.exe
            c:\windows\spoolsw.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2916

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\mrsys.exe

    Filesize

    211KB

    MD5

    97e428a96edebf3b22a66b9f31afe3b5

    SHA1

    b4f7472bfb2c7432b4ddc9bd0122497cdbf6f2f4

    SHA256

    0da13314b3aac2b8030cbdcaf8de5855132009c0eba42cefb0b3f20658356a47

    SHA512

    992a7802bc2696f1c91805124cfdb2b6f6e6508709ef570e86024276ac892381a977fa600889a6181160e47f3dfa52f753e295e7f0f6df1e7bb784cbc809fd7f

  • C:\Windows\spoolsw.exe

    Filesize

    211KB

    MD5

    d831ce41600566fd40e8653bfa12d7ea

    SHA1

    c1dde4775aa574f26534e39cb6f1a79a30007a0b

    SHA256

    82ab3fdce666e7704b17d2a99f9432fc27150a454780d13ebc51fc0554149a1d

    SHA512

    1b97d375730c7b8259b2df83a83795ae49c198c882f3333a1f688335d2aa263924de2d007a510754a281a42b2466934a745de30dea4a361b3cfc5f81ef381232

  • C:\Windows\swchost.exe

    Filesize

    211KB

    MD5

    eea4dd198fa23140940a73af1ba74aa6

    SHA1

    406c57f6e416b8580b6314f04225f41788698b8c

    SHA256

    10c80c3304b93890630977ee540177e765da50502528798e30569a656d2275c6

    SHA512

    52f3d45fe6df498bb08db8b16f46a7cd168e575d46fc0b2c9630b35803330808027af72f9a561980ce1923e6c93375b4c0805d4ece8bfaf5a8df9e3fc2fb0503

  • C:\Windows\userinit.exe

    Filesize

    211KB

    MD5

    b92fbdc5ac17be823446940de8ca664e

    SHA1

    d0aa971ff7fc553e8e96325f61e23f5cc1569c61

    SHA256

    82602815f42f82ab0a6cdfb6772f908d814333fc5967b67144a80f5e9f629a88

    SHA512

    5aec6354eaec023a1bfba9ebbaf4a856b400a37e596173c7da0b3b1bf6095542e3c77dd363f241e5e7590f175e85b5dccd6acf9ce951a61d4b3b519402e274f8