Analysis

  • max time kernel
    155s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-06-2024 02:50

General

  • Target

    588692ef32964190d1891feb14366750_NeikiAnalytics.exe

  • Size

    211KB

  • MD5

    588692ef32964190d1891feb14366750

  • SHA1

    0fcc4c6b45d2ba191ee871b9d0ef29ada5cc80de

  • SHA256

    8324a2a62879ef7f0e12d9fca0749fd8742b6aebe1f19f60364ce8f80e96bafe

  • SHA512

    817d3de64d5816d27ba8fd571e92a0f26d478eae95f21e8df37c3c0ae0e1f6480e52053fda75cb72ae45267af49a8591bfa4782d01a334d2c9483dc6e2f286bc

  • SSDEEP

    3072:bDpM9Nvih5c9DE1pvAPXIHLfMgw7ySBL8PEAjAfIbAYGPJz6sPJBINFZ1FqnL:b1iNKQxENHLfMgw7y9Zro

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\588692ef32964190d1891feb14366750_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\588692ef32964190d1891feb14366750_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2252
    • \??\c:\windows\userinit.exe
      c:\windows\userinit.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2352
      • \??\c:\windows\spoolsw.exe
        c:\windows\spoolsw.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3564
        • \??\c:\windows\swchost.exe
          c:\windows\swchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1128
          • \??\c:\windows\spoolsw.exe
            c:\windows\spoolsw.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2372
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5164 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4136

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\mrsys.exe

      Filesize

      211KB

      MD5

      6cd292c51c478916738af971fb0556e0

      SHA1

      49d70b9f7d1a0e1ca2704971916fd66656883af6

      SHA256

      90961c95368a66b6757dae173f484870a6aa12b1daaa558e099c5edcb8a1e468

      SHA512

      8714fc3b1a1a3e4889553540d09d4b11e12834c03bc6adf6bb303876de3df0e57f4d280c5e3c63bf02e12790ee3f58321d6aa5f75a352f27d67c09e578ed872c

    • C:\Windows\spoolsw.exe

      Filesize

      211KB

      MD5

      5053e13ba2b34d02b82175b013b63694

      SHA1

      533f9fdcf0ba3ea2b63d6c6846b04e9107ddb02c

      SHA256

      06616bf5a63c448470b8d90a5b486e4538e38d3ffd2b56287c578b65a87dfb31

      SHA512

      01b4fcfde7876938be3c240f91f4de22fb969df4073446b93fc8eebb5bc0f1961708073ca8505f26c86867f4545b824971d3a3986a65aaea0aea89a73da4b3f9

    • C:\Windows\swchost.exe

      Filesize

      211KB

      MD5

      c5b59cad1ab2d0eb193d26db4405f5e1

      SHA1

      748e82bf0783c71c6fb397583e7dad36903ef736

      SHA256

      d9d560eb1fe30e098f2a5d2e0229e7c35d7825c007366f9cff6575607c5e834f

      SHA512

      e7b506d4c1969c63043b554139fb215e042507c621970c2768cc766aef9612f2f691877e9a8adc2068426247ac3bc7bd9d63ba6147c7aae3dd30bbba058d0330

    • C:\Windows\userinit.exe

      Filesize

      211KB

      MD5

      e8db695048a476743c0203a19a4e9b6f

      SHA1

      22b9e007bd470ea840002fb22dc0b3c61b2b7e2b

      SHA256

      6e35040302101914347bd5d73d8687dbca4c8290944d877c07badfe10b018b05

      SHA512

      5c86ef99c6773c15ca05ca9e0b64c9d05772cb08a4d98dbae67f50e1642342234b150658b115b8b96b0dbfd2bf13c73eb24271e7513bb9f43c6ad61abe5eb6cb