Analysis
Max time kernel: 155s
Max time network: 146s
Platform: windows10-2004_x64
Resource: win10v2004-20240226-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 13-06-2024 02:50
Static task: static1
Behavioral task: behavioral1
  Sample: 588692ef32964190d1891feb14366750_NeikiAnalytics.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 588692ef32964190d1891feb14366750_NeikiAnalytics.exe
  Resource: win10v2004-20240226-en
General
Target: 588692ef32964190d1891feb14366750_NeikiAnalytics.exe
Size: 211KB
MD5: 588692ef32964190d1891feb14366750
SHA1: 0fcc4c6b45d2ba191ee871b9d0ef29ada5cc80de
SHA256: 8324a2a62879ef7f0e12d9fca0749fd8742b6aebe1f19f60364ce8f80e96bafe
SHA512: 817d3de64d5816d27ba8fd571e92a0f26d478eae95f21e8df37c3c0ae0e1f6480e52053fda75cb72ae45267af49a8591bfa4782d01a334d2c9483dc6e2f286bc
SSDEEP: 3072:bDpM9Nvih5c9DE1pvAPXIHLfMgw7ySBL8PEAjAfIbAYGPJz6sPJBINFZ1FqnL:b1iNKQxENHLfMgw7y9Zro
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe" (process: swchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe" (process: userinit.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
- Set value (int): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: userinit.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: swchost.exe)
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" (process: userinit.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (process: swchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" (process: swchost.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: swchost.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: swchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR" (process: swchost.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (process: swchost.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: userinit.exe)
Executes dropped EXE (4 IoCs)
- PID 2352: userinit.exe
- PID 3564: spoolsw.exe
- PID 1128: swchost.exe
- PID 2372: spoolsw.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO" (process: userinit.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO" (process: userinit.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO" (process: swchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO" (process: swchost.exe)
Drops file in System32 directory (1 IoC)
- File opened for modification: C:\Windows\SysWOW64\udsys.exe (process: userinit.exe)
Drops file in Windows directory (5 IoCs)
- File opened for modification: \??\c:\windows\spoolsw.exe (process: userinit.exe)
- File opened for modification: \??\c:\windows\swchost.exe (process: spoolsw.exe)
- File opened for modification: \??\c:\windows\swchost.exe (process: swchost.exe)
- File opened for modification: \??\c:\windows\userinit.exe (process: userinit.exe)
- File opened for modification: \??\c:\windows\userinit.exe (process: 588692ef32964190d1891feb14366750_NeikiAnalytics.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 2252: 588692ef32964190d1891feb14366750_NeikiAnalytics.exe
- PID 2252: 588692ef32964190d1891feb14366750_NeikiAnalytics.exe
- PID 2352: userinit.exe
- PID 2352: userinit.exe
- PID 2352: userinit.exe
- PID 2352: userinit.exe
- PID 2352: userinit.exe
- PID 2352: userinit.exe
- PID 1128: swchost.exe
- PID 1128: swchost.exe
- PID 1128: swchost.exe
- PID 1128: swchost.exe
- PID 2352: userinit.exe
- PID 2352: userinit.exe
- PID 1128: swchost.exe
- PID 1128: swchost.exe
- PID 2352: userinit.exe
- PID 2352: userinit.exe
- PID 1128: swchost.exe
- PID 1128: swchost.exe
- PID 2352: userinit.exe
- PID 2352: userinit.exe
- PID 1128: swchost.exe
- PID 1128: swchost.exe
- PID 2352: userinit.exe
- PID 2352: userinit.exe
- PID 1128: swchost.exe
- PID 1128: swchost.exe
- PID 2352: userinit.exe
- PID 2352: userinit.exe
- PID 1128: swchost.exe
- PID 1128: swchost.exe
- PID 2352: userinit.exe
- PID 2352: userinit.exe
- PID 1128: swchost.exe
- PID 1128: swchost.exe
- PID 2352: userinit.exe
- PID 2352: userinit.exe
- PID 1128: swchost.exe
- PID 1128: swchost.exe
- PID 2352: userinit.exe
- PID 2352: userinit.exe
- PID 1128: swchost.exe
- PID 1128: swchost.exe
- PID 2352: userinit.exe
- PID 2352: userinit.exe
- PID 1128: swchost.exe
- PID 1128: swchost.exe
- PID 2352: userinit.exe
- PID 2352: userinit.exe
- PID 1128: swchost.exe
- PID 1128: swchost.exe
- PID 2352: userinit.exe
- PID 2352: userinit.exe
- PID 1128: swchost.exe
- PID 1128: swchost.exe
- PID 2352: userinit.exe
- PID 2352: userinit.exe
- PID 1128: swchost.exe
- PID 1128: swchost.exe
- PID 2352: userinit.exe
- PID 2352: userinit.exe
- PID 1128: swchost.exe
- PID 1128: swchost.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
- PID 2352: userinit.exe
- PID 1128: swchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
- PID 2252: 588692ef32964190d1891feb14366750_NeikiAnalytics.exe
- PID 2252: 588692ef32964190d1891feb14366750_NeikiAnalytics.exe
- PID 2352: userinit.exe
- PID 2352: userinit.exe
- PID 3564: spoolsw.exe
- PID 3564: spoolsw.exe
- PID 1128: swchost.exe
- PID 1128: swchost.exe
- PID 2372: spoolsw.exe
- PID 2372: spoolsw.exe
- PID 2352: userinit.exe
- PID 2352: userinit.exe
Suspicious use of WriteProcessMemory (12 IoCs)
- PID 2252 wrote to memory of 2352 (process: 588692ef32964190d1891feb14366750_NeikiAnalytics.exe, procid_target: 92)
- PID 2252 wrote to memory of 2352 (process: 588692ef32964190d1891feb14366750_NeikiAnalytics.exe, procid_target: 92)
- PID 2252 wrote to memory of 2352 (process: 588692ef32964190d1891feb14366750_NeikiAnalytics.exe, procid_target: 92)
- PID 2352 wrote to memory of 3564 (process: userinit.exe, procid_target: 93)
- PID 2352 wrote to memory of 3564 (process: userinit.exe, procid_target: 93)
- PID 2352 wrote to memory of 3564 (process: userinit.exe, procid_target: 93)
- PID 3564 wrote to memory of 1128 (process: spoolsw.exe, procid_target: 94)
- PID 3564 wrote to memory of 1128 (process: spoolsw.exe, procid_target: 94)
- PID 3564 wrote to memory of 1128 (process: spoolsw.exe, procid_target: 94)
- PID 1128 wrote to memory of 2372 (process: swchost.exe, procid_target: 95)
- PID 1128 wrote to memory of 2372 (process: swchost.exe, procid_target: 95)
- PID 1128 wrote to memory of 2372 (process: swchost.exe, procid_target: 95)
Processes
C:\Users\Admin\AppData\Local\Temp\588692ef32964190d1891feb14366750_NeikiAnalytics.exe (PID 2252)
  Command line: "C:\Users\Admin\AppData\Local\Temp\588692ef32964190d1891feb14366750_NeikiAnalytics.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  \??\c:\windows\userinit.exe (PID 2352)
    Command line: c:\windows\userinit.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    \??\c:\windows\spoolsw.exe (PID 3564)
      Command line: c:\windows\spoolsw.exe SE
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      \??\c:\windows\swchost.exe (PID 1128)
        Command line: c:\windows\swchost.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        \??\c:\windows\spoolsw.exe (PID 2372)
          Command line: c:\windows\spoolsw.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4136)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5164 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Persistence
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (2)
    - Winlogon Helper DLL (1)
Privilege Escalation
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (2)
    - Winlogon Helper DLL (1)
Downloads