Analysis

  • max time kernel: 150s
  • max time network: 122s
  • platform: windows7_x64
  • resource: win7-20240611-en
  • resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted: 14-06-2024 02:17

General

  • Target: 9a988c6d6e79862014355cfd15de3880_NeikiAnalytics.exe
  • Size: 211KB
  • MD5: 9a988c6d6e79862014355cfd15de3880
  • SHA1: 35c096be0fec01146e8322bf0e4b11b56f45e022
  • SHA256: 9162b42d29acba7304b15c72248286e2fab156fc71787d4dad94df98f56894d1
  • SHA512: 99857d9335ac45ca6c9bf179cb61f974da0403d41e715040c753774d53626c6bc61c05cfd39c10a30ec1d6866b9a1fa994460abf466b4a1e955c85a6805eec39
  • SSDEEP: 3072:JD6Xtx68yygRBE52mxkEOHLRMpZ4deth8PEAjAfIbAYGPhz6sPJBInxZqOH:Jh8cBzHLRMpZ4d1ZH

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  • Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  • Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
  • Executes dropped EXE (4 IoCs)
  • Adds Run key to start application (2 TTPs, 4 IoCs)
  • Drops file in System32 directory (1 IoC)
  • Drops file in Windows directory (5 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  • Suspicious use of SetWindowsHookEx (12 IoCs)
  • Suspicious use of WriteProcessMemory (16 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\9a988c6d6e79862014355cfd15de3880_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\9a988c6d6e79862014355cfd15de3880_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2436
    • \??\c:\windows\userinit.exe
      c:\windows\userinit.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2348
      • \??\c:\windows\spoolsw.exe
        c:\windows\spoolsw.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2160
        • \??\c:\windows\swchost.exe
          c:\windows\swchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2896
          • \??\c:\windows\spoolsw.exe
            c:\windows\spoolsw.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2760

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\mrsys.exe
    Filesize: 211KB
    MD5: 6d83a07b32984250bdd1fc2742dc7a5d
    SHA1: f485891fdf02e5fc3dc6b6cde471146b325d3fe2
    SHA256: a45eab6100e471b06f3d7c9b7c9f8a7576ebd9d4df619760ed6d359e331c5ece
    SHA512: 2f3710e9c1427b8f2bc6e7de6e35ecd5231c59b21537a2d3aba76c9e0bb0a03024f7bcfb2042f241115d7c1c54f7c7823597fcc633b5682185e994f9d8c614c4

  • C:\Windows\spoolsw.exe
    Filesize: 211KB
    MD5: b11cc491b34331ae5e4488a908e2d8ce
    SHA1: db728ab7400dfca011b2350ff7756506d55e1d1f
    SHA256: a2ff1bacabadf27ac79358e563b60fa569b2b88232a1275907faef6fbd1bdd89
    SHA512: 99eeaae5c44904aacee86135893e8ab06c06bbd29383efa3127ab2fd7de00a42444d32d6eec0e0279b84c56df60272958f2f0c42dcd66ee7071c6e7d6c43017d

  • C:\Windows\swchost.exe
    Filesize: 211KB
    MD5: cef476eb8683e268b3c72455148a470d
    SHA1: bd5917d15d500520e8b2dccaa064c193c836cee4
    SHA256: 2c4ec805f769a7409e37fc9e05646216ee183b1c0b5be88ab7c6f350c539348f
    SHA512: ca5bafc90033482fb271c6624c0a015b6616032a01b942fa0a6c266e19c00323ead0297cab4c0661a752187b67835028055964570a3d7c4e1ed7fefb62f67de4

  • C:\Windows\userinit.exe
    Filesize: 211KB
    MD5: 248632488064c618f792a4f7bdf21c35
    SHA1: 939d9559dbd3e9877f22a317b17d8a77eca0f2a3
    SHA256: 65b30f1fe56ef5359e0e8f01ee97007890af8b99a97b28edc9a50b854b49b95f
    SHA512: 1f9171122ebcae67cf010ad2fc2db2898300fa2da2daf8b8900cc6206385f0901a03a955a1bbba1a1d700a7c8db44510d56ae2f65b5aff6096eac24032906113