Analysis
max time kernel: 150s
max time network: 51s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-06-2024 02:17
Static task: static1
Behavioral task: behavioral1
  Sample: 9a988c6d6e79862014355cfd15de3880_NeikiAnalytics.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 9a988c6d6e79862014355cfd15de3880_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 9a988c6d6e79862014355cfd15de3880_NeikiAnalytics.exe
Size: 211KB
MD5: 9a988c6d6e79862014355cfd15de3880
SHA1: 35c096be0fec01146e8322bf0e4b11b56f45e022
SHA256: 9162b42d29acba7304b15c72248286e2fab156fc71787d4dad94df98f56894d1
SHA512: 99857d9335ac45ca6c9bf179cb61f974da0403d41e715040c753774d53626c6bc61c05cfd39c10a30ec1d6866b9a1fa994460abf466b4a1e955c85a6805eec39
SSDEEP: 3072:JD6Xtx68yygRBE52mxkEOHLRMpZ4deth8PEAjAfIbAYGPhz6sPJBInxZqOH:Jh8cBzHLRMpZ4d1ZH
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Processes:
- userinit.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe"
- swchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe"
Note: the default Winlogon Shell value is explorer.exe alone; the program chained after it is the dropped copy in c:\windows, not the legitimate C:\Windows\System32\userinit.exe, so the name collision should not be taken as a sign that the value is benign.
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes:
- userinit.exe: Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
- swchost.exe: Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Note: ShowSuperHidden = 0 is the Explorer setting that hides files carrying both the hidden and system attributes ("Hide protected operating system files"); both dropped processes reassert it.
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
Processes:
- userinit.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"
- swchost.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}
- swchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"
- swchost.exe: Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
- swchost.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
- swchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"
- swchost.exe: Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}
- userinit.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
Note: an Active Setup StubPath is executed at the next logon of each user whose profile has not yet recorded that component, so this entry is a logon-time persistence mechanism distinct from the RunOnce and Winlogon entries. Neither component id is a well-formed GUID (both contain non-hex characters such as Y, O, T, R, W, V, M and Q), which is a cheap hunting cue for this family. The StubPath target C:\Users\Admin\AppData\Local\mrsys.exe does not appear in the process tree of this run.
Executes dropped EXE (4 IoCs)
Processes:
- PID 1284 userinit.exe
- PID 1252 spoolsw.exe
- PID 3192 swchost.exe
- PID 2152 spoolsw.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes:
- userinit.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO"
- userinit.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO"
- swchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\userinit.exe RO"
- swchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Swchost = "c:\\windows\\swchost.exe RO"
Note: RunOnce entries are removed once they have run, so persistence through this key only holds because each dropped process re-registers both entries on every execution; the "RO" argument matches the "SE", "PR" and "MR" switches seen elsewhere in this report and suggests one binary selecting its role from the command line.
Drops file in System32 directory (1 IoCs)
Processes:
- userinit.exe: File opened for modification C:\Windows\SysWOW64\system\udsys.exe
Drops file in Windows directory (5 IoCs)
Processes:
- swchost.exe: File opened for modification \??\c:\windows\swchost.exe
- 9a988c6d6e79862014355cfd15de3880_NeikiAnalytics.exe: File opened for modification \??\c:\windows\userinit.exe
- userinit.exe: File opened for modification \??\c:\windows\spoolsw.exe
- spoolsw.exe: File opened for modification \??\c:\windows\swchost.exe
- userinit.exe: File opened for modification \??\c:\windows\userinit.exe
Note: all three dropped names imitate Windows binaries: userinit.exe reuses the real name but lands in c:\windows rather than System32, while swchost.exe and spoolsw.exe differ from svchost.exe and spoolsv.exe by a single character. Writing into c:\windows and SysWOW64 needs an elevated token, which the sandbox user evidently had, since the dropped copies subsequently execute.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid, process, number of hits):
- 4176 9a988c6d6e79862014355cfd15de3880_NeikiAnalytics.exe: 2
- 1284 userinit.exe: 32
- 3192 swchost.exe: 30
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes:
- PID 1284 userinit.exe
- PID 3192 swchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
Processes (pid, process, number of hits):
- 4176 9a988c6d6e79862014355cfd15de3880_NeikiAnalytics.exe: 2
- 1284 userinit.exe: 4
- 1252 spoolsw.exe: 2
- 3192 swchost.exe: 2
- 2152 spoolsw.exe: 2
Suspicious use of WriteProcessMemory (12 IoCs)
Processes (each pair recorded three times):
- PID 4176 9a988c6d6e79862014355cfd15de3880_NeikiAnalytics.exe wrote to memory of PID 1284 userinit.exe
- PID 1284 userinit.exe wrote to memory of PID 1252 spoolsw.exe
- PID 1252 spoolsw.exe wrote to memory of PID 3192 swchost.exe
- PID 3192 swchost.exe wrote to memory of PID 2152 spoolsw.exe
Note: every write targets the child the writer has just spawned, so the four pairs trace exactly the parent/child chain in the process tree below; the report does not show writes into any process outside that chain.
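The signatures above amount to four registry-based persistence rules (Winlogon Shell, Active Setup StubPath, RunOnce, ShowSuperHidden) and one file-drop pattern (system-binary impostors in c:\windows). The Python below is an added example, not code from the sandbox vendor or from the sample, that turns those observations into detection logic and runs it over a constructed event list mirroring the IoCs on this page plus two benign decoys. The flat dict event schema, the field names and the EXPECTED_DIRS list of imitated binaries are assumptions made for the example; the GUID rule relies only on the fact that Active Setup component ids are GUIDs and therefore hex-only.

```python
"""Detection rules for the persistence and masquerading IoCs listed above.
Added example, not code from the sandbox vendor or the sample: the EVENTS list is
constructed to mirror the registry writes and file drops on this page plus two
benign decoys, and its flat dict schema is an assumption, not a Sysmon/EDR format."""
import re

# Binaries the dropped files imitate and where the real ones live: userinit.exe is
# dropped under C:\Windows with its real name, swchost.exe and spoolsw.exe are
# one-character lookalikes of svchost.exe and spoolsv.exe (assumed list).
EXPECTED_DIRS = {
    "userinit.exe": ("\\system32", "\\syswow64"),
    "svchost.exe": ("\\system32", "\\syswow64"),
    "spoolsv.exe": ("\\system32", "\\syswow64"),
    "explorer.exe": ("\\windows",),
}
# Active Setup component ids are GUIDs (hex only); the ids on this page contain
# letters such as Y, O, T, R, W, V, M and Q and cannot match.
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character lookalike file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def masquerade(path: str):
    """Why an executable path looks like a system-binary impostor, or None."""
    p = path.lower().replace("/", "\\")
    if p.startswith("\\??\\"):  # NT object-manager prefix, as in the report
        p = p[4:]
    directory, _, name = p.rpartition("\\")
    for real, dirs in EXPECTED_DIRS.items():
        dist = levenshtein(name, real)
        if dist == 0 and not directory.endswith(dirs):
            return f"{name} outside its expected directory ({directory})"
        if dist == 1:
            return f"{name} is a one-character lookalike of {real}"
    return None

def check_registry(key: str, value, data) -> list:
    """Rules for the four registry-based signatures on this page."""
    k = key.lower()
    tail = k.rsplit("\\", 1)[-1]
    v, d, out = (value or "").lower(), str(data), []
    if tail == "winlogon" and v == "shell":
        # The default Shell is explorer.exe alone; anything chained after it runs at logon.
        extra = [e.strip() for e in d.split(",")
                 if e.strip().lower().rsplit("\\", 1)[-1] != "explorer.exe"]
        if extra:
            out.append(f"Winlogon Shell chains extra program(s): {extra}")
    if "\\active setup\\installed components\\" in k:
        if not GUID_RE.match(tail):
            out.append(f"Active Setup component id is not a valid GUID: {tail}")
        if v == "stubpath" and "\\appdata\\" in d.lower():
            out.append(f"Active Setup StubPath runs from a user profile: {d}")
    if tail in ("run", "runonce") and v:
        # Executable part of the command line: quoted path, or up to the first space.
        exe = d[1:].split('"', 1)[0] if d.startswith('"') else d.split(" ", 1)[0]
        why = masquerade(exe)
        if why:
            out.append(f"{tail} entry {value!r}: {why}")
    if tail == "advanced" and v == "showsuperhidden" and d == "0":
        out.append("ShowSuperHidden=0 hides hidden+system files in Explorer")
    return out

def scan(events) -> list:
    """Return (process, finding) pairs for every rule hit."""
    findings = []
    for e in events:
        if e["type"] == "reg_set":
            for why in check_registry(e["key"], e.get("value"), e.get("data")):
                findings.append((e["image"], why))
        elif e["type"] == "file_write" and (why := masquerade(e["path"])):
            findings.append((e["image"], "dropped " + why))
    return findings

HKLM = "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft"
HKU = "HKU\\S-1-5-21-4124900551-4068476067-3491212533-1000\\SOFTWARE\\Microsoft"
EVENTS = [  # constructed to mirror the IoCs above; not a sandbox export
    {"type": "reg_set", "image": "userinit.exe", "key": HKLM + "\\Windows NT\\CurrentVersion\\Winlogon",
     "value": "shell", "data": "C:\\Windows\\explorer.exe, c:\\windows\\userinit.exe"},
    {"type": "reg_set", "image": "userinit.exe", "value": "StubPath",
     "key": HKLM + "\\Active Setup\\Installed Components\\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}",
     "data": "C:\\Users\\Admin\\AppData\\Local\\mrsys.exe MR"},
    {"type": "reg_set", "image": "swchost.exe", "key": HKLM + "\\Windows\\CurrentVersion\\RunOnce",
     "value": "Swchost", "data": "c:\\windows\\swchost.exe RO"},
    {"type": "reg_set", "image": "userinit.exe", "key": HKU + "\\Windows\\CurrentVersion\\Explorer\\Advanced",
     "value": "ShowSuperHidden", "data": "0"},
    {"type": "file_write", "image": "userinit.exe", "path": "\\??\\c:\\windows\\spoolsw.exe"},
    {"type": "file_write", "image": "9a988c6d6e79862014355cfd15de3880_NeikiAnalytics.exe",
     "path": "\\??\\c:\\windows\\userinit.exe"},
    # benign decoys: a vendor updater in RunOnce and userinit.exe in its real location
    {"type": "reg_set", "image": "msiexec.exe", "key": HKLM + "\\Windows\\CurrentVersion\\RunOnce",
     "value": "VendorUpdate", "data": "\"C:\\Program Files\\Vendor\\updater.exe\" /quiet"},
    {"type": "file_write", "image": "TrustedInstaller.exe", "path": "C:\\Windows\\System32\\userinit.exe"},
]

if __name__ == "__main__":
    for image, why in scan(EVENTS):
        print(f"{image}: {why}")
```

Running the file prints seven hits on the constructed events and nothing for the two decoys. On a live host the same rules apply to Sysmon Event ID 13 (registry value set) and Event ID 11 (file create) once their fields are mapped into the dict shape used here; the malformed-GUID check is the cheapest of the rules and needs no allow-list at all.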
Processes
- C:\Users\Admin\AppData\Local\Temp\9a988c6d6e79862014355cfd15de3880_NeikiAnalytics.exe (PID 4176)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9a988c6d6e79862014355cfd15de3880_NeikiAnalytics.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - \??\c:\windows\userinit.exe (PID 1284)
    Command line: c:\windows\userinit.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - \??\c:\windows\spoolsw.exe (PID 1252)
      Command line: c:\windows\spoolsw.exe SE
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - \??\c:\windows\swchost.exe (PID 3192)
        Command line: c:\windows\swchost.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - \??\c:\windows\spoolsw.exe (PID 2152)
          Command line: c:\windows\spoolsw.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Downloads
- Filesize: 211KB
  MD5: a6ad05ed3ffd6b902158e9f269d3f430
  SHA1: ee5adc2c4294cc68c98cc0a42746c0e42c3f1462
  SHA256: 898960067df5fd6e1e3bb0d6fd06d29cdd465f35af0644f703e68d7e611c249a
  SHA512: 2ad5186bdcd3db0a370699527685a8587c8fe4a04b43f5c7674e2a271d7be673a499828c908d68ff1020365a0059b043ccf65faca2f411c0c6f1fc6ed76225f1
- Filesize: 211KB
  MD5: 2f41b572e3166aad48c0b91074f410a7
  SHA1: 5e11eaab54a748f99541b365d0ab5f65e18f7887
  SHA256: bd1926b39c7367aabe24c28b8ac099d0178379039780860420accc5e1b5e3c8c
  SHA512: 9cbfa316906d307fbcba8d44a32d148170b715562ffda2cbfcf6a8f1684f2837a48dde8cfebe0c74cda32924a33434a7c4212ef7742895df4d5242aa8b30d96a
- Filesize: 211KB
  MD5: f67c3f86f2fb434cbd8ca3b68272ad3a
  SHA1: 365dab3078a745635be575733f5b7b9ef283c363
  SHA256: a7be9529df1d70eecdd0bbab2a95ad3c81ae8b23afaed7e34c12c4bd30e30b6f
  SHA512: 8e1c318fa71bfd8d5c0996c62bf9d5718958b1c3e270698bbcc7d700aca2d2a3e64af3131fb07bd2d31ad0903bea554a87b2565d054b0377fc1aa156c39f6fa8
- Filesize: 211KB
  MD5: a71616c6cd99d17a35242f5e539f7039
  SHA1: 5f116a5d50c0886b66f92c1f2264c6aa67a97ce4
  SHA256: 3acd48033b9414fa3e0b9b56b58f468ba16808134e5b846b33a52b8a389d3764
  SHA512: dfe2177d4976ddaf6806c77206150652db2e667aeaadf7150a553db2d945c910a9e9ef8483fcd200ad01824eb5c11402a3631efe3fcabc81da568e1e0885587b
Note: all four dropped files have the sample's size (211KB) but none shares its hashes, so blocking on the submitted file's MD5/SHA256 alone would miss the on-disk copies; fuzzy-hash comparison against the SSDEEP value above, and the file-name and registry indicators listed under Signatures, are the more durable pivots.