Analysis

  • max time kernel
    150s
  • max time network
    51s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
  • submitted
    14-06-2024 02:17

General

  • Target

    9a988c6d6e79862014355cfd15de3880_NeikiAnalytics.exe

  • Size

    211KB

  • MD5

    9a988c6d6e79862014355cfd15de3880

  • SHA1

    35c096be0fec01146e8322bf0e4b11b56f45e022

  • SHA256

    9162b42d29acba7304b15c72248286e2fab156fc71787d4dad94df98f56894d1

  • SHA512

    99857d9335ac45ca6c9bf179cb61f974da0403d41e715040c753774d53626c6bc61c05cfd39c10a30ec1d6866b9a1fa994460abf466b4a1e955c85a6805eec39

  • SSDEEP

    3072:JD6Xtx68yygRBE52mxkEOHLRMpZ4deth8PEAjAfIbAYGPhz6sPJBInxZqOH:Jh8cBzHLRMpZ4d1ZH

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9a988c6d6e79862014355cfd15de3880_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\9a988c6d6e79862014355cfd15de3880_NeikiAnalytics.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4176
    • \??\c:\windows\userinit.exe
      c:\windows\userinit.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1284
      • \??\c:\windows\spoolsw.exe
        c:\windows\spoolsw.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1252
        • \??\c:\windows\swchost.exe
          c:\windows\swchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3192
          • \??\c:\windows\spoolsw.exe
            c:\windows\spoolsw.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2152

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\mrsys.exe

    Filesize

    211KB

    MD5

    a6ad05ed3ffd6b902158e9f269d3f430

    SHA1

    ee5adc2c4294cc68c98cc0a42746c0e42c3f1462

    SHA256

    898960067df5fd6e1e3bb0d6fd06d29cdd465f35af0644f703e68d7e611c249a

    SHA512

    2ad5186bdcd3db0a370699527685a8587c8fe4a04b43f5c7674e2a271d7be673a499828c908d68ff1020365a0059b043ccf65faca2f411c0c6f1fc6ed76225f1

  • C:\Windows\spoolsw.exe

    Filesize

    211KB

    MD5

    2f41b572e3166aad48c0b91074f410a7

    SHA1

    5e11eaab54a748f99541b365d0ab5f65e18f7887

    SHA256

    bd1926b39c7367aabe24c28b8ac099d0178379039780860420accc5e1b5e3c8c

    SHA512

    9cbfa316906d307fbcba8d44a32d148170b715562ffda2cbfcf6a8f1684f2837a48dde8cfebe0c74cda32924a33434a7c4212ef7742895df4d5242aa8b30d96a

  • C:\Windows\swchost.exe

    Filesize

    211KB

    MD5

    f67c3f86f2fb434cbd8ca3b68272ad3a

    SHA1

    365dab3078a745635be575733f5b7b9ef283c363

    SHA256

    a7be9529df1d70eecdd0bbab2a95ad3c81ae8b23afaed7e34c12c4bd30e30b6f

    SHA512

    8e1c318fa71bfd8d5c0996c62bf9d5718958b1c3e270698bbcc7d700aca2d2a3e64af3131fb07bd2d31ad0903bea554a87b2565d054b0377fc1aa156c39f6fa8

  • C:\Windows\userinit.exe

    Filesize

    211KB

    MD5

    a71616c6cd99d17a35242f5e539f7039

    SHA1

    5f116a5d50c0886b66f92c1f2264c6aa67a97ce4

    SHA256

    3acd48033b9414fa3e0b9b56b58f468ba16808134e5b846b33a52b8a389d3764

    SHA512

    dfe2177d4976ddaf6806c77206150652db2e667aeaadf7150a553db2d945c910a9e9ef8483fcd200ad01824eb5c11402a3631efe3fcabc81da568e1e0885587b
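The signatures, process chain and dropped files above, turned into a host-triage script. This is an added example, not output of the sandbox and not code from the sample: the file paths and SHA256 values are copied from this report, while the registry locations it checks (Winlogon Userinit/Shell, the Run keys, Active Setup Installed Components, and Explorer's hidden-file settings) are assumptions about what the report's signature names correspond to, because the report does not print the values it observed. The mrsys.exe path is generalised from the sandbox's Admin profile to every profile under C:\Users.

```powershell
# Added host-triage script; not part of the sandbox report and not code from
# the sample. Paths and SHA256 values are copied from the report. The registry
# locations are assumptions about what the report's "Modifies WinLogon",
# "Installed Components", Run-key and hidden-files signatures refer to, since
# the report does not print the values it observed. Run from an elevated
# PowerShell prompt (5.1 or later) on the host being checked.

$Findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped files. Hash matches and name-only hits are reported separately:
#    a rebuilt sample keeps the paths but changes the hashes, and userinit.exe
#    has no business existing in the Windows root (the real one is in System32).
$KnownHashes = @{
    '3acd48033b9414fa3e0b9b56b58f468ba16808134e5b846b33a52b8a389d3764' = 'C:\Windows\userinit.exe'
    'bd1926b39c7367aabe24c28b8ac099d0178379039780860420accc5e1b5e3c8c' = 'C:\Windows\spoolsw.exe'
    'a7be9529df1d70eecdd0bbab2a95ad3c81ae8b23afaed7e34c12c4bd30e30b6f' = 'C:\Windows\swchost.exe'
    '898960067df5fd6e1e3bb0d6fd06d29cdd465f35af0644f703e68d7e611c249a' = '<profile>\AppData\Local\mrsys.exe'
}
$Candidates = @("$env:SystemRoot\userinit.exe", "$env:SystemRoot\spoolsw.exe", "$env:SystemRoot\swchost.exe")
# The report shows mrsys.exe under the sandbox's Admin profile; sweep every profile.
$Candidates += @(Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Local\mrsys.exe' })

foreach ($Path in $Candidates) {
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { continue }
    $Sha = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    if ($KnownHashes.ContainsKey($Sha)) {
        $Findings.Add("FILE exact match for report artifact: $Path sha256=$Sha")
    } else {
        $Findings.Add("FILE artifact path present, hash differs from report: $Path sha256=$Sha")
    }
}

# 2. Winlogon. Assumption: the sample points Userinit and/or Shell at its own
#    C:\Windows\userinit.exe so it runs at every logon. The expected values are
#    the stock Windows 10 ones; -ne on strings is case-insensitive in PowerShell.
$Winlogon = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ExpectedUserinit = "$env:SystemRoot\system32\userinit.exe,"
if ($Winlogon.Userinit -ne $ExpectedUserinit) {
    $Findings.Add("REG  Winlogon\Userinit = '$($Winlogon.Userinit)' (stock value '$ExpectedUserinit')")
}
if ($Winlogon.Shell -ne 'explorer.exe') {
    $Findings.Add("REG  Winlogon\Shell = '$($Winlogon.Shell)' (stock value 'explorer.exe')")
}

# 3. Run keys and Active Setup "Installed Components". The value names the
#    sample writes are not in the report, so match any value whose data points
#    at one of the dropped executables; System32\userinit.exe does not match.
$ArtifactPattern = '(?i)\\windows\\(userinit|spoolsw|swchost)\.exe|\\mrsys\.exe'
$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\*',
    'HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components\*'
)
foreach ($Key in $AutostartKeys) {
    Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue | ForEach-Object {
        $Entry = $_
        foreach ($Prop in $Entry.PSObject.Properties) {
            if ($Prop.Name -notmatch '^PS' -and "$($Prop.Value)" -match $ArtifactPattern) {
                $Findings.Add("REG  $($Entry.PSPath -replace '^.*::','') : $($Prop.Name) = $($Prop.Value)")
            }
        }
    }
}

# 4. Explorer hidden-file settings. Assumption: the signature refers to
#    Explorer\Advanced Hidden / ShowSuperHidden. Hidden=2 and ShowSuperHidden=0
#    are also Windows defaults, so they are listed for the analyst rather than
#    flagged. CheckedValue=0 under SHOWALL, which stops the user re-enabling
#    hidden files in Folder Options, is never a default and is flagged.
$Adv = Get-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
$Findings.Add("INFO Explorer Hidden=$($Adv.Hidden) ShowSuperHidden=$($Adv.ShowSuperHidden) (current user)")
$ShowAll = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL' -ErrorAction SilentlyContinue
if ($ShowAll -and $ShowAll.CheckedValue -ne 1) {
    $Findings.Add("REG  SHOWALL\CheckedValue = $($ShowAll.CheckedValue) (stock value 1)")
}

# 5. Live processes: the report's whole chain executes from C:\Windows\, not
#    System32, and spoolsw.exe is launched with bare arguments such as "SE"/"PR".
Get-CimInstance -ClassName Win32_Process |
    Where-Object { $_.ExecutablePath -match '(?i)^[a-z]:\\windows\\(userinit|spoolsw|swchost)\.exe$' } |
    ForEach-Object { $Findings.Add("PROC pid=$($_.ProcessId) $($_.ExecutablePath) cmd=$($_.CommandLine)") }

$Hits = @($Findings | Where-Object { $_ -notlike 'INFO*' })
$Findings
"$($Hits.Count) indicator(s) from this report found."
```

Name-only hits deserve the same attention as hash hits. The report lists four 211KB drops with four different hashes, so a hash list alone will not carry as a detection; the fixed locations in the Windows root, the non-System32 userinit.exe and the Winlogon tampering are the durable indicators.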