7c7d15743143eeabf16fe8c34b2fc368ed5f48cb9bf0ef455876d78c862869e6

Analysis

max time kernel
150s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 23:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62e26a49937c7a6717961656a54477c0_NEIKI.exe
Size

2.6MB
MD5

62e26a49937c7a6717961656a54477c0
SHA1

10aacec56172ab5814ae036958d65b23f0447591
SHA256

7c7d15743143eeabf16fe8c34b2fc368ed5f48cb9bf0ef455876d78c862869e6
SHA512

bedb187c6cb122bad355ed7a3e95e0db0d1cc4a1221bc5257439d6b22ab7a65aa9f2046bb8cc22fe0b63a6063a61459854adee75c30f62b3fb873bdcdf247977
SSDEEP

49152:lS5IvAG44oOCdcSzNIJG70V6Do4yV/5mc5aNZJ350zg5bEJ60IZGnpw/Y0:lS5G4DOT5JGIVzh/5aZX0zgd0IZGpwx

Score

10^/10

evasion persistence themida trojan

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	62e26a49937c7a6717961656a54477c0_NEIKI.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	62e26a49937c7a6717961656a54477c0_NEIKI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	62e26a49937c7a6717961656a54477c0_NEIKI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
8	explorer.exe
1604	spoolsv.exe
536	svchost.exe
3156	spoolsv.exe

Themida packer 14 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/652-0-0x0000000000400000-0x0000000000A13000-memory.dmp	themida
behavioral2/files/0x000b000000023b8d-8.dat	themida
behavioral2/memory/8-10-0x0000000000400000-0x0000000000A13000-memory.dmp	themida
behavioral2/files/0x000b000000023b8f-15.dat	themida
behavioral2/memory/1604-18-0x0000000000400000-0x0000000000A13000-memory.dmp	themida
behavioral2/files/0x000b000000023b91-25.dat	themida
behavioral2/memory/536-28-0x0000000000400000-0x0000000000A13000-memory.dmp	themida
behavioral2/memory/3156-37-0x0000000000400000-0x0000000000A13000-memory.dmp	themida
behavioral2/memory/1604-38-0x0000000000400000-0x0000000000A13000-memory.dmp	themida
behavioral2/memory/652-40-0x0000000000400000-0x0000000000A13000-memory.dmp	themida
behavioral2/memory/8-42-0x0000000000400000-0x0000000000A13000-memory.dmp	themida
behavioral2/memory/536-43-0x0000000000400000-0x0000000000A13000-memory.dmp	themida
behavioral2/memory/536-49-0x0000000000400000-0x0000000000A13000-memory.dmp	themida
behavioral2/memory/8-54-0x0000000000400000-0x0000000000A13000-memory.dmp	themida

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	62e26a49937c7a6717961656a54477c0_NEIKI.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
652	62e26a49937c7a6717961656a54477c0_NEIKI.exe
8	explorer.exe
1604	spoolsv.exe
536	svchost.exe
3156	spoolsv.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	62e26a49937c7a6717961656a54477c0_NEIKI.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
652	62e26a49937c7a6717961656a54477c0_NEIKI.exe
652	62e26a49937c7a6717961656a54477c0_NEIKI.exe
652	62e26a49937c7a6717961656a54477c0_NEIKI.exe
652	62e26a49937c7a6717961656a54477c0_NEIKI.exe
652	62e26a49937c7a6717961656a54477c0_NEIKI.exe
652	62e26a49937c7a6717961656a54477c0_NEIKI.exe
652	62e26a49937c7a6717961656a54477c0_NEIKI.exe
652	62e26a49937c7a6717961656a54477c0_NEIKI.exe
652	62e26a49937c7a6717961656a54477c0_NEIKI.exe
652	62e26a49937c7a6717961656a54477c0_NEIKI.exe
652	62e26a49937c7a6717961656a54477c0_NEIKI.exe
652	62e26a49937c7a6717961656a54477c0_NEIKI.exe
652	62e26a49937c7a6717961656a54477c0_NEIKI.exe
652	62e26a49937c7a6717961656a54477c0_NEIKI.exe
652	62e26a49937c7a6717961656a54477c0_NEIKI.exe
652	62e26a49937c7a6717961656a54477c0_NEIKI.exe
652	62e26a49937c7a6717961656a54477c0_NEIKI.exe
652	62e26a49937c7a6717961656a54477c0_NEIKI.exe
652	62e26a49937c7a6717961656a54477c0_NEIKI.exe
652	62e26a49937c7a6717961656a54477c0_NEIKI.exe
652	62e26a49937c7a6717961656a54477c0_NEIKI.exe
652	62e26a49937c7a6717961656a54477c0_NEIKI.exe
652	62e26a49937c7a6717961656a54477c0_NEIKI.exe
652	62e26a49937c7a6717961656a54477c0_NEIKI.exe
652	62e26a49937c7a6717961656a54477c0_NEIKI.exe
652	62e26a49937c7a6717961656a54477c0_NEIKI.exe
652	62e26a49937c7a6717961656a54477c0_NEIKI.exe
652	62e26a49937c7a6717961656a54477c0_NEIKI.exe
652	62e26a49937c7a6717961656a54477c0_NEIKI.exe
652	62e26a49937c7a6717961656a54477c0_NEIKI.exe
652	62e26a49937c7a6717961656a54477c0_NEIKI.exe
652	62e26a49937c7a6717961656a54477c0_NEIKI.exe
652	62e26a49937c7a6717961656a54477c0_NEIKI.exe
652	62e26a49937c7a6717961656a54477c0_NEIKI.exe
8	explorer.exe
8	explorer.exe
8	explorer.exe
8	explorer.exe
8	explorer.exe
8	explorer.exe
8	explorer.exe
8	explorer.exe
8	explorer.exe
8	explorer.exe
8	explorer.exe
8	explorer.exe
8	explorer.exe
8	explorer.exe
8	explorer.exe
8	explorer.exe
8	explorer.exe
8	explorer.exe
8	explorer.exe
8	explorer.exe
8	explorer.exe
8	explorer.exe
8	explorer.exe
8	explorer.exe
8	explorer.exe
8	explorer.exe
8	explorer.exe
8	explorer.exe
8	explorer.exe
8	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
8	explorer.exe
536	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
652	62e26a49937c7a6717961656a54477c0_NEIKI.exe
652	62e26a49937c7a6717961656a54477c0_NEIKI.exe
8	explorer.exe
8	explorer.exe
1604	spoolsv.exe
1604	spoolsv.exe
536	svchost.exe
536	svchost.exe
3156	spoolsv.exe
3156	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 652 wrote to memory of 8	652	62e26a49937c7a6717961656a54477c0_NEIKI.exe	85
PID 652 wrote to memory of 8	652	62e26a49937c7a6717961656a54477c0_NEIKI.exe	85
PID 652 wrote to memory of 8	652	62e26a49937c7a6717961656a54477c0_NEIKI.exe	85
PID 8 wrote to memory of 1604	8	explorer.exe	87
PID 8 wrote to memory of 1604	8	explorer.exe	87
PID 8 wrote to memory of 1604	8	explorer.exe	87
PID 1604 wrote to memory of 536	1604	spoolsv.exe	88
PID 1604 wrote to memory of 536	1604	spoolsv.exe	88
PID 1604 wrote to memory of 536	1604	spoolsv.exe	88
PID 536 wrote to memory of 3156	536	svchost.exe	90
PID 536 wrote to memory of 3156	536	svchost.exe	90
PID 536 wrote to memory of 3156	536	svchost.exe	90

C:\Users\Admin\AppData\Local\Temp\62e26a49937c7a6717961656a54477c0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\62e26a49937c7a6717961656a54477c0_NEIKI.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:652
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:8
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1604
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:536
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:3156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
2.6MB

MD5
d745e76f272f5ccd8d30542fc15bccdf

SHA1
baef4f9fe6083f3dcb3cbea45edf52090140b81e

SHA256
48035019ae83adca47602dda0ec43137e1874f0059c5e5490bf061bf788971cb

SHA512
6f36a88e18fbb64b45e7d396e69aec18cd875dd01b4b768f53e75075c2103d343dd15da1eec5b7f0a7a0d6785ad2f91189f5c6fdb1cf5d50155e7bd36f792a4f

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
2.6MB

MD5
c25339619f831b359d1159336df6db69

SHA1
fcd245fe8edc3a0cbfcb2466ae234aea3626281e

SHA256
dae3e20b352d9b7506f5ba41335b6e21caccf435f11e6c56575699a297c7105b

SHA512
724edb4a50334369c7a21e1a10236871354ac00f9a93a156d6984087af497c286d604f7178f32ebc844568acfff837794f5021ebe424e4eb0308fc256d7b53ce

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
2.6MB

MD5
a334bcb08548803625a25f174b94b0d8

SHA1
4f9c3103e6e5f2524de74cc39e3d4d118a3a92d6

SHA256
43ac8a7f410a90207f809d5a189391ba6894ec441704a30ab67499ff4bc392a7

SHA512
70916600fd41593d5651578509a48f3bd5c58017d6b0cebe15b396529f69f95b84537427a0eca39af6c169ec4760d87ab6e1a667aea76331aaa3d804abae93f2

Download Submit
memory/8-10-0x0000000000400000-0x0000000000A13000-memory.dmp

Filesize
6.1MB

Download
memory/8-42-0x0000000000400000-0x0000000000A13000-memory.dmp

Filesize
6.1MB

Download
memory/8-54-0x0000000000400000-0x0000000000A13000-memory.dmp

Filesize
6.1MB

Download
memory/536-28-0x0000000000400000-0x0000000000A13000-memory.dmp

Filesize
6.1MB

Download
memory/536-43-0x0000000000400000-0x0000000000A13000-memory.dmp

Filesize
6.1MB

Download
memory/536-49-0x0000000000400000-0x0000000000A13000-memory.dmp

Filesize
6.1MB

Download
memory/652-0-0x0000000000400000-0x0000000000A13000-memory.dmp

Filesize
6.1MB

Download
memory/652-1-0x0000000076EF4000-0x0000000076EF6000-memory.dmp

Filesize
8KB

Download
memory/652-40-0x0000000000400000-0x0000000000A13000-memory.dmp

Filesize
6.1MB

Download
memory/1604-18-0x0000000000400000-0x0000000000A13000-memory.dmp

Filesize
6.1MB

Download
memory/1604-38-0x0000000000400000-0x0000000000A13000-memory.dmp

Filesize
6.1MB

Download
memory/3156-37-0x0000000000400000-0x0000000000A13000-memory.dmp

Filesize
6.1MB

Download