Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-05-2024 10:32
Static task: static1
General
Target: c751a92f994f48bd649ba49dd93d5930_NeikiAnalytics.exe
Size: 1.8MB
MD5: c751a92f994f48bd649ba49dd93d5930
SHA1: 44b7e2fa7f120f130e57620ae0c44399574d7272
SHA256: e21b8e3512ade3cd3cc8fdd64f0a8c611511b1d1bdde9da2f0bc54f0f1aa338b
SHA512: dba3e7c36d5a29ac4d2cc3401f31e6e0a7787608ce83d3826b0837c99502d7a830bce552bc2936a648983e0e01aa7264afaa4e7aa17cd879cc574787880b5243
SSDEEP: 49152:c4AVlITwNJekqw0YqJ5tdrhEpFDZkJP19lH40+MO:9AlgNkqw0YqJ5vGvNiPFHr8
Malware Config
Extracted
Family: amadey
Version: 4.20
C2: http://5.42.96.141
C2: http://5.42.96.7
install_dir: 908f070dff
install_file: explorku.exe
strings_key: b25a9385246248a95c600f9a061438e1
url_paths: /go34ko8/index.php
Extracted
Family: risepro
C2: 147.45.47.126:58709
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs
Processes:
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (explorku.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (axplons.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (ab729071bc.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (axplons.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (explorku.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (axplons.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (c751a92f994f48bd649ba49dd93d5930_NeikiAnalytics.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (axplons.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (explorku.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (explorku.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (amers.exe)
Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 22 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorku.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (axplons.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (c751a92f994f48bd649ba49dd93d5930_NeikiAnalytics.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (amers.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (explorku.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (axplons.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (c751a92f994f48bd649ba49dd93d5930_NeikiAnalytics.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (amers.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (ab729071bc.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorku.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (axplons.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (axplons.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (explorku.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (explorku.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (axplons.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (axplons.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (ab729071bc.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (axplons.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (explorku.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorku.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorku.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (axplons.exe)
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation (amers.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation (c751a92f994f48bd649ba49dd93d5930_NeikiAnalytics.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation (explorku.exe)
Executes dropped EXE 10 IoCs
Processes (pid process):
- 3500 explorku.exe
- 3096 amers.exe
- 4480 axplons.exe
- 692 explorku.exe
- 5012 axplons.exe
- 3416 ab729071bc.exe
- 3084 axplons.exe
- 920 explorku.exe
- 3924 explorku.exe
- 4252 axplons.exe
Identifies Wine through registry keys 2 TTPs 10 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
- Key opened \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine (c751a92f994f48bd649ba49dd93d5930_NeikiAnalytics.exe)
- Key opened \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine (explorku.exe)
- Key opened \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine (axplons.exe)
- Key opened \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine (axplons.exe)
- Key opened \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine (explorku.exe)
- Key opened \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine (explorku.exe)
- Key opened \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine (axplons.exe)
- Key opened \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine (amers.exe)
- Key opened \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine (explorku.exe)
- Key opened \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine (axplons.exe)
Processes (resource yara_rule):
- C:\Users\Admin\1000006002\ab729071bc.exe themida
- behavioral2/memory/3416-77-0x0000000000C80000-0x00000000012F6000-memory.dmp themida
- behavioral2/memory/3416-78-0x0000000000C80000-0x00000000012F6000-memory.dmp themida
- behavioral2/memory/3416-80-0x0000000000C80000-0x00000000012F6000-memory.dmp themida
- behavioral2/memory/3416-79-0x0000000000C80000-0x00000000012F6000-memory.dmp themida
- behavioral2/memory/3416-81-0x0000000000C80000-0x00000000012F6000-memory.dmp themida
- behavioral2/memory/3416-82-0x0000000000C80000-0x00000000012F6000-memory.dmp themida
- behavioral2/memory/3416-84-0x0000000000C80000-0x00000000012F6000-memory.dmp themida
- behavioral2/memory/3416-85-0x0000000000C80000-0x00000000012F6000-memory.dmp themida
- behavioral2/memory/3416-83-0x0000000000C80000-0x00000000012F6000-memory.dmp themida
- behavioral2/memory/3416-93-0x0000000000C80000-0x00000000012F6000-memory.dmp themida
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ab729071bc.exe = "C:\\Users\\Admin\\1000006002\\ab729071bc.exe" (explorku.exe)
Checks whether UAC is enabled 1 IoCs
Processes:
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (ab729071bc.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
Processes (pid process):
- 4360 c751a92f994f48bd649ba49dd93d5930_NeikiAnalytics.exe
- 3500 explorku.exe
- 3096 amers.exe
- 4480 axplons.exe
- 692 explorku.exe
- 5012 axplons.exe
- 3084 axplons.exe
- 920 explorku.exe
- 4252 axplons.exe
- 3924 explorku.exe
Drops file in Windows directory 2 IoCs
Processes:
- File created C:\Windows\Tasks\explorku.job (c751a92f994f48bd649ba49dd93d5930_NeikiAnalytics.exe)
- File created C:\Windows\Tasks\axplons.job (amers.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes (pid process):
- 4360 c751a92f994f48bd649ba49dd93d5930_NeikiAnalytics.exe
- 4360 c751a92f994f48bd649ba49dd93d5930_NeikiAnalytics.exe
- 3500 explorku.exe
- 3500 explorku.exe
- 3096 amers.exe
- 3096 amers.exe
- 4480 axplons.exe
- 4480 axplons.exe
- 692 explorku.exe
- 692 explorku.exe
- 5012 axplons.exe
- 5012 axplons.exe
- 3084 axplons.exe
- 3084 axplons.exe
- 920 explorku.exe
- 920 explorku.exe
- 3924 explorku.exe
- 3924 explorku.exe
- 4252 axplons.exe
- 4252 axplons.exe
Suspicious use of WriteProcessMemory 15 IoCs
Processes (description, pid, process -> target process):
- PID 4360 wrote to memory of 3500: c751a92f994f48bd649ba49dd93d5930_NeikiAnalytics.exe -> explorku.exe
- PID 4360 wrote to memory of 3500: c751a92f994f48bd649ba49dd93d5930_NeikiAnalytics.exe -> explorku.exe
- PID 4360 wrote to memory of 3500: c751a92f994f48bd649ba49dd93d5930_NeikiAnalytics.exe -> explorku.exe
- PID 3500 wrote to memory of 4872: explorku.exe -> explorku.exe
- PID 3500 wrote to memory of 4872: explorku.exe -> explorku.exe
- PID 3500 wrote to memory of 4872: explorku.exe -> explorku.exe
- PID 3500 wrote to memory of 3096: explorku.exe -> amers.exe
- PID 3500 wrote to memory of 3096: explorku.exe -> amers.exe
- PID 3500 wrote to memory of 3096: explorku.exe -> amers.exe
- PID 3096 wrote to memory of 4480: amers.exe -> axplons.exe
- PID 3096 wrote to memory of 4480: amers.exe -> axplons.exe
- PID 3096 wrote to memory of 4480: amers.exe -> axplons.exe
- PID 3500 wrote to memory of 3416: explorku.exe -> ab729071bc.exe
- PID 3500 wrote to memory of 3416: explorku.exe -> ab729071bc.exe
- PID 3500 wrote to memory of 3416: explorku.exe -> ab729071bc.exe
Processes
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\c751a92f994f48bd649ba49dd93d5930_NeikiAnalytics.exe, command line "C:\Users\Admin\AppData\Local\Temp\c751a92f994f48bd649ba49dd93d5930_NeikiAnalytics.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4360
Process (depth 2): C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe, command line "C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3500
Process (depth 3): C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe, command line "C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
PID:4872
Process (depth 3): C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe, command line "C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3096
Process (depth 4): C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe, command line "C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4480
Process (depth 3): C:\Users\Admin\1000006002\ab729071bc.exe, command line "C:\Users\Admin\1000006002\ab729071bc.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:3416
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe, command line C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5012
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe, command line C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:692
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe, command line C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:920
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe, command line C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3084
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe, command line C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3924
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe, command line C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4252
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.1MB
MD5: 29ae760d21e9a54c50daaf021b7e2ffc
SHA1: 1114b6e97e0da531fd763aaf46146908f8a067a9
SHA256: 8a77b3b86e0da5f55e682ea9871014ec07ee7813a88a26f74dd0747675959d55
SHA512: f5ac0e28451d9b81eb7b891d4e9555104d418b8f68cddf82fa210e6a642339a6e6f1c795257c219dd01d225420c37962813931a27d3049e4fea2430867f9ca50

Filesize: 1.8MB
MD5: 76b3df90091f71476b4f7dbbe57aabad
SHA1: b8d504ed9a2bc2b88a7561df8359977054c2432f
SHA256: 9b0acd138f37415b01b9c5bba267c2fbe893fff81d109f886a1cf4edb8443220
SHA512: dd6071855345d17df57cafb75dd54363fc5da4f84e0a71920db3eb10c4dcc1a484d8dcfe1541f127afefd3167dfa22e078dfbb4f07cb4989338eb0ac2c8ee5d8

Filesize: 1.8MB
MD5: c751a92f994f48bd649ba49dd93d5930
SHA1: 44b7e2fa7f120f130e57620ae0c44399574d7272
SHA256: e21b8e3512ade3cd3cc8fdd64f0a8c611511b1d1bdde9da2f0bc54f0f1aa338b
SHA512: dba3e7c36d5a29ac4d2cc3401f31e6e0a7787608ce83d3826b0837c99502d7a830bce552bc2936a648983e0e01aa7264afaa4e7aa17cd879cc574787880b5243