amadey | 31b3f063f2e15008198227ea53faf480daefb6b3615bde6d028ddc0ea66fdb88

Virtualization/Sandbox Evasion

Processes:

69030ed4bd.exe31b3f063f2e15008198227ea53faf480daefb6b3615bde6d028ddc0ea66fdb88_NeikiAnalytics.exeexplorku.exeamers.exeaxplons.exead24307970.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	69030ed4bd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	31b3f063f2e15008198227ea53faf480daefb6b3615bde6d028ddc0ea66fdb88_NeikiAnalytics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorku.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amers.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ad24307970.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

axplons.exe69030ed4bd.exead24307970.exeexplorku.exeamers.exe31b3f063f2e15008198227ea53faf480daefb6b3615bde6d028ddc0ea66fdb88_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	69030ed4bd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	69030ed4bd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ad24307970.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ad24307970.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amers.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amers.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	31b3f063f2e15008198227ea53faf480daefb6b3615bde6d028ddc0ea66fdb88_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	31b3f063f2e15008198227ea53faf480daefb6b3615bde6d028ddc0ea66fdb88_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorku.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

31b3f063f2e15008198227ea53faf480daefb6b3615bde6d028ddc0ea66fdb88_NeikiAnalytics.exeexplorku.exeamers.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	31b3f063f2e15008198227ea53faf480daefb6b3615bde6d028ddc0ea66fdb88_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	explorku.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	amers.exe

Executes dropped EXE 5 IoCs

Processes:

explorku.exeamers.exeaxplons.exead24307970.exe69030ed4bd.exe

pid process

4892 explorku.exe
5084 amers.exe
3644 axplons.exe
4944 ad24307970.exe
760 69030ed4bd.exe

pid	process
4892	explorku.exe
5084	amers.exe
3644	axplons.exe
4944	ad24307970.exe
760	69030ed4bd.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

amers.exeaxplons.exe69030ed4bd.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Wine	amers.exe
Key opened	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Wine	69030ed4bd.exe

Themida packer 33 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/2916-1-0x0000000000230000-0x0000000000772000-memory.dmp	themida
behavioral2/memory/2916-0-0x0000000000230000-0x0000000000772000-memory.dmp	themida
behavioral2/memory/2916-3-0x0000000000230000-0x0000000000772000-memory.dmp	themida
behavioral2/memory/2916-5-0x0000000000230000-0x0000000000772000-memory.dmp	themida
behavioral2/memory/2916-4-0x0000000000230000-0x0000000000772000-memory.dmp	themida
behavioral2/memory/2916-2-0x0000000000230000-0x0000000000772000-memory.dmp	themida
behavioral2/memory/2916-6-0x0000000000230000-0x0000000000772000-memory.dmp	themida
behavioral2/memory/2916-7-0x0000000000230000-0x0000000000772000-memory.dmp	themida
behavioral2/memory/2916-8-0x0000000000230000-0x0000000000772000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe	themida
behavioral2/memory/2916-21-0x0000000000230000-0x0000000000772000-memory.dmp	themida
behavioral2/memory/4892-24-0x0000000000090000-0x00000000005D2000-memory.dmp	themida
behavioral2/memory/4892-25-0x0000000000090000-0x00000000005D2000-memory.dmp	themida
behavioral2/memory/4892-29-0x0000000000090000-0x00000000005D2000-memory.dmp	themida
behavioral2/memory/4892-30-0x0000000000090000-0x00000000005D2000-memory.dmp	themida
behavioral2/memory/4892-28-0x0000000000090000-0x00000000005D2000-memory.dmp	themida
behavioral2/memory/4892-26-0x0000000000090000-0x00000000005D2000-memory.dmp	themida
behavioral2/memory/4892-23-0x0000000000090000-0x00000000005D2000-memory.dmp	themida
behavioral2/memory/4892-27-0x0000000000090000-0x00000000005D2000-memory.dmp	themida
behavioral2/memory/4892-22-0x0000000000090000-0x00000000005D2000-memory.dmp	themida
behavioral2/memory/4892-49-0x0000000000090000-0x00000000005D2000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\1000014001\ad24307970.exe	themida
behavioral2/memory/4944-83-0x00000000007D0000-0x0000000000E5C000-memory.dmp	themida
behavioral2/memory/4944-85-0x00000000007D0000-0x0000000000E5C000-memory.dmp	themida
behavioral2/memory/4944-87-0x00000000007D0000-0x0000000000E5C000-memory.dmp	themida
behavioral2/memory/4944-86-0x00000000007D0000-0x0000000000E5C000-memory.dmp	themida
behavioral2/memory/4944-84-0x00000000007D0000-0x0000000000E5C000-memory.dmp	themida
behavioral2/memory/4944-88-0x00000000007D0000-0x0000000000E5C000-memory.dmp	themida
behavioral2/memory/4944-90-0x00000000007D0000-0x0000000000E5C000-memory.dmp	themida
behavioral2/memory/4944-89-0x00000000007D0000-0x0000000000E5C000-memory.dmp	themida
behavioral2/memory/4944-91-0x00000000007D0000-0x0000000000E5C000-memory.dmp	themida
behavioral2/memory/4892-109-0x0000000000090000-0x00000000005D2000-memory.dmp	themida
behavioral2/memory/4944-111-0x00000000007D0000-0x0000000000E5C000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorku.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ad24307970.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000014001\\ad24307970.exe"	explorku.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

Processes:

31b3f063f2e15008198227ea53faf480daefb6b3615bde6d028ddc0ea66fdb88_NeikiAnalytics.exeexplorku.exead24307970.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	31b3f063f2e15008198227ea53faf480daefb6b3615bde6d028ddc0ea66fdb88_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorku.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ad24307970.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

amers.exeaxplons.exe69030ed4bd.exe

pid process

5084 amers.exe
3644 axplons.exe
760 69030ed4bd.exe

pid	process
5084	amers.exe
3644	axplons.exe
760	69030ed4bd.exe

Drops file in Windows directory 2 IoCs

Processes:

31b3f063f2e15008198227ea53faf480daefb6b3615bde6d028ddc0ea66fdb88_NeikiAnalytics.exeamers.exe

description	ioc	process
File created	C:\Windows\Tasks\explorku.job	31b3f063f2e15008198227ea53faf480daefb6b3615bde6d028ddc0ea66fdb88_NeikiAnalytics.exe
File created	C:\Windows\Tasks\axplons.job	amers.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

amers.exeaxplons.exe69030ed4bd.exe

pid process

5084 amers.exe
5084 amers.exe
3644 axplons.exe
3644 axplons.exe
760 69030ed4bd.exe
760 69030ed4bd.exe

pid	process
5084	amers.exe
5084	amers.exe
3644	axplons.exe
3644	axplons.exe
760	69030ed4bd.exe
760	69030ed4bd.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

31b3f063f2e15008198227ea53faf480daefb6b3615bde6d028ddc0ea66fdb88_NeikiAnalytics.exeexplorku.exeamers.exe

description	pid	process	target process
PID 2916 wrote to memory of 4892	2916	31b3f063f2e15008198227ea53faf480daefb6b3615bde6d028ddc0ea66fdb88_NeikiAnalytics.exe	explorku.exe
PID 2916 wrote to memory of 4892	2916	31b3f063f2e15008198227ea53faf480daefb6b3615bde6d028ddc0ea66fdb88_NeikiAnalytics.exe	explorku.exe
PID 2916 wrote to memory of 4892	2916	31b3f063f2e15008198227ea53faf480daefb6b3615bde6d028ddc0ea66fdb88_NeikiAnalytics.exe	explorku.exe
PID 4892 wrote to memory of 4572	4892	explorku.exe	explorku.exe
PID 4892 wrote to memory of 4572	4892	explorku.exe	explorku.exe
PID 4892 wrote to memory of 4572	4892	explorku.exe	explorku.exe
PID 4892 wrote to memory of 5084	4892	explorku.exe	amers.exe
PID 4892 wrote to memory of 5084	4892	explorku.exe	amers.exe
PID 4892 wrote to memory of 5084	4892	explorku.exe	amers.exe
PID 5084 wrote to memory of 3644	5084	amers.exe	axplons.exe
PID 5084 wrote to memory of 3644	5084	amers.exe	axplons.exe
PID 5084 wrote to memory of 3644	5084	amers.exe	axplons.exe
PID 4892 wrote to memory of 4944	4892	explorku.exe	ad24307970.exe
PID 4892 wrote to memory of 4944	4892	explorku.exe	ad24307970.exe
PID 4892 wrote to memory of 4944	4892	explorku.exe	ad24307970.exe
PID 4892 wrote to memory of 760	4892	explorku.exe	69030ed4bd.exe
PID 4892 wrote to memory of 760	4892	explorku.exe	69030ed4bd.exe
PID 4892 wrote to memory of 760	4892	explorku.exe	69030ed4bd.exe

C:\Users\Admin\AppData\Local\Temp\31b3f063f2e15008198227ea53faf480daefb6b3615bde6d028ddc0ea66fdb88_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\31b3f063f2e15008198227ea53faf480daefb6b3615bde6d028ddc0ea66fdb88_NeikiAnalytics.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
  "C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
    "C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
    3⤵
    PID:4572
- - C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
    "C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5084
  - - C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
      "C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      PID:3644
- - C:\Users\Admin\AppData\Local\Temp\1000014001\ad24307970.exe
    "C:\Users\Admin\AppData\Local\Temp\1000014001\ad24307970.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    PID:4944
- - C:\Users\Admin\1000017002\69030ed4bd.exe
    "C:\Users\Admin\1000017002\69030ed4bd.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion