Analysis
max time kernel: 150s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 22-05-2024 22:21
Behavioral task: behavioral1
Sample: 4ad0f829cafc58eb5a0f61ef642e3ff0_NeikiAnalytics.exe
Resource: win7-20240221-en
6 signatures, 150 seconds
General
Target: 4ad0f829cafc58eb5a0f61ef642e3ff0_NeikiAnalytics.exe
Size: 3.7MB
MD5: 4ad0f829cafc58eb5a0f61ef642e3ff0
SHA1: cacabb7ef42a0d57b7f2545f85cfe4ae10602863
SHA256: 3a8e0ad1aef45078317e3475d62fd8af84d50ebd58a5999eb56fec238039daf9
SHA512: 39e8e70659deb347084ba5ac74d79a6c731da5c5b0f072a0bf2c45076e8e861b60505af293fdc96e818b348bddd24c75f92e74929f3a5229efd905b0e819bac6
SSDEEP: 98304:81UDBqkepq5aOd2h3rirfXzjvLbMgutSMXps:8gBqpqokSOrfXzdaSMXK
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 4ad0f829cafc58eb5a0f61ef642e3ff0_NeikiAnalytics.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 4ad0f829cafc58eb5a0f61ef642e3ff0_NeikiAnalytics.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 4ad0f829cafc58eb5a0f61ef642e3ff0_NeikiAnalytics.exe
Processes:
resource | yara_rule
behavioral1/memory/2204-0-0x000000013F170000-0x000000013FB62000-memory.dmp | themida
behavioral1/memory/2204-2-0x000000013F170000-0x000000013FB62000-memory.dmp | themida
behavioral1/memory/2204-4-0x000000013F170000-0x000000013FB62000-memory.dmp | themida
behavioral1/memory/2204-6-0x000000013F170000-0x000000013FB62000-memory.dmp | themida
behavioral1/memory/2204-5-0x000000013F170000-0x000000013FB62000-memory.dmp | themida
behavioral1/memory/2204-3-0x000000013F170000-0x000000013FB62000-memory.dmp | themida
behavioral1/memory/2204-7-0x000000013F170000-0x000000013FB62000-memory.dmp | themida
Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 4ad0f829cafc58eb5a0f61ef642e3ff0_NeikiAnalytics.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes:
pid | process
2204 | 4ad0f829cafc58eb5a0f61ef642e3ff0_NeikiAnalytics.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
description | pid | process | target process
PID 2204 wrote to memory of 3044 | 2204 | 4ad0f829cafc58eb5a0f61ef642e3ff0_NeikiAnalytics.exe | cmd.exe
PID 2204 wrote to memory of 3044 | 2204 | 4ad0f829cafc58eb5a0f61ef642e3ff0_NeikiAnalytics.exe | cmd.exe
PID 2204 wrote to memory of 3044 | 2204 | 4ad0f829cafc58eb5a0f61ef642e3ff0_NeikiAnalytics.exe | cmd.exe
PID 3044 wrote to memory of 2520 | 3044 | cmd.exe | certutil.exe
PID 3044 wrote to memory of 2520 | 3044 | cmd.exe | certutil.exe
PID 3044 wrote to memory of 2520 | 3044 | cmd.exe | certutil.exe
PID 3044 wrote to memory of 3040 | 3044 | cmd.exe | find.exe
PID 3044 wrote to memory of 3040 | 3044 | cmd.exe | find.exe
PID 3044 wrote to memory of 3040 | 3044 | cmd.exe | find.exe
PID 3044 wrote to memory of 2004 | 3044 | cmd.exe | find.exe
PID 3044 wrote to memory of 2004 | 3044 | cmd.exe | find.exe
PID 3044 wrote to memory of 2004 | 3044 | cmd.exe | find.exe
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\4ad0f829cafc58eb5a0f61ef642e3ff0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4ad0f829cafc58eb5a0f61ef642e3ff0_NeikiAnalytics.exe"
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\4ad0f829cafc58eb5a0f61ef642e3ff0_NeikiAnalytics.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    Signatures:
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\system32\certutil.exe
      Command line: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\4ad0f829cafc58eb5a0f61ef642e3ff0_NeikiAnalytics.exe" MD5
    Level 3: C:\Windows\system32\find.exe
      Command line: find /i /v "md5"
    Level 3: C:\Windows\system32\find.exe
      Command line: find /i /v "certutil"
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
file | filesize
memory/2204-0-0x000000013F170000-0x000000013FB62000-memory.dmp | 9.9MB
memory/2204-1-0x0000000077B50000-0x0000000077B52000-memory.dmp | 8KB
memory/2204-2-0x000000013F170000-0x000000013FB62000-memory.dmp | 9.9MB
memory/2204-4-0x000000013F170000-0x000000013FB62000-memory.dmp | 9.9MB
memory/2204-6-0x000000013F170000-0x000000013FB62000-memory.dmp | 9.9MB
memory/2204-5-0x000000013F170000-0x000000013FB62000-memory.dmp | 9.9MB
memory/2204-3-0x000000013F170000-0x000000013FB62000-memory.dmp | 9.9MB
memory/2204-7-0x000000013F170000-0x000000013FB62000-memory.dmp | 9.9MB