Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-05-2024 22:21
Behavioral task: behavioral1
Sample: 4ad0f829cafc58eb5a0f61ef642e3ff0_NeikiAnalytics.exe
Resource: win7-20240221-en
6 signatures, 150 seconds
General
Target: 4ad0f829cafc58eb5a0f61ef642e3ff0_NeikiAnalytics.exe
Size: 3.7MB
MD5: 4ad0f829cafc58eb5a0f61ef642e3ff0
SHA1: cacabb7ef42a0d57b7f2545f85cfe4ae10602863
SHA256: 3a8e0ad1aef45078317e3475d62fd8af84d50ebd58a5999eb56fec238039daf9
SHA512: 39e8e70659deb347084ba5ac74d79a6c731da5c5b0f072a0bf2c45076e8e861b60505af293fdc96e818b348bddd24c75f92e74929f3a5229efd905b0e819bac6
SSDEEP: 98304:81UDBqkepq5aOd2h3rirfXzjvLbMgutSMXps:8gBqpqokSOrfXzdaSMXK
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) - 2 TTPs, 1 IoC
Processes:
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: 4ad0f829cafc58eb5a0f61ef642e3ff0_NeikiAnalytics.exe)
Checks BIOS information in registry - 2 TTPs, 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: 4ad0f829cafc58eb5a0f61ef642e3ff0_NeikiAnalytics.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: 4ad0f829cafc58eb5a0f61ef642e3ff0_NeikiAnalytics.exe)
YARA rule match: themida (packer) - 7 IoCs
Processes:
  behavioral2/memory/5044-0-0x00007FF65EF40000-0x00007FF65F932000-memory.dmp (yara_rule: themida)
  behavioral2/memory/5044-3-0x00007FF65EF40000-0x00007FF65F932000-memory.dmp (yara_rule: themida)
  behavioral2/memory/5044-2-0x00007FF65EF40000-0x00007FF65F932000-memory.dmp (yara_rule: themida)
  behavioral2/memory/5044-4-0x00007FF65EF40000-0x00007FF65F932000-memory.dmp (yara_rule: themida)
  behavioral2/memory/5044-5-0x00007FF65EF40000-0x00007FF65F932000-memory.dmp (yara_rule: themida)
  behavioral2/memory/5044-6-0x00007FF65EF40000-0x00007FF65F932000-memory.dmp (yara_rule: themida)
  behavioral2/memory/5044-7-0x00007FF65EF40000-0x00007FF65F932000-memory.dmp (yara_rule: themida)
Checks whether UAC is enabled - 1 IoC
Processes:
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: 4ad0f829cafc58eb5a0f61ef642e3ff0_NeikiAnalytics.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger - 1 IoC
Processes:
  PID 5044: 4ad0f829cafc58eb5a0f61ef642e3ff0_NeikiAnalytics.exe
Suspicious use of WriteProcessMemory - 8 IoCs
Processes (description / pid / process / target process):
  PID 5044 wrote to memory of 1140 / 5044 / 4ad0f829cafc58eb5a0f61ef642e3ff0_NeikiAnalytics.exe / cmd.exe
  PID 5044 wrote to memory of 1140 / 5044 / 4ad0f829cafc58eb5a0f61ef642e3ff0_NeikiAnalytics.exe / cmd.exe
  PID 1140 wrote to memory of 4560 / 1140 / cmd.exe / certutil.exe
  PID 1140 wrote to memory of 4560 / 1140 / cmd.exe / certutil.exe
  PID 1140 wrote to memory of 3624 / 1140 / cmd.exe / find.exe
  PID 1140 wrote to memory of 3624 / 1140 / cmd.exe / find.exe
  PID 1140 wrote to memory of 1428 / 1140 / cmd.exe / find.exe
  PID 1140 wrote to memory of 1428 / 1140 / cmd.exe / find.exe
Processes
C:\Users\Admin\AppData\Local\Temp\4ad0f829cafc58eb5a0f61ef642e3ff0_NeikiAnalytics.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4ad0f829cafc58eb5a0f61ef642e3ff0_NeikiAnalytics.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe (depth 2)
    Command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\4ad0f829cafc58eb5a0f61ef642e3ff0_NeikiAnalytics.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\certutil.exe (depth 3)
      Command line: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\4ad0f829cafc58eb5a0f61ef642e3ff0_NeikiAnalytics.exe" MD5
    C:\Windows\system32\find.exe (depth 3)
      Command line: find /i /v "md5"
    C:\Windows\system32\find.exe (depth 3)
      Command line: find /i /v "certutil"
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
memory/5044-0-0x00007FF65EF40000-0x00007FF65F932000-memory.dmp (Filesize: 9.9MB)
memory/5044-1-0x00007FF902970000-0x00007FF902972000-memory.dmp (Filesize: 8KB)
memory/5044-3-0x00007FF65EF40000-0x00007FF65F932000-memory.dmp (Filesize: 9.9MB)
memory/5044-2-0x00007FF65EF40000-0x00007FF65F932000-memory.dmp (Filesize: 9.9MB)
memory/5044-4-0x00007FF65EF40000-0x00007FF65F932000-memory.dmp (Filesize: 9.9MB)
memory/5044-5-0x00007FF65EF40000-0x00007FF65F932000-memory.dmp (Filesize: 9.9MB)
memory/5044-6-0x00007FF65EF40000-0x00007FF65F932000-memory.dmp (Filesize: 9.9MB)
memory/5044-7-0x00007FF65EF40000-0x00007FF65F932000-memory.dmp (Filesize: 9.9MB)