Overview

overview

10

Static

static

7

416e6ac71d...cs.exe

windows7-x64

10

416e6ac71d...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    22-05-2024 21:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    416e6ac71d6a6c2b1684857e749bea10_NeikiAnalytics.exe

  • Size

    2.5MB

  • MD5

    416e6ac71d6a6c2b1684857e749bea10

  • SHA1

    c5c56bb1f686127e6a868db4502a2dc5aace1f5a

  • SHA256

    95e1f5ce0db239bd421f4fa9f887ac75446d232340b5dcfbefea74d63553e6ed

  • SHA512

    6b48218048b697a7449cac072393d4a67af0a4744b3376284d5633b7a65f29f32a447b9bba8b8cc090e5fd1d8a37de101799b5e92f18f38c0efd973a7e1d6bd1

  • SSDEEP

    49152:PxmvumkQ9lY9sgUXdTPSxdQ8KX75IyuWuCjcCqWOyxy:Pxx9NUFkQx753uWuCyyxy

Score
10/10
evasionpersistencethemidatrojan

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 10 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Themida packer 17 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 5 IoCs
    evasiontrojan
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Drops file in Windows directory 4 IoCs
  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\416e6ac71d6a6c2b1684857e749bea10_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\416e6ac71d6a6c2b1684857e749bea10_NeikiAnalytics.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1688
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2728
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2980
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in System32 directory
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2648
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetWindowsHookEx
            PID:2580
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 21:37 /f
            5⤵
            • Creates scheduled task(s)
            PID:2492
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 21:38 /f
            5⤵
            • Creates scheduled task(s)
            PID:1468
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 21:39 /f
            5⤵
            • Creates scheduled task(s)
            PID:2088
      • C:\Windows\Explorer.exe
        C:\Windows\Explorer.exe
        3⤵
          PID:2676

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Resources\spoolsv.exe
      Filesize

      2.5MB

      MD5

      87c95ab8ec9adeb4284f19689fc71513

      SHA1

      4f22ec8f8db463205b80bc9d7c2e7ce05691962a

      SHA256

      bf8f6fd8e92ab2081aa54bd50de2d4a832d071de4280e53dcf30a58c5bfb8a01

      SHA512

      cea26e1766be81b060a8bedface537a08f2440026448778cbdbd2d9e2a85dc0fde49be3c9df8203d3dc63500c71af500a188d9a7732c4713c738458c42766f20

      Download Submit

    • C:\Windows\Resources\svchost.exe
      Filesize

      2.5MB

      MD5

      c0816699e5fee93ba734b6e24d0f74e9

      SHA1

      25425acba1270c7185ace4bb056a1334b9d66168

      SHA256

      b5c4331f03a2f29d396ae4f6d6d4948f648a087b042dfff6d018e9ccaf00dfe8

      SHA512

      ece5a852a876640b3a3d1ac44faaa931a5f468736c71981e6f3566964d2b6ccd14e179dee8edca54e76ee10e08b5d593ef52438ba15b77755d954d1c2d11cbac

      Download Submit

    • \Windows\Resources\Themes\explorer.exe
      Filesize

      2.5MB

      MD5

      23642af50057c346ff8e9f1913f94d83

      SHA1

      3d6d702f3bc22a1c72618f160edafb93bf01ec68

      SHA256

      1e1d8906f177d88b509ffbdb73d686abab8f50c167d37d45c5f9bf56d0b39560

      SHA512

      ba186acecbf55c5eac193ee0064161f6131e3a60a8ecd0362e887b52f1843c59016d08f4fb7aa9ccfb82fc70f063afd99018ea8d5eb386465bdf598e6567b747

      Download Submit

    • memory/1688-1-0x0000000076FD0000-0x0000000076FD2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1688-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1688-52-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2580-48-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2580-43-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2648-74-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2648-54-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2648-35-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2648-42-0x0000000003250000-0x000000000385E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2728-53-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2728-22-0x0000000003800000-0x0000000003E0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2728-55-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2728-56-0x0000000003800000-0x0000000003E0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2728-61-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2728-67-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2728-11-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2980-50-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2980-34-0x0000000003580000-0x0000000003B8E000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2980-23-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

      Download