Analysis
-
max time kernel
150s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
22-05-2024 21:35
General
-
Target
416e6ac71d6a6c2b1684857e749bea10_NeikiAnalytics.exe
-
Size
2.5MB
-
MD5
416e6ac71d6a6c2b1684857e749bea10
-
SHA1
c5c56bb1f686127e6a868db4502a2dc5aace1f5a
-
SHA256
95e1f5ce0db239bd421f4fa9f887ac75446d232340b5dcfbefea74d63553e6ed
-
SHA512
6b48218048b697a7449cac072393d4a67af0a4744b3376284d5633b7a65f29f32a447b9bba8b8cc090e5fd1d8a37de101799b5e92f18f38c0efd973a7e1d6bd1
-
SSDEEP
49152:PxmvumkQ9lY9sgUXdTPSxdQ8KX75IyuWuCjcCqWOyxy:Pxx9NUFkQx753uWuCyyxy
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 4 IoCs
-
Themida packer 17 IoCs
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 5 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
-
Drops file in Windows directory 4 IoCs
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\416e6ac71d6a6c2b1684857e749bea10_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\416e6ac71d6a6c2b1684857e749bea10_NeikiAnalytics.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe4⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 21:37 /f5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 21:38 /f5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 21:39 /f5⤵
- Creates scheduled task(s)
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe3⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\Resources\spoolsv.exeFilesize
2.5MB
MD587c95ab8ec9adeb4284f19689fc71513
SHA14f22ec8f8db463205b80bc9d7c2e7ce05691962a
SHA256bf8f6fd8e92ab2081aa54bd50de2d4a832d071de4280e53dcf30a58c5bfb8a01
SHA512cea26e1766be81b060a8bedface537a08f2440026448778cbdbd2d9e2a85dc0fde49be3c9df8203d3dc63500c71af500a188d9a7732c4713c738458c42766f20
-
C:\Windows\Resources\svchost.exeFilesize
2.5MB
MD5c0816699e5fee93ba734b6e24d0f74e9
SHA125425acba1270c7185ace4bb056a1334b9d66168
SHA256b5c4331f03a2f29d396ae4f6d6d4948f648a087b042dfff6d018e9ccaf00dfe8
SHA512ece5a852a876640b3a3d1ac44faaa931a5f468736c71981e6f3566964d2b6ccd14e179dee8edca54e76ee10e08b5d593ef52438ba15b77755d954d1c2d11cbac
-
\Windows\Resources\Themes\explorer.exeFilesize
2.5MB
MD523642af50057c346ff8e9f1913f94d83
SHA13d6d702f3bc22a1c72618f160edafb93bf01ec68
SHA2561e1d8906f177d88b509ffbdb73d686abab8f50c167d37d45c5f9bf56d0b39560
SHA512ba186acecbf55c5eac193ee0064161f6131e3a60a8ecd0362e887b52f1843c59016d08f4fb7aa9ccfb82fc70f063afd99018ea8d5eb386465bdf598e6567b747
-
memory/1688-1-0x0000000076FD0000-0x0000000076FD2000-memory.dmpFilesize
8KB
-
memory/1688-0-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/1688-52-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/2580-48-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/2580-43-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/2648-74-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/2648-54-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/2648-35-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/2648-42-0x0000000003250000-0x000000000385E000-memory.dmpFilesize
6.1MB
-
memory/2728-53-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/2728-22-0x0000000003800000-0x0000000003E0E000-memory.dmpFilesize
6.1MB
-
memory/2728-55-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/2728-56-0x0000000003800000-0x0000000003E0E000-memory.dmpFilesize
6.1MB
-
memory/2728-61-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/2728-67-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/2728-11-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/2980-50-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/2980-34-0x0000000003580000-0x0000000003B8E000-memory.dmpFilesize
6.1MB
-
memory/2980-23-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB