Analysis
- max time kernel: 152s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-05-2024 21:35
Behavioral task: behavioral1
- Sample: 416e6ac71d6a6c2b1684857e749bea10_NeikiAnalytics.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 416e6ac71d6a6c2b1684857e749bea10_NeikiAnalytics.exe
- Resource: win10v2004-20240226-en
General
- Target: 416e6ac71d6a6c2b1684857e749bea10_NeikiAnalytics.exe
- Size: 2.5MB
- MD5: 416e6ac71d6a6c2b1684857e749bea10
- SHA1: c5c56bb1f686127e6a868db4502a2dc5aace1f5a
- SHA256: 95e1f5ce0db239bd421f4fa9f887ac75446d232340b5dcfbefea74d63553e6ed
- SHA512: 6b48218048b697a7449cac072393d4a67af0a4744b3376284d5633b7a65f29f32a447b9bba8b8cc090e5fd1d8a37de101799b5e92f18f38c0efd973a7e1d6bd1
- SSDEEP: 49152:PxmvumkQ9lY9sgUXdTPSxdQ8KX75IyuWuCjcCqWOyxy:Pxx9NUFkQx753uWuCyyxy
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
Processes: explorer.exe, svchost.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
Processes: spoolsv.exe, 416e6ac71d6a6c2b1684857e749bea10_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | spoolsv.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 416e6ac71d6a6c2b1684857e749bea10_NeikiAnalytics.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | spoolsv.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svchost.exe
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe, 416e6ac71d6a6c2b1684857e749bea10_NeikiAnalytics.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | spoolsv.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | spoolsv.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | spoolsv.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 416e6ac71d6a6c2b1684857e749bea10_NeikiAnalytics.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 416e6ac71d6a6c2b1684857e749bea10_NeikiAnalytics.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | spoolsv.exe
-
Executes dropped EXE 4 IoCs
Processes: explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
pid | process
3516 | explorer.exe
3632 | spoolsv.exe
1456 | svchost.exe
332 | spoolsv.exe
-
YARA rule match: themida 19 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4832-0-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
behavioral2/memory/4832-1-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
C:\Windows\Resources\Themes\explorer.exe | themida
behavioral2/memory/3516-11-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
C:\Windows\Resources\spoolsv.exe | themida
behavioral2/memory/4832-20-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
behavioral2/memory/3632-21-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
C:\Windows\Resources\svchost.exe | themida
behavioral2/memory/4832-29-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
behavioral2/memory/1456-31-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
behavioral2/memory/332-36-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
behavioral2/memory/332-42-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
behavioral2/memory/3632-43-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
behavioral2/memory/4832-45-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
behavioral2/memory/3516-46-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
behavioral2/memory/1456-47-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
behavioral2/memory/1456-50-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
behavioral2/memory/3516-59-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
behavioral2/memory/3516-67-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes: svchost.exe, explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
-
Checks whether UAC is enabled 5 IoCs
Processes: spoolsv.exe, 416e6ac71d6a6c2b1684857e749bea10_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | spoolsv.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 416e6ac71d6a6c2b1684857e749bea10_NeikiAnalytics.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | spoolsv.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | svchost.exe
-
Drops file in System32 directory 2 IoCs
Processes: explorer.exe, svchost.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes: 416e6ac71d6a6c2b1684857e749bea10_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
pid | process
4832 | 416e6ac71d6a6c2b1684857e749bea10_NeikiAnalytics.exe
3516 | explorer.exe
3632 | spoolsv.exe
1456 | svchost.exe
332 | spoolsv.exe
-
Drops file in Windows directory 4 IoCs
Processes: explorer.exe, spoolsv.exe, 416e6ac71d6a6c2b1684857e749bea10_NeikiAnalytics.exe
description | ioc | process
File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe
File opened for modification | \??\c:\windows\resources\themes\explorer.exe | 416e6ac71d6a6c2b1684857e749bea10_NeikiAnalytics.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 416e6ac71d6a6c2b1684857e749bea10_NeikiAnalytics.exe, explorer.exe
pid | process
4832 | 416e6ac71d6a6c2b1684857e749bea10_NeikiAnalytics.exe (identical entry repeated)
3516 | explorer.exe (identical entry repeated)
The original lists the same two pid/process rows over and over, 64 entries in total; the duplicates are collapsed here.
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes: explorer.exe, svchost.exe
pid | process
3516 | explorer.exe
1456 | svchost.exe
-
Suspicious use of SetWindowsHookEx 10 IoCs
Processes: 416e6ac71d6a6c2b1684857e749bea10_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
pid | process
4832 | 416e6ac71d6a6c2b1684857e749bea10_NeikiAnalytics.exe
4832 | 416e6ac71d6a6c2b1684857e749bea10_NeikiAnalytics.exe
3516 | explorer.exe
3516 | explorer.exe
3632 | spoolsv.exe
3632 | spoolsv.exe
1456 | svchost.exe
1456 | svchost.exe
332 | spoolsv.exe
332 | spoolsv.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes: 416e6ac71d6a6c2b1684857e749bea10_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe
description | pid | process | target process
PID 4832 wrote to memory of 3516 | 4832 | 416e6ac71d6a6c2b1684857e749bea10_NeikiAnalytics.exe | explorer.exe
PID 4832 wrote to memory of 3516 | 4832 | 416e6ac71d6a6c2b1684857e749bea10_NeikiAnalytics.exe | explorer.exe
PID 4832 wrote to memory of 3516 | 4832 | 416e6ac71d6a6c2b1684857e749bea10_NeikiAnalytics.exe | explorer.exe
PID 3516 wrote to memory of 3632 | 3516 | explorer.exe | spoolsv.exe
PID 3516 wrote to memory of 3632 | 3516 | explorer.exe | spoolsv.exe
PID 3516 wrote to memory of 3632 | 3516 | explorer.exe | spoolsv.exe
PID 3632 wrote to memory of 1456 | 3632 | spoolsv.exe | svchost.exe
PID 3632 wrote to memory of 1456 | 3632 | spoolsv.exe | svchost.exe
PID 3632 wrote to memory of 1456 | 3632 | spoolsv.exe | svchost.exe
PID 1456 wrote to memory of 332 | 1456 | svchost.exe | spoolsv.exe
PID 1456 wrote to memory of 332 | 1456 | svchost.exe | spoolsv.exe
PID 1456 wrote to memory of 332 | 1456 | svchost.exe | spoolsv.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\416e6ac71d6a6c2b1684857e749bea10_NeikiAnalytics.exe (tree level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\416e6ac71d6a6c2b1684857e749bea10_NeikiAnalytics.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\themes\explorer.exe (tree level 2)
Command line: c:\windows\resources\themes\explorer.exe
- Modifies visibility of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\spoolsv.exe (tree level 3)
Command line: c:\windows\resources\spoolsv.exe SE
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\svchost.exe (tree level 4)
Command line: c:\windows\resources\svchost.exe
- Modifies visibility of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\spoolsv.exe (tree level 5)
Command line: c:\windows\resources\spoolsv.exe PR
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree level 1)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4440 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix (ATT&CK v13)
- Privilege Escalation: Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Defense Evasion: Hide Artifacts (1): Hidden Files and Directories (1); Modify Registry (2); Virtualization/Sandbox Evasion (1)
Downloads
-
C:\Windows\Resources\Themes\explorer.exe
- Filesize: 2.5MB
- MD5: ded9a545286fbe1498721d3968f64263
- SHA1: 485856aa2430879700a67f6f592972dd9b1f8ec5
- SHA256: d484ea243cad0007ada744833ded59b37a87950ef5e2bd577a98f03b8f4c7b10
- SHA512: 731171acaf8edb53001208eacdd7dd3252daa24642afadcbcf61eeb899a77139d4cd12672bb8489ec72341f7fadf1d45c5e69d1ba79b6babb5a6397c9d5bcc5a
-
C:\Windows\Resources\spoolsv.exe
- Filesize: 2.5MB
- MD5: 07caea604acf80fcc3755d538b44656d
- SHA1: 82c3e53bdf9d25c68914082eddaa5faebaf89296
- SHA256: 16a6d259c0beb9e102971cc78d2fe27f1d99951771e408d3faed626977e96c22
- SHA512: efa90493123c7eb68f41ac0ff409efd01d1fce411bbf1b287d470ad04488c8b73547587f30e46669bb559799a5a197adcb5da97972edfc41269a9b815a53f901
-
C:\Windows\Resources\svchost.exe
- Filesize: 2.5MB
- MD5: 1f3f752521b062686ed7586bf007348d
- SHA1: a9ef1b772e8840fb85fd65836dca8c30723d6a79
- SHA256: 548479916daa91f9e1c8847d70ee8034b05b8a3732a9854332e3208daae64147
- SHA512: a16d1bb74e0a96ac04b8d23c6af2ee9877bc10a5ebbac94edc59b7dbf8f0eb42fb7c1fed25fb56c73f86d20f2e5d290093a1d4ad5ca052e04454ddef44252011
-
memory/332-42-0x0000000000400000-0x0000000000A0E000-memory.dmp (Filesize: 6.1MB)
-
memory/332-36-0x0000000000400000-0x0000000000A0E000-memory.dmp (Filesize: 6.1MB)
-
memory/1456-31-0x0000000000400000-0x0000000000A0E000-memory.dmp (Filesize: 6.1MB)
-
memory/1456-50-0x0000000000400000-0x0000000000A0E000-memory.dmp (Filesize: 6.1MB)
-
memory/1456-47-0x0000000000400000-0x0000000000A0E000-memory.dmp (Filesize: 6.1MB)
-
memory/3516-46-0x0000000000400000-0x0000000000A0E000-memory.dmp (Filesize: 6.1MB)
-
memory/3516-11-0x0000000000400000-0x0000000000A0E000-memory.dmp (Filesize: 6.1MB)
-
memory/3516-67-0x0000000000400000-0x0000000000A0E000-memory.dmp (Filesize: 6.1MB)
-
memory/3516-59-0x0000000000400000-0x0000000000A0E000-memory.dmp (Filesize: 6.1MB)
-
memory/3632-21-0x0000000000400000-0x0000000000A0E000-memory.dmp (Filesize: 6.1MB)
-
memory/3632-43-0x0000000000400000-0x0000000000A0E000-memory.dmp (Filesize: 6.1MB)
-
memory/4832-29-0x0000000000400000-0x0000000000A0E000-memory.dmp (Filesize: 6.1MB)
-
memory/4832-45-0x0000000000400000-0x0000000000A0E000-memory.dmp (Filesize: 6.1MB)
-
memory/4832-1-0x0000000000400000-0x0000000000A0E000-memory.dmp (Filesize: 6.1MB)
-
memory/4832-2-0x0000000077954000-0x0000000077956000-memory.dmp (Filesize: 8KB)
-
memory/4832-0-0x0000000000400000-0x0000000000A0E000-memory.dmp (Filesize: 6.1MB)
-
memory/4832-20-0x0000000000400000-0x0000000000A0E000-memory.dmp (Filesize: 6.1MB)