Analysis
- Max time kernel: 153s
- Max time network: 153s
- Platform: windows10-2004_x64
- Resource: win10v2004-20240226-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 22-05-2024 23:30
Behavioral task: behavioral1
- Sample: 586ea3ffbc4520655a6766e81a43db00_NeikiAnalytics.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 586ea3ffbc4520655a6766e81a43db00_NeikiAnalytics.exe
- Resource: win10v2004-20240226-en
General
- Target: 586ea3ffbc4520655a6766e81a43db00_NeikiAnalytics.exe
- Size: 2.5MB
- MD5: 586ea3ffbc4520655a6766e81a43db00
- SHA1: 53f179721a753049ca76111a5e5d451067e2cb0c
- SHA256: 1c661c2a242d779c6efa39818ea1b4563629069858cd9d4ee366251c47d1c521
- SHA512: 61aa659c00bb157a33d1441708a623a72f5d7ce0d3677625e5c42bcc2c63051fffb663e19413fc49d6688467940f4ed9078a926bf8428d86c173f344b62e9fc8
- SSDEEP: 49152:dxmvumkQ9lY9sgUXdTPSxdQ8KX75IyuWuCjcCqWOyxU:dxx9NUFkQx753uWuCyyxU
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes: svchost.exe, explorer.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (svchost.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (explorer.exe)
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 5 IoCs)
Processes: svchost.exe, spoolsv.exe, 586ea3ffbc4520655a6766e81a43db00_NeikiAnalytics.exe, explorer.exe, spoolsv.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (svchost.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (spoolsv.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (586ea3ffbc4520655a6766e81a43db00_NeikiAnalytics.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (explorer.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (spoolsv.exe)
Checks BIOS information in registry (2 TTPs, 10 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: 586ea3ffbc4520655a6766e81a43db00_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (586ea3ffbc4520655a6766e81a43db00_NeikiAnalytics.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (explorer.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (spoolsv.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (svchost.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (spoolsv.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (586ea3ffbc4520655a6766e81a43db00_NeikiAnalytics.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (spoolsv.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (svchost.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (spoolsv.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorer.exe)
Executes dropped EXE (4 IoCs)
Processes: explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
- PID 2364 explorer.exe
- PID 4688 spoolsv.exe
- PID 5072 svchost.exe
- PID 2496 spoolsv.exe
Processes (resource / yara_rule):
- behavioral2/memory/4248-0-0x0000000000400000-0x0000000000A0E000-memory.dmp: themida
- behavioral2/memory/4248-5-0x0000000000400000-0x0000000000A0E000-memory.dmp: themida
- C:\Windows\Resources\Themes\explorer.exe: themida
- behavioral2/memory/2364-11-0x0000000000400000-0x0000000000A0E000-memory.dmp: themida
- C:\Windows\Resources\spoolsv.exe: themida
- behavioral2/memory/4688-20-0x0000000000400000-0x0000000000A0E000-memory.dmp: themida
- C:\Windows\Resources\svchost.exe: themida
- behavioral2/memory/5072-29-0x0000000000400000-0x0000000000A0E000-memory.dmp: themida
- behavioral2/memory/4248-30-0x0000000000400000-0x0000000000A0E000-memory.dmp: themida
- behavioral2/memory/2496-35-0x0000000000400000-0x0000000000A0E000-memory.dmp: themida
- behavioral2/memory/2496-39-0x0000000000400000-0x0000000000A0E000-memory.dmp: themida
- behavioral2/memory/4688-41-0x0000000000400000-0x0000000000A0E000-memory.dmp: themida
- behavioral2/memory/4248-43-0x0000000000400000-0x0000000000A0E000-memory.dmp: themida
- behavioral2/memory/2364-44-0x0000000000400000-0x0000000000A0E000-memory.dmp: themida
- behavioral2/memory/5072-45-0x0000000000400000-0x0000000000A0E000-memory.dmp: themida
- behavioral2/memory/5072-48-0x0000000000400000-0x0000000000A0E000-memory.dmp: themida
- behavioral2/memory/2364-57-0x0000000000400000-0x0000000000A0E000-memory.dmp: themida
- behavioral2/memory/2364-65-0x0000000000400000-0x0000000000A0E000-memory.dmp: themida
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: explorer.exe, svchost.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (svchost.exe)
Checks whether UAC is enabled (5 IoCs)
Processes: 586ea3ffbc4520655a6766e81a43db00_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (586ea3ffbc4520655a6766e81a43db00_NeikiAnalytics.exe)
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (explorer.exe)
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (spoolsv.exe)
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (svchost.exe)
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (spoolsv.exe)
Drops file in System32 directory (2 IoCs)
Processes: explorer.exe, svchost.exe
- File opened for modification C:\Windows\SysWOW64\explorer.exe (explorer.exe)
- File opened for modification C:\Windows\SysWOW64\explorer.exe (svchost.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
Processes: 586ea3ffbc4520655a6766e81a43db00_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
- PID 4248 586ea3ffbc4520655a6766e81a43db00_NeikiAnalytics.exe
- PID 2364 explorer.exe
- PID 4688 spoolsv.exe
- PID 5072 svchost.exe
- PID 2496 spoolsv.exe
Drops file in Windows directory (4 IoCs)
Processes: 586ea3ffbc4520655a6766e81a43db00_NeikiAnalytics.exe, explorer.exe, spoolsv.exe
- File opened for modification \??\c:\windows\resources\themes\explorer.exe (586ea3ffbc4520655a6766e81a43db00_NeikiAnalytics.exe)
- File opened for modification \??\c:\windows\resources\spoolsv.exe (explorer.exe)
- File opened for modification \??\c:\windows\resources\svchost.exe (spoolsv.exe)
- File opened for modification C:\Windows\Resources\tjud.exe (explorer.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 586ea3ffbc4520655a6766e81a43db00_NeikiAnalytics.exe, explorer.exe
The 64 hits are repeated entries for two processes:
- PID 4248 586ea3ffbc4520655a6766e81a43db00_NeikiAnalytics.exe (repeated)
- PID 2364 explorer.exe (repeated)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes: explorer.exe, svchost.exe
- PID 2364 explorer.exe
- PID 5072 svchost.exe
Suspicious use of SetWindowsHookEx (10 IoCs)
Processes: 586ea3ffbc4520655a6766e81a43db00_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
- PID 4248 586ea3ffbc4520655a6766e81a43db00_NeikiAnalytics.exe (2 entries)
- PID 2364 explorer.exe (2 entries)
- PID 4688 spoolsv.exe (2 entries)
- PID 5072 svchost.exe (2 entries)
- PID 2496 spoolsv.exe (2 entries)
Suspicious use of WriteProcessMemory (12 IoCs)
Processes: 586ea3ffbc4520655a6766e81a43db00_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe
Each parent-to-child write below is recorded three times (12 entries in total):
- PID 4248 (586ea3ffbc4520655a6766e81a43db00_NeikiAnalytics.exe) wrote to memory of PID 2364 (explorer.exe)
- PID 2364 (explorer.exe) wrote to memory of PID 4688 (spoolsv.exe)
- PID 4688 (spoolsv.exe) wrote to memory of PID 5072 (svchost.exe)
- PID 5072 (svchost.exe) wrote to memory of PID 2496 (spoolsv.exe)
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\586ea3ffbc4520655a6766e81a43db00_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\586ea3ffbc4520655a6766e81a43db00_NeikiAnalytics.exe"
PID: 4248
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Depth 2 (child of PID 4248): \??\c:\windows\resources\themes\explorer.exe
Command line: c:\windows\resources\themes\explorer.exe
PID: 2364
- Modifies visibility of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Depth 3 (child of PID 2364): \??\c:\windows\resources\spoolsv.exe
Command line: c:\windows\resources\spoolsv.exe SE
PID: 4688
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Depth 4 (child of PID 4688): \??\c:\windows\resources\svchost.exe
Command line: c:\windows\resources\svchost.exe
PID: 5072
- Modifies visibility of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Depth 5 (child of PID 5072): \??\c:\windows\resources\spoolsv.exe
Command line: c:\windows\resources\spoolsv.exe PR
PID: 2496
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx

Depth 1: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3972 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
PID: 5044
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
- Defense Evasion
  - Hide Artifacts (1)
    - Hidden Files and Directories (1)
  - Modify Registry (2)
  - Virtualization/Sandbox Evasion (1)
Downloads
- C:\Windows\Resources\Themes\explorer.exe
  - Filesize: 2.5MB
  - MD5: 9bf31c6115e14993a99d97869430d6c0
  - SHA1: 6091e8ac59876cbb944f0dcc7413486c446aa88f
  - SHA256: 8802077b51cd6997483b63b551914a542fbb0e6aeeb392cc1ef8616e7d0581c2
  - SHA512: 75c5ee1b5df28afbc60bc78ac16d937a7ba5c2ac26170309995287a8291202e425a9a408201a358d9f6c2243de563b0f70c48f95dd770d38a0350c83498980ee
- C:\Windows\Resources\spoolsv.exe
  - Filesize: 2.5MB
  - MD5: b2a3c424b8060217a8bfce79ad7b38ba
  - SHA1: 0c6792b8871bcde77502c7a499a047828c01d7b0
  - SHA256: 647601314fb5ae592a28106c045916e3c170f7122d3ba3d78da9116d4f4714f3
  - SHA512: 5ad670b24e15c9f22ab8ecbdf919dea24645233db882b7f238defef43d0ff5b96e0cdf9b326c1d59ffe4726234218e059211c553a6de922f33769bfb4094c107
- C:\Windows\Resources\svchost.exe
  - Filesize: 2.5MB
  - MD5: 812b6d9b6a2583a0657ec0cb1bf55d81
  - SHA1: d75b8ba484832bf7e80abbfde48ee3cd11786684
  - SHA256: baa8a26b38e662169b5191458acf37dd5145ac6783ddb930546e22500aafc571
  - SHA512: b0bc833d4dc9c4e4661267c10f0beca4e663233f0293f218d609ae9d8ba1b80887542b9855750ba97b5a4ff204c54a827505778fcf032d6ddfd71b00d558ba81
- Memory dumps (Filesize in parentheses):
  - memory/2364-65-0x0000000000400000-0x0000000000A0E000-memory.dmp (6.1MB)
  - memory/2364-11-0x0000000000400000-0x0000000000A0E000-memory.dmp (6.1MB)
  - memory/2364-44-0x0000000000400000-0x0000000000A0E000-memory.dmp (6.1MB)
  - memory/2364-57-0x0000000000400000-0x0000000000A0E000-memory.dmp (6.1MB)
  - memory/2496-35-0x0000000000400000-0x0000000000A0E000-memory.dmp (6.1MB)
  - memory/2496-39-0x0000000000400000-0x0000000000A0E000-memory.dmp (6.1MB)
  - memory/4248-5-0x0000000000400000-0x0000000000A0E000-memory.dmp (6.1MB)
  - memory/4248-1-0x0000000077A14000-0x0000000077A16000-memory.dmp (8KB)
  - memory/4248-30-0x0000000000400000-0x0000000000A0E000-memory.dmp (6.1MB)
  - memory/4248-0-0x0000000000400000-0x0000000000A0E000-memory.dmp (6.1MB)
  - memory/4248-43-0x0000000000400000-0x0000000000A0E000-memory.dmp (6.1MB)
  - memory/4688-41-0x0000000000400000-0x0000000000A0E000-memory.dmp (6.1MB)
  - memory/4688-20-0x0000000000400000-0x0000000000A0E000-memory.dmp (6.1MB)
  - memory/5072-45-0x0000000000400000-0x0000000000A0E000-memory.dmp (6.1MB)
  - memory/5072-48-0x0000000000400000-0x0000000000A0E000-memory.dmp (6.1MB)
  - memory/5072-29-0x0000000000400000-0x0000000000A0E000-memory.dmp (6.1MB)