General

  • Target

    5ede7f188f5353878c0e62808ce3e770_NeikiAnalytics.exe

  • Size

    7.0MB

  • Sample

    240523-afp8paed42

  • MD5

    5ede7f188f5353878c0e62808ce3e770

  • SHA1

    45304918cd64e289cdfbf9639f75d727e11f7762

  • SHA256

    53b234f3e654f6f92e483116e611983d854fe9ea80e2ffe33ca78969a15c2b9e

  • SHA512

    48bcbef48b95b920cf6723b623fd7de1ef9e5929577a67dc6d00906d793015bc954a88655cb0dc4e72d3f43663ec9ee8e0152f23a58def8c68827d4e4783f505

  • SSDEEP

    98304:D0VImDH9VZ9LiH/aU0qblzBjnaZxUdtnWupousn:DADDp9L5QzBjnJdNlpPsn

Targets

    • Target

      5ede7f188f5353878c0e62808ce3e770_NeikiAnalytics.exe

    • Modifies firewall policy service

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger
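
The three host-fingerprinting signatures above (VirtualBox ACPI registry values, BIOS information in the registry, UAC check) all come down to reading a handful of registry locations and string-matching the results. The following is an added example, not code from the report or from the sample: it lists the registry paths public anti-VM code commonly reads and scans a registry snapshot for the same markers. The report does not say which values this sample read, so the key list and the marker strings are assumptions; the two snapshot dicts are constructed so the scan runs offline (on a live Windows host the same paths would be read with winreg).

```python
# Added example for the VirtualBox ACPI, BIOS-information and UAC signatures.
# Key list and markers are assumptions based on public anti-VM checks, not on
# the sample's actual reads. Snapshots are constructed, not captured.
from typing import Dict, Iterable, List, Union

RegValue = Union[str, int, Iterable[str]]

# Values under HKLM\HARDWARE\DESCRIPTION\System that embed the BIOS vendor
# strings a hypervisor exposes (REG_MULTI_SZ on a real system).
BIOS_VALUES = (
    r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion",
    r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosDate",
)

# ACPI table keys whose subkey names carry the firmware OEM ID; VirtualBox
# reports "VBOX__" here.
ACPI_KEYS = (
    r"HKLM\HARDWARE\ACPI\DSDT",
    r"HKLM\HARDWARE\ACPI\FADT",
    r"HKLM\HARDWARE\ACPI\RSDT",
)

# DWORD 1 when UAC is enabled.
UAC_VALUE = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"

# Case-insensitive markers that common anti-VM checks search for.
VM_MARKERS = ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "BOCHS", "XEN")


def _leaf(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def _as_text(value: RegValue) -> str:
    if isinstance(value, (str, int)):
        return str(value)
    return " ".join(str(v) for v in value)


def scan_registry_snapshot(snapshot: Dict[str, RegValue]) -> List[str]:
    """Return findings in the order the checks run: BIOS values, ACPI tables, UAC.

    Each finding is "kind:location:detail", e.g. "acpi:DSDT:VBOX__".
    """
    findings: List[str] = []
    for path in BIOS_VALUES:
        if path not in snapshot:
            continue
        text = _as_text(snapshot[path]).upper()
        hits = [m for m in VM_MARKERS if m in text]
        if hits:
            findings.append(f"bios:{_leaf(path)}:{','.join(hits)}")
    for path in ACPI_KEYS:
        for subkey in snapshot.get(path, ()):
            if any(m in str(subkey).upper() for m in VM_MARKERS):
                findings.append(f"acpi:{_leaf(path)}:{subkey}")
    if UAC_VALUE in snapshot:
        enabled = int(snapshot[UAC_VALUE]) == 1
        findings.append("uac:EnableLUA:" + ("enabled" if enabled else "disabled"))
    return findings


def looks_like_vm(findings: Iterable[str]) -> bool:
    """True if any BIOS or ACPI marker was found; UAC state alone is not a VM signal."""
    return any(f.startswith(("bios:", "acpi:")) for f in findings)


# Constructed snapshot resembling a stock VirtualBox guest.
VBOX_SNAPSHOT: Dict[str, RegValue] = {
    BIOS_VALUES[0]: ["VBOX   - 1"],
    BIOS_VALUES[1]: ["Oracle VM VirtualBox VBE BIOS"],
    BIOS_VALUES[2]: "12/01/06",
    ACPI_KEYS[0]: ["VBOX__"],
    ACPI_KEYS[1]: ["VBOX__"],
    ACPI_KEYS[2]: ["VBOX__"],
    UAC_VALUE: 1,
}

# Constructed snapshot for a guest whose firmware strings were replaced with
# vendor-looking ones, which is what a hardened sandbox presents.
HARDENED_SNAPSHOT: Dict[str, RegValue] = {
    BIOS_VALUES[0]: ["DELL   - 1072009"],
    BIOS_VALUES[1]: ["Intel Video BIOS"],
    BIOS_VALUES[2]: "03/14/19",
    ACPI_KEYS[0]: ["DELL__"],
    ACPI_KEYS[1]: ["DELL__"],
    ACPI_KEYS[2]: ["DELL__"],
    UAC_VALUE: 1,
}

if __name__ == "__main__":
    for name, snap in (("virtualbox", VBOX_SNAPSHOT), ("hardened", HARDENED_SNAPSHOT)):
        found = scan_registry_snapshot(snap)
        print(name, "vm=" + str(looks_like_vm(found)), found)
```

The same path list is what a sandbox operator needs to spoof: if the OEM ID subkeys and the BIOS version strings carry vendor-looking values, this class of check passes and the sample proceeds to the behaviour the rest of the report records. The UAC value is kept separate because it is a privilege check, not a VM indicator, even though loaders typically read it in the same pass.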

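Two of the runtime signatures above, "Suspicious use of NtSetInformationThreadHideFromDebugger" and "Looks up external IP address via web service", are produced by matching an API and network trace rather than the file itself. The following is an added example, not the sandbox's own detection code: it applies both checks over trace records. The record format and the trace lines are constructed for the example, and the list of IP-lookup hosts is an assumption, since the report does not name the service this sample queried.

```python
# Added example for the ThreadHideFromDebugger and external-IP-lookup
# signatures. Trace format, trace lines and the IP-lookup host list are
# constructed/assumed, not taken from this sample's real trace.
import json
from typing import Dict, Iterable, List, Tuple
from urllib.parse import urlsplit

# THREADINFOCLASS value for ThreadHideFromDebugger; a thread with this set stops
# delivering debug events, which is why the call is flagged on its own.
THREAD_HIDE_FROM_DEBUGGER = 0x11

# Public "what is my IP" endpoints commonly seen in loader traffic (assumed list).
IP_LOOKUP_HOSTS = {
    "api.ipify.org", "ipify.org", "ipinfo.io", "ip-api.com",
    "icanhazip.com", "ifconfig.me", "checkip.amazonaws.com",
}

SIG_HIDE = "Suspicious use of NtSetInformationThreadHideFromDebugger"
SIG_IPLOOKUP = "Looks up external IP address via web service"


def _host_of(event: dict) -> str:
    """Host for a dns/connect/http record; http records carry a full URL."""
    name = event.get("name", "")
    if event.get("event") == "http":
        return (urlsplit(name).hostname or "").lower()
    return name.split(":", 1)[0].lower()


def triage_trace(lines: Iterable[str]) -> Dict[str, List]:
    """Return de-duplicated hits keyed by signature name."""
    hide: List[int] = []
    lookups: List[Tuple[int, str]] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        pid = int(ev["pid"])
        kind = ev.get("event")
        if kind == "api" and ev.get("name") == "NtSetInformationThread":
            cls = int(ev.get("args", {}).get("ThreadInformationClass", -1))
            if cls == THREAD_HIDE_FROM_DEBUGGER and pid not in hide:
                hide.append(pid)
        elif kind in ("dns", "connect", "http"):
            host = _host_of(ev)
            if host in IP_LOOKUP_HOSTS and (pid, host) not in lookups:
                lookups.append((pid, host))
    return {SIG_HIDE: hide, SIG_IPLOOKUP: lookups}


def matched_signatures(hits: Dict[str, List]) -> List[str]:
    """Signature names that have at least one hit."""
    return [name for name, found in hits.items() if found]


# Constructed trace: one process hides a thread from the debugger and resolves
# an IP-lookup service; a second process only talks to an unrelated host.
# 203.0.113.10 is a TEST-NET address, not a real endpoint.
SAMPLE_TRACE = [
    '{"pid": 4120, "event": "api", "name": "NtSetInformationThread", "args": {"ThreadInformationClass": 17}}',
    '{"pid": 4120, "event": "api", "name": "NtSetInformationThread", "args": {"ThreadInformationClass": 2}}',
    '{"pid": 4120, "event": "dns", "name": "api.ipify.org"}',
    '{"pid": 4120, "event": "connect", "name": "203.0.113.10:443"}',
    '{"pid": 4120, "event": "http", "name": "https://api.ipify.org/?format=json"}',
    '{"pid": 5208, "event": "dns", "name": "www.microsoft.com"}',
]

if __name__ == "__main__":
    hits = triage_trace(SAMPLE_TRACE)
    for sig in matched_signatures(hits):
        print(sig, "->", hits[sig])
```

The hide-from-debugger check keys on the information class, not on the API name alone, because NtSetInformationThread is also used for benign purposes such as priority changes (the second record in the constructed trace). The IP-lookup check de-duplicates on (pid, host) so that a DNS query and the HTTP request that follows it count as one hit.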
MITRE ATT&CK Matrix ATT&CK v13

  Tactic                Technique                           ID          Count
  Persistence           Create or Modify System Process     T1543       1
                          Windows Service                   T1543.003   1
  Privilege Escalation  Create or Modify System Process     T1543       1
                          Windows Service                   T1543.003   1
  Defense Evasion       Modify Registry                     T1112       2
                        Virtualization/Sandbox Evasion      T1497       1
                        Subvert Trust Controls              T1553       1
                          Install Root Certificate          T1553.004   1
  Discovery             Query Registry                      T1012       2
                        Virtualization/Sandbox Evasion      T1497       1
                        System Information Discovery        T1082       2
