Analysis
- max time kernel: 140s
- max time network: 106s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-05-2024 06:40
Behavioral task: behavioral1
- Sample: 191a74129466d6d03bb9a7feb552cd40_NeikiAnalytics.dll
- Resource: win7-20240221-en
General
- Target: 191a74129466d6d03bb9a7feb552cd40_NeikiAnalytics.dll
- Size: 3.4MB
- MD5: 191a74129466d6d03bb9a7feb552cd40
- SHA1: 04297292aafeea03b067b1545502f1965d73e379
- SHA256: 5fcb6d4d6e1bcf1ac788eda74429912dbd94d544fecbd239873d45f3cf95dd28
- SHA512: d5741842b5f5f2844e86a28e990fc1912acca3e04100b2c0c88931a7c0a85a5edf47c02cf481937aa37eea599941a642cc938b4bf4654cffc2a4d712de2aaf19
- SSDEEP: 49152:A5iyZnFmglolcjQ2CLIUFwMrLWkhLjxAN4YfOPCeHuyutAWSEafHO4tsBQPywe/6:A1lBULFLWkhpAN4XPHdWFavbswnx9
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
  Processes:
    description    ioc                                           process
    Key opened     \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__    rundll32.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description         ioc                                                               process
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   rundll32.exe
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    rundll32.exe
- Processes (YARA rule matches):
    resource                                                                        yara_rule
    behavioral2/memory/4056-0-0x00000000744C0000-0x0000000074D37000-memory.dmp     themida
    behavioral2/memory/4056-2-0x00000000744C0000-0x0000000074D37000-memory.dmp     themida
    behavioral2/memory/4056-4-0x00000000744C0000-0x0000000074D37000-memory.dmp     themida
    behavioral2/memory/4056-8-0x00000000744C0000-0x0000000074D37000-memory.dmp     themida
    behavioral2/memory/4056-7-0x00000000744C0000-0x0000000074D37000-memory.dmp     themida
    behavioral2/memory/4056-6-0x00000000744C0000-0x0000000074D37000-memory.dmp     themida
    behavioral2/memory/4056-3-0x00000000744C0000-0x0000000074D37000-memory.dmp     themida
    behavioral2/memory/4056-5-0x00000000744C0000-0x0000000074D37000-memory.dmp     themida
    behavioral2/memory/4056-9-0x00000000744C0000-0x0000000074D37000-memory.dmp     themida
    behavioral2/memory/4056-10-0x00000000744C0000-0x0000000074D37000-memory.dmp    themida
- Checks whether UAC is enabled
  Processes:
    description         ioc                                                                          process
    Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   rundll32.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  Processes:
    pid    process
    4056   rundll32.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid    process
    4056   rundll32.exe
    4056   rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                   pid    process        target process
    PID 1420 wrote to memory of 4056   1420   rundll32.exe   rundll32.exe
    PID 1420 wrote to memory of 4056   1420   rundll32.exe   rundll32.exe
    PID 1420 wrote to memory of 4056   1420   rundll32.exe   rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 1420)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\191a74129466d6d03bb9a7feb552cd40_NeikiAnalytics.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 4056, child of 1420)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\191a74129466d6d03bb9a7feb552cd40_NeikiAnalytics.dll,#1
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- memory/4056-0-0x00000000744C0000-0x0000000074D37000-memory.dmp (Filesize: 8.5MB)
- memory/4056-1-0x00000000772D4000-0x00000000772D6000-memory.dmp (Filesize: 8KB)
- memory/4056-2-0x00000000744C0000-0x0000000074D37000-memory.dmp (Filesize: 8.5MB)
- memory/4056-4-0x00000000744C0000-0x0000000074D37000-memory.dmp (Filesize: 8.5MB)
- memory/4056-8-0x00000000744C0000-0x0000000074D37000-memory.dmp (Filesize: 8.5MB)
- memory/4056-7-0x00000000744C0000-0x0000000074D37000-memory.dmp (Filesize: 8.5MB)
- memory/4056-6-0x00000000744C0000-0x0000000074D37000-memory.dmp (Filesize: 8.5MB)
- memory/4056-3-0x00000000744C0000-0x0000000074D37000-memory.dmp (Filesize: 8.5MB)
- memory/4056-5-0x00000000744C0000-0x0000000074D37000-memory.dmp (Filesize: 8.5MB)
- memory/4056-9-0x00000000744C0000-0x0000000074D37000-memory.dmp (Filesize: 8.5MB)
- memory/4056-10-0x00000000744C0000-0x0000000074D37000-memory.dmp (Filesize: 8.5MB)