Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
23-05-2024 07:08
General
-
Target
53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
-
Size
3.6MB
-
MD5
53380073aa98e7bbbc09ef97cad9f6c0
-
SHA1
a7471cd91ba5f0a35c583c3a37d9537ab4b93d00
-
SHA256
1972669fc9b3fb869e568876786b6ca53727ca66a8e847945025927c1ec8a21e
-
SHA512
d22f4ebf79153c9ed0a55b9f58d7ae929abe6bdf6b5b933b734151e79db2c0aa7966e6de1f7ba06a3c25f3315f311c10519c35b8c8a196a3d93cb5dbd7c6e093
-
SSDEEP
49152:dsgY1bXNn4iM1mo7JFAU9YfLxd4cY1DJmXTHX1bLu1LriJzf64iVDJEh:+gwrNn4Yo7Lefb4cY1DY5bL4Lrc7NaJS
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
-
Checks BIOS information in registry 2 TTPs 15 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 4 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 5 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 5 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
-
Drops file in Windows directory 4 IoCs
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe4⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 07:10 /f5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 07:11 /f5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 07:12 /f5⤵
- Creates scheduled task(s)
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe3⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Pre-OS Boot
1Bootkit
1Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\mntempFilesize
16B
MD554fd8ae71831d9afc54c3b3a9cad01e8
SHA1c8cd04c1fd27990aaaf98c16d28d9fddaa61beb5
SHA256143ac77670384287b780c744a95ce45e95b28747cdc93a75069be8ffb8da2962
SHA512de6fb3af41c9b3831625935c29998f106bd9361edb13a1b9ce02f5295298b17771e9bf01dec7ca749ff00b517de9e6ea77935185c1081a1795cbf0e69af17f40
-
\Windows\Resources\Themes\explorer.exeFilesize
3.6MB
MD54aa6ac66962dcea5da7329818ff338aa
SHA17b95592bc2210f332968c3be8be01f5188bd3167
SHA2563485adc57e84ef336b333960afbf494be48cd17be0fdaf5f9945445e16e6a930
SHA51249e410100778c930d6ccc0ba9adf7c50c76a079831d78ce51840b4b7977024ac1a54569b28b19d9738ccb44624c75ab745bb74cf2451e2a728306172600f922c
-
\Windows\Resources\spoolsv.exeFilesize
3.6MB
MD5895ac32348369aee98cc275c3f74157f
SHA13b207f9c2153683294f11cd89b5bff652e72bae3
SHA2565345af46200a154e7015169cf34fe7b9c144e2544b6e1c0d5fcf94b4153a4e45
SHA51259a314967e0dfd8d692cd4496f239e1b71894781cc3aaddbb3b3e50be9cd2a290382086d6339db3d58ada02274fb6f1ae169bf69ac15e048f6b7a14f62a8fc27
-
\Windows\Resources\svchost.exeFilesize
3.6MB
MD5d4471d458a9079f57b329d67997d2c0c
SHA18488c4510aaa5f6f1d0976b5057f9edbf0c698dd
SHA2569255198fe0626b8eaf63b678831c05231a57b89110ec3866a99c01a4606aa394
SHA5127bab042c40179d92107e5af570d72fc0e5af02736ea8bb5af56b9b08debfeb3dbd30acb61c7be607eb0b321c81546a5399efaffc53c9df299c839ed06dd1819f
-
memory/1400-68-0x0000000000400000-0x0000000000C23000-memory.dmpFilesize
8.1MB
-
memory/1400-55-0x0000000000400000-0x0000000000C23000-memory.dmpFilesize
8.1MB
-
memory/1400-23-0x0000000003950000-0x0000000004173000-memory.dmpFilesize
8.1MB
-
memory/2108-45-0x0000000000400000-0x0000000000C23000-memory.dmpFilesize
8.1MB
-
memory/2108-50-0x0000000000400000-0x0000000000C23000-memory.dmpFilesize
8.1MB
-
memory/2216-35-0x00000000039A0000-0x00000000041C3000-memory.dmpFilesize
8.1MB
-
memory/2216-52-0x0000000000400000-0x0000000000C23000-memory.dmpFilesize
8.1MB
-
memory/2244-0-0x0000000000400000-0x0000000000C23000-memory.dmpFilesize
8.1MB
-
memory/2244-44-0x0000000000400000-0x0000000000C23000-memory.dmpFilesize
8.1MB
-
memory/2244-53-0x0000000000400000-0x0000000000C23000-memory.dmpFilesize
8.1MB
-
memory/2244-54-0x00000000039E0000-0x0000000004203000-memory.dmpFilesize
8.1MB
-
memory/2244-12-0x00000000039E0000-0x0000000004203000-memory.dmpFilesize
8.1MB
-
memory/2244-1-0x00000000770B0000-0x00000000770B2000-memory.dmpFilesize
8KB
-
memory/3028-36-0x0000000000400000-0x0000000000C23000-memory.dmpFilesize
8.1MB
-
memory/3028-43-0x0000000003870000-0x0000000004093000-memory.dmpFilesize
8.1MB
-
memory/3028-57-0x0000000000400000-0x0000000000C23000-memory.dmpFilesize
8.1MB