1972669fc9b3fb869e568876786b6ca53727ca66a8e847945025927c1ec8a21e

General

Target

53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
Size

3.6MB
MD5

53380073aa98e7bbbc09ef97cad9f6c0
SHA1

a7471cd91ba5f0a35c583c3a37d9537ab4b93d00
SHA256

1972669fc9b3fb869e568876786b6ca53727ca66a8e847945025927c1ec8a21e
SHA512

d22f4ebf79153c9ed0a55b9f58d7ae929abe6bdf6b5b933b734151e79db2c0aa7966e6de1f7ba06a3c25f3315f311c10519c35b8c8a196a3d93cb5dbd7c6e093
SSDEEP

49152:dsgY1bXNn4iM1mo7JFAU9YfLxd4cY1DJmXTHX1bLu1LriJzf64iVDJEh:+gwrNn4Yo7Lefb4cY1DY5bL4Lrc7NaJS

Score

10^/10

bootkit evasion persistence trojan

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

svchost.exespoolsv.exe53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exeexplorer.exespoolsv.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe

Checks BIOS information in registry 2 TTPs 15 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

spoolsv.exe53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	explorer.exe

Executes dropped EXE 4 IoCs

Processes:

explorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

880 explorer.exe
3916 spoolsv.exe
2524 svchost.exe
4956 spoolsv.exe

pid	process
880	explorer.exe
3916	spoolsv.exe
2524	svchost.exe
4956	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe

Writes to the Master Boot Record (MBR) 1 TTPs 5 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
File opened for modification	\??\PhysicalDrive0	explorer.exe
File opened for modification	\??\PhysicalDrive0	spoolsv.exe
File opened for modification	\??\PhysicalDrive0	svchost.exe
File opened for modification	\??\PhysicalDrive0	spoolsv.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

1728 53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
880 explorer.exe
3916 spoolsv.exe
2524 svchost.exe
4956 spoolsv.exe

Drops file in Windows directory 4 IoCs

Processes:

explorer.exe53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exeexplorer.exe

pid	process
1728	53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
1728	53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
1728	53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
1728	53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
1728	53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
1728	53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
1728	53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
1728	53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
1728	53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
1728	53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
1728	53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
1728	53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
1728	53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
1728	53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
1728	53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
1728	53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
1728	53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
1728	53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
1728	53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
1728	53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
1728	53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
1728	53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
1728	53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
1728	53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
1728	53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
1728	53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
1728	53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
1728	53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
1728	53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
1728	53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
1728	53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
1728	53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
1728	53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
1728	53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
1728	53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
1728	53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

880 explorer.exe
2524 svchost.exe

pid	process
880	explorer.exe
2524	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
1728	53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
1728	53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
880	explorer.exe
880	explorer.exe
3916	spoolsv.exe
3916	spoolsv.exe
2524	svchost.exe
2524	svchost.exe
4956	spoolsv.exe
4956	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 1728 wrote to memory of 880	1728	53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe	explorer.exe
PID 1728 wrote to memory of 880	1728	53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe	explorer.exe
PID 1728 wrote to memory of 880	1728	53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe	explorer.exe
PID 880 wrote to memory of 3916	880	explorer.exe	spoolsv.exe
PID 880 wrote to memory of 3916	880	explorer.exe	spoolsv.exe
PID 880 wrote to memory of 3916	880	explorer.exe	spoolsv.exe
PID 3916 wrote to memory of 2524	3916	spoolsv.exe	svchost.exe
PID 3916 wrote to memory of 2524	3916	spoolsv.exe	svchost.exe
PID 3916 wrote to memory of 2524	3916	spoolsv.exe	svchost.exe
PID 2524 wrote to memory of 4956	2524	svchost.exe	spoolsv.exe
PID 2524 wrote to memory of 4956	2524	svchost.exe	spoolsv.exe
PID 2524 wrote to memory of 4956	2524	svchost.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\53380073aa98e7bbbc09ef97cad9f6c0_NeikiAnalytics.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1728

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:880

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3916

\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
4⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2524

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:4956

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Modify Registry

2

T1112

Virtualization/Sandbox Evasion

1

T1497

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mntemp
Filesize
16B

MD5
54fd8ae71831d9afc54c3b3a9cad01e8

SHA1
c8cd04c1fd27990aaaf98c16d28d9fddaa61beb5

SHA256
143ac77670384287b780c744a95ce45e95b28747cdc93a75069be8ffb8da2962

SHA512
de6fb3af41c9b3831625935c29998f106bd9361edb13a1b9ce02f5295298b17771e9bf01dec7ca749ff00b517de9e6ea77935185c1081a1795cbf0e69af17f40

Download Submit
C:\Windows\Resources\Themes\explorer.exe
Filesize
3.6MB

MD5
eb3e4e6b46514597797ae002336092f1

SHA1
1147dd9f8a688cb476036006fc8e37059635c6b8

SHA256
e205e9a9a50e3968823c2c937e6c67b933cd142ed12c77039325913efdd0c66b

SHA512
d6fb8e724cca088071c775626f942acc86e3f5c07ec4316074cc4b053b458103f634c1219de2e709c247b088140f8777f83a015db18301f313017ed2f9ab4ce7

Download Submit
C:\Windows\Resources\spoolsv.exe
Filesize
3.6MB

MD5
bf1652fb65cae0f7b3fac0ffa74e9659

SHA1
118743639748c7e50c3b9268b063a01ed9e248d9

SHA256
212ea8151c8a6d0f5eea6ca7cdfffd132766fa194e7597e361d8dc4c65619ad4

SHA512
6d425c53c4992aa4998865d7874aa6854ec6161c7fc6f33510df247e3f5dd9bde1850849b3c8555f925da23f76d4448ca1442934635ce04a2c73d7e308cd71ca

Download Submit
C:\Windows\Resources\svchost.exe
Filesize
3.6MB

MD5
4a91bc0dfd39beca8b101deaf1f2071d

SHA1
34ed107d2607cf069076fc5038cea5f8313ff2fb

SHA256
5dcb1c637ed672773e73946d8a74d6ea690a35471bd34b0794b3cc54f9e7cca5

SHA512
be5587961a8be71e2f4f2940a7326ed255fe9f205096540395c17822222fa7ef000523cbf9d4b0e2ca3230402267b2d14ccc5c78b2e90d7ba981aea630b30d3c

Download Submit
memory/880-11-0x0000000000400000-0x0000000000C23000-memory.dmp

Filesize
8.1MB

Download
memory/880-57-0x0000000000400000-0x0000000000C23000-memory.dmp

Filesize
8.1MB

Download
memory/880-45-0x0000000000400000-0x0000000000C23000-memory.dmp

Filesize
8.1MB

Download
memory/1728-44-0x0000000000400000-0x0000000000C23000-memory.dmp

Filesize
8.1MB

Download
memory/1728-1-0x00000000772B4000-0x00000000772B6000-memory.dmp

Filesize
8KB

Download
memory/1728-0-0x0000000000400000-0x0000000000C23000-memory.dmp

Filesize
8.1MB

Download
memory/2524-30-0x0000000000400000-0x0000000000C23000-memory.dmp

Filesize
8.1MB

Download
memory/2524-46-0x0000000000400000-0x0000000000C23000-memory.dmp

Filesize
8.1MB

Download
memory/3916-43-0x0000000000400000-0x0000000000C23000-memory.dmp

Filesize
8.1MB

Download
memory/3916-21-0x0000000000400000-0x0000000000C23000-memory.dmp

Filesize
8.1MB

Download
memory/4956-40-0x0000000000400000-0x0000000000C23000-memory.dmp

Filesize
8.1MB

Download
memory/4956-35-0x0000000000400000-0x0000000000C23000-memory.dmp

Filesize
8.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads