Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
03/06/2024, 19:19
Behavioral task
behavioral1
Sample
08ff27ba3bb7b28c65f4661ea9ce05d0_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
16 signatures
150 seconds
Behavioral task
behavioral2
Sample
08ff27ba3bb7b28c65f4661ea9ce05d0_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
14 signatures
150 seconds
General
-
Target
08ff27ba3bb7b28c65f4661ea9ce05d0_NeikiAnalytics.exe
-
Size
2.5MB
-
MD5
08ff27ba3bb7b28c65f4661ea9ce05d0
-
SHA1
ec20cee88d0ec442bff83253434f9b021a838193
-
SHA256
e872b18ef5d4fd0313047588df74d230f61ef8306c4418c1baabbb6737c2a991
-
SHA512
881163ce63412f8aef7e73bc04e61651c27647c4fa01447fbab787e024f548e6cf022cb7a663bfe8d8df31468c60470c825f1e87f785cc057262021ba09f1789
-
SSDEEP
49152:MxmvumkQ9lY9sgUXdTPSxdQ8KX75IyuWuCjcCqWOyxE:Mxx9NUFkQx753uWuCyyxE
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ spoolsv.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ svchost.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ spoolsv.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 08ff27ba3bb7b28c65f4661ea9ce05d0_NeikiAnalytics.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorer.exe -
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 08ff27ba3bb7b28c65f4661ea9ce05d0_NeikiAnalytics.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 08ff27ba3bb7b28c65f4661ea9ce05d0_NeikiAnalytics.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion spoolsv.exe -
Executes dropped EXE 4 IoCs
pid Process 2192 explorer.exe 2816 spoolsv.exe 1896 svchost.exe 2756 spoolsv.exe -
Loads dropped DLL 4 IoCs
pid Process 1772 08ff27ba3bb7b28c65f4661ea9ce05d0_NeikiAnalytics.exe 2192 explorer.exe 2816 spoolsv.exe 1896 svchost.exe -
resource yara_rule behavioral1/memory/1772-0-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/files/0x000a000000014a94-7.dat themida behavioral1/memory/2192-11-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/files/0x0009000000014e3d-18.dat themida behavioral1/memory/2192-21-0x0000000003340000-0x000000000394E000-memory.dmp themida behavioral1/memory/2816-23-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/files/0x0008000000014fe1-30.dat themida behavioral1/memory/1896-35-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/1772-41-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/2756-44-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/2756-49-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/2816-51-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/1772-53-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/2192-54-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/2192-55-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/1896-56-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/1896-62-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/2192-67-0x0000000000400000-0x0000000000A0E000-memory.dmp themida -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" explorer.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA spoolsv.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA spoolsv.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 08ff27ba3bb7b28c65f4661ea9ce05d0_NeikiAnalytics.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorer.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\explorer.exe svchost.exe File opened for modification C:\Windows\SysWOW64\explorer.exe explorer.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
pid Process 1772 08ff27ba3bb7b28c65f4661ea9ce05d0_NeikiAnalytics.exe 2192 explorer.exe 2816 spoolsv.exe 1896 svchost.exe 2756 spoolsv.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File opened for modification C:\Windows\Resources\tjud.exe explorer.exe File opened for modification \??\c:\windows\resources\themes\explorer.exe 08ff27ba3bb7b28c65f4661ea9ce05d0_NeikiAnalytics.exe File opened for modification \??\c:\windows\resources\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\resources\svchost.exe spoolsv.exe -
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1064 schtasks.exe 2784 schtasks.exe 2340 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1772 08ff27ba3bb7b28c65f4661ea9ce05d0_NeikiAnalytics.exe 1772 08ff27ba3bb7b28c65f4661ea9ce05d0_NeikiAnalytics.exe 1772 08ff27ba3bb7b28c65f4661ea9ce05d0_NeikiAnalytics.exe 1772 08ff27ba3bb7b28c65f4661ea9ce05d0_NeikiAnalytics.exe 1772 08ff27ba3bb7b28c65f4661ea9ce05d0_NeikiAnalytics.exe 1772 08ff27ba3bb7b28c65f4661ea9ce05d0_NeikiAnalytics.exe 1772 08ff27ba3bb7b28c65f4661ea9ce05d0_NeikiAnalytics.exe 1772 08ff27ba3bb7b28c65f4661ea9ce05d0_NeikiAnalytics.exe 1772 08ff27ba3bb7b28c65f4661ea9ce05d0_NeikiAnalytics.exe 1772 08ff27ba3bb7b28c65f4661ea9ce05d0_NeikiAnalytics.exe 1772 08ff27ba3bb7b28c65f4661ea9ce05d0_NeikiAnalytics.exe 1772 08ff27ba3bb7b28c65f4661ea9ce05d0_NeikiAnalytics.exe 1772 08ff27ba3bb7b28c65f4661ea9ce05d0_NeikiAnalytics.exe 1772 08ff27ba3bb7b28c65f4661ea9ce05d0_NeikiAnalytics.exe 1772 08ff27ba3bb7b28c65f4661ea9ce05d0_NeikiAnalytics.exe 1772 08ff27ba3bb7b28c65f4661ea9ce05d0_NeikiAnalytics.exe 1772 08ff27ba3bb7b28c65f4661ea9ce05d0_NeikiAnalytics.exe 2192 explorer.exe 2192 explorer.exe 2192 explorer.exe 2192 explorer.exe 2192 explorer.exe 2192 explorer.exe 2192 explorer.exe 2192 explorer.exe 2192 explorer.exe 2192 explorer.exe 2192 explorer.exe 2192 explorer.exe 2192 explorer.exe 2192 explorer.exe 2192 explorer.exe 2192 explorer.exe 1896 svchost.exe 1896 svchost.exe 1896 svchost.exe 1896 svchost.exe 1896 svchost.exe 1896 svchost.exe 1896 svchost.exe 1896 svchost.exe 1896 svchost.exe 1896 svchost.exe 1896 svchost.exe 1896 svchost.exe 1896 svchost.exe 1896 svchost.exe 1896 svchost.exe 1896 svchost.exe 2192 explorer.exe 2192 explorer.exe 2192 explorer.exe 2192 explorer.exe 2192 explorer.exe 1896 svchost.exe 1896 svchost.exe 2192 explorer.exe 1896 svchost.exe 2192 explorer.exe 1896 svchost.exe 2192 explorer.exe 1896 svchost.exe 2192 explorer.exe 1896 svchost.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 2192 explorer.exe 1896 svchost.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process 1772 08ff27ba3bb7b28c65f4661ea9ce05d0_NeikiAnalytics.exe 1772 08ff27ba3bb7b28c65f4661ea9ce05d0_NeikiAnalytics.exe 2192 explorer.exe 2192 explorer.exe 2816 spoolsv.exe 2816 spoolsv.exe 1896 svchost.exe 1896 svchost.exe 2756 spoolsv.exe 2756 spoolsv.exe -
Suspicious use of WriteProcessMemory 32 IoCs
description pid Process procid_target PID 1772 wrote to memory of 2192 1772 08ff27ba3bb7b28c65f4661ea9ce05d0_NeikiAnalytics.exe 28 PID 1772 wrote to memory of 2192 1772 08ff27ba3bb7b28c65f4661ea9ce05d0_NeikiAnalytics.exe 28 PID 1772 wrote to memory of 2192 1772 08ff27ba3bb7b28c65f4661ea9ce05d0_NeikiAnalytics.exe 28 PID 1772 wrote to memory of 2192 1772 08ff27ba3bb7b28c65f4661ea9ce05d0_NeikiAnalytics.exe 28 PID 2192 wrote to memory of 2816 2192 explorer.exe 29 PID 2192 wrote to memory of 2816 2192 explorer.exe 29 PID 2192 wrote to memory of 2816 2192 explorer.exe 29 PID 2192 wrote to memory of 2816 2192 explorer.exe 29 PID 2816 wrote to memory of 1896 2816 spoolsv.exe 30 PID 2816 wrote to memory of 1896 2816 spoolsv.exe 30 PID 2816 wrote to memory of 1896 2816 spoolsv.exe 30 PID 2816 wrote to memory of 1896 2816 spoolsv.exe 30 PID 1896 wrote to memory of 2756 1896 svchost.exe 31 PID 1896 wrote to memory of 2756 1896 svchost.exe 31 PID 1896 wrote to memory of 2756 1896 svchost.exe 31 PID 1896 wrote to memory of 2756 1896 svchost.exe 31 PID 2192 wrote to memory of 2588 2192 explorer.exe 32 PID 2192 wrote to memory of 2588 2192 explorer.exe 32 PID 2192 wrote to memory of 2588 2192 explorer.exe 32 PID 2192 wrote to memory of 2588 2192 explorer.exe 32 PID 1896 wrote to memory of 2784 1896 svchost.exe 33 PID 1896 wrote to memory of 2784 1896 svchost.exe 33 PID 1896 wrote to memory of 2784 1896 svchost.exe 33 PID 1896 wrote to memory of 2784 1896 svchost.exe 33 PID 1896 wrote to memory of 2340 1896 svchost.exe 38 PID 1896 wrote to memory of 2340 1896 svchost.exe 38 PID 1896 wrote to memory of 2340 1896 svchost.exe 38 PID 1896 wrote to memory of 2340 1896 svchost.exe 38 PID 1896 wrote to memory of 1064 1896 svchost.exe 40 PID 1896 wrote to memory of 1064 1896 svchost.exe 40 PID 1896 wrote to memory of 1064 1896 svchost.exe 40 PID 1896 wrote to memory of 1064 1896 svchost.exe 40
Processes
-
C:\Users\Admin\AppData\Local\Temp\08ff27ba3bb7b28c65f4661ea9ce05d0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\08ff27ba3bb7b28c65f4661ea9ce05d0_NeikiAnalytics.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1772 -
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2192 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe4⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1896 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2756
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:21 /f5⤵
- Creates scheduled task(s)
PID:2784
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:22 /f5⤵
- Creates scheduled task(s)
PID:2340
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:23 /f5⤵
- Creates scheduled task(s)
PID:1064
-
-
-
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe3⤵PID:2588
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.5MB
MD5f920f9922b3d3cc696ee500ad3395dbc
SHA18e96e3363992b5e5f8a16db42daf74001ef338d6
SHA256a971ed450331556b1c7d9a9bab14a7bb76545c72e2d023313c45e2355440e624
SHA5124fd13941962ce76e6f09599516b4e6233fd43bf3468e0a790ba8dd0d2a5320a11de7f05d889b2688857421607d5de91fd79304b6f3595c26fc3c28930abf9a0f
-
Filesize
2.5MB
MD5908685f18f958357da696e9f3f65cf6c
SHA1a86ab444092832dc8ff2966f6037cd97426d5567
SHA2566d5c90f75569c5215f85ca55b053c7e2bf25135249b411c539fac77736e3c5f8
SHA512ce51f2b3f2519c078d433a7c2032cf48ae164236435b5551f558a89a26faef7e96309995b65c2d6896d50bb83a7ffd1a26f77624f560f2bfa18f92308fced6c3
-
Filesize
2.5MB
MD58c2695aaae46d1894771a95fafd3f27b
SHA19e7fbb156ad4bcb1fdd23ada6c58dc217da4cdc3
SHA256e953b582feea6986cf9bcfe86853e4f2b201da9a5041120040efe061db24b8f6
SHA5121a3f2fd010bbf2e1fbfb8b6ca2bd392539bafbc9ff1b53c1b1cc56cd9e402bfce8cab8cc34e824d0600b8116957fe99660ded9c8cec476deaa6ec9fd9d057c78