Malware Analysis Report

2024-10-16 07:01

Sample ID 240609-f16daseb3y
Target 10d1c4883ccc8186cf3a868b3eab2340_NeikiAnalytics.exe
SHA256 0c0245cc8321bea32eeec4dea5505bc5dcd4579297f95d40dfe86e7811de4538
Tags
themida evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score 10/10

SHA256 0c0245cc8321bea32eeec4dea5505bc5dcd4579297f95d40dfe86e7811de4538

Threat Level: Known bad

The file 10d1c4883ccc8186cf3a868b3eab2340_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

themida evasion persistence trojan

Modifies visibility of hidden/system files in Explorer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Loads dropped DLL

Checks BIOS information in registry

Executes dropped EXE

Themida packer

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-09 05:21

Signatures

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-09 05:21
Reported: 2024-06-09 05:24
Platform: win7-20240508-en
Max time kernel: 150s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\10d1c4883ccc8186cf3a868b3eab2340_NeikiAnalytics.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\themes\explorer.exe | N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10d1c4883ccc8186cf3a868b3eab2340_NeikiAnalytics.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | \??\c:\windows\resources\themes\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | \??\c:\windows\resources\spoolsv.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | \??\c:\windows\resources\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | \??\c:\windows\resources\spoolsv.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | \??\c:\windows\resources\spoolsv.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | \??\c:\windows\resources\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | \??\c:\windows\resources\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10d1c4883ccc8186cf3a868b3eab2340_NeikiAnalytics.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | \??\c:\windows\resources\themes\explorer.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | \??\c:\windows\resources\spoolsv.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | \??\c:\windows\resources\spoolsv.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | \??\c:\windows\resources\spoolsv.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10d1c4883ccc8186cf3a868b3eab2340_NeikiAnalytics.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | \??\c:\windows\resources\themes\explorer.exe | N/A

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\10d1c4883ccc8186cf3a868b3eab2340_NeikiAnalytics.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | \??\c:\windows\resources\themes\explorer.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | \??\c:\windows\resources\spoolsv.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | \??\c:\windows\resources\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | \??\c:\windows\resources\spoolsv.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\svchost.exe | N/A
File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\themes\explorer.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Resources\tjud.exe | \??\c:\windows\resources\themes\explorer.exe | N/A
File opened for modification | \??\c:\windows\resources\themes\explorer.exe | C:\Users\Admin\AppData\Local\Temp\10d1c4883ccc8186cf3a868b3eab2340_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\themes\explorer.exe | N/A
File opened for modification | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10d1c4883ccc8186cf3a868b3eab2340_NeikiAnalytics.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2428 wrote to memory of 2080 | N/A | C:\Users\Admin\AppData\Local\Temp\10d1c4883ccc8186cf3a868b3eab2340_NeikiAnalytics.exe | \??\c:\windows\resources\themes\explorer.exe
PID 2080 wrote to memory of 2448 | N/A | \??\c:\windows\resources\themes\explorer.exe | \??\c:\windows\resources\spoolsv.exe
PID 2448 wrote to memory of 2360 | N/A | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\svchost.exe
PID 2360 wrote to memory of 2664 | N/A | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe
PID 2080 wrote to memory of 2644 | N/A | \??\c:\windows\resources\themes\explorer.exe | C:\Windows\Explorer.exe
PID 2360 wrote to memory of 2676 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2360 wrote to memory of 1568 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2360 wrote to memory of 2312 | N/A | \??\c:\windows\resources\svchost.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\10d1c4883ccc8186cf3a868b3eab2340_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\10d1c4883ccc8186cf3a868b3eab2340_NeikiAnalytics.exe"

\??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe
    c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:23 /f

C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:24 /f

C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:25 /f

Network

N/A

Files

\Windows\Resources\Themes\explorer.exe

MD5 be9472b2a28c362e6649f79eda49c157
SHA1 dd646c572bc170da250a08892c32ed0934aa4d51
SHA256 0f3299572a38c10d501936f095da18b2fc6d668729b0a3dddd01fef068e22e41
SHA512 f1b0192f0dea2305b70570c0a4c6f9f09aad145e5c5545580c5fdc9d7492ee115ed797b1a3d0908ab2c5a6a50f2bddb5082090a5adc44c5d8e567fcc1b57e717

\Windows\Resources\spoolsv.exe

MD5 f07a5b5af505ac08d979e048fba849e1
SHA1 07d0d4b09e1054022e16881f9172fe670e3e4b45
SHA256 0017c0e4f0f80cc65db0fc7ffbb9a9795162e56bf229e88f7a742167dbb1c197
SHA512 0e21f09df509aea3927c665a945f29d772c18eb1c10ba1276b3ee3af65bc898605e8e314b5b4c04253e12bb0c2df3959e665cf9887b18c20b0c0871aa81ab797

\Windows\Resources\svchost.exe

MD5 44ee2b9801d077645292d930f48844ab
SHA1 7151571ab0aa7d4abffe27123d2e17e59f5c76b1
SHA256 e4f43c2ef5c746f419f6c22dff41bdeae2f948a3b7d48a0b3aefebd19a9ce783
SHA512 329ad864f41ceecd91f0d59b9596f93d6ad8f927d6f69ffd449ced04b85bfae924da5e9cd392f120a67d792cc7157f75d9ec779f7e2fcb9313438d3f3eac95de

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-09 05:21
Reported: 2024-06-09 05:24
Platform: win10v2004-20240426-en
Max time kernel: 150s
Max time network: 95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\10d1c4883ccc8186cf3a868b3eab2340_NeikiAnalytics.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\themes\explorer.exe | N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | \??\c:\windows\resources\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | \??\c:\windows\resources\spoolsv.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10d1c4883ccc8186cf3a868b3eab2340_NeikiAnalytics.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | \??\c:\windows\resources\themes\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | \??\c:\windows\resources\spoolsv.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10d1c4883ccc8186cf3a868b3eab2340_NeikiAnalytics.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | \??\c:\windows\resources\themes\explorer.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | \??\c:\windows\resources\spoolsv.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | \??\c:\windows\resources\spoolsv.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | \??\c:\windows\resources\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | \??\c:\windows\resources\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | \??\c:\windows\resources\spoolsv.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10d1c4883ccc8186cf3a868b3eab2340_NeikiAnalytics.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | \??\c:\windows\resources\themes\explorer.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | \??\c:\windows\resources\spoolsv.exe | N/A

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\svchost.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | \??\c:\windows\resources\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | \??\c:\windows\resources\spoolsv.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\10d1c4883ccc8186cf3a868b3eab2340_NeikiAnalytics.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | \??\c:\windows\resources\themes\explorer.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | \??\c:\windows\resources\spoolsv.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\themes\explorer.exe | N/A
File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe | N/A
File opened for modification | C:\Windows\Resources\tjud.exe | \??\c:\windows\resources\themes\explorer.exe | N/A
File opened for modification | \??\c:\windows\resources\themes\explorer.exe | C:\Users\Admin\AppData\Local\Temp\10d1c4883ccc8186cf3a868b3eab2340_NeikiAnalytics.exe | N/A
File opened for modification | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\themes\explorer.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10d1c4883ccc8186cf3a868b3eab2340_NeikiAnalytics.exe | N/A
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A
N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4588 wrote to memory of 3672 | N/A | C:\Users\Admin\AppData\Local\Temp\10d1c4883ccc8186cf3a868b3eab2340_NeikiAnalytics.exe | \??\c:\windows\resources\themes\explorer.exe
PID 3672 wrote to memory of 4580 | N/A | \??\c:\windows\resources\themes\explorer.exe | \??\c:\windows\resources\spoolsv.exe
PID 4580 wrote to memory of 3668 | N/A | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\svchost.exe
PID 3668 wrote to memory of 652 | N/A | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\10d1c4883ccc8186cf3a868b3eab2340_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\10d1c4883ccc8186cf3a868b3eab2340_NeikiAnalytics.exe"

\??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe
    c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe PR

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp

Files

C:\Windows\Resources\Themes\explorer.exe

MD5 3cb6000a2a84f6f1b552045328bd5b9a
SHA1 abc59cbc4ea818baa9eade62aeaa84204930e78c
SHA256 0169ead7985beba52c169ceaca6aa7721b19575c3037664c8be9760ab5e729e5
SHA512 cc7f3299ec118ce2aa3c0792f4e300a9729bac8b316eec2d951479481b4b0680ec7440a4bffddaa8bb0874fea72e9d0cd9c8b8f5eb0621e8063dda2288736a23

C:\Windows\Resources\spoolsv.exe

MD5 88267e7abb7c92ba34b69d1fa8ed1d9a
SHA1 e0f5f70f64e23f303d809ac2f478b2de3421445c
SHA256 2846d97dba5f1362c5ea8d9e0cc8ce693310b46c3110402a5ed21d6c839e66a2
SHA512 18eabe2b8a0dd724f8210cf9f7ed4fd13f80bf6c95a1221ad1f7dff0d12df71ef104edc958dc1262f561a36cd12d27dccf36f50ae18a1f964b6fd6a22ff54538

\??\c:\windows\resources\svchost.exe

MD5 1067e6d8c1a15a73088f555b35653850
SHA1 ec03d82d89494122ee02d0a09163b51f4b781261
SHA256 bdc38842564bf921f72c52fe185be7a0ff81ebedc2e57a54da5ff96fca3ec62f
SHA512 b309e79e57b98eb3c456f65619eaf418d0371d006ba58a12ace01db029146e2378ee48031ca8c10d537bbbc23a8f8f853a35decb6401e95b65c1c6d1b300501d
