Analysis

  • max time kernel: 150s
  • max time network: 51s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240508-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 10-06-2024 22:20

General

  • Target: 1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe
  • Size: 2.5MB
  • MD5: 1d7c209d3fe49b48f00d22a367a25d20
  • SHA1: e188291b372a858870658efc1d965f04f89cbeb1
  • SHA256: b9264329c052618a08c48ba39c16263c7e06af5dee8704d78d73222cb820e4c6
  • SHA512: a55c758417613332c6f68fa1405906e4c673bebd4827cc52797c5e6fe8ff65ad34468f8a932528d8ea672db7bb0c8b652d183542828f3b587d4867b12548ce29
  • SSDEEP: 49152:hxmvumkQ9lY9sgUXdTPSxdQ8KX75IyuWuCjcCqWOyx4:hxx9NUFkQx753uWuCyyx4

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
  • Checks BIOS information in registry 2 TTPs 10 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 4 IoCs
  • Themida packer 17 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 5 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Drops file in Windows directory 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3276
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4680
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3932
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in System32 directory
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4424
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetWindowsHookEx
            PID:2476

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Resources\Themes\explorer.exe
    Filesize: 2.5MB
    MD5: 63b702604aea9bf8bf5e1b41d4de5076
    SHA1: 22d63fbb88dab2d3138b54ad771b3a647254b4f2
    SHA256: 58d2592da74c4ddffbccc25469fffbeccfac8724c7477510ed40e8de5d8109b0
    SHA512: 94c9d2e1599687355314ae7aeb9ef214e92b306b4a638377c0962960d06f23039b3aeb436a459371225b8eb37002f00f1b612a3a940ae7f391319b78a44d74af

  • C:\Windows\Resources\spoolsv.exe
    Filesize: 2.5MB
    MD5: 9fa74c5aced43054951794a8a6143e7e
    SHA1: e10d024ff612298f53e317b1a1c86ccffc616270
    SHA256: 43eb1de6bc4f1536b877612bd153c3a384f7ce9f5db4bc5002503415408d667f
    SHA512: 0fd19df956294da518109af49bd9ed97e07b6723c6f0f75988142f65a8ad7b860d55f4429fd8b9d61bb70a03a8f2d9c51f58fec4ba64368d1f2dc4f13bfea2da

  • C:\Windows\Resources\svchost.exe
    Filesize: 2.5MB
    MD5: 4d34ea94dac5e5b843f7ed4ab3f077b2
    SHA1: a306ba1359695f479d8c88896090911485337015
    SHA256: aec95982ba50c8bd2eca8a980ed68cff1f74294b4e90d72d57b07c6b676236ca
    SHA512: 91ac4500fa5fe37170ad59ee5d94812a032ba162321ea4306353146917340912403eea686daad0e2c902fb02551f11a5c6f2a344336d62fc614f4981b9348398

  • memory/2476-33-0x0000000000400000-0x0000000000A0E000-memory.dmp (Filesize: 6.1MB)
  • memory/2476-40-0x0000000000400000-0x0000000000A0E000-memory.dmp (Filesize: 6.1MB)
  • memory/3276-1-0x0000000077B24000-0x0000000077B26000-memory.dmp (Filesize: 8KB)
  • memory/3276-42-0x0000000000400000-0x0000000000A0E000-memory.dmp (Filesize: 6.1MB)
  • memory/3276-0-0x0000000000400000-0x0000000000A0E000-memory.dmp (Filesize: 6.1MB)
  • memory/3932-19-0x0000000000400000-0x0000000000A0E000-memory.dmp (Filesize: 6.1MB)
  • memory/3932-39-0x0000000000400000-0x0000000000A0E000-memory.dmp (Filesize: 6.1MB)
  • memory/4424-28-0x0000000000400000-0x0000000000A0E000-memory.dmp (Filesize: 6.1MB)
  • memory/4424-44-0x0000000000400000-0x0000000000A0E000-memory.dmp (Filesize: 6.1MB)
  • memory/4424-65-0x0000000000400000-0x0000000000A0E000-memory.dmp (Filesize: 6.1MB)
  • memory/4680-10-0x0000000000400000-0x0000000000A0E000-memory.dmp (Filesize: 6.1MB)
  • memory/4680-43-0x0000000000400000-0x0000000000A0E000-memory.dmp (Filesize: 6.1MB)
  • memory/4680-45-0x0000000000400000-0x0000000000A0E000-memory.dmp (Filesize: 6.1MB)
  • memory/4680-50-0x0000000000400000-0x0000000000A0E000-memory.dmp (Filesize: 6.1MB)
  • memory/4680-56-0x0000000000400000-0x0000000000A0E000-memory.dmp (Filesize: 6.1MB)