Malware Analysis Report

2024-10-10 08:10

Sample ID 240610-186n9asgna
Target 1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe
SHA256 b9264329c052618a08c48ba39c16263c7e06af5dee8704d78d73222cb820e4c6
Tags
themida evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b9264329c052618a08c48ba39c16263c7e06af5dee8704d78d73222cb820e4c6

Threat Level: Known bad

The file 1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

themida evasion persistence trojan

Modifies visiblity of hidden/system files in Explorer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Loads dropped DLL

Executes dropped EXE

Themida packer

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-10 22:20

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 22:20

Reported

2024-06-10 22:22

Platform

win7-20240419-en

Max time kernel

150s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe"

Signatures

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1752 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 1752 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 1752 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 1752 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 2424 wrote to memory of 2348 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2424 wrote to memory of 2348 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2424 wrote to memory of 2348 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2424 wrote to memory of 2348 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2348 wrote to memory of 2824 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2348 wrote to memory of 2824 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2348 wrote to memory of 2824 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2348 wrote to memory of 2824 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2824 wrote to memory of 2944 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2824 wrote to memory of 2944 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2824 wrote to memory of 2944 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2824 wrote to memory of 2944 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2424 wrote to memory of 2756 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2424 wrote to memory of 2756 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2424 wrote to memory of 2756 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2424 wrote to memory of 2756 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2824 wrote to memory of 2548 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2824 wrote to memory of 2548 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2824 wrote to memory of 2548 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2824 wrote to memory of 2548 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2824 wrote to memory of 1308 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2824 wrote to memory of 1308 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2824 wrote to memory of 1308 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2824 wrote to memory of 1308 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2824 wrote to memory of 1864 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2824 wrote to memory of 1864 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2824 wrote to memory of 1864 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2824 wrote to memory of 1864 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:22 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:23 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:24 /f

Network

N/A

Files

memory/1752-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1752-1-0x0000000077210000-0x0000000077212000-memory.dmp

\Windows\Resources\Themes\explorer.exe

MD5 bc1e1901255e68bb7719a13818099d58
SHA1 571b4a86d9040db04d2aaa34f12402ebd4fccf4e
SHA256 bd619f13564c330721dc8b49c5e844b3502ef4f668eea076e41fbc2c0f1493b5
SHA512 f1a10ba0723771a42c9a8a381005527a164cec840e8f19eec81586909429987d8f428a8f8a34e86edaca2992dae8a8e0d70904146bffd9f8343a4cd5ad8c9023

memory/2424-11-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 7c94076d32d1bceb07e5f96dcb101084
SHA1 d6ec35f4d904c715dd30a7ed683b2d15606237ad
SHA256 28c350e4a3a6852385a54609dc3d7f8cb01680403c830191b5a2cceb8975d946
SHA512 7ff7a212a5ab27c1d0e8571cf76647606e2f0ddc4cd6d6bbb26943899bec82a1b1dd1fc7a1a804f01bf118e275d0c4140c05c7f4e19bd981d5aaf1af65c8d093

memory/2424-22-0x00000000036C0000-0x0000000003CCE000-memory.dmp

memory/2348-23-0x0000000000400000-0x0000000000A0E000-memory.dmp

\Windows\Resources\svchost.exe

MD5 5704d0324e55747198f0522310b7d4ca
SHA1 26646538e84a30c36e3ee2bad88ee0e06dcd16fa
SHA256 671334298110a007a19d74496f2c0f08495988c9c74f78f0ba026d4062a4e9ad
SHA512 ff4654bf909bc5e12d12d98f8f2463522f6fa63b563adcac3a5d3b880eb89390d3bf4a34184566b3f1726c0dcd49c18f722b9431ed8a7c9e9ba570185929ac06

memory/2348-34-0x00000000038A0000-0x0000000003EAE000-memory.dmp

memory/2824-37-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2944-44-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1752-43-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2824-41-0x0000000003600000-0x0000000003C0E000-memory.dmp

memory/2944-49-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2348-51-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1752-52-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2424-53-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2424-55-0x00000000036C0000-0x0000000003CCE000-memory.dmp

memory/2824-56-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2424-67-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2424-71-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2424-75-0x0000000000400000-0x0000000000A0E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 22:20

Reported

2024-06-10 22:22

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe"

Signatures

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3276 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 3276 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 3276 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 4680 wrote to memory of 3932 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 4680 wrote to memory of 3932 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 4680 wrote to memory of 3932 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 3932 wrote to memory of 4424 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 3932 wrote to memory of 4424 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 3932 wrote to memory of 4424 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 4424 wrote to memory of 2476 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 4424 wrote to memory of 2476 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 4424 wrote to memory of 2476 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\1d7c209d3fe49b48f00d22a367a25d20_NeikiAnalytics.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/3276-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3276-1-0x0000000077B24000-0x0000000077B26000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 63b702604aea9bf8bf5e1b41d4de5076
SHA1 22d63fbb88dab2d3138b54ad771b3a647254b4f2
SHA256 58d2592da74c4ddffbccc25469fffbeccfac8724c7477510ed40e8de5d8109b0
SHA512 94c9d2e1599687355314ae7aeb9ef214e92b306b4a638377c0962960d06f23039b3aeb436a459371225b8eb37002f00f1b612a3a940ae7f391319b78a44d74af

memory/4680-10-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 9fa74c5aced43054951794a8a6143e7e
SHA1 e10d024ff612298f53e317b1a1c86ccffc616270
SHA256 43eb1de6bc4f1536b877612bd153c3a384f7ce9f5db4bc5002503415408d667f
SHA512 0fd19df956294da518109af49bd9ed97e07b6723c6f0f75988142f65a8ad7b860d55f4429fd8b9d61bb70a03a8f2d9c51f58fec4ba64368d1f2dc4f13bfea2da

memory/3932-19-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\svchost.exe

MD5 4d34ea94dac5e5b843f7ed4ab3f077b2
SHA1 a306ba1359695f479d8c88896090911485337015
SHA256 aec95982ba50c8bd2eca8a980ed68cff1f74294b4e90d72d57b07c6b676236ca
SHA512 91ac4500fa5fe37170ad59ee5d94812a032ba162321ea4306353146917340912403eea686daad0e2c902fb02551f11a5c6f2a344336d62fc614f4981b9348398

memory/4424-28-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2476-33-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3932-39-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2476-40-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3276-42-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4680-43-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4680-45-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4424-44-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4680-50-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4680-56-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4424-65-0x0000000000400000-0x0000000000A0E000-memory.dmp