Malware Analysis Report

2024-10-16 06:59

Sample ID 240610-dh2ahsbh24
Target 07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe
SHA256 bbe7174626532570a717109aaf00a0c30087633cd37afe6f990addf9d3adb917
Tags
themida evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bbe7174626532570a717109aaf00a0c30087633cd37afe6f990addf9d3adb917

Threat Level: Known bad

The file 07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

themida evasion persistence trojan

Modifies visiblity of hidden/system files in Explorer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Themida packer

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-10 03:03

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 03:01

Reported

2024-06-10 03:24

Platform

win7-20231129-en

Max time kernel

43s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe"

Signatures

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2912 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 2912 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 2912 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 2912 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 2992 wrote to memory of 2296 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2992 wrote to memory of 2296 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2992 wrote to memory of 2296 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2992 wrote to memory of 2296 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2296 wrote to memory of 2940 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2296 wrote to memory of 2940 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2296 wrote to memory of 2940 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2296 wrote to memory of 2940 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2940 wrote to memory of 2788 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2940 wrote to memory of 2788 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2940 wrote to memory of 2788 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2940 wrote to memory of 2788 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2992 wrote to memory of 2780 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2992 wrote to memory of 2780 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2992 wrote to memory of 2780 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2992 wrote to memory of 2780 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2940 wrote to memory of 2524 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2940 wrote to memory of 2524 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2940 wrote to memory of 2524 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2940 wrote to memory of 2524 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:24 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:25 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:26 /f

Network

N/A

Files

memory/2912-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2912-1-0x0000000077B30000-0x0000000077B32000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 915f41c679ece3834ca7cfd71a0b81cf
SHA1 f8ef2dd9a4969b8e568df12e8ea41569364c3aab
SHA256 86bde0cdd12a51f65cd67c8d85a1ac4daf4f4be5c7d7af416fae32ded5223cfa
SHA512 bbef50850ed7a2273cf4ae1ff75b4730e69286167659b0e400ae6560be83a28da639a5de955deeccf7637409c84252f1864a5d3e9b8c7e50f27ddf477cb388b2

memory/2992-12-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2912-11-0x00000000036C0000-0x0000000003CCE000-memory.dmp

\Windows\Resources\spoolsv.exe

MD5 1093e52a2e9dce66d9b1845d3c15ac1a
SHA1 84e99932dbd7ffc9b58a2d9ae4f7f1a8de8e0f01
SHA256 eb0679ce5380e40e1881f5860cd80e27eb307c2e8f851089d5a164c7aad5dbae
SHA512 1240b16018d5cb996a6ac36c0451dee5c521d9c48c124818ff4c2ed83f76933d7e03283c0a0312e90a84ecccde51e8e5d6948e2b791a4b52f115088bffa4abfd

memory/2992-23-0x00000000037D0000-0x0000000003DDE000-memory.dmp

memory/2296-24-0x0000000000400000-0x0000000000A0E000-memory.dmp

\Windows\Resources\svchost.exe

MD5 02dd6f3ffaef1bb2a1bf47d07818c65d
SHA1 e68034579e59810fcced20ab45261cce6b5fa3a5
SHA256 8cc5cb9b0d8e903aca736428e1bf27e6643ecdc22d119ec68cd43147279c509a
SHA512 cec6b99d443db6649a658dede5a59b23c53d3cf7b294998ed824a22ee45e13d2e468d1c51cdc2d79e5c44ee645b86b0383060ea274aad7e5ceefb30df51b97d9

memory/2940-36-0x0000000000400000-0x0000000000A0E000-memory.dmp

\??\c:\windows\resources\svchost.exe

MD5 90c475e0914a1bbda6a297087f798018
SHA1 e981b3776370e0f2ecd1ecc0d4442f459aa0d6a2
SHA256 7d7d042cf539683209f7e7d0d41073104f3e286f2f0f1e2df024e03137a6abdd
SHA512 1b4f7c02f23d5dce6bc0b2e261e5ba6949b6b6dca699ce16247e8ba4df45816aa65e38326f2d4de63c0bc1cf26b4ce51099bd24b044831efe894f682110a9e0b

memory/2788-44-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2912-43-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2788-49-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2296-51-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2912-53-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2296-35-0x0000000003840000-0x0000000003E4E000-memory.dmp

memory/2992-54-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2992-55-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2992-56-0x00000000037D0000-0x0000000003DDE000-memory.dmp

memory/2940-57-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2992-66-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2992-74-0x0000000000400000-0x0000000000A0E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 03:01

Reported

2024-06-10 03:34

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

98s

Command Line

"C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe"

Signatures

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4884 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 4884 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 4884 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 4240 wrote to memory of 1252 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 4240 wrote to memory of 1252 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 4240 wrote to memory of 1252 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 1252 wrote to memory of 2636 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 1252 wrote to memory of 2636 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 1252 wrote to memory of 2636 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2636 wrote to memory of 2992 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2636 wrote to memory of 2992 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2636 wrote to memory of 2992 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\07cfa8495d63d0a50c3a13702f5c2460_NeikiAnalytics.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 42.56.20.217.in-addr.arpa udp

Files

memory/4884-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4884-1-0x0000000077DB4000-0x0000000077DB6000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 a95af6127a69a4e9cc96e93bbe9f1ee7
SHA1 45e972f47776e05f147392beb22d6fb93ccf8ed6
SHA256 1ea36518c54036a1a356084ca8db8fca0c1f8908577fbfb239359c1b3b736a63
SHA512 e1796222a0dc7f88ecdbc91f8d251e1e06dcdc9f819ed887360c6bf2920594accba626e9d9887d72f9acb90cf45ae706a06b9ed51644126b94f173022722c2cb

memory/4240-10-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 9f07e0b670d4908a45f72211a6993cf1
SHA1 a830f7df2be7ae10b0156146a59e3b917e541d99
SHA256 396fc5b3e571dfa3e16d7b2ed9934537c498d361a3a95512e8233a2513a97c1e
SHA512 a33f9db71257cecd375b3f3309eadb3dc535c7ce05dfc03971ed2d02a596d3f6ff23c711c00e499edf4e15c8159c7ef7bdd0369bfb602e33d368675eafae2963

memory/1252-19-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\svchost.exe

MD5 7e41613abb2a9c7935e31819631b6fea
SHA1 dce49d9e1d708dc8cf3c268496485792f52da45a
SHA256 41f1d41080edae38dd5776da224ebdde496f0b22fec3e3107c56f2adc9bac9d7
SHA512 16e13cf7eec5ea3aa22ea1b0a4d55825b9f8b1a32fad64b1bf549451e367d8132ce688b2cd9cc904c5abbd9f0607204d9177a36f4c9b6ceba568de17303b19b3

memory/2636-28-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2992-33-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2992-38-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4884-40-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1252-41-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4240-42-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2636-43-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2636-49-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2636-51-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4240-54-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4240-60-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4240-62-0x0000000000400000-0x0000000000A0E000-memory.dmp