Malware Analysis Report

2024-10-10 08:09

Sample ID 240611-fsvxlavhlf
Target 28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe
SHA256 a0a2ff1c76bd92bbd57142414f481c18176ec907002703cf940da0b20361fc8e
Tags
themida evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a0a2ff1c76bd92bbd57142414f481c18176ec907002703cf940da0b20361fc8e

Threat Level: Known bad

The file 28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

themida evasion persistence trojan

Modifies visiblity of hidden/system files in Explorer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Executes dropped EXE

Loads dropped DLL

Checks BIOS information in registry

Themida packer

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-11 05:08

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 05:08

Reported

2024-06-11 05:11

Platform

win7-20240419-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe"

Signatures

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2820 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 2820 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 2820 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 2820 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 2988 wrote to memory of 2656 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2988 wrote to memory of 2656 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2988 wrote to memory of 2656 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2988 wrote to memory of 2656 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2656 wrote to memory of 2832 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2656 wrote to memory of 2832 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2656 wrote to memory of 2832 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2656 wrote to memory of 2832 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2832 wrote to memory of 2728 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2832 wrote to memory of 2728 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2832 wrote to memory of 2728 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2832 wrote to memory of 2728 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2988 wrote to memory of 2472 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2988 wrote to memory of 2472 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2988 wrote to memory of 2472 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2988 wrote to memory of 2472 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2832 wrote to memory of 2916 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2832 wrote to memory of 2916 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2832 wrote to memory of 2916 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2832 wrote to memory of 2916 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2832 wrote to memory of 2280 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2832 wrote to memory of 2280 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2832 wrote to memory of 2280 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2832 wrote to memory of 2280 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2832 wrote to memory of 1796 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2832 wrote to memory of 1796 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2832 wrote to memory of 1796 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2832 wrote to memory of 1796 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:10 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:11 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:12 /f

Network

N/A

Files

memory/2820-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2820-1-0x0000000077820000-0x0000000077822000-memory.dmp

\Windows\Resources\Themes\explorer.exe

MD5 d54c61be3b1e184ff8c495663564934e
SHA1 8faab9aaba40ce01d014f433816684df69314278
SHA256 02f650f5969ac53ac40acb38b8465575b6da9da38e472dabad621e5ff9001960
SHA512 2f5de48f378b75bea95062540698db89aba22ae5188a5d6bc28287b51601d5423437bc663a4906cecc21fb04afd6cb124edbc94718659a6316d2b94a914966a3

memory/2988-11-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 459870793a9ba032a8eb5516071091e8
SHA1 0ce82e616f368a0d4451c2d41d7985a01e5f20e9
SHA256 111b0a5034249ed54f291f1dbb8395da33e3ed2b3b5a44e84e6320667631050c
SHA512 07919682087eeeae743d2786eef1c0bbbeb88f32a73e15b6e8f244738eb5902be9eea11dcdcedeff050e3142953eb38798adc94cb7fbc0655d5da5e557c71ce6

memory/2656-23-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2988-21-0x0000000003780000-0x0000000003D8E000-memory.dmp

\Windows\Resources\svchost.exe

MD5 ef127446cbc51b2c74a3d1cc6f58b703
SHA1 37cac3a489518f9ed4f6fff84f04e0d997a65d01
SHA256 e722b992b8a79bebbf062678667a8e79d7f6d71a8b1e44843318c8315d5edd69
SHA512 dbdc6f3bec492ab2936a464dc9009a0e7218c1f295d8aa927700309ce4832ed2b2779d48b134e973a1176e0395db94dd00ff8e8ea87ea04559c7f332bca77c43

memory/2656-33-0x0000000003870000-0x0000000003E7E000-memory.dmp

memory/2832-35-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2728-43-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2832-42-0x00000000032C0000-0x00000000038CE000-memory.dmp

memory/2656-50-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2728-49-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2820-52-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2988-53-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2832-55-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2988-56-0x0000000003780000-0x0000000003D8E000-memory.dmp

memory/2832-59-0x00000000032C0000-0x00000000038CE000-memory.dmp

memory/2988-68-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2988-74-0x0000000000400000-0x0000000000A0E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 05:08

Reported

2024-06-11 05:11

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe"

Signatures

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4380 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 4380 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 4380 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 3744 wrote to memory of 224 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 3744 wrote to memory of 224 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 3744 wrote to memory of 224 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 224 wrote to memory of 3228 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 224 wrote to memory of 3228 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 224 wrote to memory of 3228 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 3228 wrote to memory of 4764 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 3228 wrote to memory of 4764 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 3228 wrote to memory of 4764 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\28ac907d06f0fd383ccfbba6595615b0_NeikiAnalytics.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 10.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 6.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/4380-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4380-1-0x0000000076F24000-0x0000000076F26000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 a5cecd9747043571f68c6926ccc5d9aa
SHA1 7f40859868d0a62844c414141ebb8ad26ad393de
SHA256 f112550d23c583b99e3dae67be8651709fab5cd775e9f03a70de861a914dc5ab
SHA512 f8a6c606006d944d18398f86f2f277044dba5350b21cd5bf558746b61ceb3bb087c725af2eeb1381908181cb65127c22edd4935d83338c622997533ac4fcd0dc

memory/3744-10-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 75139b20389be5ee74962ae0da2ad14a
SHA1 17d84548bc072632f8cfb5e426088b840707ed62
SHA256 f563150b6fc6c9f66ec9a958265c99cfdeff5f8cb0c682b82d53fd353638ae47
SHA512 edfa680d6dc381a797ef0f41b7e45d2adeed77dd0768cedd23decd7d20cc59f4f029ba6e2cb011744a96c15614a68191dc238a4c89b1c8f77365106ffdc72672

memory/224-19-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\svchost.exe

MD5 7f9be29c9736a211865563760d1f2862
SHA1 3ae971e224ab149adfac85f2bdae59ef608501e8
SHA256 681c611883ac6aa4a72d57a9dff47b4949200f71f21b654a97364fb97fdd5ba6
SHA512 eeb12ab242e85c626d084abe276eefa194574cdb60ab4179d0b954440e5ff476881431901663a60cece3351e8909111bd8bb3901e240b91f5084746ebfe17bee

memory/3228-28-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4764-33-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/224-39-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4764-40-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4380-42-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3744-43-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3744-45-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3228-44-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3228-48-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3228-52-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3744-57-0x0000000000400000-0x0000000000A0E000-memory.dmp