Malware Analysis Report

2024-10-10 08:06

Sample ID 240611-gjh24sxcrr
Target 29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe
SHA256 575c91806e3bf0a97f019976c177fb7da6ed4a62761b52c9236b860f5e2fdf83
Tags
themida evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

575c91806e3bf0a97f019976c177fb7da6ed4a62761b52c9236b860f5e2fdf83

Threat Level: Known bad

The file 29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

themida evasion persistence trojan

Modifies visiblity of hidden/system files in Explorer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Themida packer

Executes dropped EXE

Checks BIOS information in registry

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-11 05:49

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 05:49

Reported

2024-06-11 05:52

Platform

win7-20231129-en

Max time kernel

150s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe"

Signatures

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2060 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 2060 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 2060 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 2060 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 2860 wrote to memory of 2144 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2860 wrote to memory of 2144 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2860 wrote to memory of 2144 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2860 wrote to memory of 2144 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2144 wrote to memory of 2648 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2144 wrote to memory of 2648 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2144 wrote to memory of 2648 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2144 wrote to memory of 2648 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2648 wrote to memory of 2700 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2648 wrote to memory of 2700 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2648 wrote to memory of 2700 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2648 wrote to memory of 2700 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2860 wrote to memory of 2696 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2860 wrote to memory of 2696 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2860 wrote to memory of 2696 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2860 wrote to memory of 2696 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2648 wrote to memory of 2616 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2648 wrote to memory of 2616 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2648 wrote to memory of 2616 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2648 wrote to memory of 2616 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2648 wrote to memory of 860 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2648 wrote to memory of 860 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2648 wrote to memory of 860 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2648 wrote to memory of 860 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2648 wrote to memory of 664 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2648 wrote to memory of 664 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2648 wrote to memory of 664 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2648 wrote to memory of 664 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:52 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:53 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:54 /f

Network

N/A

Files

memory/2060-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2060-2-0x0000000077260000-0x0000000077262000-memory.dmp

\Windows\Resources\Themes\explorer.exe

MD5 04baab75a00fbba002da810a785d514b
SHA1 fa11751b2c7ea5cf00e7321cb17cfb2f11e5cfff
SHA256 8cff41902c72991cbe2148c967d3de78d35a1dd780b563a2a18c237f00955fba
SHA512 29655bbfbbb19868915b3470139c68da37aa6d520b37b74708175eab538add98eb25cdb2f47c7f3708624cfa5f299d21cd55388ed5707977b125d0918ae026c1

memory/2860-12-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2060-11-0x0000000003920000-0x0000000003F2E000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 22fcc319b897b18613a8595ac2d200b1
SHA1 6b9735825fc455f56fba8aabbb265a75c380fd58
SHA256 31223dcded4292cbc6e9022238f91ad3795992e8d5585ce14bbf1fe20a1831f7
SHA512 6a51be432638958e841c99b62ce9a4a4e265d678643873cfbf480eef38e649e9180c2e85e8a297cc4b9f51f02c45b5b51a94a3564e57e28c4017ba127660f883

memory/2860-23-0x00000000036F0000-0x0000000003CFE000-memory.dmp

memory/2144-24-0x0000000000400000-0x0000000000A0E000-memory.dmp

\Windows\Resources\svchost.exe

MD5 e55f348a76af6901b09cc6a11f152ea0
SHA1 5ef93db4c07fe20e85a3b69f4372a28e7cadbc5a
SHA256 1e00e6f28f58efce09127a950c47925623137a647d61eb21db94880e6c87fd33
SHA512 46231838eacc3060c8f7a3c50a7ca33f8c52524fc479a70a7fb2ca38718a64512ad81b8c9b7c0da032856a2421a4b5031855867f32ff4b52794d40e4c6ee8b7d

memory/2144-35-0x00000000035E0000-0x0000000003BEE000-memory.dmp

memory/2648-36-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2648-42-0x00000000031F0000-0x00000000037FE000-memory.dmp

memory/2060-44-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2700-45-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2144-52-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2700-51-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2060-54-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2860-55-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2860-57-0x00000000036F0000-0x0000000003CFE000-memory.dmp

memory/2648-58-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2860-61-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2860-65-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2860-69-0x0000000000400000-0x0000000000A0E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 05:49

Reported

2024-06-11 05:52

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe"

Signatures

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2204 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 2204 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 2204 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 764 wrote to memory of 4072 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 764 wrote to memory of 4072 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 764 wrote to memory of 4072 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 4072 wrote to memory of 4628 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 4072 wrote to memory of 4628 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 4072 wrote to memory of 4628 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 4628 wrote to memory of 2640 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 4628 wrote to memory of 2640 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 4628 wrote to memory of 2640 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\29dda9e6d4a79a124d5af9b4251dd650_NeikiAnalytics.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 152.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/2204-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2204-1-0x00000000776B4000-0x00000000776B6000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 f746338b1d0ec63fc1ed9c63b4c57feb
SHA1 1fe16f7babebd0173ffda682c93b2962c7aea5f1
SHA256 8590b26d5d92b88bdb4b3c144fc3a456d29123bc0473d55433abddaa9d247c7f
SHA512 4cf1db3f7254f5f3bc12a7d3b3a1f84e6e6816c596ee904803a940f4b36c381c99e4860823578be759b1c1e9a08672d651b60a7ee7eb7e030c15573d7bda0551

memory/764-10-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 7a4f16fe86494f28af67799863325fb0
SHA1 7ea8307e3ab641f59e31f528ae996f79768d6499
SHA256 18e85472eae1ca59b5219f8134991ad98ccb6d15a11ee41f3e7c2080f43cb2d1
SHA512 92f65428c1717b692ea5846306f86ff5e901e28fa19b6ebe5b5538719d114a8eb5feda0335dccf25931e26356ee8ac02210690a9b83313c78d804daa655e4fb6

memory/4072-19-0x0000000000400000-0x0000000000A0E000-memory.dmp

\??\c:\windows\resources\svchost.exe

MD5 2fde6a0c32364a03e396be551cb2a08d
SHA1 1b34125ae930a16b1d55a61ea8b416b74127abce
SHA256 44fb2dbc66a5a587459b8919c2d168b2f06d7365595b14840080725456391d26
SHA512 4a2742ec7f2b441b5cea8f3c1227e0f297f5bfb33f7bd1c6d3229a1641632ccbff856b2970415971678976983f176e5e14d91a5ffdf80e79629dcef294ab990b

memory/4628-28-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2640-33-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2640-38-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2204-41-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4072-42-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/764-43-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/764-45-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4628-44-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4628-51-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/764-56-0x0000000000400000-0x0000000000A0E000-memory.dmp