829860a22dbb39405869cae60d267203f6186d54a56acfa2ed40b8f2f27be735

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
16-06-2024 04:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4fa9f11d960dc8b969608c704cdf710_NeikiAnalytics.exe
Size

2.5MB
MD5

d4fa9f11d960dc8b969608c704cdf710
SHA1

425fb8863686f7b5f66c4e6001c52f03ecc2a65b
SHA256

829860a22dbb39405869cae60d267203f6186d54a56acfa2ed40b8f2f27be735
SHA512

d7347f5bd45ecce2112e69b7e6f5f1f2071e0b11f10cfcff75f52f991342114f2f440a71433156f573e5a6b11f571b0ab07d49e18f63dd4647764b34e8741a68
SSDEEP

24576:x1jh76VQjf0u8oayBgXnmg9Zac6kWZOdr3ac7BPugfXLIXMvu:x1Aejp5ayuXnmkZac6kWQhKAGCOMW

Score

7^/10

bootkit persistence

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d4fa9f11d960dc8b969608c704cdf710_NeikiAnalytics.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	d4fa9f11d960dc8b969608c704cdf710_NeikiAnalytics.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	d4fa9f11d960dc8b969608c704cdf710_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	d4fa9f11d960dc8b969608c704cdf710_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	d4fa9f11d960dc8b969608c704cdf710_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	d4fa9f11d960dc8b969608c704cdf710_NeikiAnalytics.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosDate	d4fa9f11d960dc8b969608c704cdf710_NeikiAnalytics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Bios	d4fa9f11d960dc8b969608c704cdf710_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	d4fa9f11d960dc8b969608c704cdf710_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	d4fa9f11d960dc8b969608c704cdf710_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor	d4fa9f11d960dc8b969608c704cdf710_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2236	d4fa9f11d960dc8b969608c704cdf710_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2236	d4fa9f11d960dc8b969608c704cdf710_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\d4fa9f11d960dc8b969608c704cdf710_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d4fa9f11d960dc8b969608c704cdf710_NeikiAnalytics.exe"
1⤵
- Checks BIOS information in registry
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2236-0-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2236-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2236-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2236-3-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2236-4-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2236-6-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2236-9-0x0000000000400000-0x0000000000898000-memory.dmp

Filesize
4.6MB

Download
memory/2236-13-0x0000000000400000-0x0000000000898000-memory.dmp

Filesize
4.6MB

Download
memory/2236-8-0x0000000000400000-0x0000000000898000-memory.dmp

Filesize
4.6MB

Download
memory/2236-12-0x0000000000401000-0x00000000005BD000-memory.dmp

Filesize
1.7MB

Download
memory/2236-14-0x0000000003310000-0x0000000005191000-memory.dmp

Filesize
30.5MB

Download
memory/2236-7-0x0000000000400000-0x0000000000898000-memory.dmp

Filesize
4.6MB

Download
memory/2236-15-0x0000000003310000-0x0000000005191000-memory.dmp

Filesize
30.5MB

Download