Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    17-06-2024 00:26

General

  • Target

    24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe

  • Size

    2.5MB

  • MD5

    24f9aa630a05c0ffc68dd523d0a81200

  • SHA1

    bd2533b3f5be3d96b2baf6435292b4113251e002

  • SHA256

    67b50bdc8c1b29c62de47ca0f0256aaa12dd8aaa91d7b1ecd3ca8990bed75726

  • SHA512

    65d15229719385242bc6a48fcc4f9f11676399480b859360e62e7fe698b5cd1314acb8bfde3e632b34fd461dca70ef18128f2a5828857e83b3bbf8f59fb58e7d

  • SSDEEP

    49152:gxmvumkQ9lY9sgUXdTPSxdQ8KX75IyuWuCjcCqWOyxs:gxx9NUFkQx753uWuCyyxs

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
  • Checks BIOS information in registry 2 TTPs 10 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Themida packer 19 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 5 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Drops file in Windows directory 4 IoCs
  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2208
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2096
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1668
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in System32 directory
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2636
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetWindowsHookEx
            PID:2688
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:29 /f
            5⤵
            • Creates scheduled task(s)
            PID:2936
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:30 /f
            5⤵
            • Creates scheduled task(s)
            PID:852
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:31 /f
            5⤵
            • Creates scheduled task(s)
            PID:1788
      • C:\Windows\Explorer.exe
        C:\Windows\Explorer.exe
        3⤵
          PID:2844

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Resources\spoolsv.exe

      Filesize

      2.5MB

      MD5

      e7b712a0ee19e642e71a4b892b13fe8e

      SHA1

      c47400632e4b0692f087f609e6f128e0b28b7f0b

      SHA256

      9c6ce2d2356af2a0f227d7ce384f6eb5d9db5b78e2c626ab1c97046969784c3b

      SHA512

      65f35b1d8afb53f615858db893d9dd30c2347db9bda822c3f699297e1b251b239ac13f0c1789ca0520f67da00f3d44ef12e888e8131755fe817a4f1193e27c60

    • \Windows\Resources\Themes\explorer.exe

      Filesize

      2.5MB

      MD5

      4a7c9826de789b879e8d9373821f664f

      SHA1

      49c2d949e7727d8215975505b91d985baf1f8cca

      SHA256

      5b083cf9a8205473d196636e705cdaa7db24dba2ce19dfd1ac7105bd98b8d0e9

      SHA512

      39906c11c5078b15f966672c221de26c48e4cf2fac83d2689f8095e5198130ee4b62d4a3b292eb15f15d09756920630727eede14aad79766a2c12dafd0113003

    • \Windows\Resources\svchost.exe

      Filesize

      2.5MB

      MD5

      7fad83ade5c8d2490d11c7eca861cce0

      SHA1

      ad18358241be338dd5017caf371acf0619d7ad48

      SHA256

      6fa8dc2a36081f5403c5141c7435d85b22d694dd9f701f97a65fe37b2eb04ffa

      SHA512

      0b8f0a185dcd449a5aaa6c74949c69667067540ec769f157b83ff364e7125366cda67423b63b0dc7763afad7ca2d1255c959a3b8490f068bd9b34f0f01ed26b2

    • memory/1668-23-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/1668-34-0x0000000003630000-0x0000000003C3E000-memory.dmp

      Filesize

      6.1MB

    • memory/1668-51-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/2096-11-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/2096-22-0x0000000003710000-0x0000000003D1E000-memory.dmp

      Filesize

      6.1MB

    • memory/2096-68-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/2096-62-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/2096-56-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/2096-55-0x0000000003710000-0x0000000003D1E000-memory.dmp

      Filesize

      6.1MB

    • memory/2096-54-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/2208-53-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/2208-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/2208-43-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/2208-1-0x00000000776D0000-0x00000000776D2000-memory.dmp

      Filesize

      8KB

    • memory/2636-57-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/2636-41-0x0000000003300000-0x000000000390E000-memory.dmp

      Filesize

      6.1MB

    • memory/2636-35-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/2636-77-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/2688-49-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB

    • memory/2688-44-0x0000000000400000-0x0000000000A0E000-memory.dmp

      Filesize

      6.1MB