Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 17-06-2024 00:26
Behavioral task: behavioral1
  Sample: 24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe
  Resource: win10v2004-20240611-en
General
Target: 24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe
Size: 2.5MB
MD5: 24f9aa630a05c0ffc68dd523d0a81200
SHA1: bd2533b3f5be3d96b2baf6435292b4113251e002
SHA256: 67b50bdc8c1b29c62de47ca0f0256aaa12dd8aaa91d7b1ecd3ca8990bed75726
SHA512: 65d15229719385242bc6a48fcc4f9f11676399480b859360e62e7fe698b5cd1314acb8bfde3e632b34fd461dca70ef18128f2a5828857e83b3bbf8f59fb58e7d
SSDEEP: 49152:gxmvumkQ9lY9sgUXdTPSxdQ8KX75IyuWuCjcCqWOyxs:gxx9NUFkQx753uWuCyyxs
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 5 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | spoolsv.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svchost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | spoolsv.exe
Checks BIOS information in registry (2 TTPs, 10 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | spoolsv.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | spoolsv.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | spoolsv.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | spoolsv.exe
Executes dropped EXE (4 IoCs)
Processes:
pid | process
2096 | explorer.exe
1668 | spoolsv.exe
2636 | svchost.exe
2688 | spoolsv.exe
Loads dropped DLL (4 IoCs)
Processes:
pid | process
2208 | 24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe
2096 | explorer.exe
1668 | spoolsv.exe
2636 | svchost.exe
YARA rule matches (yara_rule: themida)
Processes:
resource | yara_rule
behavioral1/memory/2208-0-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
\Windows\Resources\Themes\explorer.exe | themida
behavioral1/memory/2096-11-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
C:\Windows\Resources\spoolsv.exe | themida
behavioral1/memory/1668-23-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
\Windows\Resources\svchost.exe | themida
behavioral1/memory/2636-35-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
behavioral1/memory/2636-41-0x0000000003300000-0x000000000390E000-memory.dmp | themida
behavioral1/memory/2688-44-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
behavioral1/memory/2208-43-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
behavioral1/memory/2688-49-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
behavioral1/memory/1668-51-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
behavioral1/memory/2208-53-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
behavioral1/memory/2096-54-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
behavioral1/memory/2636-57-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
behavioral1/memory/2096-56-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
behavioral1/memory/2096-62-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
behavioral1/memory/2096-68-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
behavioral1/memory/2636-77-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
Checks whether UAC is enabled (5 IoCs)
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | spoolsv.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | svchost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | spoolsv.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe
Drops file in System32 directory (2 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
Processes:
pid | process
2208 | 24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe
2096 | explorer.exe
1668 | spoolsv.exe
2636 | svchost.exe
2688 | spoolsv.exe
Drops file in Windows directory (4 IoCs)
Processes:
description | ioc | process
File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe
File opened for modification | \??\c:\windows\resources\themes\explorer.exe | 24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe
File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
2936 | schtasks.exe
852 | schtasks.exe
1788 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (64 entries, grouped by pid; each entry in the original is one pid/process pair):
pid | process | entries
2208 | 24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe | 17
2096 | explorer.exe | 25
2636 | svchost.exe | 22
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes:
pid | process
2096 | explorer.exe
2636 | svchost.exe
Suspicious use of SetWindowsHookEx (10 IoCs)
Processes (each pid is listed twice in the original):
pid | process
2208 | 24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe
2208 | 24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe
2096 | explorer.exe
2096 | explorer.exe
1668 | spoolsv.exe
1668 | spoolsv.exe
2636 | svchost.exe
2636 | svchost.exe
2688 | spoolsv.exe
2688 | spoolsv.exe
Suspicious use of WriteProcessMemory (32 IoCs)
Processes (each row appears four times in the original, giving 32 entries):
description | pid | process | target process
PID 2208 wrote to memory of 2096 | 2208 | 24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe | explorer.exe (x4)
PID 2096 wrote to memory of 1668 | 2096 | explorer.exe | spoolsv.exe (x4)
PID 1668 wrote to memory of 2636 | 1668 | spoolsv.exe | svchost.exe (x4)
PID 2636 wrote to memory of 2688 | 2636 | svchost.exe | spoolsv.exe (x4)
PID 2096 wrote to memory of 2844 | 2096 | explorer.exe | Explorer.exe (x4)
PID 2636 wrote to memory of 2936 | 2636 | svchost.exe | schtasks.exe (x4)
PID 2636 wrote to memory of 852 | 2636 | svchost.exe | schtasks.exe (x4)
PID 2636 wrote to memory of 1788 | 2636 | svchost.exe | schtasks.exe (x4)
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe"
  PID: 2208
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  \??\c:\windows\resources\themes\explorer.exe
    Command line: c:\windows\resources\themes\explorer.exe
    PID: 2096
    - Modifies visibility of hidden/system files in Explorer
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    \??\c:\windows\resources\spoolsv.exe
      Command line: c:\windows\resources\spoolsv.exe SE
      PID: 1668
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      \??\c:\windows\resources\svchost.exe
        Command line: c:\windows\resources\svchost.exe
        PID: 2636
        - Modifies visibility of hidden/system files in Explorer
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\resources\spoolsv.exe
          Command line: c:\windows\resources\spoolsv.exe PR
          PID: 2688
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Checks whether UAC is enabled
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:29 /f
          PID: 2936
          - Creates scheduled task(s)

        C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:30 /f
          PID: 852
          - Creates scheduled task(s)

        C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:31 /f
          PID: 1788
          - Creates scheduled task(s)

    C:\Windows\Explorer.exe
      Command line: C:\Windows\Explorer.exe
      PID: 2844
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (2)
  Virtualization/Sandbox Evasion (1)
Downloads
Filesize: 2.5MB
MD5: e7b712a0ee19e642e71a4b892b13fe8e
SHA1: c47400632e4b0692f087f609e6f128e0b28b7f0b
SHA256: 9c6ce2d2356af2a0f227d7ce384f6eb5d9db5b78e2c626ab1c97046969784c3b
SHA512: 65f35b1d8afb53f615858db893d9dd30c2347db9bda822c3f699297e1b251b239ac13f0c1789ca0520f67da00f3d44ef12e888e8131755fe817a4f1193e27c60

Filesize: 2.5MB
MD5: 4a7c9826de789b879e8d9373821f664f
SHA1: 49c2d949e7727d8215975505b91d985baf1f8cca
SHA256: 5b083cf9a8205473d196636e705cdaa7db24dba2ce19dfd1ac7105bd98b8d0e9
SHA512: 39906c11c5078b15f966672c221de26c48e4cf2fac83d2689f8095e5198130ee4b62d4a3b292eb15f15d09756920630727eede14aad79766a2c12dafd0113003

Filesize: 2.5MB
MD5: 7fad83ade5c8d2490d11c7eca861cce0
SHA1: ad18358241be338dd5017caf371acf0619d7ad48
SHA256: 6fa8dc2a36081f5403c5141c7435d85b22d694dd9f701f97a65fe37b2eb04ffa
SHA512: 0b8f0a185dcd449a5aaa6c74949c69667067540ec769f157b83ff364e7125366cda67423b63b0dc7763afad7ca2d1255c959a3b8490f068bd9b34f0f01ed26b2