Analysis
- max time kernel: 150s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-06-2024 00:26
Behavioral task: behavioral1
- Sample: 24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: 24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe
- Resource: win10v2004-20240611-en
General
- Target: 24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe
- Size: 2.5MB
- MD5: 24f9aa630a05c0ffc68dd523d0a81200
- SHA1: bd2533b3f5be3d96b2baf6435292b4113251e002
- SHA256: 67b50bdc8c1b29c62de47ca0f0256aaa12dd8aaa91d7b1ecd3ca8990bed75726
- SHA512: 65d15229719385242bc6a48fcc4f9f11676399480b859360e62e7fe698b5cd1314acb8bfde3e632b34fd461dca70ef18128f2a5828857e83b3bbf8f59fb58e7d
- SSDEEP: 49152:gxmvumkQ9lY9sgUXdTPSxdQ8KX75IyuWuCjcCqWOyxs:gxx9NUFkQx753uWuCyyxs
Malware Config
Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe
description | ioc | process
- Set value (int) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 5 IoCs)
Processes: spoolsv.exe, 24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe
description | ioc | process
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | spoolsv.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorer.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | spoolsv.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svchost.exe
Checks BIOS information in registry (2 TTPs, 10 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: 24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe, spoolsv.exe, svchost.exe, spoolsv.exe, explorer.exe
description | ioc | process
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | spoolsv.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | spoolsv.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svchost.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | spoolsv.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | spoolsv.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorer.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svchost.exe
Executes dropped EXE (4 IoCs)
Processes: explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
pid | process
- 5104 | explorer.exe
- 3088 | spoolsv.exe
- 1060 | svchost.exe
- 4324 | spoolsv.exe
YARA rule matches (resource | yara_rule):
- behavioral2/memory/2164-0-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
- C:\Windows\Resources\Themes\explorer.exe | themida
- behavioral2/memory/5104-10-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
- C:\Windows\Resources\spoolsv.exe | themida
- behavioral2/memory/3088-19-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
- C:\Windows\Resources\svchost.exe | themida
- behavioral2/memory/1060-28-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
- behavioral2/memory/4324-33-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
- behavioral2/memory/4324-38-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
- behavioral2/memory/3088-42-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
- behavioral2/memory/2164-41-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
- behavioral2/memory/5104-43-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
- behavioral2/memory/1060-44-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
- behavioral2/memory/5104-45-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
- behavioral2/memory/1060-55-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
- behavioral2/memory/5104-56-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
- behavioral2/memory/5104-66-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: svchost.exe, explorer.exe
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
Checks whether UAC is enabled (5 IoCs)
Processes: spoolsv.exe, 24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe
description | ioc | process
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | spoolsv.exe
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | spoolsv.exe
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | svchost.exe
Drops file in System32 directory (2 IoCs)
Processes: explorer.exe, svchost.exe
description | ioc | process
- File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
- File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
Processes: 24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
pid | process
- 2164 | 24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe
- 5104 | explorer.exe
- 3088 | spoolsv.exe
- 1060 | svchost.exe
- 4324 | spoolsv.exe
Drops file in Windows directory (4 IoCs)
Processes: 24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe, explorer.exe, spoolsv.exe
description | ioc | process
- File opened for modification | \??\c:\windows\resources\themes\explorer.exe | 24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe
- File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
- File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
- File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe, explorer.exe
pid | process (the two rows below are each repeated many times in the report; 64 rows in total)
- 2164 | 24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe
- 5104 | explorer.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes: explorer.exe, svchost.exe
pid | process
- 5104 | explorer.exe
- 1060 | svchost.exe
Suspicious use of SetWindowsHookEx (10 IoCs)
Processes: 24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
pid | process
- 2164 | 24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe
- 2164 | 24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe
- 5104 | explorer.exe
- 5104 | explorer.exe
- 3088 | spoolsv.exe
- 3088 | spoolsv.exe
- 1060 | svchost.exe
- 1060 | svchost.exe
- 4324 | spoolsv.exe
- 4324 | spoolsv.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes: 24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe, explorer.exe, spoolsv.exe, svchost.exe
description | pid | process | target process
- PID 2164 wrote to memory of 5104 | 2164 | 24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe | explorer.exe
- PID 2164 wrote to memory of 5104 | 2164 | 24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe | explorer.exe
- PID 2164 wrote to memory of 5104 | 2164 | 24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe | explorer.exe
- PID 5104 wrote to memory of 3088 | 5104 | explorer.exe | spoolsv.exe
- PID 5104 wrote to memory of 3088 | 5104 | explorer.exe | spoolsv.exe
- PID 5104 wrote to memory of 3088 | 5104 | explorer.exe | spoolsv.exe
- PID 3088 wrote to memory of 1060 | 3088 | spoolsv.exe | svchost.exe
- PID 3088 wrote to memory of 1060 | 3088 | spoolsv.exe | svchost.exe
- PID 3088 wrote to memory of 1060 | 3088 | spoolsv.exe | svchost.exe
- PID 1060 wrote to memory of 4324 | 1060 | svchost.exe | spoolsv.exe
- PID 1060 wrote to memory of 4324 | 1060 | svchost.exe | spoolsv.exe
- PID 1060 wrote to memory of 4324 | 1060 | svchost.exe | spoolsv.exe
Processes (process tree; each level is a child of the one above)

Level 1: C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe"
  PID: 2164
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  Level 2: \??\c:\windows\resources\themes\explorer.exe
    Command line: c:\windows\resources\themes\explorer.exe
    PID: 5104
    - Modifies visibility of hidden/system files in Explorer
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    Level 3: \??\c:\windows\resources\spoolsv.exe
      Command line: c:\windows\resources\spoolsv.exe SE
      PID: 3088
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      Level 4: \??\c:\windows\resources\svchost.exe
        Command line: c:\windows\resources\svchost.exe
        PID: 1060
        - Modifies visibility of hidden/system files in Explorer
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        Level 5: \??\c:\windows\resources\spoolsv.exe
          Command line: c:\windows\resources\spoolsv.exe PR
          PID: 4324
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Checks whether UAC is enabled
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
- Defense Evasion
  - Hide Artifacts (1)
    - Hidden Files and Directories (1)
  - Modify Registry (2)
  - Virtualization/Sandbox Evasion (1)
Downloads
- Filesize: 2.5MB
  MD5: e9cb58ccbb2f8bc999b1af8b2e7e022a
  SHA1: f94c956e3fa85e8a1824b5d91d332240402bab2f
  SHA256: 6187cc97a3e2d3ac3a3f306d947fb935e9cbea8f96fccd527363859f7c03d1ae
  SHA512: d8b7553663424173781b47b36fd388b8eb07b6b8b6929258a00ab04ea628f6f99fc40e659d7a49009cf5f8eb84427c5aac3ba5a43f84f650d82afbee39566686
- Filesize: 2.5MB
  MD5: 77dfdb9564ee0a7b6b171b0e76d8d34c
  SHA1: a4a3a2123afe53dd9b9d522a55e70b5481fe11f3
  SHA256: d5f618a0e7e3bb28be46736c252a98b77cec37ca30d2f2a93fcff75f8225c078
  SHA512: 3278bbc9b1c93bab5fa725a39e196560ebd4c3d0b111ade52c928b99273ab2b7688b625b52fd9b68e56bf3f7e8883f0619c7935993f67a079ad83c120375bade
- Filesize: 2.5MB
  MD5: 10a1c8b029ed9e756400e6c76f1edd81
  SHA1: 6555b9b3104a097581ab64f06aa513b7268a51e4
  SHA256: ddef40992e5ff18e73cb2b5ff8b0ed343c97368e104998041436d36cd9856565
  SHA512: 1f2229cf2a8379b1e7d5432ed906cb3fb4d0f171218501498fa2884a21c716802c43fcca73bf5e96cb89cdc0ed82fb90d6154afcb0b30c26e0bbae649cc0296e