Malware Analysis Report

2024-10-16 06:53

Sample ID 240617-arnh8svhnb
Target 24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe
SHA256 67b50bdc8c1b29c62de47ca0f0256aaa12dd8aaa91d7b1ecd3ca8990bed75726
Tags
evasion persistence themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

67b50bdc8c1b29c62de47ca0f0256aaa12dd8aaa91d7b1ecd3ca8990bed75726

Threat Level: Known bad

The file 24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence themida trojan

Modifies visiblity of hidden/system files in Explorer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Themida packer

Checks BIOS information in registry

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-17 00:26

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 00:26

Reported

2024-06-17 00:29

Platform

win7-20240611-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe"

Signatures

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2208 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 2208 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 2208 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 2208 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 2096 wrote to memory of 1668 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2096 wrote to memory of 1668 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2096 wrote to memory of 1668 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2096 wrote to memory of 1668 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 1668 wrote to memory of 2636 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 1668 wrote to memory of 2636 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 1668 wrote to memory of 2636 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 1668 wrote to memory of 2636 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2636 wrote to memory of 2688 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2636 wrote to memory of 2688 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2636 wrote to memory of 2688 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2636 wrote to memory of 2688 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2096 wrote to memory of 2844 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2096 wrote to memory of 2844 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2096 wrote to memory of 2844 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2096 wrote to memory of 2844 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2636 wrote to memory of 2936 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2636 wrote to memory of 2936 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2636 wrote to memory of 2936 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2636 wrote to memory of 2936 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2636 wrote to memory of 852 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2636 wrote to memory of 852 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2636 wrote to memory of 852 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2636 wrote to memory of 852 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2636 wrote to memory of 1788 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2636 wrote to memory of 1788 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2636 wrote to memory of 1788 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2636 wrote to memory of 1788 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:29 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:30 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:31 /f

Network

N/A

Files

memory/2208-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2208-1-0x00000000776D0000-0x00000000776D2000-memory.dmp

\Windows\Resources\Themes\explorer.exe

MD5 4a7c9826de789b879e8d9373821f664f
SHA1 49c2d949e7727d8215975505b91d985baf1f8cca
SHA256 5b083cf9a8205473d196636e705cdaa7db24dba2ce19dfd1ac7105bd98b8d0e9
SHA512 39906c11c5078b15f966672c221de26c48e4cf2fac83d2689f8095e5198130ee4b62d4a3b292eb15f15d09756920630727eede14aad79766a2c12dafd0113003

memory/2096-11-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 e7b712a0ee19e642e71a4b892b13fe8e
SHA1 c47400632e4b0692f087f609e6f128e0b28b7f0b
SHA256 9c6ce2d2356af2a0f227d7ce384f6eb5d9db5b78e2c626ab1c97046969784c3b
SHA512 65f35b1d8afb53f615858db893d9dd30c2347db9bda822c3f699297e1b251b239ac13f0c1789ca0520f67da00f3d44ef12e888e8131755fe817a4f1193e27c60

memory/2096-22-0x0000000003710000-0x0000000003D1E000-memory.dmp

memory/1668-23-0x0000000000400000-0x0000000000A0E000-memory.dmp

\Windows\Resources\svchost.exe

MD5 7fad83ade5c8d2490d11c7eca861cce0
SHA1 ad18358241be338dd5017caf371acf0619d7ad48
SHA256 6fa8dc2a36081f5403c5141c7435d85b22d694dd9f701f97a65fe37b2eb04ffa
SHA512 0b8f0a185dcd449a5aaa6c74949c69667067540ec769f157b83ff364e7125366cda67423b63b0dc7763afad7ca2d1255c959a3b8490f068bd9b34f0f01ed26b2

memory/1668-34-0x0000000003630000-0x0000000003C3E000-memory.dmp

memory/2636-35-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2636-41-0x0000000003300000-0x000000000390E000-memory.dmp

memory/2688-44-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2208-43-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2688-49-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1668-51-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2208-53-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2096-54-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2096-55-0x0000000003710000-0x0000000003D1E000-memory.dmp

memory/2636-57-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2096-56-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2096-62-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2096-68-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2636-77-0x0000000000400000-0x0000000000A0E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 00:26

Reported

2024-06-17 00:29

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe"

Signatures

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\windows\resources\svchost.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\windows\resources\svchost.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\themes\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\windows\resources\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2164 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 2164 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 2164 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe \??\c:\windows\resources\themes\explorer.exe
PID 5104 wrote to memory of 3088 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 5104 wrote to memory of 3088 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 5104 wrote to memory of 3088 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 3088 wrote to memory of 1060 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 3088 wrote to memory of 1060 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 3088 wrote to memory of 1060 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 1060 wrote to memory of 4324 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 1060 wrote to memory of 4324 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 1060 wrote to memory of 4324 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\24f9aa630a05c0ffc68dd523d0a81200_NeikiAnalytics.exe"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
BE 23.41.178.65:443 www.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 65.178.41.23.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 109.116.69.13.in-addr.arpa udp

Files

memory/2164-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2164-1-0x00000000776A4000-0x00000000776A6000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 e9cb58ccbb2f8bc999b1af8b2e7e022a
SHA1 f94c956e3fa85e8a1824b5d91d332240402bab2f
SHA256 6187cc97a3e2d3ac3a3f306d947fb935e9cbea8f96fccd527363859f7c03d1ae
SHA512 d8b7553663424173781b47b36fd388b8eb07b6b8b6929258a00ab04ea628f6f99fc40e659d7a49009cf5f8eb84427c5aac3ba5a43f84f650d82afbee39566686

memory/5104-10-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 77dfdb9564ee0a7b6b171b0e76d8d34c
SHA1 a4a3a2123afe53dd9b9d522a55e70b5481fe11f3
SHA256 d5f618a0e7e3bb28be46736c252a98b77cec37ca30d2f2a93fcff75f8225c078
SHA512 3278bbc9b1c93bab5fa725a39e196560ebd4c3d0b111ade52c928b99273ab2b7688b625b52fd9b68e56bf3f7e8883f0619c7935993f67a079ad83c120375bade

memory/3088-19-0x0000000000400000-0x0000000000A0E000-memory.dmp

C:\Windows\Resources\svchost.exe

MD5 10a1c8b029ed9e756400e6c76f1edd81
SHA1 6555b9b3104a097581ab64f06aa513b7268a51e4
SHA256 ddef40992e5ff18e73cb2b5ff8b0ed343c97368e104998041436d36cd9856565
SHA512 1f2229cf2a8379b1e7d5432ed906cb3fb4d0f171218501498fa2884a21c716802c43fcca73bf5e96cb89cdc0ed82fb90d6154afcb0b30c26e0bbae649cc0296e

memory/1060-28-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4324-33-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/4324-38-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/3088-42-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/2164-41-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/5104-43-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1060-44-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/5104-45-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/1060-55-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/5104-56-0x0000000000400000-0x0000000000A0E000-memory.dmp

memory/5104-66-0x0000000000400000-0x0000000000A0E000-memory.dmp