Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-06-2024 19:36
Behavioral task: behavioral1
Sample: a8175b854418e996d399ff48b7bfd6fb4582af75c9a5f018b2f7a068a02d2a91_NeikiAnalytics.exe
Resource: win7-20240611-en
Behavioral task: behavioral2
Sample: a8175b854418e996d399ff48b7bfd6fb4582af75c9a5f018b2f7a068a02d2a91_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: a8175b854418e996d399ff48b7bfd6fb4582af75c9a5f018b2f7a068a02d2a91_NeikiAnalytics.exe
Size: 592KB
MD5: caf13619e85c7ef3cea9571699eb1960
SHA1: b930f261d0aabfa5752396b835550b59549f5a7f
SHA256: a8175b854418e996d399ff48b7bfd6fb4582af75c9a5f018b2f7a068a02d2a91
SHA512: c1d48391b610f02eb83ec23113c98fe5a062919999290bd1e1272264a5603a311454abcf3ef1953781080eba814c1de227d595b6ba96241f843f980d103b8013
SSDEEP: 12288:wcWRJxhIUKofd9S88itJsL6s8GwUF81yn0FI/6IC0XoS+:TW/xhIUKofSytJsL6HUP0OHC3
Malware Config

Signatures

Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
Processes: Soundcrd.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | Soundcrd.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: a8175b854418e996d399ff48b7bfd6fb4582af75c9a5f018b2f7a068a02d2a91_NeikiAnalytics.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | a8175b854418e996d399ff48b7bfd6fb4582af75c9a5f018b2f7a068a02d2a91_NeikiAnalytics.exe

Executes dropped EXE (3 IoCs)
Processes: Soundcrd.exe, Soundcrd.exe, Soundcrd.exe
  pid | process
  3232 | Soundcrd.exe
  208 | Soundcrd.exe
  4320 | Soundcrd.exe

Processes:
  resource | yara_rule
  behavioral2/memory/372-0-0x0000000000400000-0x00000000007EB000-memory.dmp | upx
  C:\Users\Admin\AppData\Roaming\Soundcrd.txt | upx
  behavioral2/memory/3232-28-0x0000000000400000-0x00000000007EB000-memory.dmp | upx
  behavioral2/memory/372-30-0x0000000000400000-0x00000000007EB000-memory.dmp | upx
  behavioral2/memory/208-33-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/208-35-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/4320-37-0x0000000000400000-0x0000000000409000-memory.dmp | upx
  behavioral2/memory/4320-42-0x0000000000400000-0x0000000000409000-memory.dmp | upx
  behavioral2/memory/208-44-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/208-46-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/208-49-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/208-51-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/208-50-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/3232-45-0x0000000000400000-0x00000000007EB000-memory.dmp | upx
  behavioral2/memory/4320-40-0x0000000000400000-0x0000000000409000-memory.dmp | upx
  behavioral2/memory/208-36-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/208-52-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/4320-53-0x0000000000400000-0x0000000000409000-memory.dmp | upx
  behavioral2/memory/208-56-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/208-60-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/208-64-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/208-68-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/208-72-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/208-76-0x0000000000400000-0x00000000004B5000-memory.dmp | upx

Adds Run key to start application (2 TTPs, 1 IoC)
Processes: reg.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mcrosoftt = "C:\\Users\\Admin\\AppData\\Roaming\\Soundcrd.exe" | reg.exe

Suspicious use of SetThreadContext (2 IoCs)
Processes: Soundcrd.exe
  description | pid | process | target process
  PID 3232 set thread context of 208 | 3232 | Soundcrd.exe | Soundcrd.exe
  PID 3232 set thread context of 4320 | 3232 | Soundcrd.exe | Soundcrd.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: Soundcrd.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | Soundcrd.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Soundcrd.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Soundcrd.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | Soundcrd.exe

Enumerates system info in registry (2 TTPs, 1 IoC)
Processes: Soundcrd.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | Soundcrd.exe

Suspicious use of AdjustPrivilegeToken (25 IoCs)
Processes: Soundcrd.exe, Soundcrd.exe
  description | pid | process
  Token: SeDebugPrivilege | 4320 | Soundcrd.exe
  Token: SeIncreaseQuotaPrivilege | 208 | Soundcrd.exe
  Token: SeSecurityPrivilege | 208 | Soundcrd.exe
  Token: SeTakeOwnershipPrivilege | 208 | Soundcrd.exe
  Token: SeLoadDriverPrivilege | 208 | Soundcrd.exe
  Token: SeSystemProfilePrivilege | 208 | Soundcrd.exe
  Token: SeSystemtimePrivilege | 208 | Soundcrd.exe
  Token: SeProfSingleProcessPrivilege | 208 | Soundcrd.exe
  Token: SeIncBasePriorityPrivilege | 208 | Soundcrd.exe
  Token: SeCreatePagefilePrivilege | 208 | Soundcrd.exe
  Token: SeBackupPrivilege | 208 | Soundcrd.exe
  Token: SeRestorePrivilege | 208 | Soundcrd.exe
  Token: SeShutdownPrivilege | 208 | Soundcrd.exe
  Token: SeDebugPrivilege | 208 | Soundcrd.exe
  Token: SeSystemEnvironmentPrivilege | 208 | Soundcrd.exe
  Token: SeChangeNotifyPrivilege | 208 | Soundcrd.exe
  Token: SeRemoteShutdownPrivilege | 208 | Soundcrd.exe
  Token: SeUndockPrivilege | 208 | Soundcrd.exe
  Token: SeManageVolumePrivilege | 208 | Soundcrd.exe
  Token: SeImpersonatePrivilege | 208 | Soundcrd.exe
  Token: SeCreateGlobalPrivilege | 208 | Soundcrd.exe
  Token: 33 | 208 | Soundcrd.exe
  Token: 34 | 208 | Soundcrd.exe
  Token: 35 | 208 | Soundcrd.exe
  Token: 36 | 208 | Soundcrd.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
Processes: a8175b854418e996d399ff48b7bfd6fb4582af75c9a5f018b2f7a068a02d2a91_NeikiAnalytics.exe, Soundcrd.exe, Soundcrd.exe
  pid | process
  372 | a8175b854418e996d399ff48b7bfd6fb4582af75c9a5f018b2f7a068a02d2a91_NeikiAnalytics.exe
  3232 | Soundcrd.exe
  4320 | Soundcrd.exe

Suspicious use of WriteProcessMemory (25 IoCs)
Processes: a8175b854418e996d399ff48b7bfd6fb4582af75c9a5f018b2f7a068a02d2a91_NeikiAnalytics.exe, cmd.exe, Soundcrd.exe
Identical rows from the report are collapsed; the last column gives the number of entries for each row.
  description | pid | process | target process | entries
  PID 372 wrote to memory of 2652 | 372 | a8175b854418e996d399ff48b7bfd6fb4582af75c9a5f018b2f7a068a02d2a91_NeikiAnalytics.exe | cmd.exe | 3
  PID 2652 wrote to memory of 2260 | 2652 | cmd.exe | reg.exe | 3
  PID 372 wrote to memory of 3232 | 372 | a8175b854418e996d399ff48b7bfd6fb4582af75c9a5f018b2f7a068a02d2a91_NeikiAnalytics.exe | Soundcrd.exe | 3
  PID 3232 wrote to memory of 208 | 3232 | Soundcrd.exe | Soundcrd.exe | 8
  PID 3232 wrote to memory of 4320 | 3232 | Soundcrd.exe | Soundcrd.exe | 8
Processes
(indentation gives the process-tree depth reported by the sandbox)

C:\Users\Admin\AppData\Local\Temp\a8175b854418e996d399ff48b7bfd6fb4582af75c9a5f018b2f7a068a02d2a91_NeikiAnalytics.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\a8175b854418e996d399ff48b7bfd6fb4582af75c9a5f018b2f7a068a02d2a91_NeikiAnalytics.exe"
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (depth 2)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qgpor.bat" "
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\reg.exe (depth 3)
      command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Mcrosoftt" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Soundcrd.exe" /f
      - Adds Run key to start application

  C:\Users\Admin\AppData\Roaming\Soundcrd.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Roaming\Soundcrd.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Soundcrd.exe (depth 3)
      command line: C:\Users\Admin\AppData\Roaming\Soundcrd.exe
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Roaming\Soundcrd.exe (depth 3)
      command line: C:\Users\Admin\AppData\Roaming\Soundcrd.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\qgpor.txt
  Filesize: 139B
  MD5: 173bcce4810d4901872d0ef4f0bfea4e
  SHA1: 561b03fdfe68b6419fddf57f32e1aab9a6126a2f
  SHA256: 10ea37eceabbe80fe9814280b66b957636951dbeeed18a9b4d50a1d24a6f1d1d
  SHA512: 2401e0a5e3f7bf590a0767449da2249d09717e8c1cb71a7475e81d9615580001cfc38705cd1a5b4edc33f7df043bf195e28e4a5442a32bc879dffc6473bd545e

C:\Users\Admin\AppData\Roaming\Soundcrd.txt
  Filesize: 592KB
  MD5: 0e7f6a5ec41a635b8a231189d605206e
  SHA1: c6229f8b5b5a09ac7d95660dcc37044c4c0c04b7
  SHA256: 321db5c4d090bf2434d0aa562731562ca82a17590330fc0b1ba69f4124d79c5a
  SHA512: 830eb309173b87006d01e07a3bcc2ca5abd168675203ecafe998305cf14de7941c62e4789b219012d4c4d3da02857b05fda1761e71a7b0af15157f6e392b23fc

Memory dumps
  dump | Filesize
  memory/208-51-0x0000000000400000-0x00000000004B5000-memory.dmp | 724KB
  memory/208-72-0x0000000000400000-0x00000000004B5000-memory.dmp | 724KB
  memory/208-60-0x0000000000400000-0x00000000004B5000-memory.dmp | 724KB
  memory/208-33-0x0000000000400000-0x00000000004B5000-memory.dmp | 724KB
  memory/208-35-0x0000000000400000-0x00000000004B5000-memory.dmp | 724KB
  memory/208-50-0x0000000000400000-0x00000000004B5000-memory.dmp | 724KB
  memory/208-56-0x0000000000400000-0x00000000004B5000-memory.dmp | 724KB
  memory/208-44-0x0000000000400000-0x00000000004B5000-memory.dmp | 724KB
  memory/208-46-0x0000000000400000-0x00000000004B5000-memory.dmp | 724KB
  memory/208-68-0x0000000000400000-0x00000000004B5000-memory.dmp | 724KB
  memory/208-52-0x0000000000400000-0x00000000004B5000-memory.dmp | 724KB
  memory/208-76-0x0000000000400000-0x00000000004B5000-memory.dmp | 724KB
  memory/208-49-0x0000000000400000-0x00000000004B5000-memory.dmp | 724KB
  memory/208-64-0x0000000000400000-0x00000000004B5000-memory.dmp | 724KB
  memory/208-36-0x0000000000400000-0x00000000004B5000-memory.dmp | 724KB
  memory/372-30-0x0000000000400000-0x00000000007EB000-memory.dmp | 3.9MB
  memory/372-0-0x0000000000400000-0x00000000007EB000-memory.dmp | 3.9MB
  memory/3232-45-0x0000000000400000-0x00000000007EB000-memory.dmp | 3.9MB
  memory/3232-28-0x0000000000400000-0x00000000007EB000-memory.dmp | 3.9MB
  memory/4320-42-0x0000000000400000-0x0000000000409000-memory.dmp | 36KB
  memory/4320-53-0x0000000000400000-0x0000000000409000-memory.dmp | 36KB
  memory/4320-40-0x0000000000400000-0x0000000000409000-memory.dmp | 36KB
  memory/4320-37-0x0000000000400000-0x0000000000409000-memory.dmp | 36KB