Analysis
max time kernel: 149s
max time network: 149s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 29-06-2024 12:40
Static task: static1
Behavioral task: behavioral1
  Sample: abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db_NeikiAnalytics.exe
Size: 3.9MB
MD5: f27d249fcd2da61d8cc70487604d8fd0
SHA1: fb2e59f60a39c49feb4e7c4e6f2c7a82695cf037
SHA256: abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db
SHA512: d9c1d9319081cf33900e456cf0975f9ab356b3d2fbe1d43113d4e184342ca5b02472c439f2edd5272ad27f3a57a955dde7e3f05e487e3acfdd043d4e1d554b39
SSDEEP: 98304:8lX3KMj7yBNUVPhd5G0Z5DxdM3hZpmBAlB6D4tyX6kuT4IkQApCgvms0Cv05J5Cz:8lX3KMj7yBNUVPhd5G0Z5DxdM3hZpmBz
Malware Config
Signatures
-
Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate (Soundcrd.exe)
Executes dropped EXE (3 IoCs)
Processes:
- PID 2680 Soundcrd.exe
- PID 2712 Soundcrd.exe
- PID 2788 Soundcrd.exe
Loads dropped DLL (7 IoCs)
Processes:
- PID 2136 abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db_NeikiAnalytics.exe (5 entries)
- PID 2680 Soundcrd.exe (2 entries)
Processes:
YARA rule matches (resource: rule):
- behavioral1/memory/2712-48-0x0000000000400000-0x00000000004B5000-memory.dmp: upx
- behavioral1/memory/2712-50-0x0000000000400000-0x00000000004B5000-memory.dmp: upx
- behavioral1/memory/2788-56-0x0000000000400000-0x0000000000409000-memory.dmp: upx
- behavioral1/memory/2788-55-0x0000000000400000-0x0000000000409000-memory.dmp: upx
- behavioral1/memory/2788-59-0x0000000000400000-0x0000000000409000-memory.dmp: upx
- behavioral1/memory/2788-53-0x0000000000400000-0x0000000000409000-memory.dmp: upx
- behavioral1/memory/2712-52-0x0000000000400000-0x00000000004B5000-memory.dmp: upx
- behavioral1/memory/2712-60-0x0000000000400000-0x00000000004B5000-memory.dmp: upx
- behavioral1/memory/2712-62-0x0000000000400000-0x00000000004B5000-memory.dmp: upx
- behavioral1/memory/2712-61-0x0000000000400000-0x00000000004B5000-memory.dmp: upx
- behavioral1/memory/2712-63-0x0000000000400000-0x00000000004B5000-memory.dmp: upx
- behavioral1/memory/2712-65-0x0000000000400000-0x00000000004B5000-memory.dmp: upx
- behavioral1/memory/2712-64-0x0000000000400000-0x00000000004B5000-memory.dmp: upx
- behavioral1/memory/2788-67-0x0000000000400000-0x0000000000409000-memory.dmp: upx
- behavioral1/memory/2712-66-0x0000000000400000-0x00000000004B5000-memory.dmp: upx
- behavioral1/memory/2712-68-0x0000000000400000-0x00000000004B5000-memory.dmp: upx
- behavioral1/memory/2712-71-0x0000000000400000-0x00000000004B5000-memory.dmp: upx
- behavioral1/memory/2712-75-0x0000000000400000-0x00000000004B5000-memory.dmp: upx
- behavioral1/memory/2712-77-0x0000000000400000-0x00000000004B5000-memory.dmp: upx
- behavioral1/memory/2712-81-0x0000000000400000-0x00000000004B5000-memory.dmp: upx
- behavioral1/memory/2712-83-0x0000000000400000-0x00000000004B5000-memory.dmp: upx
- behavioral1/memory/2712-87-0x0000000000400000-0x00000000004B5000-memory.dmp: upx
- behavioral1/memory/2712-89-0x0000000000400000-0x00000000004B5000-memory.dmp: upx
- behavioral1/memory/2712-93-0x0000000000400000-0x00000000004B5000-memory.dmp: upx
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mcrosoftt = "C:\\Users\\Admin\\AppData\\Roaming\\Soundcrd.exe" (reg.exe)
Suspicious use of SetThreadContext (2 IoCs)
Processes:
- PID 2680 set thread context of 2712 (Soundcrd.exe -> Soundcrd.exe)
- PID 2680 set thread context of 2788 (Soundcrd.exe -> Soundcrd.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (Soundcrd.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (Soundcrd.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (Soundcrd.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (Soundcrd.exe)
Enumerates system info in registry (2 TTPs, 1 IoC)
Processes:
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier (Soundcrd.exe)
Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes:
- Token: SeDebugPrivilege, PID 2788 Soundcrd.exe
- Token: SeIncreaseQuotaPrivilege, PID 2712 Soundcrd.exe
- Token: SeSecurityPrivilege, PID 2712 Soundcrd.exe
- Token: SeTakeOwnershipPrivilege, PID 2712 Soundcrd.exe
- Token: SeLoadDriverPrivilege, PID 2712 Soundcrd.exe
- Token: SeSystemProfilePrivilege, PID 2712 Soundcrd.exe
- Token: SeSystemtimePrivilege, PID 2712 Soundcrd.exe
- Token: SeProfSingleProcessPrivilege, PID 2712 Soundcrd.exe
- Token: SeIncBasePriorityPrivilege, PID 2712 Soundcrd.exe
- Token: SeCreatePagefilePrivilege, PID 2712 Soundcrd.exe
- Token: SeBackupPrivilege, PID 2712 Soundcrd.exe
- Token: SeRestorePrivilege, PID 2712 Soundcrd.exe
- Token: SeShutdownPrivilege, PID 2712 Soundcrd.exe
- Token: SeDebugPrivilege, PID 2712 Soundcrd.exe
- Token: SeSystemEnvironmentPrivilege, PID 2712 Soundcrd.exe
- Token: SeChangeNotifyPrivilege, PID 2712 Soundcrd.exe
- Token: SeRemoteShutdownPrivilege, PID 2712 Soundcrd.exe
- Token: SeUndockPrivilege, PID 2712 Soundcrd.exe
- Token: SeManageVolumePrivilege, PID 2712 Soundcrd.exe
- Token: SeImpersonatePrivilege, PID 2712 Soundcrd.exe
- Token: SeCreateGlobalPrivilege, PID 2712 Soundcrd.exe
- Token: 33, PID 2712 Soundcrd.exe
- Token: 34, PID 2712 Soundcrd.exe
- Token: 35, PID 2712 Soundcrd.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes:
- PID 2136 abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db_NeikiAnalytics.exe
- PID 2680 Soundcrd.exe
- PID 2788 Soundcrd.exe
Suspicious use of WriteProcessMemory (30 IoCs)
Processes:
- PID 2136 wrote to memory of 2656 (abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db_NeikiAnalytics.exe -> cmd.exe), 4 entries
- PID 2656 wrote to memory of 2596 (cmd.exe -> reg.exe), 4 entries
- PID 2136 wrote to memory of 2680 (abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db_NeikiAnalytics.exe -> Soundcrd.exe), 4 entries
- PID 2680 wrote to memory of 2712 (Soundcrd.exe -> Soundcrd.exe), 9 entries
- PID 2680 wrote to memory of 2788 (Soundcrd.exe -> Soundcrd.exe), 9 entries
Processes
- Process (depth 1): C:\Users\Admin\AppData\Local\Temp\abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Process (depth 2): C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\zMelH.bat" "
    - Suspicious use of WriteProcessMemory
    - Process (depth 3): C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Mcrosoftt" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Soundcrd.exe" /f
      - Adds Run key to start application
  - Process (depth 2): C:\Users\Admin\AppData\Roaming\Soundcrd.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Soundcrd.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - Process (depth 3): C:\Users\Admin\AppData\Roaming\Soundcrd.exe
      Command line: C:\Users\Admin\AppData\Roaming\Soundcrd.exe
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
    - Process (depth 3): C:\Users\Admin\AppData\Roaming\Soundcrd.exe
      Command line: C:\Users\Admin\AppData\Roaming\Soundcrd.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\zMelH.bat
  Filesize: 139B
  MD5: 173bcce4810d4901872d0ef4f0bfea4e
  SHA1: 561b03fdfe68b6419fddf57f32e1aab9a6126a2f
  SHA256: 10ea37eceabbe80fe9814280b66b957636951dbeeed18a9b4d50a1d24a6f1d1d
  SHA512: 2401e0a5e3f7bf590a0767449da2249d09717e8c1cb71a7475e81d9615580001cfc38705cd1a5b4edc33f7df043bf195e28e4a5442a32bc879dffc6473bd545e
- \Users\Admin\AppData\Roaming\Soundcrd.exe
  Filesize: 3.9MB
  MD5: 4e238d4d9a0828f9f64e73afa3efecc2
  SHA1: 159e224228bb04844d1b8ba6f6a7a14b71cd81bd
  SHA256: 190d03c555b435115850d24576dca6a984457e317eb4ab3e551181fcfd7373a8
  SHA512: 649a5fd3a6a54e087eee4ae51443a15229ccdaf83826403e6719cdc4790b9b16d27162f7e5c3285100413bcb4b8518ac7387a3fca6d50792e59b6cded57b0645
Memory dumps (file, filesize):
- memory/2136-0-0x0000000000400000-0x00000000007E8000-memory.dmp, 3.9MB
- memory/2712-68-0x0000000000400000-0x00000000004B5000-memory.dmp, 724KB
- memory/2712-65-0x0000000000400000-0x00000000004B5000-memory.dmp, 724KB
- memory/2712-93-0x0000000000400000-0x00000000004B5000-memory.dmp, 724KB
- memory/2712-89-0x0000000000400000-0x00000000004B5000-memory.dmp, 724KB
- memory/2712-87-0x0000000000400000-0x00000000004B5000-memory.dmp, 724KB
- memory/2712-83-0x0000000000400000-0x00000000004B5000-memory.dmp, 724KB
- memory/2712-52-0x0000000000400000-0x00000000004B5000-memory.dmp, 724KB
- memory/2712-60-0x0000000000400000-0x00000000004B5000-memory.dmp, 724KB
- memory/2712-62-0x0000000000400000-0x00000000004B5000-memory.dmp, 724KB
- memory/2712-61-0x0000000000400000-0x00000000004B5000-memory.dmp, 724KB
- memory/2712-63-0x0000000000400000-0x00000000004B5000-memory.dmp, 724KB
- memory/2712-50-0x0000000000400000-0x00000000004B5000-memory.dmp, 724KB
- memory/2712-64-0x0000000000400000-0x00000000004B5000-memory.dmp, 724KB
- memory/2712-81-0x0000000000400000-0x00000000004B5000-memory.dmp, 724KB
- memory/2712-66-0x0000000000400000-0x00000000004B5000-memory.dmp, 724KB
- memory/2712-48-0x0000000000400000-0x00000000004B5000-memory.dmp, 724KB
- memory/2712-71-0x0000000000400000-0x00000000004B5000-memory.dmp, 724KB
- memory/2712-75-0x0000000000400000-0x00000000004B5000-memory.dmp, 724KB
- memory/2712-77-0x0000000000400000-0x00000000004B5000-memory.dmp, 724KB
- memory/2788-67-0x0000000000400000-0x0000000000409000-memory.dmp, 36KB
- memory/2788-53-0x0000000000400000-0x0000000000409000-memory.dmp, 36KB
- memory/2788-59-0x0000000000400000-0x0000000000409000-memory.dmp, 36KB
- memory/2788-55-0x0000000000400000-0x0000000000409000-memory.dmp, 36KB
- memory/2788-56-0x0000000000400000-0x0000000000409000-memory.dmp, 36KB