Analysis
- max time kernel: 149s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-06-2024 12:40
Static task: static1
Behavioral task: behavioral1
  Sample: abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
- Target: abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db_NeikiAnalytics.exe
- Size: 3.9MB
- MD5: f27d249fcd2da61d8cc70487604d8fd0
- SHA1: fb2e59f60a39c49feb4e7c4e6f2c7a82695cf037
- SHA256: abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db
- SHA512: d9c1d9319081cf33900e456cf0975f9ab356b3d2fbe1d43113d4e184342ca5b02472c439f2edd5272ad27f3a57a955dde7e3f05e487e3acfdd043d4e1d554b39
- SSDEEP: 98304:8lX3KMj7yBNUVPhd5G0Z5DxdM3hZpmBAlB6D4tyX6kuT4IkQApCgvms0Cv05J5Cz:8lX3KMj7yBNUVPhd5G0Z5DxdM3hZpmBz
Malware Config
Signatures
-
Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | Soundcrd.exe
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db_NeikiAnalytics.exe
-
Executes dropped EXE (3 IoCs)
Processes:
  pid | process
  3780 | Soundcrd.exe
  5116 | Soundcrd.exe
  2096 | Soundcrd.exe
-
Processes:
  resource | yara_rule
  behavioral2/memory/5116-31-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/5116-33-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/5116-34-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/5116-35-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/5116-36-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/5116-38-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/5116-37-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/5116-41-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/2096-45-0x0000000000400000-0x0000000000409000-memory.dmp | upx
  behavioral2/memory/2096-44-0x0000000000400000-0x0000000000409000-memory.dmp | upx
  behavioral2/memory/2096-43-0x0000000000400000-0x0000000000409000-memory.dmp | upx
  behavioral2/memory/5116-48-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/2096-49-0x0000000000400000-0x0000000000409000-memory.dmp | upx
  behavioral2/memory/5116-50-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/5116-53-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/5116-55-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/5116-57-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/5116-59-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/5116-61-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/5116-63-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/5116-65-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/5116-67-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/5116-69-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/5116-71-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/5116-73-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
  behavioral2/memory/5116-75-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mcrosoftt = "C:\\Users\\Admin\\AppData\\Roaming\\Soundcrd.exe" | reg.exe
-
Suspicious use of SetThreadContext (2 IoCs)
Processes:
  description | pid | process | target process
  PID 3780 set thread context of 5116 | 3780 | Soundcrd.exe | Soundcrd.exe
  PID 3780 set thread context of 2096 | 3780 | Soundcrd.exe | Soundcrd.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Soundcrd.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Soundcrd.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | Soundcrd.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | Soundcrd.exe
-
Enumerates system info in registry (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | Soundcrd.exe
-
Suspicious use of AdjustPrivilegeToken (25 IoCs)
Processes:
  description | pid | process
  Token: SeIncreaseQuotaPrivilege | 5116 | Soundcrd.exe
  Token: SeSecurityPrivilege | 5116 | Soundcrd.exe
  Token: SeTakeOwnershipPrivilege | 5116 | Soundcrd.exe
  Token: SeLoadDriverPrivilege | 5116 | Soundcrd.exe
  Token: SeSystemProfilePrivilege | 5116 | Soundcrd.exe
  Token: SeSystemtimePrivilege | 5116 | Soundcrd.exe
  Token: SeProfSingleProcessPrivilege | 5116 | Soundcrd.exe
  Token: SeIncBasePriorityPrivilege | 5116 | Soundcrd.exe
  Token: SeCreatePagefilePrivilege | 5116 | Soundcrd.exe
  Token: SeBackupPrivilege | 5116 | Soundcrd.exe
  Token: SeRestorePrivilege | 5116 | Soundcrd.exe
  Token: SeShutdownPrivilege | 5116 | Soundcrd.exe
  Token: SeDebugPrivilege | 5116 | Soundcrd.exe
  Token: SeSystemEnvironmentPrivilege | 5116 | Soundcrd.exe
  Token: SeChangeNotifyPrivilege | 5116 | Soundcrd.exe
  Token: SeRemoteShutdownPrivilege | 5116 | Soundcrd.exe
  Token: SeUndockPrivilege | 5116 | Soundcrd.exe
  Token: SeManageVolumePrivilege | 5116 | Soundcrd.exe
  Token: SeImpersonatePrivilege | 5116 | Soundcrd.exe
  Token: SeCreateGlobalPrivilege | 5116 | Soundcrd.exe
  Token: 33 | 5116 | Soundcrd.exe
  Token: 34 | 5116 | Soundcrd.exe
  Token: 35 | 5116 | Soundcrd.exe
  Token: 36 | 5116 | Soundcrd.exe
  Token: SeDebugPrivilege | 2096 | Soundcrd.exe
-
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes:
  pid | process
  4108 | abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db_NeikiAnalytics.exe
  3780 | Soundcrd.exe
  2096 | Soundcrd.exe
-
Suspicious use of WriteProcessMemory (25 IoCs)
Processes:
  description | pid | process | target process
  PID 4108 wrote to memory of 624 | 4108 | abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db_NeikiAnalytics.exe | cmd.exe
  PID 4108 wrote to memory of 624 | 4108 | abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db_NeikiAnalytics.exe | cmd.exe
  PID 4108 wrote to memory of 624 | 4108 | abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db_NeikiAnalytics.exe | cmd.exe
  PID 624 wrote to memory of 3068 | 624 | cmd.exe | reg.exe
  PID 624 wrote to memory of 3068 | 624 | cmd.exe | reg.exe
  PID 624 wrote to memory of 3068 | 624 | cmd.exe | reg.exe
  PID 4108 wrote to memory of 3780 | 4108 | abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db_NeikiAnalytics.exe | Soundcrd.exe
  PID 4108 wrote to memory of 3780 | 4108 | abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db_NeikiAnalytics.exe | Soundcrd.exe
  PID 4108 wrote to memory of 3780 | 4108 | abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db_NeikiAnalytics.exe | Soundcrd.exe
  PID 3780 wrote to memory of 5116 | 3780 | Soundcrd.exe | Soundcrd.exe
  PID 3780 wrote to memory of 5116 | 3780 | Soundcrd.exe | Soundcrd.exe
  PID 3780 wrote to memory of 5116 | 3780 | Soundcrd.exe | Soundcrd.exe
  PID 3780 wrote to memory of 5116 | 3780 | Soundcrd.exe | Soundcrd.exe
  PID 3780 wrote to memory of 5116 | 3780 | Soundcrd.exe | Soundcrd.exe
  PID 3780 wrote to memory of 5116 | 3780 | Soundcrd.exe | Soundcrd.exe
  PID 3780 wrote to memory of 5116 | 3780 | Soundcrd.exe | Soundcrd.exe
  PID 3780 wrote to memory of 5116 | 3780 | Soundcrd.exe | Soundcrd.exe
  PID 3780 wrote to memory of 2096 | 3780 | Soundcrd.exe | Soundcrd.exe
  PID 3780 wrote to memory of 2096 | 3780 | Soundcrd.exe | Soundcrd.exe
  PID 3780 wrote to memory of 2096 | 3780 | Soundcrd.exe | Soundcrd.exe
  PID 3780 wrote to memory of 2096 | 3780 | Soundcrd.exe | Soundcrd.exe
  PID 3780 wrote to memory of 2096 | 3780 | Soundcrd.exe | Soundcrd.exe
  PID 3780 wrote to memory of 2096 | 3780 | Soundcrd.exe | Soundcrd.exe
  PID 3780 wrote to memory of 2096 | 3780 | Soundcrd.exe | Soundcrd.exe
  PID 3780 wrote to memory of 2096 | 3780 | Soundcrd.exe | Soundcrd.exe
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\abe15508c788b87c459d40b5591b2ae5f34c987612bf055d22d8edaff805e2db_NeikiAnalytics.exe"
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  -
  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DoNle.bat" "
    - Suspicious use of WriteProcessMemory
    -
    Level 3: C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Mcrosoftt" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Soundcrd.exe" /f
      - Adds Run key to start application
  -
  Level 2: C:\Users\Admin\AppData\Roaming\Soundcrd.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Soundcrd.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    -
    Level 3: C:\Users\Admin\AppData\Roaming\Soundcrd.exe
      Command line: C:\Users\Admin\AppData\Roaming\Soundcrd.exe
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
    -
    Level 3: C:\Users\Admin\AppData\Roaming\Soundcrd.exe
      Command line: C:\Users\Admin\AppData\Roaming\Soundcrd.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\DoNle.txt
  Filesize: 139B
  MD5: 173bcce4810d4901872d0ef4f0bfea4e
  SHA1: 561b03fdfe68b6419fddf57f32e1aab9a6126a2f
  SHA256: 10ea37eceabbe80fe9814280b66b957636951dbeeed18a9b4d50a1d24a6f1d1d
  SHA512: 2401e0a5e3f7bf590a0767449da2249d09717e8c1cb71a7475e81d9615580001cfc38705cd1a5b4edc33f7df043bf195e28e4a5442a32bc879dffc6473bd545e
-
C:\Users\Admin\AppData\Roaming\Soundcrd.txt
  Filesize: 3.9MB
  MD5: 6011d9a65795ee49a33c13f938cb5ce2
  SHA1: 6af478cdb452fcfd23dcc0c0116bd25e40b8d75e
  SHA256: 5b97efa636e3b79e120c2812c3af211e6c2f9b2bfc11ba12632a3b3ea8ad02f6
  SHA512: 1d3170c6fd2211ca4e62f65b72480da3748c9b035a071f56220d9c13d55b4717e930e86e12bf2100d29b6e723d956581611961762ab330b6ff6f2e32c91a1b7a
-
memory/2096-45-0x0000000000400000-0x0000000000409000-memory.dmp
  Filesize: 36KB
-
memory/2096-49-0x0000000000400000-0x0000000000409000-memory.dmp
  Filesize: 36KB
-
memory/2096-43-0x0000000000400000-0x0000000000409000-memory.dmp
  Filesize: 36KB
-
memory/2096-44-0x0000000000400000-0x0000000000409000-memory.dmp
  Filesize: 36KB
-
memory/4108-0-0x0000000000400000-0x00000000007E8000-memory.dmp
  Filesize: 3.9MB
-
memory/5116-48-0x0000000000400000-0x00000000004B5000-memory.dmp
  Filesize: 724KB
-
memory/5116-55-0x0000000000400000-0x00000000004B5000-memory.dmp
  Filesize: 724KB
-
memory/5116-37-0x0000000000400000-0x00000000004B5000-memory.dmp
  Filesize: 724KB
-
memory/5116-41-0x0000000000400000-0x00000000004B5000-memory.dmp
  Filesize: 724KB
-
memory/5116-36-0x0000000000400000-0x00000000004B5000-memory.dmp
  Filesize: 724KB
-
memory/5116-35-0x0000000000400000-0x00000000004B5000-memory.dmp
  Filesize: 724KB
-
memory/5116-34-0x0000000000400000-0x00000000004B5000-memory.dmp
  Filesize: 724KB
-
memory/5116-33-0x0000000000400000-0x00000000004B5000-memory.dmp
  Filesize: 724KB
-
memory/5116-31-0x0000000000400000-0x00000000004B5000-memory.dmp
  Filesize: 724KB
-
memory/5116-50-0x0000000000400000-0x00000000004B5000-memory.dmp
  Filesize: 724KB
-
memory/5116-53-0x0000000000400000-0x00000000004B5000-memory.dmp
  Filesize: 724KB
-
memory/5116-38-0x0000000000400000-0x00000000004B5000-memory.dmp
  Filesize: 724KB
-
memory/5116-57-0x0000000000400000-0x00000000004B5000-memory.dmp
  Filesize: 724KB
-
memory/5116-59-0x0000000000400000-0x00000000004B5000-memory.dmp
  Filesize: 724KB
-
memory/5116-61-0x0000000000400000-0x00000000004B5000-memory.dmp
  Filesize: 724KB
-
memory/5116-63-0x0000000000400000-0x00000000004B5000-memory.dmp
  Filesize: 724KB
-
memory/5116-65-0x0000000000400000-0x00000000004B5000-memory.dmp
  Filesize: 724KB
-
memory/5116-67-0x0000000000400000-0x00000000004B5000-memory.dmp
  Filesize: 724KB
-
memory/5116-69-0x0000000000400000-0x00000000004B5000-memory.dmp
  Filesize: 724KB
-
memory/5116-71-0x0000000000400000-0x00000000004B5000-memory.dmp
  Filesize: 724KB
-
memory/5116-73-0x0000000000400000-0x00000000004B5000-memory.dmp
  Filesize: 724KB
-
memory/5116-75-0x0000000000400000-0x00000000004B5000-memory.dmp
  Filesize: 724KB