Analysis
max time kernel: 149s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-06-2024 20:57
Static task: static1
Behavioral task: behavioral1
Sample: 190b59533d38ee969b361261bd4a48e5e38a3d4ee94dda1853a81dc3197e4b89_NeikiAnalytics.exe
Resource: win7-20240419-en
General
Target: 190b59533d38ee969b361261bd4a48e5e38a3d4ee94dda1853a81dc3197e4b89_NeikiAnalytics.exe
Size: 1.8MB
MD5: cccde21b7aa72f82653f08cd7dc99810
SHA1: 9404a35d44af2596afa70aa99d77038708f1a590
SHA256: 190b59533d38ee969b361261bd4a48e5e38a3d4ee94dda1853a81dc3197e4b89
SHA512: eada6496281b8d6c1c61e3f1e534767fc5f8b1204d985f191afb65d2829730bedd55117ca871e6aa00ed0afb55fd6182c9cf454d9d9fb955ea490eb5cc1b6ca3
SSDEEP: 24576:VPMF5WAjrjYtwFHzJAfAH+wR7/tN/RtFIxXx35TvWeaO4K6zYd500RBBB6eGgNbC:C2AjrzdJAYjVtNpIBDmMd5zBBpGS
Malware Config
Extracted
Family: amadey
Version: 4.21
Botnet: 0e6740
C2: http://147.45.47.155
install_dir: 9217037dc9
install_file: explortu.exe
strings_key: 8e894a8a4a3d0da8924003a561cfb244
url_paths: /ku4Nor9/index.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
Processes:
- 190b59533d38ee969b361261bd4a48e5e38a3d4ee94dda1853a81dc3197e4b89_NeikiAnalytics.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- explortu.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
-
Downloads MZ/PE file
-
Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
- 190b59533d38ee969b361261bd4a48e5e38a3d4ee94dda1853a81dc3197e4b89_NeikiAnalytics.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- explortu.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- explortu.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- 190b59533d38ee969b361261bd4a48e5e38a3d4ee94dda1853a81dc3197e4b89_NeikiAnalytics.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
-
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes:
- 190b59533d38ee969b361261bd4a48e5e38a3d4ee94dda1853a81dc3197e4b89_NeikiAnalytics.exe: Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation
- explortu.exe: Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation
-
Executes dropped EXE (1 IoC)
Processes:
- PID 1488 explortu.exe
-
Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
- 190b59533d38ee969b361261bd4a48e5e38a3d4ee94dda1853a81dc3197e4b89_NeikiAnalytics.exe: Key opened \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Wine
- explortu.exe: Key opened \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Wine
-
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes:
- PID 4592 190b59533d38ee969b361261bd4a48e5e38a3d4ee94dda1853a81dc3197e4b89_NeikiAnalytics.exe
- PID 1488 explortu.exe
-
Drops file in Windows directory (1 IoC)
Processes:
- 190b59533d38ee969b361261bd4a48e5e38a3d4ee94dda1853a81dc3197e4b89_NeikiAnalytics.exe: File created C:\Windows\Tasks\explortu.job
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe (1 IoC)
Processes:
- PID 2784 timeout.exe
-
Kills process with taskkill (1 IoC)
Processes:
- PID 2144 taskkill.exe
-
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
- PID 4592 190b59533d38ee969b361261bd4a48e5e38a3d4ee94dda1853a81dc3197e4b89_NeikiAnalytics.exe (2 IoCs)
- PID 1488 explortu.exe (2 IoCs)
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
- PID 2144 taskkill.exe: Token: SeDebugPrivilege
-
Suspicious use of WriteProcessMemory (12 IoCs)
Processes (each parent-to-child write is logged three times, 12 IoCs in total):
- PID 4592 (190b59533d38ee969b361261bd4a48e5e38a3d4ee94dda1853a81dc3197e4b89_NeikiAnalytics.exe) wrote to memory of 1488 (explortu.exe)
- PID 1488 (explortu.exe) wrote to memory of 2200 (cmd.exe)
- PID 2200 (cmd.exe) wrote to memory of 2144 (taskkill.exe)
- PID 2200 (cmd.exe) wrote to memory of 2784 (timeout.exe)
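The registry signatures above (VirtualBox ACPI table, BIOS version strings, the Wine key, Geo\Nation) are the sandbox's raw observations. The Python below is an added example, not part of the sandbox's signature engine or of Amadey: it parses the flattened "Key opened / Key value queried" rows exactly as they appear on this page into (action, path, process) events, matches each path against a small rule table, and gives a per-process verdict. The rule labels and the "at least two families" threshold are the editor's own choices, not anything the report defines; the row text is copied from this page.

```python
import re

# Constructed input: the flattened registry IoC rows from the report, copied
# verbatim. Each row is a run of "<action> <registry path> <process image>".
SAMPLE = "190b59533d38ee969b361261bd4a48e5e38a3d4ee94dda1853a81dc3197e4b89_NeikiAnalytics.exe"
SID = "S-1-5-21-3558294865-3673844354-2255444939-1000"
FLATTENED_ROWS = [
    f"Key opened \\REGISTRY\\MACHINE\\HARDWARE\\ACPI\\DSDT\\VBOX__ {SAMPLE} "
    "Key opened \\REGISTRY\\MACHINE\\HARDWARE\\ACPI\\DSDT\\VBOX__ explortu.exe",
    f"Key value queried \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion {SAMPLE} "
    "Key value queried \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion explortu.exe "
    "Key value queried \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion explortu.exe "
    f"Key value queried \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion {SAMPLE}",
    f"Key value queried \\REGISTRY\\USER\\{SID}\\Control Panel\\International\\Geo\\Nation {SAMPLE} "
    f"Key value queried \\REGISTRY\\USER\\{SID}\\Control Panel\\International\\Geo\\Nation explortu.exe",
    f"Key opened \\REGISTRY\\USER\\{SID}\\Software\\Wine {SAMPLE} "
    f"Key opened \\REGISTRY\\USER\\{SID}\\Software\\Wine explortu.exe",
]

# One event = action, registry path (may contain spaces), then a token ending
# in ".exe" that is followed either by the next "Key ..." action or end of row.
EVENT_RE = re.compile(
    r"(Key opened|Key value queried)\s+(\\REGISTRY\\.+?)\s+(\S+\.exe)(?=\s+Key\s|\s*$)"
)

# (label, regex over the registry path). "family/technique" labels are the
# editor's grouping, not the sandbox's signature names.
RULES = [
    ("anti-vm/virtualbox-acpi", r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$"),
    ("anti-sandbox/bios-version", r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$"),
    ("anti-sandbox/wine-key", r"\\Software\\Wine$"),
    ("geofence/locale-nation", r"\\Control Panel\\International\\Geo\\Nation$"),
]


def parse_events(rows):
    """Split flattened rows into (action, path, process) tuples."""
    events = []
    for row in rows:
        events.extend(EVENT_RE.findall(row))
    return events


def classify(path):
    """Return the first matching rule label for a registry path, or None."""
    for label, pattern in RULES:
        if re.search(pattern, path, re.IGNORECASE):
            return label
    return None


def findings(rows):
    """Map each process image to the set of rule labels its registry access hit."""
    out = {}
    for _action, path, proc in parse_events(rows):
        label = classify(path)
        if label:
            out.setdefault(proc, set()).add(label)
    return out


def evasion_verdict(labels, min_families=2):
    """True when a process touched at least min_families distinct label families
    (e.g. anti-vm and anti-sandbox), which is a stronger signal than any one key."""
    families = {label.split("/")[0] for label in labels}
    return len(families) >= min_families


if __name__ == "__main__":
    for proc, labels in findings(FLATTENED_ROWS).items():
        print(proc, sorted(labels), "EVASIVE" if evasion_verdict(labels) else "")
```

The lookahead in EVENT_RE is what makes the parser safe on these rows: registry paths such as `Control Panel\International\Geo\Nation` contain spaces, so the process image can only be recognised by the `.exe` suffix plus what follows it.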
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\190b59533d38ee969b361261bd4a48e5e38a3d4ee94dda1853a81dc3197e4b89_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\190b59533d38ee969b361261bd4a48e5e38a3d4ee94dda1853a81dc3197e4b89_NeikiAnalytics.exe"
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Checks computer location settings
   - Identifies Wine through registry keys
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
-
   2. C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
-
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /k "taskkill /f /im "explortu.exe" && timeout 1 && del "explortu.exe" && ren 0e6740 explortu.exe && C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe && Exit"
         - Suspicious use of WriteProcessMemory
-
         4. C:\Windows\SysWOW64\taskkill.exe
            Command line: taskkill /f /im "explortu.exe"
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
-
         4. C:\Windows\SysWOW64\timeout.exe
            Command line: timeout 1
            - Delays execution with timeout.exe
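The cmd.exe step under explortu.exe is the sample's self-update routine, readable straight from its command line: kill the running explortu.exe, wait one second, delete it, rename the downloaded file 0e6740 to the same name and relaunch it from install_dir (the image path is SysWOW64 rather than the System32 named on the command line because a 32-bit process, arch:x86 in the resource tags, is redirected there by WoW64). The Python below is an added example, not sandbox or malware code: it rebuilds the process tree from the WriteProcessMemory rows, collapsing the triplicated entries, and tokenises the /k chain to flag a kill-delete-rename-relaunch sequence that all targets one image name. The row text and command line are copied from this page; everything else is constructed.

```python
import ntpath
import re

# Constructed input: the WriteProcessMemory rows (each logged three times in the
# report) and the cmd.exe command line from the process tree, copied verbatim.
SAMPLE = "190b59533d38ee969b361261bd4a48e5e38a3d4ee94dda1853a81dc3197e4b89_NeikiAnalytics.exe"
WPM_ROWS = (
    f"PID 4592 wrote to memory of 1488 4592 {SAMPLE} explortu.exe " * 3
    + "PID 1488 wrote to memory of 2200 1488 explortu.exe cmd.exe " * 3
    + "PID 2200 wrote to memory of 2144 2200 cmd.exe taskkill.exe " * 3
    + "PID 2200 wrote to memory of 2784 2200 cmd.exe timeout.exe " * 3
)
CMDLINE = (
    '"C:\\Windows\\System32\\cmd.exe" /k "taskkill /f /im "explortu.exe" && timeout 1 '
    '&& del "explortu.exe" && ren 0e6740 explortu.exe '
    '&& C:\\Users\\Admin\\AppData\\Local\\Temp\\9217037dc9\\explortu.exe && Exit"'
)

# "PID <ppid> wrote to memory of <cpid> <ppid> <parent image> <child image>"
EDGE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")


def parse_edges(text):
    """Return ({parent_pid: [child_pid, ...]}, {pid: image}), de-duplicating rows."""
    children, names = {}, {}
    for ppid, cpid, pimg, cimg in EDGE_RE.findall(text):
        ppid, cpid = int(ppid), int(cpid)
        names[ppid], names[cpid] = pimg, cimg
        kids = children.setdefault(ppid, [])
        if cpid not in kids:
            kids.append(cpid)
    return children, names


def render_tree(children, names, pid, depth=0):
    """Indented 'pid image' lines, depth-first from pid."""
    lines = [f"{'  ' * depth}{pid} {names[pid]}"]
    for kid in children.get(pid, []):
        lines.extend(render_tree(children, names, kid, depth + 1))
    return lines


def split_cmd_k(cmdline):
    """Extract the quoted /k payload and split it on '&&' into (verb, rest) steps."""
    m = re.search(r'\s/k\s+"(.*)"\s*$', cmdline, re.IGNORECASE)
    payload = m.group(1) if m else cmdline
    steps = []
    for part in payload.split("&&"):
        part = part.strip()
        if not part:
            continue
        verb, _, rest = part.partition(" ")
        steps.append((verb.lower(), rest.strip()))
    return steps


def self_update_target(steps):
    """Image name if the chain kills, deletes, renames onto and relaunches the
    same binary; None otherwise. Quotes around arguments are tolerated."""
    unquote = lambda s: s.strip('"')
    killed = deleted = renamed_to = relaunched = None
    for verb, rest in steps:
        toks = [unquote(t) for t in rest.split()]
        if verb == "taskkill" and "/im" in toks:
            killed = toks[toks.index("/im") + 1].lower()
        elif verb == "del" and toks:
            deleted = toks[0].lower()
        elif verb == "ren" and len(toks) == 2:
            renamed_to = toks[1].lower()
        elif verb.endswith(".exe"):
            relaunched = ntpath.basename(verb).lower()
    if killed and killed == deleted == renamed_to == relaunched:
        return killed
    return None


if __name__ == "__main__":
    kids, names = parse_edges(WPM_ROWS)
    print("\n".join(render_tree(kids, names, 4592)))
    print("self-update of:", self_update_target(split_cmd_k(CMDLINE)))
```

The match on a single image name is deliberate: a batch that kills one process and renames an unrelated file is ordinary administration, whereas the same name appearing as the kill target, the deleted file, the rename destination and the relaunched path is the shape of an in-place binary swap.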
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\0e6740
Filesize: 1.8MB
MD5: c28f1b84c0c57d2821a7bd6df00d4bb1
SHA1: 9295f6a3a97abc1e686c2628ff7f8a14dfd5edcc
SHA256: 757e36fe4f5f8dcaee86b15974bee0e2b45445d679235c5857c349a4ff5f6353
SHA512: 69ac8f8912f4b269699ac65aedd6dd91c4a32533df64ddbb56af838ae1a16d65808d623aeff444b82c3a2bc6c6e76cbcf9b840f8aab542bfe742b3bc8f2e9787
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
Filesize: 1.8MB
MD5: cccde21b7aa72f82653f08cd7dc99810
SHA1: 9404a35d44af2596afa70aa99d77038708f1a590
SHA256: 190b59533d38ee969b361261bd4a48e5e38a3d4ee94dda1853a81dc3197e4b89
SHA512: eada6496281b8d6c1c61e3f1e534767fc5f8b1204d985f191afb65d2829730bedd55117ca871e6aa00ed0afb55fd6182c9cf454d9d9fb955ea490eb5cc1b6ca3
All four hashes match the submitted sample, so the file in install_dir is a byte-for-byte copy of it. The downloaded 0e6740 is a different binary; the cmd.exe chain in the process tree renames it over explortu.exe.
-
memory/1488-19-0x0000000000871000-0x000000000089F000-memory.dmp: 184KB
-
memory/1488-18-0x0000000000870000-0x0000000000D1B000-memory.dmp: 4.7MB
-
memory/1488-20-0x0000000000870000-0x0000000000D1B000-memory.dmp: 4.7MB
-
memory/1488-21-0x0000000000870000-0x0000000000D1B000-memory.dmp: 4.7MB
-
memory/1488-30-0x0000000000870000-0x0000000000D1B000-memory.dmp: 4.7MB
-
memory/4592-3-0x00000000007C0000-0x0000000000C6B000-memory.dmp: 4.7MB
-
memory/4592-5-0x00000000007C0000-0x0000000000C6B000-memory.dmp: 4.7MB
-
memory/4592-2-0x00000000007C1000-0x00000000007EF000-memory.dmp: 184KB
-
memory/4592-17-0x00000000007C0000-0x0000000000C6B000-memory.dmp: 4.7MB
-
memory/4592-0-0x00000000007C0000-0x0000000000C6B000-memory.dmp: 4.7MB
-
memory/4592-1-0x00000000775F4000-0x00000000775F6000-memory.dmp: 8KB