Malware Analysis Report

2025-03-15 06:03

Sample ID 240510-w62kasbc4v
Target 42f7a8eaa7c7f56d1c5e894130788980_NeikiAnalytics
SHA256 e84d44bedee6b09ddb6c1a3866d9a192ea1ab5cc84d1c0a1fe5f8e6d90079fdb
Tags vmprotect
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 7/10

SHA256

e84d44bedee6b09ddb6c1a3866d9a192ea1ab5cc84d1c0a1fe5f8e6d90079fdb

Threat Level: shows suspicious behavior (score 7/10)

The file 42f7a8eaa7c7f56d1c5e894130788980_NeikiAnalytics was classified as showing suspicious behavior. It is a VMProtect-packed, unsigned PE. In both detonations it writes a second executable (C:\Users\Admin\AppData\Roaming\wkeo\ybe.exe on Windows 7, C:\Program Files (x86)\zj\f.exe on Windows 10) and executes it, and both the parent and the dropped executable call NtSetInformationThread with ThreadHideFromDebugger. The two dropped files have hashes different from the parent and from each other, yet each maps the same 0x400000-0xAF1000 range the parent does. No network traffic is attributed to the sample and no MITRE ATT&CK mapping was produced.

Malicious Activity Summary

vmprotect

VMProtect packed file

Loads dropped DLL

Executes dropped EXE

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-10 18:32

Signatures

VMProtect packed file (tag: vmprotect)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
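The two static1 signatures above come from checks a practitioner can reproduce offline. The Python below is an added example, not the sandbox's own detector: it walks the PE section table, flags VMProtect's default .vmp0/.vmp1 section names and near-8-bit-per-byte section entropy, and reads the security data directory to decide whether an Authenticode signature is embedded. Its input is a constructed PE32 skeleton built in memory (a test fixture, not this sample); to triage the real file, pass open(path, "rb").read() to triage(). Two caveats: VMProtect can be configured to rename its sections, so the name check alone is weak and the entropy check is the backstop; and "no embedded signature" does not rule out catalog signing, which leaves the security directory empty.

```python
"""Static PE triage mirroring the static1 signatures 'VMProtect packed file'
and 'Unsigned PE'. Added example; the PE skeleton built below is a fixture."""
import math
import struct

VMP_SECTION_NAMES = {b".vmp0", b".vmp1", b".vmp2"}   # VMProtect defaults; renameable
HIGH_ENTROPY = 7.0                                    # bits/byte; packed code sits near 8.0
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    ent, n = 0.0, len(data)
    for c in counts:
        if c:
            p = c / n
            ent -= p * math.log2(p)
    return ent


def _headers(pe: bytes):
    """Return (file_header_off, optional_header_off, optional_header_size)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    opt_size = struct.unpack_from("<H", pe, fh + 16)[0]        # SizeOfOptionalHeader
    return fh, fh + 20, opt_size


def parse_sections(pe: bytes):
    """Yield (name, raw_offset, raw_size, entropy) per IMAGE_SECTION_HEADER (40 bytes each)."""
    fh, opt, opt_size = _headers(pe)
    num_sections = struct.unpack_from("<H", pe, fh + 2)[0]
    table = opt + opt_size
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + i * 40)
        name = name.rstrip(b"\0")
        yield name, raw_ptr, raw_size, shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])


def has_authenticode(pe: bytes) -> bool:
    """True if the security directory points at an embedded WIN_CERTIFICATE blob.
    Catalog-signed files also return False: only embedded signatures are visible here."""
    _fh, opt, _size = _headers(pe)
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_base = opt + (96 if magic == 0x10B else 112)            # PE32 vs PE32+ layout
    num_rva = struct.unpack_from("<I", pe, dd_base - 4)[0]     # NumberOfRvaAndSizes
    if num_rva <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return False
    off, size = struct.unpack_from("<II", pe, dd_base + IMAGE_DIRECTORY_ENTRY_SECURITY * 8)
    return off != 0 and size != 0                              # this entry's 'VA' is a file offset


def triage(pe: bytes) -> dict:
    sections = list(parse_sections(pe))
    vmp = [s[0].decode() for s in sections if s[0] in VMP_SECTION_NAMES]
    packed = [s[0].decode() for s in sections if s[2] >= 256 and s[3] >= HIGH_ENTROPY]
    signed = has_authenticode(pe)
    signatures = (["VMProtect packed file"] if vmp else []) + ([] if signed else ["Unsigned PE"])
    return {
        "sections": [(s[0].decode(errors="replace"), round(s[3], 2)) for s in sections],
        "vmprotect_sections": vmp,
        "high_entropy_sections": packed,
        "authenticode_present": signed,
        "signatures": signatures,
    }


def build_sample_pe(sections, signed=False) -> bytes:
    """Constructed fixture: a minimal PE32 with the given (name, payload) sections.
    Not loadable by Windows; it carries only the headers the parser reads."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 224                                             # PE32 optional header, 16 directories
    raw_ptr = (e_lfanew + 4 + 20 + opt_size + 40 * len(sections) + 0x1FF) & ~0x1FF
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                      # Magic = PE32
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    hdrs, body, ptr, va = b"", b"", raw_ptr, 0x1000
    for name, payload in sections:
        size = (len(payload) + 0x1FF) & ~0x1FF                 # FileAlignment 0x200
        hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(payload), va, size, ptr, 0, 0, 0, 0, 0x60000020)
        body += payload.ljust(size, b"\0")
        ptr += size
        va += (size + 0xFFF) & ~0xFFF
    if signed:   # security directory -> dummy 16-byte certificate blob appended after the sections
        struct.pack_into("<II", opt, 96 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8, ptr, 16)
    image = (dos + b"PE\0\0" + file_hdr + bytes(opt) + hdrs).ljust(raw_ptr, b"\0") + body
    return image + (b"\0" * 16 if signed else b"")


if __name__ == "__main__":
    fixture = build_sample_pe([(b".text", b"\xcc" * 4096),
                               (b".vmp0", bytes(range(256)) * 16),
                               (b".vmp1", bytes(range(256)) * 8)])
    print(triage(fixture))   # real file: triage(open(path, "rb").read())
```

On the fixture, triage() reports both static1 signatures; on a fixture with a plain .text section and a security directory entry it reports neither. The entropy threshold is deliberately applied only to sections with at least 256 raw bytes, since tiny sections give meaningless entropy values.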

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 18:32

Reported

2024-05-10 18:35

Platform

win7-20231129-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\42f7a8eaa7c7f56d1c5e894130788980_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\wkeo\ybe.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\42f7a8eaa7c7f56d1c5e894130788980_NeikiAnalytics.exe | N/A

VMProtect packed file (tag: vmprotect)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (7 hits, none with recorded details)

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\42f7a8eaa7c7f56d1c5e894130788980_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\wkeo\ybe.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\42f7a8eaa7c7f56d1c5e894130788980_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\42f7a8eaa7c7f56d1c5e894130788980_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\wkeo\ybe.exe

"C:\Users\Admin\AppData\Roaming\wkeo\ybe.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\wkeo\ybe.exe

MD5 3da2a1533302272f455435a72e57e05a
SHA1 4440df87134c10f7bccf51facaa2b60e3258da86
SHA256 e1296798dc8ae98c67d13d0275452397383b7595c9245add60bf9edc1f07a60f
SHA512 73b5686eae55b11a2364e0e163818738e88d8213caa06d5b6869f9d1e1a98e9ebb756cc3748737db960a17f2ff56b86cd78ef1d6df68ab2d21b76e1bb52d6c01

Memory dumps, PID 2216, ordered by dump index:
memory/2216-0-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2216-2-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2216-4-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2216-5-0x00000000002D0000-0x00000000002D1000-memory.dmp
memory/2216-7-0x00000000002D0000-0x00000000002D1000-memory.dmp
memory/2216-9-0x00000000002D0000-0x00000000002D1000-memory.dmp
memory/2216-12-0x00000000002E0000-0x00000000002E1000-memory.dmp
memory/2216-14-0x00000000002E0000-0x00000000002E1000-memory.dmp
memory/2216-17-0x00000000002F0000-0x00000000002F1000-memory.dmp
memory/2216-19-0x00000000002F0000-0x00000000002F1000-memory.dmp
memory/2216-22-0x0000000000300000-0x0000000000301000-memory.dmp
memory/2216-24-0x0000000000300000-0x0000000000301000-memory.dmp
memory/2216-27-0x0000000000310000-0x0000000000311000-memory.dmp
memory/2216-29-0x0000000000310000-0x0000000000311000-memory.dmp
memory/2216-30-0x0000000000320000-0x0000000000321000-memory.dmp
memory/2216-32-0x0000000000320000-0x0000000000321000-memory.dmp
memory/2216-34-0x0000000000320000-0x0000000000321000-memory.dmp
memory/2216-35-0x0000000000400000-0x0000000000AF1000-memory.dmp
memory/2216-37-0x000000000044C000-0x00000000006CA000-memory.dmp
memory/2216-39-0x0000000000400000-0x0000000000AF1000-memory.dmp
memory/2216-44-0x000000000044C000-0x00000000006CA000-memory.dmp
memory/2216-45-0x0000000000400000-0x0000000000AF1000-memory.dmp

Memory dumps, PID 2668, ordered by dump index:
memory/2668-53-0x0000000000240000-0x0000000000241000-memory.dmp
memory/2668-55-0x0000000000240000-0x0000000000241000-memory.dmp
memory/2668-58-0x0000000000260000-0x0000000000261000-memory.dmp
memory/2668-60-0x0000000000260000-0x0000000000261000-memory.dmp
memory/2668-63-0x0000000000270000-0x0000000000271000-memory.dmp
memory/2668-65-0x0000000000270000-0x0000000000271000-memory.dmp
memory/2668-68-0x0000000000280000-0x0000000000281000-memory.dmp
memory/2668-70-0x0000000000280000-0x0000000000281000-memory.dmp
memory/2668-83-0x0000000000400000-0x0000000000AF1000-memory.dmp
memory/2668-84-0x0000000000400000-0x0000000000AF1000-memory.dmp
memory/2668-85-0x0000000000400000-0x0000000000AF1000-memory.dmp
memory/2668-86-0x0000000000400000-0x0000000000AF1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 18:32

Reported

2024-05-10 18:35

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\42f7a8eaa7c7f56d1c5e894130788980_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\zj\f.exe | N/A

VMProtect packed file (tag: vmprotect)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (6 hits, none with recorded details)

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\42f7a8eaa7c7f56d1c5e894130788980_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Program Files (x86)\zj\f.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\zj\f.exe | C:\Users\Admin\AppData\Local\Temp\42f7a8eaa7c7f56d1c5e894130788980_NeikiAnalytics.exe | N/A
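The behavioral signatures in both detonations (ThreadHideFromDebugger, the Program Files drop, execution of a dropped EXE, and the dropped-DLL load seen in behavioral1) can all be re-derived from an ordered process/file/API trace. The Python below is an added example and not the sandbox's own rule set. Its trace is constructed: it mirrors the behavioral2 run using the PIDs (2260, 1656) and paths recorded above, plus one hypothetical DLL drop and load (helper.dll, which does not appear in this report) so that the fourth rule also fires. ThreadHideFromDebugger is THREADINFOCLASS 0x11; once set on a thread, the kernel stops delivering that thread's debug events to an attached debugger, which is why a call with that class from both the parent and the dropped executable is flagged while other NtSetInformationThread classes (thread priority, for instance) are ignored.

```python
"""Re-derive this report's behavioral signatures from an ordered sandbox trace.
Added example with a constructed trace; not the sandbox's own rule set."""
import re
from collections import defaultdict

THREAD_HIDE_FROM_DEBUGGER = 0x11    # THREADINFOCLASS; suppresses the thread's debug events
PROGRAM_FILES = ("c:\\program files\\", "c:\\program files (x86)\\")

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\42f7a8eaa7c7f56d1c5e894130788980_NeikiAnalytics.exe"
DROPPED_EXE = r"C:\Program Files (x86)\zj\f.exe"
DROPPED_DLL = r"C:\Users\Admin\AppData\Local\Temp\helper.dll"   # hypothetical; not in the report

# Constructed (pid, image, kind, detail) records mirroring the behavioral2 run,
# plus one hypothetical DLL drop/load so every rule below has a hit.
TRACE = [
    (2260, SAMPLE, "api", "NtSetInformationThread(ThreadHandle=0xfffffffe, ThreadInformationClass=0x11, ThreadInformation=0x0, ThreadInformationLength=0)"),
    (2260, SAMPLE, "api", "NtSetInformationThread(ThreadHandle=0xfffffffe, ThreadInformationClass=0x2, ThreadInformation=0x19fe80, ThreadInformationLength=4)"),  # ThreadPriority: benign
    (2260, SAMPLE, "file_create", DROPPED_DLL),
    (2260, SAMPLE, "image_load", DROPPED_DLL),
    (2260, SAMPLE, "file_create", DROPPED_EXE),
    (2260, SAMPLE, "process_create", DROPPED_EXE),
    (1656, DROPPED_EXE, "api", "NtSetInformationThread(ThreadHandle=0xfffffffe, ThreadInformationClass=17, ThreadInformation=0x0, ThreadInformationLength=0)"),
    (1656, DROPPED_EXE, "image_load", r"C:\Windows\SysWOW64\kernel32.dll"),
]

CLASS_RE = re.compile(r"ThreadInformationClass=(0x[0-9a-fA-F]+|\d+)")


def hide_from_debugger(detail: str) -> bool:
    """True for NtSetInformationThread calls whose class is ThreadHideFromDebugger (0x11 / 17)."""
    if not detail.startswith("NtSetInformationThread("):
        return False
    m = CLASS_RE.search(detail)
    return m is not None and int(m.group(1), 0) == THREAD_HIDE_FROM_DEBUGGER


def in_program_files(path: str) -> bool:
    return path.lower().startswith(PROGRAM_FILES)


def run_signatures(trace):
    """Return {signature: [(Description, Indicator, Process, Target), ...]},
    the four columns the report's signature tables use."""
    hits = defaultdict(list)
    dropped = set()      # lower-cased paths created by a traced process so far
    seen = set()         # de-duplicates identical rows under one signature

    def add(sig, row):
        if (sig, row) not in seen:
            seen.add((sig, row))
            hits[sig].append(row)

    for _pid, image, kind, detail in trace:
        if kind == "api" and hide_from_debugger(detail):
            add("Suspicious use of NtSetInformationThreadHideFromDebugger", ("N/A", "N/A", image, "N/A"))
        elif kind == "file_create":
            dropped.add(detail.lower())
            if in_program_files(detail):
                add("Drops file in Program Files directory", ("File created", detail, image, "N/A"))
        elif kind == "process_create" and detail.lower() in dropped:
            add("Executes dropped EXE", ("N/A", "N/A", detail, "N/A"))
        elif kind == "image_load" and detail.lower().endswith(".dll") and detail.lower() in dropped:
            add("Loads dropped DLL", ("N/A", "N/A", image, "N/A"))
    return dict(hits)


if __name__ == "__main__":
    for sig, rows in run_signatures(TRACE).items():
        print(sig)
        for row in rows:
            print("  " + " | ".join(row))
```

The "dropped" rules are stateful on purpose: a process start or image load is only interesting because an earlier file_create in the same trace wrote that path, which is what distinguishes f.exe from the kernel32.dll load in the last record. A debugger-side counterpart to the first rule is NtQueryInformationThread with the same class, which returns a nonzero BOOLEAN once the flag is set; the sandbox signature, like this example, works from the call trace instead.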

Processes

C:\Users\Admin\AppData\Local\Temp\42f7a8eaa7c7f56d1c5e894130788980_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\42f7a8eaa7c7f56d1c5e894130788980_NeikiAnalytics.exe"

C:\Program Files (x86)\zj\f.exe

"C:\Program Files (x86)\zj\f.exe"

Network

The report does not tie any of these flows to a process. They consist of DNS to 8.8.8.8 (largely PTR lookups) and HTTPS to Bing hosts, which is consistent with Windows 10 background traffic; they should not be read as sample C2 without process-level attribution.

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
BE 2.17.196.96:443 www.bing.com tcp
BE 2.17.196.96:443 www.bing.com tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 96.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp

Files

C:\Program Files (x86)\zj\f.exe

MD5 05b8020b532ee63e87adcd70b3bf4bdb
SHA1 f33cd12d47ec7142a80e608f24cc4a32195a92c7
SHA256 515966fd182086d10aa8f5eded51cc03e6dbd20da41e047165c3fe43a020855b
SHA512 709f12f3baf82b6ca0345ce0a74177e09fd7d822658d8fefce3ab8019b99358253f45993d8291566d2299ce7f8e23b001841d4fa03ea717be6c203d92011555b

Memory dumps, PID 2260, ordered by dump index:
memory/2260-0-0x000000000044C000-0x00000000006CA000-memory.dmp
memory/2260-1-0x0000000000B10000-0x0000000000B11000-memory.dmp
memory/2260-2-0x0000000000B20000-0x0000000000B21000-memory.dmp
memory/2260-3-0x0000000000C70000-0x0000000000C71000-memory.dmp
memory/2260-4-0x0000000001100000-0x0000000001101000-memory.dmp
memory/2260-5-0x0000000001110000-0x0000000001111000-memory.dmp
memory/2260-6-0x0000000001120000-0x0000000001121000-memory.dmp
memory/2260-7-0x0000000001130000-0x0000000001131000-memory.dmp
memory/2260-8-0x0000000000400000-0x0000000000AF1000-memory.dmp
memory/2260-10-0x0000000000400000-0x0000000000AF1000-memory.dmp
memory/2260-15-0x0000000000400000-0x0000000000AF1000-memory.dmp
memory/2260-16-0x000000000044C000-0x00000000006CA000-memory.dmp

Memory dumps, PID 1656, ordered by dump index:
memory/1656-17-0x0000000000C70000-0x0000000000C71000-memory.dmp
memory/1656-18-0x0000000000C80000-0x0000000000C81000-memory.dmp
memory/1656-19-0x0000000002860000-0x0000000002861000-memory.dmp
memory/1656-20-0x0000000002880000-0x0000000002881000-memory.dmp
memory/1656-21-0x0000000002890000-0x0000000002891000-memory.dmp
memory/1656-22-0x00000000028A0000-0x00000000028A1000-memory.dmp
memory/1656-23-0x00000000028B0000-0x00000000028B1000-memory.dmp
memory/1656-26-0x0000000000401000-0x0000000000440000-memory.dmp
memory/1656-27-0x0000000000400000-0x0000000000AF1000-memory.dmp
memory/1656-28-0x0000000000400000-0x0000000000AF1000-memory.dmp