Malware Analysis Report

2025-03-15 06:03

Sample ID 240511-d4appaba5x
Target 6ea40c2d02ba5d8f0eec8c3776160050_NeikiAnalytics
SHA256 1da94573936cb39e711d0756429bbbc73ac80183632aeebeca54156ad24c6186
Tags
vmprotect blackmoon banker trojan upx
score
10/10


Analysis Overview

score
10/10

SHA256

1da94573936cb39e711d0756429bbbc73ac80183632aeebeca54156ad24c6186

Threat Level: Known bad

The file 6ea40c2d02ba5d8f0eec8c3776160050_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

vmprotect blackmoon banker trojan upx

Blackmoon, KrBanker

Detect Blackmoon payload

Deletes itself

UPX packed file

VMProtect packed file

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-05-11 03:33

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-11 03:33

Reported

2024-05-11 03:35

Platform

win7-20240508-en

Max time kernel

142s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6ea40c2d02ba5d8f0eec8c3776160050_NeikiAnalytics.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\MLclRLRrUZ.exe N/A
N/A N/A C:\Windows\system32\MLclRLRrUZ.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\MLclRLRrUZ.exe C:\Users\Admin\AppData\Local\Temp\6ea40c2d02ba5d8f0eec8c3776160050_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\MLclRLRrUZ.exe C:\Users\Admin\AppData\Local\Temp\6ea40c2d02ba5d8f0eec8c3776160050_NeikiAnalytics.exe N/A
File created C:\Windows\system32\MLclRLRrUZ.exe C:\Windows\SysWOW64\MLclRLRrUZ.exe N/A
File opened for modification C:\Windows\system32\MLclRLRrUZ.exe C:\Windows\SysWOW64\MLclRLRrUZ.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ea40c2d02ba5d8f0eec8c3776160050_NeikiAnalytics.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ea40c2d02ba5d8f0eec8c3776160050_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\SysWOW64\MLclRLRrUZ.exe N/A
N/A N/A C:\Windows\system32\MLclRLRrUZ.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2208 wrote to memory of 2804 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\6ea40c2d02ba5d8f0eec8c3776160050_NeikiAnalytics.exe C:\Windows\SysWOW64\MLclRLRrUZ.exe
PID 2208 wrote to memory of 2280 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\6ea40c2d02ba5d8f0eec8c3776160050_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2740 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2804 wrote to memory of 1240 (7 events) N/A C:\Windows\SysWOW64\MLclRLRrUZ.exe C:\Windows\system32\MLclRLRrUZ.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6ea40c2d02ba5d8f0eec8c3776160050_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\6ea40c2d02ba5d8f0eec8c3776160050_NeikiAnalytics.exe"

C:\Windows\SysWOW64\MLclRLRrUZ.exe

-auto C:\Windows\system32\\MLclRLRrUZ.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" cmd/c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\[email protected] > nul && exit

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

C:\Windows\system32\MLclRLRrUZ.exe

-troj

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 ts98.cc udp 3
HK 206.238.115.36:9999 ts98.cc tcp 9

Files

memory/2208-0-0x0000000000400000-0x0000000000706000-memory.dmp

memory/2208-1-0x0000000077C50000-0x0000000077C51000-memory.dmp

memory/2208-3-0x0000000077C50000-0x0000000077C51000-memory.dmp

memory/2208-7-0x0000000075C80000-0x0000000075C81000-memory.dmp

memory/2208-9-0x0000000000400000-0x0000000000706000-memory.dmp

memory/2208-10-0x00000000003C0000-0x00000000003EE000-memory.dmp

\Windows\SysWOW64\MLclRLRrUZ.exe

MD5 6ea40c2d02ba5d8f0eec8c3776160050
SHA1 773b915271faec00d48d469130dd25bc305b5a80
SHA256 1da94573936cb39e711d0756429bbbc73ac80183632aeebeca54156ad24c6186
SHA512 46166ae388de55a0623aa347eb9443d8d569043a06dc520b8f1f4b1a9dcc9a39536e0ed555fde71021a55d312c43c30c65fb1fd6a56187e85b4e558a61770395

memory/2208-13-0x0000000002DB0000-0x00000000030B6000-memory.dmp

memory/2804-18-0x0000000000400000-0x0000000000706000-memory.dmp

memory/2208-19-0x0000000002EB0000-0x0000000003074000-memory.dmp

memory/2208-23-0x00000000003C0000-0x00000000003EE000-memory.dmp

memory/2208-22-0x0000000000400000-0x0000000000706000-memory.dmp

memory/2804-32-0x0000000000400000-0x0000000000706000-memory.dmp

memory/2804-38-0x0000000000400000-0x0000000000706000-memory.dmp

memory/1240-39-0x0000000000400000-0x0000000000706000-memory.dmp

memory/1240-48-0x0000000000400000-0x0000000000706000-memory.dmp

memory/1240-49-0x0000000000720000-0x000000000072B000-memory.dmp

memory/1240-50-0x0000000000400000-0x0000000000706000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-11 03:33

Reported

2024-05-11 03:35

Platform

win10v2004-20240426-en

Max time kernel

142s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6ea40c2d02ba5d8f0eec8c3776160050_NeikiAnalytics.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6ea40c2d02ba5d8f0eec8c3776160050_NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\MLclRLRrUZ.exe N/A
N/A N/A C:\Windows\system32\MLclRLRrUZ.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\MLclRLRrUZ.exe C:\Users\Admin\AppData\Local\Temp\6ea40c2d02ba5d8f0eec8c3776160050_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\MLclRLRrUZ.exe C:\Users\Admin\AppData\Local\Temp\6ea40c2d02ba5d8f0eec8c3776160050_NeikiAnalytics.exe N/A
File created C:\Windows\system32\MLclRLRrUZ.exe C:\Windows\SysWOW64\MLclRLRrUZ.exe N/A
File opened for modification C:\Windows\system32\MLclRLRrUZ.exe C:\Windows\SysWOW64\MLclRLRrUZ.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ea40c2d02ba5d8f0eec8c3776160050_NeikiAnalytics.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ea40c2d02ba5d8f0eec8c3776160050_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\SysWOW64\MLclRLRrUZ.exe N/A
N/A N/A C:\Windows\system32\MLclRLRrUZ.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2072 wrote to memory of 3612 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\6ea40c2d02ba5d8f0eec8c3776160050_NeikiAnalytics.exe C:\Windows\SysWOW64\MLclRLRrUZ.exe
PID 2072 wrote to memory of 1628 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\6ea40c2d02ba5d8f0eec8c3776160050_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 1628 wrote to memory of 1016 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3612 wrote to memory of 5192 (3 events) N/A C:\Windows\SysWOW64\MLclRLRrUZ.exe C:\Windows\system32\MLclRLRrUZ.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6ea40c2d02ba5d8f0eec8c3776160050_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\6ea40c2d02ba5d8f0eec8c3776160050_NeikiAnalytics.exe"

C:\Windows\SysWOW64\MLclRLRrUZ.exe

-auto C:\Windows\system32\\MLclRLRrUZ.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" cmd/c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\[email protected] > nul && exit

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

C:\Windows\system32\MLclRLRrUZ.exe

-troj

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp 1
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp 1
US 8.8.8.8:53 ts98.cc udp 3
HK 206.238.115.36:9999 ts98.cc tcp 9
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp 1
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp 1
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp 1
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp 1
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp 1
US 8.8.8.8:53 tse1.mm.bing.net udp 1
US 204.79.197.200:443 tse1.mm.bing.net tcp 4
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp 1
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp 1
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp 1
BE 2.17.196.177:443 www.bing.com tcp 1
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp 1
US 8.8.8.8:53 177.196.17.2.in-addr.arpa udp 1

Files

memory/2072-0-0x0000000000400000-0x0000000000706000-memory.dmp

memory/2072-1-0x0000000000400000-0x0000000000706000-memory.dmp

memory/2072-3-0x0000000002540000-0x000000000256E000-memory.dmp

C:\Windows\SysWOW64\MLclRLRrUZ.exe

MD5 6ea40c2d02ba5d8f0eec8c3776160050
SHA1 773b915271faec00d48d469130dd25bc305b5a80
SHA256 1da94573936cb39e711d0756429bbbc73ac80183632aeebeca54156ad24c6186
SHA512 46166ae388de55a0623aa347eb9443d8d569043a06dc520b8f1f4b1a9dcc9a39536e0ed555fde71021a55d312c43c30c65fb1fd6a56187e85b4e558a61770395

memory/2072-8-0x0000000075E70000-0x0000000075E71000-memory.dmp

memory/3612-7-0x0000000000400000-0x0000000000706000-memory.dmp

memory/2072-12-0x0000000002540000-0x000000000256E000-memory.dmp

memory/2072-11-0x0000000000400000-0x0000000000706000-memory.dmp

memory/2072-10-0x0000000002C30000-0x0000000002CAE000-memory.dmp

memory/3612-13-0x0000000000400000-0x0000000000706000-memory.dmp

memory/3612-15-0x00000000025A0000-0x00000000025CE000-memory.dmp

memory/3612-18-0x0000000000400000-0x0000000000706000-memory.dmp

memory/5192-19-0x0000000000400000-0x0000000000706000-memory.dmp

memory/5192-20-0x0000000000AC0000-0x0000000000AEE000-memory.dmp

memory/5192-21-0x0000000002540000-0x000000000254B000-memory.dmp

memory/5192-22-0x0000000002540000-0x000000000254B000-memory.dmp

memory/5192-23-0x0000000000400000-0x0000000000706000-memory.dmp

memory/5192-24-0x0000000000AC0000-0x0000000000AEE000-memory.dmp

memory/5192-25-0x0000000002540000-0x000000000254B000-memory.dmp