Malware Analysis Report

2025-03-15 06:03

Sample ID 240511-g9ahnadb74
Target 933b539f4cc44ebca85d33788b168fa0_NeikiAnalytics
SHA256 b73a5ad53c0537e2c2b1ffdd3378c553dbdee4d3cdabc4cfa779646af59307d9
Tags

vmprotect persistence

Score

8/10

Analysis Overview

Score

8/10

SHA256

b73a5ad53c0537e2c2b1ffdd3378c553dbdee4d3cdabc4cfa779646af59307d9

Threat Level: Likely malicious

The file 933b539f4cc44ebca85d33788b168fa0_NeikiAnalytics was found to be: Likely malicious.

Malicious Activity Summary

vmprotect persistence

Modifies AppInit DLL entries

VMProtect packed file

Executes dropped EXE

Drops file in Program Files directory

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-11 06:29

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-11 06:29

Reported

2024-05-11 06:32

Platform

win7-20240221-en

Max time kernel

122s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\933b539f4cc44ebca85d33788b168fa0_NeikiAnalytics.exe"

Signatures

Modifies AppInit DLL entries

persistence

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\PROGRA~3\Mozilla\gjsfhjk.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\PROGRA~3\Mozilla\gjsfhjk.exe C:\Users\Admin\AppData\Local\Temp\933b539f4cc44ebca85d33788b168fa0_NeikiAnalytics.exe N/A
File created C:\PROGRA~3\Mozilla\eurgebe.dll C:\PROGRA~3\Mozilla\gjsfhjk.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\933b539f4cc44ebca85d33788b168fa0_NeikiAnalytics.exe N/A
N/A N/A C:\PROGRA~3\Mozilla\gjsfhjk.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2908 wrote to memory of 1376 N/A C:\Windows\system32\taskeng.exe C:\PROGRA~3\Mozilla\gjsfhjk.exe
PID 2908 wrote to memory of 1376 N/A C:\Windows\system32\taskeng.exe C:\PROGRA~3\Mozilla\gjsfhjk.exe
PID 2908 wrote to memory of 1376 N/A C:\Windows\system32\taskeng.exe C:\PROGRA~3\Mozilla\gjsfhjk.exe
PID 2908 wrote to memory of 1376 N/A C:\Windows\system32\taskeng.exe C:\PROGRA~3\Mozilla\gjsfhjk.exe

Processes

C:\Users\Admin\AppData\Local\Temp\933b539f4cc44ebca85d33788b168fa0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\933b539f4cc44ebca85d33788b168fa0_NeikiAnalytics.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {5A427E5C-F009-4146-9259-2346746A8C52} S-1-5-18:NT AUTHORITY\System:Service:

C:\PROGRA~3\Mozilla\gjsfhjk.exe

C:\PROGRA~3\Mozilla\gjsfhjk.exe -tuxiydl

Network

N/A

Files

C:\PROGRA~3\Mozilla\gjsfhjk.exe

MD5 bd70530cc8a2e963f19871a5c9003fe4
SHA1 f5aefff6e5cc092639520b4e5981a470c4767bd1
SHA256 660b7a2c18ecfdac826ed9a2f6294b473a339297ac5f0b890c82088a38d012cc
SHA512 e646d2094051c5c154d353d132ca5b23759b329d283feb2dcf03612521913d3a359c336e18b11f68c94223b660db06fb8ce4c77790d76b7fea3a4cca9d7618a4

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-11 06:29

Reported

2024-05-11 06:32

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\933b539f4cc44ebca85d33788b168fa0_NeikiAnalytics.exe"

Signatures

Modifies AppInit DLL entries

persistence

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\PROGRA~3\Mozilla\crdkdxb.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\PROGRA~3\Mozilla\crdkdxb.exe C:\Users\Admin\AppData\Local\Temp\933b539f4cc44ebca85d33788b168fa0_NeikiAnalytics.exe N/A
File created C:\PROGRA~3\Mozilla\xczzoaa.dll C:\PROGRA~3\Mozilla\crdkdxb.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\933b539f4cc44ebca85d33788b168fa0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\933b539f4cc44ebca85d33788b168fa0_NeikiAnalytics.exe"

C:\PROGRA~3\Mozilla\crdkdxb.exe

C:\PROGRA~3\Mozilla\crdkdxb.exe -ofessij

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4172 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8

Network

Files

C:\ProgramData\Mozilla\crdkdxb.exe

MD5 01d60101b6deab2da5e9d4a459532daa
SHA1 f903d3055e9dd07a9e3755b515c1be4f2e1abce9
SHA256 ec7ef68431424c347127b63a5413efd132f836a3564c62a54598abd44bca4e81
SHA512 cfc38f783a5dbe805bc6cfb12e006a17d4bbefff63118e6ec1a2c59b9441d99a5a6af11d41c0e4c234ce132b670e38f6943284a253873c82acaefec423bfe6ca
