Malware Analysis Report

2025-03-15 06:05

Sample ID 240511-yzne7sab29
Target 342530de153b0bb48252ceb4080c4f50_NeikiAnalytics
SHA256 a41005c97631a5fee3f1a7285ebe0bad18a2765a4aa676c1893d04e3fe9e3535
Tags
vmprotect persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

a41005c97631a5fee3f1a7285ebe0bad18a2765a4aa676c1893d04e3fe9e3535

Threat Level: Likely malicious

The file 342530de153b0bb48252ceb4080c4f50_NeikiAnalytics was found to be: Likely malicious.

Malicious Activity Summary

vmprotect persistence

Modifies AppInit DLL entries

VMProtect packed file

Executes dropped EXE

Drops file in Program Files directory

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-11 20:13

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-11 20:13

Reported

2024-05-11 20:16

Platform

win7-20240221-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\342530de153b0bb48252ceb4080c4f50_NeikiAnalytics.exe"

Signatures

Modifies AppInit DLL entries

persistence

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\PROGRA~3\Mozilla\dbilzqh.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\PROGRA~3\Mozilla\dbilzqh.exe C:\Users\Admin\AppData\Local\Temp\342530de153b0bb48252ceb4080c4f50_NeikiAnalytics.exe N/A
File created C:\PROGRA~3\Mozilla\zxoabnc.dll C:\PROGRA~3\Mozilla\dbilzqh.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\342530de153b0bb48252ceb4080c4f50_NeikiAnalytics.exe N/A
N/A N/A C:\PROGRA~3\Mozilla\dbilzqh.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2348 wrote to memory of 3040 N/A C:\Windows\system32\taskeng.exe C:\PROGRA~3\Mozilla\dbilzqh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\342530de153b0bb48252ceb4080c4f50_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\342530de153b0bb48252ceb4080c4f50_NeikiAnalytics.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {ACCA006A-5D4E-48B3-8652-3DB78080FC04} S-1-5-18:NT AUTHORITY\System:Service:

C:\PROGRA~3\Mozilla\dbilzqh.exe

C:\PROGRA~3\Mozilla\dbilzqh.exe -kwinamg

Network

N/A

Files

memory/1668-0-0x0000000000400000-0x00000000009A3000-memory.dmp

memory/1668-1-0x0000000000400000-0x00000000009A3000-memory.dmp

memory/1668-2-0x0000000000260000-0x00000000002BB000-memory.dmp

memory/1668-3-0x0000000000400000-0x000000000045B000-memory.dmp

memory/1668-5-0x0000000000400000-0x000000000045B000-memory.dmp

C:\PROGRA~3\Mozilla\dbilzqh.exe

MD5 fddd1806ffa694181bb6f3f7909c2c69
SHA1 3577871005c95c7c13ff02290522dd95ba754e13
SHA256 8bee66374dadde7b9b582288001a1085143ca207bbf8e417c1d636c6f9db6de8
SHA512 32320fa229535650a3a00eacff63cb768766c4fa858738f4aa55d81344281c612729283f63eed102c00ce662a3b711c55d28eaaf627ea783a65435efd43c2fd1

memory/3040-8-0x0000000000400000-0x00000000009A3000-memory.dmp

memory/3040-9-0x0000000000400000-0x00000000009A3000-memory.dmp

memory/3040-11-0x0000000000400000-0x000000000045B000-memory.dmp

memory/3040-10-0x0000000000AE0000-0x0000000000B3B000-memory.dmp

memory/3040-13-0x0000000000400000-0x000000000045B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-11 20:13

Reported

2024-05-11 20:16

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\342530de153b0bb48252ceb4080c4f50_NeikiAnalytics.exe"

Signatures

Modifies AppInit DLL entries

persistence

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\PROGRA~3\Mozilla\wwtjpvj.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\PROGRA~3\Mozilla\wwtjpvj.exe C:\Users\Admin\AppData\Local\Temp\342530de153b0bb48252ceb4080c4f50_NeikiAnalytics.exe N/A
File created C:\PROGRA~3\Mozilla\yfjivib.dll C:\PROGRA~3\Mozilla\wwtjpvj.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\342530de153b0bb48252ceb4080c4f50_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\342530de153b0bb48252ceb4080c4f50_NeikiAnalytics.exe"

C:\PROGRA~3\Mozilla\wwtjpvj.exe

C:\PROGRA~3\Mozilla\wwtjpvj.exe -fyephuk

Network


Files

memory/2016-0-0x0000000000400000-0x00000000009A3000-memory.dmp

memory/2016-1-0x0000000000400000-0x00000000009A3000-memory.dmp

memory/2016-3-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2016-2-0x0000000002610000-0x000000000266B000-memory.dmp

C:\ProgramData\Mozilla\wwtjpvj.exe

MD5 4e5ddf859eaf8ddcd46bac2c0d7edd6b
SHA1 f9ee16f4c2331f917a91cbd6b775af4c79485c2b
SHA256 050bd355eb29c5c9ef9ba0adc0628aa3738234a1fdb1b4f9fd92ebd5d93feb88
SHA512 e6727836c00fe7013596751b4030f5e6c2af7d3dc61c7f172fac9451e8b1167623d1ca718b8f4e0d5155d44c36335ffd1f9c82496541ecb5944de733abf90d85

memory/4648-7-0x0000000000400000-0x00000000009A3000-memory.dmp

memory/2016-9-0x0000000000400000-0x000000000045B000-memory.dmp

memory/4648-10-0x0000000000400000-0x00000000009A3000-memory.dmp

memory/4648-11-0x0000000000400000-0x00000000009A3000-memory.dmp

memory/4648-12-0x0000000000400000-0x00000000009A3000-memory.dmp

memory/4648-15-0x0000000000400000-0x000000000045B000-memory.dmp