Malware Analysis Report

2025-03-15 05:57

Sample ID 240512-hfkxzadb31
Target 789a341575972fe95dfccf2308a221d0_NeikiAnalytics
SHA256 5cfc8d4f7d983092569ef845401d0a7920d86f387b02d1d9c8ebdadaab2a5582
Tags
vmprotect persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

5cfc8d4f7d983092569ef845401d0a7920d86f387b02d1d9c8ebdadaab2a5582

Threat Level: Likely malicious

The file 789a341575972fe95dfccf2308a221d0_NeikiAnalytics was found to be: Likely malicious.

Malicious Activity Summary

vmprotect persistence

Modifies AppInit DLL entries

Executes dropped EXE

VMProtect packed file

Drops file in Program Files directory

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-12 06:40

Signatures

VMProtect packed file

vmprotect
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-12 06:40

Reported

2024-05-12 06:43

Platform

win7-20240215-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\789a341575972fe95dfccf2308a221d0_NeikiAnalytics.exe"

Signatures

Modifies AppInit DLL entries

persistence

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\PROGRA~3\Mozilla\racmzae.exe | N/A

VMProtect packed file

vmprotect
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\PROGRA~3\Mozilla\racmzae.exe | C:\Users\Admin\AppData\Local\Temp\789a341575972fe95dfccf2308a221d0_NeikiAnalytics.exe | N/A
File created | C:\PROGRA~3\Mozilla\ttbtowf.dll | C:\PROGRA~3\Mozilla\racmzae.exe | N/A

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\789a341575972fe95dfccf2308a221d0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\PROGRA~3\Mozilla\racmzae.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2652 wrote to memory of 2596 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\racmzae.exe
PID 2652 wrote to memory of 2596 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\racmzae.exe
PID 2652 wrote to memory of 2596 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\racmzae.exe
PID 2652 wrote to memory of 2596 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\racmzae.exe

Processes

C:\Users\Admin\AppData\Local\Temp\789a341575972fe95dfccf2308a221d0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\789a341575972fe95dfccf2308a221d0_NeikiAnalytics.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {9D1EE57F-530E-45DA-BE78-14560FADE3C9} S-1-5-18:NT AUTHORITY\System:Service:

C:\PROGRA~3\Mozilla\racmzae.exe

C:\PROGRA~3\Mozilla\racmzae.exe -cddhnyc

Network

N/A

Files

memory/2984-0-0x0000000000400000-0x0000000000994000-memory.dmp

memory/2984-2-0x0000000000A10000-0x0000000000A6B000-memory.dmp

memory/2984-3-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2984-6-0x0000000000400000-0x000000000045B000-memory.dmp

C:\PROGRA~3\Mozilla\racmzae.exe

MD5 3333082ae53c9a6a212193ee7bee198e
SHA1 c36eca117cd245559d5d07a395e11ac807c25efe
SHA256 6cdc271c99209333c5b3a27aa282b8144119289075f13090909a10978a10b5d0
SHA512 becafb95a727f4b998afe823ffe259e59df4cd5b9a494e57bd49d19de54b6f8dc25bea12edee3e658906945ef72e7afa3176d69f564deb2c3fef1e921bbcb30b

memory/2596-9-0x0000000000400000-0x0000000000994000-memory.dmp

memory/2596-12-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2596-11-0x00000000009A0000-0x00000000009FB000-memory.dmp

memory/2596-14-0x0000000000400000-0x000000000045B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-12 06:40

Reported

2024-05-12 06:43

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\789a341575972fe95dfccf2308a221d0_NeikiAnalytics.exe"

Signatures

Modifies AppInit DLL entries

persistence

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\PROGRA~3\Mozilla\lrjbnqc.exe | N/A

VMProtect packed file

vmprotect
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\PROGRA~3\Mozilla\lrjbnqc.exe | C:\Users\Admin\AppData\Local\Temp\789a341575972fe95dfccf2308a221d0_NeikiAnalytics.exe | N/A
File created | C:\PROGRA~3\Mozilla\vbwqqmn.dll | C:\PROGRA~3\Mozilla\lrjbnqc.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\789a341575972fe95dfccf2308a221d0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\789a341575972fe95dfccf2308a221d0_NeikiAnalytics.exe"

C:\PROGRA~3\Mozilla\lrjbnqc.exe

C:\PROGRA~3\Mozilla\lrjbnqc.exe -lihtnse

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp
NL | 23.62.61.72:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp
NL | 23.62.61.72:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | | udp

Files

memory/4148-0-0x0000000000400000-0x0000000000994000-memory.dmp

memory/4148-3-0x0000000000400000-0x000000000045B000-memory.dmp

memory/4148-2-0x0000000002640000-0x000000000269B000-memory.dmp

C:\ProgramData\Mozilla\lrjbnqc.exe

MD5 eb7a45495c7b8aef7c02024cd10a9bae
SHA1 4f871ad0ebc1186b6f973226ab11d153ddbbe784
SHA256 1a24e4f16202afc938dca0f615374b86941433970344482a77ca17a8d11b64a9
SHA512 8cf73495b623ff3dde46d2f55dd3737e66cbd5a6b06e69479d1ccf30f676fbe8556017694c76168dcf87a6de140cc4b6fb3c6a84c8996e1f0888747c8aacbf53

memory/4148-8-0x0000000000400000-0x000000000045B000-memory.dmp

memory/4064-9-0x0000000000400000-0x0000000000994000-memory.dmp

memory/4064-11-0x0000000000400000-0x0000000000994000-memory.dmp

memory/4064-12-0x0000000000400000-0x0000000000994000-memory.dmp

memory/4064-15-0x0000000000400000-0x000000000045B000-memory.dmp