Malware Analysis Report

2025-03-15 06:00

Sample ID 240512-qxbdvsgh2w
Target 1680e6d541b9a78ae369888478a76420_NeikiAnalytics
SHA256 36ab349fe80c0bbe713bff252ea90b2222a4a5de9d03045e9356dfb3bf2f3fce
Tags persistence vmprotect
Score 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 8/10

SHA256

36ab349fe80c0bbe713bff252ea90b2222a4a5de9d03045e9356dfb3bf2f3fce

Threat Level: Likely malicious

The file 1680e6d541b9a78ae369888478a76420_NeikiAnalytics was classified as: Likely malicious.

Malicious Activity Summary

persistence vmprotect

Modifies AppInit DLL entries

Executes dropped EXE

VMProtect packed file

Drops file in Program Files directory

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-12 13:37

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-12 13:37

Reported

2024-05-12 13:40

Platform

win7-20240220-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1680e6d541b9a78ae369888478a76420_NeikiAnalytics.exe"

Signatures

Modifies AppInit DLL entries

persistence

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\PROGRA~3\Mozilla\wrvdfyg.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\PROGRA~3\Mozilla\wrvdfyg.exe C:\Users\Admin\AppData\Local\Temp\1680e6d541b9a78ae369888478a76420_NeikiAnalytics.exe N/A
File created C:\PROGRA~3\Mozilla\klztrnd.dll C:\PROGRA~3\Mozilla\wrvdfyg.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1680e6d541b9a78ae369888478a76420_NeikiAnalytics.exe N/A
N/A N/A C:\PROGRA~3\Mozilla\wrvdfyg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2568 wrote to memory of 2968 N/A C:\Windows\system32\taskeng.exe C:\PROGRA~3\Mozilla\wrvdfyg.exe
PID 2568 wrote to memory of 2968 N/A C:\Windows\system32\taskeng.exe C:\PROGRA~3\Mozilla\wrvdfyg.exe
PID 2568 wrote to memory of 2968 N/A C:\Windows\system32\taskeng.exe C:\PROGRA~3\Mozilla\wrvdfyg.exe
PID 2568 wrote to memory of 2968 N/A C:\Windows\system32\taskeng.exe C:\PROGRA~3\Mozilla\wrvdfyg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1680e6d541b9a78ae369888478a76420_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\1680e6d541b9a78ae369888478a76420_NeikiAnalytics.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {DFE44B84-FA10-419F-AEDE-3EBEEE27E252} S-1-5-18:NT AUTHORITY\System:Service:

C:\PROGRA~3\Mozilla\wrvdfyg.exe

C:\PROGRA~3\Mozilla\wrvdfyg.exe -hzyjzia

Network

N/A

Files

memory/2924-0-0x0000000000400000-0x00000000009A3000-memory.dmp

memory/2924-3-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2924-2-0x0000000000260000-0x00000000002BB000-memory.dmp

memory/2924-1-0x0000000000400000-0x00000000009A3000-memory.dmp

memory/2924-5-0x0000000000400000-0x000000000045B000-memory.dmp

C:\PROGRA~3\Mozilla\wrvdfyg.exe

MD5 d69fde86d851795e9cf60aab6e1c0d25
SHA1 adad838170a73c065680191208b814d98a7da0c2
SHA256 4204226b3ad5ad09dc1c44c31a336aef1fa1f7f9127b0e0489b300f970e65f29
SHA512 a965b58c39ff603da1fcc47943d24081cf82d10aa6684d0fbd788565f43b74a8974159be5bf3580b37ef84d7f7866c2413a004431d3fcbbb9524207ac5877c8b

memory/2968-8-0x0000000000400000-0x00000000009A3000-memory.dmp

memory/2968-10-0x0000000000A70000-0x0000000000ACB000-memory.dmp

memory/2968-11-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2968-9-0x0000000000400000-0x00000000009A3000-memory.dmp

memory/2968-13-0x0000000000400000-0x000000000045B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-12 13:37

Reported

2024-05-12 13:40

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1680e6d541b9a78ae369888478a76420_NeikiAnalytics.exe"

Signatures

Modifies AppInit DLL entries

persistence

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\PROGRA~3\Mozilla\yvkllbe.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\PROGRA~3\Mozilla\yvkllbe.exe C:\Users\Admin\AppData\Local\Temp\1680e6d541b9a78ae369888478a76420_NeikiAnalytics.exe N/A
File created C:\PROGRA~3\Mozilla\iavzpea.dll C:\PROGRA~3\Mozilla\yvkllbe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1680e6d541b9a78ae369888478a76420_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\1680e6d541b9a78ae369888478a76420_NeikiAnalytics.exe"

C:\PROGRA~3\Mozilla\yvkllbe.exe

C:\PROGRA~3\Mozilla\yvkllbe.exe -delffli

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
NL 23.62.61.88:443 www.bing.com tcp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.61.62.23.in-addr.arpa udp
NL 23.62.61.88:443 www.bing.com tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/2192-0-0x0000000000400000-0x00000000009A3000-memory.dmp

memory/2192-1-0x0000000000400000-0x00000000009A3000-memory.dmp

memory/2192-3-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2192-2-0x00000000025F0000-0x000000000264B000-memory.dmp

C:\ProgramData\Mozilla\yvkllbe.exe

MD5 300fa8e7a2ec86c8149d6ff34276d1e9
SHA1 8a85eb54f7447d04c0ef8f03e5c5a2a9228f2903
SHA256 8a8ddf308214f2376ba51da08a378149c763ccfede57b33b05bfb199441f2dbe
SHA512 f113a15c9b22aea9b6de8ac3aab329c2701af86e3b101ec602caadfdc59569b404c6b1a38d64daf701a18d92d2c1475dd46070ea2e1589d09fc249d9cccf7693

memory/2192-8-0x0000000000400000-0x000000000045B000-memory.dmp

memory/3952-9-0x0000000000400000-0x00000000009A3000-memory.dmp

memory/3952-10-0x0000000000400000-0x00000000009A3000-memory.dmp

memory/3952-11-0x0000000000400000-0x00000000009A3000-memory.dmp

memory/3952-12-0x0000000000400000-0x00000000009A3000-memory.dmp

memory/3952-15-0x0000000000400000-0x000000000045B000-memory.dmp