Malware Analysis Report

2025-03-15 06:04

Sample ID 240512-z18yzabb24
Target 5d5b6e4d3b0584e6111afa39db4ef9d0_NeikiAnalytics
SHA256 3a1a4ffb894e2673923bec9c1d735de2235b2783f96e1da7c1c02d024dc86a59
Tags
persistence vmprotect
score
8/10

Analysis Overview

score
8/10

SHA256

3a1a4ffb894e2673923bec9c1d735de2235b2783f96e1da7c1c02d024dc86a59

Threat Level: Likely malicious

The file 5d5b6e4d3b0584e6111afa39db4ef9d0_NeikiAnalytics was found to be: Likely malicious.

Malicious Activity Summary

persistence vmprotect

Modifies AppInit DLL entries

Executes dropped EXE

VMProtect packed file

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-12 21:12

Signatures

VMProtect packed file

vmprotect

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-12 21:12

Reported

2024-05-12 21:14

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

93s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d5b6e4d3b0584e6111afa39db4ef9d0_NeikiAnalytics.exe"

Signatures

Modifies AppInit DLL entries

persistence

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\PROGRA~3\Mozilla\ywswmda.exe | N/A

VMProtect packed file

vmprotect

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\PROGRA~3\Mozilla\ywswmda.exe | C:\Users\Admin\AppData\Local\Temp\5d5b6e4d3b0584e6111afa39db4ef9d0_NeikiAnalytics.exe | N/A
File created | C:\PROGRA~3\Mozilla\dzldqrl.dll | C:\PROGRA~3\Mozilla\ywswmda.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5d5b6e4d3b0584e6111afa39db4ef9d0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\5d5b6e4d3b0584e6111afa39db4ef9d0_NeikiAnalytics.exe"

C:\PROGRA~3\Mozilla\ywswmda.exe

C:\PROGRA~3\Mozilla\ywswmda.exe -zhzkoil

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.143.109.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp

Files

memory/384-0-0x0000000000400000-0x00000000009A3000-memory.dmp

memory/384-2-0x0000000002610000-0x000000000266B000-memory.dmp

memory/384-3-0x0000000000400000-0x000000000045B000-memory.dmp

memory/384-1-0x0000000000400000-0x00000000009A3000-memory.dmp

C:\ProgramData\Mozilla\ywswmda.exe

MD5 754addf7dd23a1ca4f85eaea209dadbb
SHA1 a1f8213e2daf0d51f23117d2f92335cd37eab76a
SHA256 acb7826c420dc00460657b855cca4fb870a03fb851ea8efb4d74ab1b92140950
SHA512 51e107d5d537f50c56926d38fad93bafae13a746ff4dec4b5c4dd7f02dd3717a7284a638758ad2310abff3c043af584715b1640cac8047b68d04e4525b141c7f

memory/384-8-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2304-9-0x0000000000400000-0x00000000009A3000-memory.dmp

memory/2304-10-0x0000000000400000-0x00000000009A3000-memory.dmp

memory/2304-11-0x0000000000400000-0x00000000009A3000-memory.dmp

memory/2304-14-0x0000000000400000-0x000000000045B000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-12 21:12

Reported

2024-05-12 21:14

Platform

win7-20240221-en

Max time kernel

117s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d5b6e4d3b0584e6111afa39db4ef9d0_NeikiAnalytics.exe"

Signatures

Modifies AppInit DLL entries

persistence

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\PROGRA~3\Mozilla\tbckyxk.exe | N/A

VMProtect packed file

vmprotect

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\PROGRA~3\Mozilla\tbckyxk.exe | C:\Users\Admin\AppData\Local\Temp\5d5b6e4d3b0584e6111afa39db4ef9d0_NeikiAnalytics.exe | N/A
File created | C:\PROGRA~3\Mozilla\newtrln.dll | C:\PROGRA~3\Mozilla\tbckyxk.exe | N/A

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5d5b6e4d3b0584e6111afa39db4ef9d0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\PROGRA~3\Mozilla\tbckyxk.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2064 wrote to memory of 1100 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\tbckyxk.exe
PID 2064 wrote to memory of 1100 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\tbckyxk.exe
PID 2064 wrote to memory of 1100 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\tbckyxk.exe
PID 2064 wrote to memory of 1100 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\tbckyxk.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5d5b6e4d3b0584e6111afa39db4ef9d0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\5d5b6e4d3b0584e6111afa39db4ef9d0_NeikiAnalytics.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {3E1F6F6F-93C7-4EC4-88BE-633CE0964488} S-1-5-18:NT AUTHORITY\System:Service:

C:\PROGRA~3\Mozilla\tbckyxk.exe

C:\PROGRA~3\Mozilla\tbckyxk.exe -gqpcbye

Network

N/A

Files

memory/2032-0-0x0000000000400000-0x00000000009A3000-memory.dmp

memory/2032-3-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2032-2-0x0000000000340000-0x000000000039B000-memory.dmp

memory/2032-1-0x0000000000400000-0x00000000009A3000-memory.dmp

memory/2032-5-0x0000000000400000-0x000000000045B000-memory.dmp

C:\PROGRA~3\Mozilla\tbckyxk.exe

MD5 f089b1de335bc213a1f2886a8a634815
SHA1 6301d8f8317bc3875e54285a4015a80a7cb4ee04
SHA256 032613874a3a4be578361f07ffb44c61e3139b20bd11f89cc2457094f093489e
SHA512 faba37b05ad8b46d8ffb2c30c540ad042a6af55d94e10451e4aef508c8c3a9452e7f271ee58e382384f4fc4af3aec5236f708ec9b969eccb281766a8cfd07f65

memory/1100-9-0x00000000009B0000-0x0000000000A0B000-memory.dmp

memory/1100-10-0x0000000000400000-0x000000000045B000-memory.dmp

memory/1100-8-0x0000000000400000-0x00000000009A3000-memory.dmp

memory/1100-12-0x0000000000400000-0x000000000045B000-memory.dmp