Malware Analysis Report

2025-03-15 05:55

Sample ID: 240514-je3basfg44
Target: a39f688d548b5382f3af3bcfd2c3de50_NeikiAnalytics
SHA256: c5bc92b1ea013a04d5d79d183382a8d71cf3d7740442b4a66ceae55495cb0f53
Tags: vmprotect
Score: 7/10

Analysis Overview

Score: 7/10

SHA256: c5bc92b1ea013a04d5d79d183382a8d71cf3d7740442b4a66ceae55495cb0f53

Threat Level: Shows suspicious behavior

The file a39f688d548b5382f3af3bcfd2c3de50_NeikiAnalytics was found to be: Shows suspicious behavior.

Malicious Activity Summary

vmprotect

Loads dropped DLL

VMProtect packed file

Executes dropped EXE

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-14 07:35

Signatures

VMProtect packed file

Tag: vmprotect

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-14 07:35

Reported: 2024-05-14 07:38

Platform: win7-20240215-en

Max time kernel: 119s

Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a39f688d548b5382f3af3bcfd2c3de50_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\asdp\hyaezavhnv.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a39f688d548b5382f3af3bcfd2c3de50_NeikiAnalytics.exe | N/A

VMProtect packed file

Tag: vmprotect

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\asdp\hyaezavhnv.exe | C:\Users\Admin\AppData\Local\Temp\a39f688d548b5382f3af3bcfd2c3de50_NeikiAnalytics.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a39f688d548b5382f3af3bcfd2c3de50_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a39f688d548b5382f3af3bcfd2c3de50_NeikiAnalytics.exe"

C:\Program Files (x86)\asdp\hyaezavhnv.exe

"C:\Program Files (x86)\asdp\hyaezavhnv.exe"

Network

N/A

Files

memory/2396-0-0x0000000000400000-0x00000000008CE000-memory.dmp

\Program Files (x86)\asdp\hyaezavhnv.exe

MD5 b072e91728a1edf992236e2bfa442c42
SHA1 277efe69975ece71b2d209a3b7457e8b52ba26ae
SHA256 0ddd627b887d6250d0bfb3ef798761d2f6418b3efdb7c87fa89dec5e5e6dece7
SHA512 2cf5af96f0331437f31b7ded7f488eafd7d70ab82dc4e8f26694f106dac0d2a41dad427ad49997979010cdcb1d035de80c96565ae31df499324960956557993d

memory/2224-7-0x0000000000400000-0x00000000008CE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-14 07:35

Reported: 2024-05-14 07:38

Platform: win10v2004-20240426-en

Max time kernel: 131s

Max time network: 100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a39f688d548b5382f3af3bcfd2c3de50_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\msjl\ncvlk.exe | N/A

VMProtect packed file

Tag: vmprotect

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\msjl\ncvlk.exe | C:\Users\Admin\AppData\Local\Temp\a39f688d548b5382f3af3bcfd2c3de50_NeikiAnalytics.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a39f688d548b5382f3af3bcfd2c3de50_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a39f688d548b5382f3af3bcfd2c3de50_NeikiAnalytics.exe"

C:\Program Files (x86)\msjl\ncvlk.exe

"C:\Program Files (x86)\msjl\ncvlk.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 131.253.33.237:443 | g.bing.com | tcp
NL | 23.62.61.184:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.33.253.131.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 184.61.62.23.in-addr.arpa | udp
NL | 23.62.61.184:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 52.111.227.14:443 | N/A | tcp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp

Files

memory/2220-0-0x0000000000400000-0x00000000008CE000-memory.dmp

C:\Program Files (x86)\msjl\ncvlk.exe

MD5 ef3e4158cffafccf24e5baf645c382bf
SHA1 6e6169a6ac6616e0cb6f0860e7f32eaf2c43180c
SHA256 c647ed2206cbffdc561b2c043e2198542ff010d66befc011e8849a0455a719f8
SHA512 386177b5cb16a706881520677ad6019cb1637d9b22d943741f4f3ceb13ec718d0be920d7f33f41e6ece647acccd24310a44b3de36f26e59ac6e4344d95f7214e

memory/2116-6-0x0000000000400000-0x00000000008CE000-memory.dmp