Malware Analysis Report

2025-03-15 05:55

Sample ID 240515-avgj4agc4w
Target 4eff3d280a44e8dd6bb332c87a485e00_NeikiAnalytics
SHA256 5e5a20098506cd3795c69084e074537cd3382e1ff19fc9fbdc9e6b03554a7429
Tags vmprotect, persistence
Score 8/10

Analysis Overview

Threat Level: Likely malicious

The file 4eff3d280a44e8dd6bb332c87a485e00_NeikiAnalytics was found to be: Likely malicious.

Malicious Activity Summary

Modifies AppInit DLL entries

Executes dropped EXE

VMProtect packed file

Drops file in Program Files directory

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-05-15 00:31

Signatures

VMProtect packed file

vmprotect
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 00:31

Reported

2024-05-15 00:34

Platform

win7-20231129-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4eff3d280a44e8dd6bb332c87a485e00_NeikiAnalytics.exe"

Signatures

Modifies AppInit DLL entries

persistence

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\PROGRA~3\Mozilla\anhxrcb.exe | N/A

VMProtect packed file

vmprotect
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (entry repeated 4 times in the report)

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\PROGRA~3\Mozilla\fqurfhn.dll | C:\PROGRA~3\Mozilla\anhxrcb.exe | N/A
File created | C:\PROGRA~3\Mozilla\anhxrcb.exe | C:\Users\Admin\AppData\Local\Temp\4eff3d280a44e8dd6bb332c87a485e00_NeikiAnalytics.exe | N/A

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4eff3d280a44e8dd6bb332c87a485e00_NeikiAnalytics.exe | N/A
N/A | N/A | C:\PROGRA~3\Mozilla\anhxrcb.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1844 wrote to memory of 2348 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\anhxrcb.exe (entry repeated 4 times in the report)

Processes

C:\Users\Admin\AppData\Local\Temp\4eff3d280a44e8dd6bb332c87a485e00_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\4eff3d280a44e8dd6bb332c87a485e00_NeikiAnalytics.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {A7C10CC4-19BE-4423-90D2-3A35D13EC20D} S-1-5-18:NT AUTHORITY\System:Service:

C:\PROGRA~3\Mozilla\anhxrcb.exe

C:\PROGRA~3\Mozilla\anhxrcb.exe -wxojhrj

Network

N/A

Files

C:\PROGRA~3\Mozilla\anhxrcb.exe

MD5 a820b74f44e0ab0df8e810ee741786ac
SHA1 b174d04d91c6ac965a39c526e73c9a07c0d6cade
SHA256 9e58e6a4d7de5f4d7641f5d3fd4515b8289ed8a2fcd239f0651a582066554c33
SHA512 f6e66dd837aff93640f4b3c51c055332f7a2553bc0532cdfcad6cf01060ef68a6ca03730ee9f40cc79bfa682826186f75a9346e8b97477b4dc84ba92c1599751

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 00:31

Reported

2024-05-15 00:34

Platform

win10v2004-20240508-en

Max time kernel

94s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4eff3d280a44e8dd6bb332c87a485e00_NeikiAnalytics.exe"

Signatures

Modifies AppInit DLL entries

persistence

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\PROGRA~3\Mozilla\onvmijj.exe | N/A

VMProtect packed file

vmprotect
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (entry repeated 5 times in the report)

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\PROGRA~3\Mozilla\onvmijj.exe | C:\Users\Admin\AppData\Local\Temp\4eff3d280a44e8dd6bb332c87a485e00_NeikiAnalytics.exe | N/A
File created | C:\PROGRA~3\Mozilla\gmzywaj.dll | C:\PROGRA~3\Mozilla\onvmijj.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4eff3d280a44e8dd6bb332c87a485e00_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\4eff3d280a44e8dd6bb332c87a485e00_NeikiAnalytics.exe"

C:\PROGRA~3\Mozilla\onvmijj.exe

C:\PROGRA~3\Mozilla\onvmijj.exe -ibpmpgd

Network

Country | Destination | Domain | Proto
BE | 2.17.196.177:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 177.196.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.121.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp

Files

C:\ProgramData\Mozilla\onvmijj.exe

MD5 7dcc97e113e166d4f05ddfc62da70b1e
SHA1 fcc53d88ea44052ab528e89d63c2112f720b100c
SHA256 1cd278fb1b0233e1029fbf8d4cef70ad437c41ec7111d0bdffd17b8a1e34195d
SHA512 e2accf20c0f335fd9788c7779e66fe1ed752930b60d62ad95594348ff36f46718a3c906dbe8a8c5f653eb32404e019c4f1d17a4d731876aa47d1018087f400cd
