Malware Analysis Report

2024-10-16 02:31

Sample ID 240518-qsqmzsdg83
Target ce58f09c1fd2e3d53f16c579f0c7e950_NeikiAnalytics.exe
SHA256 11b601c4a4c13b07fb1783dccee903c98da103a02ff1702b7cd9e9dd7ff4f874
Tags
upx isfb gozi
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

11b601c4a4c13b07fb1783dccee903c98da103a02ff1702b7cd9e9dd7ff4f874

Threat Level: Known bad

The file ce58f09c1fd2e3d53f16c579f0c7e950_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

upx isfb gozi

Gozi family

UPX packed file

Deletes itself

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-18 13:31

Signatures

Gozi family

gozi

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-18 13:31

Reported

2024-05-18 13:34

Platform

win7-20240221-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ce58f09c1fd2e3d53f16c579f0c7e950_NeikiAnalytics.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce58f09c1fd2e3d53f16c579f0c7e950_NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce58f09c1fd2e3d53f16c579f0c7e950_NeikiAnalytics.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce58f09c1fd2e3d53f16c579f0c7e950_NeikiAnalytics.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce58f09c1fd2e3d53f16c579f0c7e950_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ce58f09c1fd2e3d53f16c579f0c7e950_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\ce58f09c1fd2e3d53f16c579f0c7e950_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\ce58f09c1fd2e3d53f16c579f0c7e950_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\ce58f09c1fd2e3d53f16c579f0c7e950_NeikiAnalytics.exe

Network

N/A

Files

memory/2936-0-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2936-2-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2936-1-0x0000000000030000-0x000000000003E000-memory.dmp

memory/1252-16-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2936-15-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ce58f09c1fd2e3d53f16c579f0c7e950_NeikiAnalytics.exe

MD5 6831d66938c05782c228493aeca2a07c
SHA1 333641eebbd50df221994730473a7c82a46b4350
SHA256 54ccb81ca19c6d8048239f8827c78a0396167e33408d3f6e0949fd0860e5d909
SHA512 d5fb42d23441b1c5350ee18bbc500b811bd0fa61409b2a672a8084590509d48bcf2248c0c7063e89af6d23411dca8e95a2e5ea16ddbcd3aed4f95aaa667f543b

memory/1252-28-0x00000000001F0000-0x000000000020B000-memory.dmp

memory/1252-23-0x0000000000400000-0x000000000040E000-memory.dmp

memory/1252-18-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1252-17-0x0000000000030000-0x000000000003E000-memory.dmp

memory/1252-29-0x0000000000400000-0x000000000043A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-18 13:31

Reported

2024-05-18 13:34

Platform

win10v2004-20240426-en

Max time kernel

129s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ce58f09c1fd2e3d53f16c579f0c7e950_NeikiAnalytics.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce58f09c1fd2e3d53f16c579f0c7e950_NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce58f09c1fd2e3d53f16c579f0c7e950_NeikiAnalytics.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce58f09c1fd2e3d53f16c579f0c7e950_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ce58f09c1fd2e3d53f16c579f0c7e950_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\ce58f09c1fd2e3d53f16c579f0c7e950_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\ce58f09c1fd2e3d53f16c579f0c7e950_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\ce58f09c1fd2e3d53f16c579f0c7e950_NeikiAnalytics.exe

Network

Country  Destination         Domain                       Proto
US       8.8.8.8:53          g.bing.com                   udp
US       204.79.197.237:443  g.bing.com                   tcp
NL       23.62.61.155:443    www.bing.com                 tcp
US       8.8.8.8:53          25.24.18.2.in-addr.arpa      udp
US       8.8.8.8:53          58.55.71.13.in-addr.arpa     udp
US       8.8.8.8:53          95.221.229.192.in-addr.arpa  udp
US       8.8.8.8:53          237.197.79.204.in-addr.arpa  udp
US       8.8.8.8:53          2.159.190.20.in-addr.arpa    udp
NL       23.62.61.155:443    www.bing.com                 tcp
US       8.8.8.8:53          155.61.62.23.in-addr.arpa    udp
US       8.8.8.8:53          133.211.185.52.in-addr.arpa  udp
US       8.8.8.8:53          157.123.68.40.in-addr.arpa   udp
US       8.8.8.8:53          206.23.85.13.in-addr.arpa    udp
US       8.8.8.8:53          57.169.31.20.in-addr.arpa    udp
US       8.8.8.8:53          91.90.14.23.in-addr.arpa     udp
US       8.8.8.8:53          30.243.111.52.in-addr.arpa   udp
US       8.8.8.8:53          tse1.mm.bing.net             udp
US       204.79.197.200:443  tse1.mm.bing.net             tcp
US       204.79.197.200:443  tse1.mm.bing.net             tcp
US       204.79.197.200:443  tse1.mm.bing.net             tcp
US       204.79.197.200:443  tse1.mm.bing.net             tcp
US       8.8.8.8:53          26.35.223.20.in-addr.arpa    udp
US       8.8.8.8:53          200.197.79.204.in-addr.arpa  udp

Files

memory/2908-0-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2908-1-0x00000000000E0000-0x00000000000EE000-memory.dmp

memory/2908-2-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2908-12-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ce58f09c1fd2e3d53f16c579f0c7e950_NeikiAnalytics.exe

MD5 502946d61d8e1544c7cd371097b50ba4
SHA1 f08391d2204a24b6b8f18f177e300990f44f6a3d
SHA256 afb3bc2a679362e7e7a2bd6f8047671cf24353c493762ef82e0817d9eb8534b4
SHA512 afcdb924b64d25e8938ac9daafd82761111bd02996bc3d5772abb8125922aaa043b2ab0df107352e20461a41878b174720268b065a94becbaa22d8813d39f33f

memory/2296-13-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2296-14-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2296-19-0x0000000000190000-0x000000000019E000-memory.dmp

memory/2296-20-0x0000000000400000-0x000000000040E000-memory.dmp

memory/2296-25-0x00000000014B0000-0x00000000014CB000-memory.dmp

memory/2296-26-0x0000000000400000-0x000000000043A000-memory.dmp