Malware Analysis Report

2024-08-06 15:22

Sample ID 240520-d7zg8ahh94
Target a2c64477b35e5310c65c8aa604a8d950_NeikiAnalytics.exe
SHA256 69dc235134576a87c5be9e764d7a128f2f6dd803ad4d587f3ea835f3573fa11f
Tags
nanocore evasion keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

69dc235134576a87c5be9e764d7a128f2f6dd803ad4d587f3ea835f3573fa11f

Threat Level: Known bad

The file a2c64477b35e5310c65c8aa604a8d950_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger persistence spyware stealer trojan

NanoCore

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-20 03:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-20 03:39

Reported

2024-05-20 03:42

Platform

win7-20240508-en

Max time kernel

146s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a2c64477b35e5310c65c8aa604a8d950_NeikiAnalytics.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\b1b2dqljdx3 = "C:\\Users\\Admin\\AppData\\Roaming\\b1b2dqljdx3\\a1punf5t2of.exe" | C:\Users\Admin\AppData\Local\Temp\a2c64477b35e5310c65c8aa604a8d950_NeikiAnalytics.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2712 set thread context of 2556 | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2232 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\a2c64477b35e5310c65c8aa604a8d950_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
PID 2232 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\a2c64477b35e5310c65c8aa604a8d950_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
PID 2232 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\a2c64477b35e5310c65c8aa604a8d950_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
PID 2232 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\a2c64477b35e5310c65c8aa604a8d950_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
PID 2232 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\a2c64477b35e5310c65c8aa604a8d950_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
PID 2232 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\a2c64477b35e5310c65c8aa604a8d950_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
PID 2232 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\a2c64477b35e5310c65c8aa604a8d950_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
PID 2712 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
PID 2712 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
PID 2712 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
PID 2712 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
PID 2712 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
PID 2712 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
PID 2712 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
PID 2712 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
PID 2712 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
PID 2712 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
PID 2712 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
PID 2712 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a2c64477b35e5310c65c8aa604a8d950_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a2c64477b35e5310c65c8aa604a8d950_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"

C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | sysupdate24.ddns.net | udp

Files

memory/2232-0-0x0000000074051000-0x0000000074052000-memory.dmp

memory/2232-1-0x0000000074050000-0x00000000745FB000-memory.dmp

memory/2232-2-0x0000000074050000-0x00000000745FB000-memory.dmp

memory/2232-3-0x0000000074050000-0x00000000745FB000-memory.dmp

\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

MD5 f967d3551427ff3b86b98fff5acdddcf
SHA1 ada53a8851109484c124fe03476815fd26c5ac49
SHA256 c3d646529aa74984072f6bb8cd231fd75682aa96984c631deb2d1deadebf7af3
SHA512 96f251f0477ec44947554eef10cd34aa711b6122ae819eacaeb4865edd4ea6f05e6b6e646d60f88281a8bb63fbbb4dc4069f9e81e835aed8ef404c0d2b5d3f78

memory/2712-13-0x0000000074050000-0x00000000745FB000-memory.dmp

memory/2712-14-0x0000000074050000-0x00000000745FB000-memory.dmp

memory/2712-15-0x0000000074050000-0x00000000745FB000-memory.dmp

memory/2232-12-0x0000000074050000-0x00000000745FB000-memory.dmp

memory/2556-19-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2556-18-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2556-17-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2556-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2556-30-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2556-29-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2556-23-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2556-21-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2712-32-0x0000000074050000-0x00000000745FB000-memory.dmp

memory/2712-33-0x0000000074050000-0x00000000745FB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-20 03:39

Reported

2024-05-20 03:42

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a2c64477b35e5310c65c8aa604a8d950_NeikiAnalytics.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a2c64477b35e5310c65c8aa604a8d950_NeikiAnalytics.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b1b2dqljdx3 = "C:\\Users\\Admin\\AppData\\Roaming\\b1b2dqljdx3\\a1punf5t2of.exe" | C:\Users\Admin\AppData\Local\Temp\a2c64477b35e5310c65c8aa604a8d950_NeikiAnalytics.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 372 set thread context of 1704 | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3772 wrote to memory of 372 | N/A | C:\Users\Admin\AppData\Local\Temp\a2c64477b35e5310c65c8aa604a8d950_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
PID 3772 wrote to memory of 372 | N/A | C:\Users\Admin\AppData\Local\Temp\a2c64477b35e5310c65c8aa604a8d950_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
PID 3772 wrote to memory of 372 | N/A | C:\Users\Admin\AppData\Local\Temp\a2c64477b35e5310c65c8aa604a8d950_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
PID 372 wrote to memory of 1704 | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
PID 372 wrote to memory of 1704 | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
PID 372 wrote to memory of 1704 | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
PID 372 wrote to memory of 1704 | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
PID 372 wrote to memory of 1704 | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
PID 372 wrote to memory of 1704 | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
PID 372 wrote to memory of 1704 | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
PID 372 wrote to memory of 1704 | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a2c64477b35e5310c65c8aa604a8d950_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a2c64477b35e5310c65c8aa604a8d950_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"

C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
BE | 88.221.83.187:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 187.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | sysupdate24.ddns.net | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | | udp

Files

memory/3772-0-0x0000000074FE2000-0x0000000074FE3000-memory.dmp

memory/3772-1-0x0000000074FE0000-0x0000000075591000-memory.dmp

memory/3772-2-0x0000000074FE0000-0x0000000075591000-memory.dmp

memory/3772-3-0x0000000074FE0000-0x0000000075591000-memory.dmp

C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

MD5 0d04849024b159adf808fc8a53700fd3
SHA1 6f13597ca565dc78efcaf940961a29e694a5b0a2
SHA256 cdf7fee7d0543798b217d5987bdf2f6134005ed37205efb59fb4e00e18c1193b
SHA512 0c0eb3f96f4ead46f59dc2a4882a100b4af2a52b2e3e29b599a3e6ad746b834d804c9fe742babaa68309f924c204b9d681fa7e774603ac5028a66c31b6f535a0

memory/372-18-0x0000000074FE0000-0x0000000075591000-memory.dmp

memory/3772-17-0x0000000074FE0000-0x0000000075591000-memory.dmp

memory/372-19-0x0000000074FE0000-0x0000000075591000-memory.dmp

memory/1704-23-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1704-21-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1704-20-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1704-25-0x0000000074FE0000-0x0000000075591000-memory.dmp

memory/1704-26-0x0000000074FE0000-0x0000000075591000-memory.dmp

memory/1704-27-0x0000000074FE0000-0x0000000075591000-memory.dmp

memory/1704-29-0x0000000074FE0000-0x0000000075591000-memory.dmp

memory/372-30-0x0000000074FE0000-0x0000000075591000-memory.dmp

memory/372-32-0x0000000074FE0000-0x0000000075591000-memory.dmp

memory/1704-33-0x0000000074FE0000-0x0000000075591000-memory.dmp

memory/1704-34-0x0000000074FE0000-0x0000000075591000-memory.dmp