Malware Analysis Report

2025-01-06 11:35

Sample ID: 240603-e9asbabf6w
Target: 9bd1a4281392cf3123cdf7d13d1cd460_NeikiAnalytics.exe
SHA256: 1d2689dfd8e731944895a3ab96d7f22f9b281af02e5193ab0fb3a2914b3ae001
Tags: evasion
Score: 8/10

Analysis Overview

Score: 8/10

SHA256: 1d2689dfd8e731944895a3ab96d7f22f9b281af02e5193ab0fb3a2914b3ae001

Threat Level: Likely malicious

The file 9bd1a4281392cf3123cdf7d13d1cd460_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

evasion

Sets file to hidden

Executes dropped EXE

Deletes itself

Checks computer location settings

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Views/modifies file attributes

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-03 04:37

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-03 04:37

Reported: 2024-06-03 04:40

Platform: win7-20240419-en

Max time kernel: 141s

Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9bd1a4281392cf3123cdf7d13d1cd460_NeikiAnalytics.exe"

Signatures

Sets file to hidden (evasion)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Debug\zskhost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Debug\zskhost.exe | C:\Users\Admin\AppData\Local\Temp\9bd1a4281392cf3123cdf7d13d1cd460_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\Debug\zskhost.exe | C:\Users\Admin\AppData\Local\Temp\9bd1a4281392cf3123cdf7d13d1cd460_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\Debug\zskhost.exe | C:\Windows\SysWOW64\attrib.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9bd1a4281392cf3123cdf7d13d1cd460_NeikiAnalytics.exe | N/A

Views/modifies file attributes (evasion)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Processes

Process | Command line
C:\Users\Admin\AppData\Local\Temp\9bd1a4281392cf3123cdf7d13d1cd460_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\9bd1a4281392cf3123cdf7d13d1cd460_NeikiAnalytics.exe"
C:\Windows\SysWOW64\attrib.exe | attrib +a +s +h +r C:\Windows\Debug\zskhost.exe
C:\Windows\Debug\zskhost.exe | C:\Windows\Debug\zskhost.exe
C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\9BD1A4~1.EXE > nul

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | jp6PcVRTC.nnnn.eu.org | udp
US | 8.8.8.8:53 | MrPCko7OkF.nnnn.eu.org | udp
US | 8.8.8.8:53 | wY7N1m60TT.nnnn.eu.org | udp
US | 8.8.8.8:53 | WkoZIGa7D.nnnn.eu.org | udp
US | 8.8.8.8:53 | 6Qzk3E3FxP.nnnn.eu.org | udp

Files

C:\Windows\Debug\zskhost.exe

MD5 4158e9e09d2ed82e126b7bac4ebd95b4
SHA1 9aea5d855f8ef10a64b45802ee7a947b8b91015b
SHA256 9eef46badf37869df423bd22a17f1492289e6bc1be8f2bc223984578a31d58ac
SHA512 41d3f4ffa358d78dbc64557813296c201716ed63d0a9a48bb2e21ed64088e873a9f6b825f8206836e6a527042de669f37acb757a8982f71f2054557ff2833da3

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-03 04:37

Reported: 2024-06-03 04:40

Platform: win10v2004-20240508-en

Max time kernel: 141s

Max time network: 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9bd1a4281392cf3123cdf7d13d1cd460_NeikiAnalytics.exe"

Signatures

Sets file to hidden (evasion)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9bd1a4281392cf3123cdf7d13d1cd460_NeikiAnalytics.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Debug\uauhost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Debug\uauhost.exe | C:\Users\Admin\AppData\Local\Temp\9bd1a4281392cf3123cdf7d13d1cd460_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\Debug\uauhost.exe | C:\Windows\SysWOW64\attrib.exe | N/A
File created | C:\Windows\Debug\uauhost.exe | C:\Users\Admin\AppData\Local\Temp\9bd1a4281392cf3123cdf7d13d1cd460_NeikiAnalytics.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9bd1a4281392cf3123cdf7d13d1cd460_NeikiAnalytics.exe | N/A

Views/modifies file attributes (evasion)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Processes

Process | Command line
C:\Users\Admin\AppData\Local\Temp\9bd1a4281392cf3123cdf7d13d1cd460_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\9bd1a4281392cf3123cdf7d13d1cd460_NeikiAnalytics.exe"
C:\Windows\SysWOW64\attrib.exe | attrib +a +s +h +r C:\Windows\Debug\uauhost.exe
C:\Windows\Debug\uauhost.exe | C:\Windows\Debug\uauhost.exe
C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\9BD1A4~1.EXE > nul

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | mE0zKdG01.nnnn.eu.org | udp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | MrPCko7OkF.nnnn.eu.org | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | zujzO7JmnJ.nnnn.eu.org | udp
US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp
US | 8.8.8.8:53 | ZaQ9bmu1X.nnnn.eu.org | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 9G7LQZG2kF.nnnn.eu.org | udp

Files

C:\Windows\debug\uauhost.exe

MD5 bd6d65ca0955e3213a56ae1af7002ce0
SHA1 671312d201261b380b2d27e447c0ce88a20af5ee
SHA256 8eff6f904f87b2728334fd436b5c25a008b104c47926524a594721a622f40e8b
SHA512 bf93603c98d4358105b775c7008268fd08d0bc9b1277fc10be94b144f839209fd10000ccef59585014906c111e5855b64300c46f4ae144473da066400d933abf