Malware Analysis Report

2025-01-06 11:51

Sample ID 240603-eg92psad61
Target 9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe
SHA256 968f8af87654c5613001ae3ffaccfcd9f03842e451090374ccd30a886a405226
Tags evasion, trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256

968f8af87654c5613001ae3ffaccfcd9f03842e451090374ccd30a886a405226

Threat Level: Known bad

The file 9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion trojan

UAC bypass

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Deletes itself

Checks whether UAC is enabled

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 03:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 03:55

Reported

2024-06-03 03:58

Platform

win7-20240221-en

Max time kernel

117s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe N/A

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\rr.exe N/A
N/A N/A C:\ProgramData\playtomenu.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe N/A
N/A N/A C:\ProgramData\playtomenu.exe N/A
N/A N/A C:\ProgramData\playtomenu.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2600 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe C:\ProgramData\rr.exe
PID 2600 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe C:\ProgramData\rr.exe
PID 2600 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe C:\ProgramData\rr.exe
PID 2600 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe C:\ProgramData\rr.exe
PID 2600 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe C:\ProgramData\playtomenu.exe
PID 2600 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe C:\ProgramData\playtomenu.exe
PID 2600 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe C:\ProgramData\playtomenu.exe
PID 2600 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe C:\ProgramData\playtomenu.exe
PID 2600 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe"

C:\ProgramData\rr.exe

C:\ProgramData\rr.exe -y x -pFASJKLVFDAJKLCDSA434JKLFDS "C:\ProgramData\playtomenu.jpg" "C:\ProgramData\"

C:\ProgramData\playtomenu.exe

C:\ProgramData\playtomenu.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c delself.cmd

Network

Country Destination Domain Proto
US 8.8.8.8:53 d_1.largesder.com udp
SG 8.222.228.10:8888 d_1.largesder.com tcp
US 8.8.8.8:53 r.largesder.com udp
SG 8.222.228.10:8888 r.largesder.com tcp
US 8.8.8.8:53 playtomenu.largesder.com udp
SG 8.222.228.10:8888 playtomenu.largesder.com tcp
US 8.8.8.8:53 d3.largesder.com udp
SG 8.222.228.10:8888 d3.largesder.com tcp
SG 8.222.228.10:8888 d3.largesder.com tcp

Files

\ProgramData\rr.exe

MD5 f2ae502d448cfb81a5f40a9368d99b1a
SHA1 f849be86e9e7ced0acd51a68f92992b8090d08a5
SHA256 07ad4b984f288304003b080dd013784685181de4353a0b70a0247f96e535bd56
SHA512 9f3aea471684e22bf9fc045ca0e47a8429fa0b13c188f9c7a51937efa8afcec976761b0c4c95aed7735096fcc2278bbd86b0ab581261a6aff6c694d7bb65e9be

C:\ProgramData\playtomenu.jpg

MD5 c2348c7e8ac7e2812f7967c126918b90
SHA1 626bb46101ccf131d6981f338cd4b4edcf76ca31
SHA256 40eeb9683bfd6ce4bf7e3bd836ff9beb2838a6afbd1ab9a149d9ec9c5f5d9a8f
SHA512 74270cda47170f3f92fc1688c3fbc2c8f6ecc1b2b2c45016f00e56989d0f256eab6b354fea253e2045b56952ef665805ab51611d54a53e3bd61ac8d558eede11

C:\ProgramData\playtomenu.exe

MD5 684fdaae316e5f59baa6f69f5bc2526a
SHA1 958061cff425622da5bf931f7ffdd22a1f784763
SHA256 17f875b64eedb6ed608cca84e3d9804c947e7200c294b3ff5f91568e35a0d2e8
SHA512 7eca3352b7d4195c3f793db86ad9a98cdcbd2aff55e94cc1dccc754a8e84bf2eb9d13e991c672d08a162dbc01f9a9d7bcb873f1446147e77dbbdcecafcbd51c1

C:\Users\Admin\AppData\Local\Temp\delself.cmd

MD5 cf766626a5051d9485061fa254b45c76
SHA1 7b854c5e4ce890e7b403056bee9ac2dc017b076f
SHA256 a45dc47c56a943836dc828d40a14fb136cbc7883fd92da7f183c0b7ac06139d7
SHA512 ddee1ecb11819d76dd1bd263493ab954988b5e7e082607eb66086c0651817a1acfb99b7016a31db4094da55b6a40d3860808bfd47edb5bbca97295b899414547

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 03:55

Reported

2024-06-03 03:58

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\rr.exe N/A
N/A N/A C:\ProgramData\playtomenu.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe N/A
N/A N/A C:\ProgramData\playtomenu.exe N/A
N/A N/A C:\ProgramData\playtomenu.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe"

C:\ProgramData\rr.exe

C:\ProgramData\rr.exe -y x -pFASJKLVFDAJKLCDSA434JKLFDS "C:\ProgramData\playtomenu.jpg" "C:\ProgramData\"

C:\ProgramData\playtomenu.exe

C:\ProgramData\playtomenu.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c delself.cmd

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 d_1.largesder.com udp
SG 8.222.228.10:8888 d_1.largesder.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 r.largesder.com udp
SG 8.222.228.10:8888 r.largesder.com tcp
US 8.8.8.8:53 10.228.222.8.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 playtomenu.largesder.com udp
SG 8.222.228.10:8888 playtomenu.largesder.com tcp
US 8.8.8.8:53 d3.largesder.com udp
SG 8.222.228.10:8888 d3.largesder.com tcp
SG 8.222.228.10:8888 d3.largesder.com tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp

Files

C:\ProgramData\rr.exe

MD5 f2ae502d448cfb81a5f40a9368d99b1a
SHA1 f849be86e9e7ced0acd51a68f92992b8090d08a5
SHA256 07ad4b984f288304003b080dd013784685181de4353a0b70a0247f96e535bd56
SHA512 9f3aea471684e22bf9fc045ca0e47a8429fa0b13c188f9c7a51937efa8afcec976761b0c4c95aed7735096fcc2278bbd86b0ab581261a6aff6c694d7bb65e9be

C:\ProgramData\playtomenu.jpg

MD5 c2348c7e8ac7e2812f7967c126918b90
SHA1 626bb46101ccf131d6981f338cd4b4edcf76ca31
SHA256 40eeb9683bfd6ce4bf7e3bd836ff9beb2838a6afbd1ab9a149d9ec9c5f5d9a8f
SHA512 74270cda47170f3f92fc1688c3fbc2c8f6ecc1b2b2c45016f00e56989d0f256eab6b354fea253e2045b56952ef665805ab51611d54a53e3bd61ac8d558eede11

C:\ProgramData\playtomenu.exe

MD5 684fdaae316e5f59baa6f69f5bc2526a
SHA1 958061cff425622da5bf931f7ffdd22a1f784763
SHA256 17f875b64eedb6ed608cca84e3d9804c947e7200c294b3ff5f91568e35a0d2e8
SHA512 7eca3352b7d4195c3f793db86ad9a98cdcbd2aff55e94cc1dccc754a8e84bf2eb9d13e991c672d08a162dbc01f9a9d7bcb873f1446147e77dbbdcecafcbd51c1

C:\Users\Admin\AppData\Local\Temp\delself.cmd

MD5 cf766626a5051d9485061fa254b45c76
SHA1 7b854c5e4ce890e7b403056bee9ac2dc017b076f
SHA256 a45dc47c56a943836dc828d40a14fb136cbc7883fd92da7f183c0b7ac06139d7
SHA512 ddee1ecb11819d76dd1bd263493ab954988b5e7e082607eb66086c0651817a1acfb99b7016a31db4094da55b6a40d3860808bfd47edb5bbca97295b899414547