Malware Analysis Report

2025-01-06 11:35

Sample ID 240603-ewtm9sba7y
Target 9b46ef30e6b0757d06e41b7624a3f110_NeikiAnalytics.exe
SHA256 b1732e9daf87b96d9bb6bca957e8004bd6be4f118711b170e17a3822a88a2106
Tags evasion
Score 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

b1732e9daf87b96d9bb6bca957e8004bd6be4f118711b170e17a3822a88a2106

Threat Level: Likely malicious

The file 9b46ef30e6b0757d06e41b7624a3f110_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

evasion

Sets file to hidden

Deletes itself

Executes dropped EXE

Checks computer location settings

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Views/modifies file attributes

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 04:17

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 04:17

Reported

2024-06-03 04:20

Platform

win7-20240221-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9b46ef30e6b0757d06e41b7624a3f110_NeikiAnalytics.exe"

Signatures

Sets file to hidden

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Debug\jaohost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Debug\jaohost.exe | C:\Users\Admin\AppData\Local\Temp\9b46ef30e6b0757d06e41b7624a3f110_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\Debug\jaohost.exe | C:\Users\Admin\AppData\Local\Temp\9b46ef30e6b0757d06e41b7624a3f110_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\Debug\jaohost.exe | C:\Windows\SysWOW64\attrib.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9b46ef30e6b0757d06e41b7624a3f110_NeikiAnalytics.exe | N/A

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9b46ef30e6b0757d06e41b7624a3f110_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9b46ef30e6b0757d06e41b7624a3f110_NeikiAnalytics.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +a +s +h +r C:\Windows\Debug\jaohost.exe

C:\Windows\Debug\jaohost.exe

C:\Windows\Debug\jaohost.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\9B46EF~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.baidu.com udp
CN 183.240.99.24:80 www.baidu.com tcp
US 8.8.8.8:53 dUamp5TiFZ.nnnn.eu.org udp
US 8.8.8.8:53 DHy63TKzn.nnnn.eu.org udp
US 8.8.8.8:53 nqS9rXwSjV.nnnn.eu.org udp
US 8.8.8.8:53 N29K8VQaTj.nnnn.eu.org udp
US 8.8.8.8:53 0ZT7Gn6y0n.nnnn.eu.org udp

Files

memory/2776-0-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\Debug\jaohost.exe

MD5 b3b40f8e6b4c84bfb42a77e2eea55358
SHA1 73ce13626ab9c89f31778c6b13d92fedf73e0f5c
SHA256 0bf2f062116a35042ced131600c91ca842e10532e63e27680cbbdbc0acac2b98
SHA512 428fdd270fc3bfa1e43687f3cbec427b61f01a2c382dc8751fede27da6030a8afdb9b90d0d458474e4ac06114448c245be037d97a9dc0e14c161183b41e6ad50

memory/2000-5-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2776-6-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2000-7-0x0000000000400000-0x0000000000411000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 04:17

Reported

2024-06-03 04:20

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9b46ef30e6b0757d06e41b7624a3f110_NeikiAnalytics.exe"

Signatures

Sets file to hidden

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9b46ef30e6b0757d06e41b7624a3f110_NeikiAnalytics.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Debug\aiyhost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Debug\aiyhost.exe | C:\Windows\SysWOW64\attrib.exe | N/A
File created | C:\Windows\Debug\aiyhost.exe | C:\Users\Admin\AppData\Local\Temp\9b46ef30e6b0757d06e41b7624a3f110_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\Debug\aiyhost.exe | C:\Users\Admin\AppData\Local\Temp\9b46ef30e6b0757d06e41b7624a3f110_NeikiAnalytics.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9b46ef30e6b0757d06e41b7624a3f110_NeikiAnalytics.exe | N/A

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9b46ef30e6b0757d06e41b7624a3f110_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9b46ef30e6b0757d06e41b7624a3f110_NeikiAnalytics.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +a +s +h +r C:\Windows\Debug\aiyhost.exe

C:\Windows\Debug\aiyhost.exe

C:\Windows\Debug\aiyhost.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\9B46EF~1.EXE > nul
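Both detonations show the same four-step chain: the sample writes a copy to C:\Windows\Debug\, hides it with attrib +a +s +h +r, runs the hidden copy, and has a cmd.exe child delete the original via its 8.3 short name (9B46EF~1.EXE). The Python below is added here as an example and is not part of the sandbox report; it runs a detection over the command lines copied from the two Processes listings above (constructed input) and flags each step of the chain. The listing has no parent-PID column, so the logic keys only on command-line content and order, and the regex names, finding labels and the "first command line is the sample" convention are the example's own assumptions.

```python
import re

# Process command lines from the two detonations above (behavioral1 dropped
# jaohost.exe, behavioral2 dropped aiyhost.exe). Constructed input for this
# example; the sandbox listing is flat, so no parent/child links are used.
BEHAVIORAL1 = [
    r'"C:\Users\Admin\AppData\Local\Temp\9b46ef30e6b0757d06e41b7624a3f110_NeikiAnalytics.exe"',
    r'attrib +a +s +h +r C:\Windows\Debug\jaohost.exe',
    r'C:\Windows\Debug\jaohost.exe',
    r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\9B46EF~1.EXE > nul',
]
BEHAVIORAL2 = [
    r'"C:\Users\Admin\AppData\Local\Temp\9b46ef30e6b0757d06e41b7624a3f110_NeikiAnalytics.exe"',
    r'attrib +a +s +h +r C:\Windows\Debug\aiyhost.exe',
    r'C:\Windows\Debug\aiyhost.exe',
    r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\9B46EF~1.EXE > nul',
]

# attrib [+|-]flag ... <path>; the optional leading directory also absorbs a
# fully qualified "C:\Windows\SysWOW64\attrib.exe" invocation.
ATTRIB_RE = re.compile(
    r'^\s*"?(?:[A-Za-z]:\\[^"\s]*\\)?attrib(?:\.exe)?"?\s+'
    r'(?P<flags>(?:[+-][ashr]\s+)+)(?P<path>.+?)\s*$', re.I)
# cmd /c del <path>: self-deletion is delegated to a cmd child so the file
# is no longer locked by the running image when del executes.
DEL_RE = re.compile(r'cmd(?:\.exe)?"?\s+/c\s+del\s+(?P<path>\S+)', re.I)


def image_path(cmdline):
    """Lower-cased executable path at the start of a command line."""
    s = cmdline.strip()
    exe = s.split('"')[1] if s.startswith('"') else s.split()[0]
    return exe.strip('"').lower()


def split_path(path):
    """(directory, basename) of a Windows path, both lower-cased."""
    d, _, b = path.lower().rpartition('\\')
    return d, b


def in_windows_dir(path):
    return path.lower().startswith('c:\\windows\\')


def analyze(cmdlines):
    """Flag the drop -> hide -> execute -> self-delete chain.

    Returns (finding, path) tuples in command-line order. The first entry of
    cmdlines is taken to be the submitted sample (example convention).
    """
    findings = []
    hidden = set()
    sample_dir, sample_name = split_path(image_path(cmdlines[0]))
    for line in cmdlines:
        m = ATTRIB_RE.match(line)
        if m:
            flags = set(m['flags'].lower().split())
            path = m['path'].strip().strip('"').lower()
            # +h/+s on a file under C:\Windows hides a dropped payload from
            # default Explorer and dir listings (ATT&CK T1564.001 behaviour).
            if flags & {'+h', '+s'} and in_windows_dir(path):
                hidden.add(path)
                findings.append(('hide_in_windows_dir', path))
            continue
        m = DEL_RE.search(line)
        if m:
            target = m['path'].strip('"').lower()
            tdir, tname = split_path(target)
            # del of a file in the sample's own directory, either by its long
            # name or an 8.3 short name such as 9B46EF~1.EXE (T1070.004).
            if tdir == sample_dir and ('~' in tname or tname == sample_name):
                findings.append(('self_delete', target))
            continue
        exe = image_path(line)
        if exe in hidden:
            # The hidden copy is launched after attrib ran on it.
            findings.append(('exec_hidden_drop', exe))
    return findings


if __name__ == '__main__':
    for name, run in (('behavioral1', BEHAVIORAL1), ('behavioral2', BEHAVIORAL2)):
        print(name)
        for finding, path in analyze(run):
            print(f'  {finding:22} {path}')
```

On real telemetry (Sysmon event 1 or EDR process-creation logs) the same three checks gain precision when the parent PID is available: the attrib and cmd children should descend from the sample, and the hidden copy should be launched by it. The 8.3 short-name match is deliberately loose, since a sandbox listing does not expose the long name the short name maps to.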

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 www.baidu.com udp
CN 183.240.99.24:80 www.baidu.com tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 TvDyF5Oqp3.nnnn.eu.org udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 6xXltN4lsb.nnnn.eu.org udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 gdiwerXscp.nnnn.eu.org udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 GJP8vp1UL3.nnnn.eu.org udp
US 8.8.8.8:53 q06JhJUcZl.nnnn.eu.org udp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp
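The two Network tables mix three kinds of traffic: a lookup and TCP connection to www.baidu.com, a series of lookups for unique random-looking labels under nnnn.eu.org with no TCP follow-up in the table, and, only on the win10v2004 image, reverse (in-addr.arpa) lookups and Bing traffic. The Python below is an added example and is not part of the report. It triages a constructed subset of the rows from both tables: it sets aside suffixes that appear only in the Windows 10 run as image background noise, groups the remaining lookups by parent domain, and flags a parent whose leftmost labels are mostly high-entropy, mixed-class strings. The noise suffix list and the "random label" thresholds are assumptions made for this example.

```python
import math
from collections import Counter, defaultdict

# Constructed subset of the (destination, domain, proto) rows from the two
# Network tables above; the Country column is dropped.
NETWORK = [
    ('8.8.8.8:53', 'www.baidu.com', 'udp'),
    ('183.240.99.24:80', 'www.baidu.com', 'tcp'),
    ('8.8.8.8:53', 'dUamp5TiFZ.nnnn.eu.org', 'udp'),
    ('8.8.8.8:53', 'DHy63TKzn.nnnn.eu.org', 'udp'),
    ('8.8.8.8:53', 'nqS9rXwSjV.nnnn.eu.org', 'udp'),
    ('8.8.8.8:53', 'N29K8VQaTj.nnnn.eu.org', 'udp'),
    ('8.8.8.8:53', '0ZT7Gn6y0n.nnnn.eu.org', 'udp'),
    ('8.8.8.8:53', '28.118.140.52.in-addr.arpa', 'udp'),
    ('8.8.8.8:53', 'TvDyF5Oqp3.nnnn.eu.org', 'udp'),
    ('8.8.8.8:53', 'gdiwerXscp.nnnn.eu.org', 'udp'),
    ('8.8.8.8:53', 'tse1.mm.bing.net', 'udp'),
    ('204.79.197.200:443', 'tse1.mm.bing.net', 'tcp'),
]

# Suffixes seen only in the win10v2004 run and never in the win7 run, so they
# are attributed to the image's own background activity (example assumption).
NOISE_SUFFIXES = ('.in-addr.arpa', '.bing.net')


def shannon_entropy(s):
    """Bits per character of the string's empirical character distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def label_looks_random(label):
    """Heuristic for machine-generated labels: 8..12 chars, at least two of
    {digits, upper, lower}, entropy >= 2.5 bits/char (example thresholds)."""
    classes = sum((any(ch.isdigit() for ch in label),
                   any(ch.isupper() for ch in label),
                   any(ch.islower() for ch in label)))
    return 8 <= len(label) <= 12 and classes >= 2 and shannon_entropy(label) >= 2.5


def parent_domain(host):
    """Everything after the leftmost label ('nnnn.eu.org' for 'x.nnnn.eu.org')."""
    return host.split('.', 1)[1] if '.' in host else host


def triage(rows):
    """Classify each parent domain.

    Returns ({parent: (category, sorted labels, sorted tcp destinations)},
             sorted background-noise hosts).
    """
    noise, labels, tcp_dst = set(), defaultdict(set), defaultdict(set)
    for dst, host, proto in rows:
        if host.endswith(NOISE_SUFFIXES):
            noise.add(host)
            continue
        parent = parent_domain(host)
        labels[parent].add(host.split('.', 1)[0])
        if proto == 'tcp':
            tcp_dst[parent].add(dst)
    verdicts = {}
    for parent, labs in labels.items():
        random_share = sum(map(label_looks_random, labs)) / len(labs)
        if len(labs) >= 3 and random_share >= 0.8:
            # Many unique throwaway names under one parent (here with no TCP
            # follow-up in the table): DGA-style or fast-rotating C2 naming.
            category = 'random-subdomains'
        elif tcp_dst[parent]:
            category = 'connected'
        else:
            category = 'resolved-only'
        verdicts[parent] = (category, sorted(labs), sorted(tcp_dst[parent]))
    return verdicts, sorted(noise)


if __name__ == '__main__':
    verdicts, noise = triage(NETWORK)
    for parent, (category, labs, dsts) in verdicts.items():
        print(f'{parent:16} {category:18} labels={len(labs)} tcp={dsts}')
    print('background noise:', noise)
```

The www.baidu.com connection is the only non-noise TCP session in either run; a single plain-HTTP request to a high-availability site is commonly a reachability check, but the report itself does not establish what the sample did with the response. The nnnn.eu.org labels are the actionable indicator: the parent domain is the IOC worth blocking or alerting on, since the leftmost label changes on every query.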

Files

memory/876-0-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\Debug\aiyhost.exe

MD5 2a73084cc95bbc1a7ce3f152a600f5a8
SHA1 80952dd564734204fc63f7fb9518bc4a791507a6
SHA256 4f23a498377d82c8abed2d3d41e38a65a6ed97e7e4570433399f3ca7f042222c
SHA512 99548a7e40ad0f8f44236a9e3e3883661e2764750121939e68b6b0010f44bba0512194a8613ab4e8091e556ccf2c273bd95d9f6efff41f3f049b06c36c44a937

memory/4456-5-0x0000000000400000-0x0000000000411000-memory.dmp

memory/876-6-0x0000000000400000-0x0000000000411000-memory.dmp

memory/4456-7-0x0000000000400000-0x0000000000411000-memory.dmp