Malware Analysis Report

2025-03-14 23:46

Sample ID: 240603-gap43aee63
Target: 9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe
SHA256: d68796d07542a1557857fc528f63754241225db49d1197c5a5bf32ff649525e2
Tags: persistence
Score: 6/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 6/10

SHA256: d68796d07542a1557857fc528f63754241225db49d1197c5a5bf32ff649525e2

Threat Level: Shows suspicious behavior

The file 9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe shows suspicious behavior. Neither detonation recorded a child process or any network activity attributable to the sample; the score rests on the persistence and file-drop signatures below.

Malicious Activity Summary

persistence

Adds Run key to start application: three values (GGAAAG_LOADER, FifefoxUpdater, WinSevenUpdater) written to the HKLM Run key, pointing at C:\Windows\system32\GAAG.exe, C:\Windows\system32\FifefoxUpdater.scr and C:\Windows\system32\AVSCANNER.EXE. Both runs recorded the writes under the Wow6432Node view of the key and the dropped files under C:\Windows\SysWOW64\, which is consistent with a 32-bit image running under WOW64 (the memory dumps also show a 0x400000 image base). The Run values name the native System32 directory, where no file creation was recorded, so a hunt should check both the native and the Wow6432Node Run keys and both System32 and SysWOW64.

Drops file in System32 directory: GAAG.exe, FifefoxUpdater.scr and AVSCANNER.EXE created under C:\Windows\SysWOW64\. Only AVSCANNER.EXE was hashed in the Files section of each run, and its SHA256 differs between the win7 and win10 detonations, so hashes of the dropped files are not stable indicators; the Run value names and file names were identical in both runs.

Unsigned PE: the sample carries no Authenticode signature (static1).

MITRE ATT&CK

Enterprise Matrix V15

Persistence: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001), from the "Adds Run key to start application" signature observed in both behavioral runs.

Analysis: static1

Detonation Overview

Reported

2024-06-03 05:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 05:36

Reported

2024-06-03 05:38

Platform

win7-20240220-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\GGAAAG_LOADER = "C:\\Windows\\system32\\GAAG.exe" C:\Users\Admin\AppData\Local\Temp\9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FifefoxUpdater = "C:\\Windows\\system32\\FifefoxUpdater.scr" C:\Users\Admin\AppData\Local\Temp\9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinSevenUpdater = "C:\\Windows\\system32\\AVSCANNER.EXE" C:\Users\Admin\AppData\Local\Temp\9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\AVSCANNER.EXE C:\Users\Admin\AppData\Local\Temp\9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\GAAG.exe C:\Users\Admin\AppData\Local\Temp\9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\GAAG.exe C:\Users\Admin\AppData\Local\Temp\9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\FifefoxUpdater.scr C:\Users\Admin\AppData\Local\Temp\9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\FifefoxUpdater.scr C:\Users\Admin\AppData\Local\Temp\9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\AVSCANNER.EXE C:\Users\Admin\AppData\Local\Temp\9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe"

Network

N/A

Files

memory/2292-0-0x0000000000400000-0x000000000044C000-memory.dmp

C:\Windows\SysWOW64\AVSCANNER.EXE

MD5 892caf6af305b40b051ed82ed28dccb6
SHA1 d9179d5accea45fd1bb58fec0e90e4a1be220f7b
SHA256 88af08bb6aa15e598b4108f3e73629215dbf353c90dd5e7ecb6b87a0768c88ce
SHA512 2310cae0cecf7b83c286e68465c5c9bc5ba9908b6db4c94d87a83499eed01497a9158a8d80c5ef67e4bd96e40ceaf6c57646a6a68702dc47f476ab5cbb1c0d10

memory/2292-7-0x0000000000400000-0x000000000044C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 05:36

Reported

2024-06-03 05:38

Platform

win10v2004-20240508-en

Max time kernel

130s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FifefoxUpdater = "C:\\Windows\\system32\\FifefoxUpdater.scr" C:\Users\Admin\AppData\Local\Temp\9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinSevenUpdater = "C:\\Windows\\system32\\AVSCANNER.EXE" C:\Users\Admin\AppData\Local\Temp\9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GGAAAG_LOADER = "C:\\Windows\\system32\\GAAG.exe" C:\Users\Admin\AppData\Local\Temp\9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\GAAG.exe C:\Users\Admin\AppData\Local\Temp\9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\FifefoxUpdater.scr C:\Users\Admin\AppData\Local\Temp\9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\FifefoxUpdater.scr C:\Users\Admin\AppData\Local\Temp\9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\AVSCANNER.EXE C:\Users\Admin\AppData\Local\Temp\9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\AVSCANNER.EXE C:\Users\Admin\AppData\Local\Temp\9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\GAAG.exe C:\Users\Admin\AppData\Local\Temp\9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe N/A
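
The persistence rows recorded in behavioral1 and behavioral2 above, parsed into hunt artefacts. This is an added example and is not part of the sandbox report or of the sample; the row strings are copied from the two signature tables in this report (with the process column filled from the sample path), while the regexes, the function names and the WOW64 file-system redirection rule (system32 written by a 32-bit process lands in SysWOW64, which the "File created" rows confirm for all three files) are the example's own.

```python
"""Added example: turn the flattened persistence rows of this report into hunt artefacts.

It parses the 'Adds Run key to start application' and 'Drops file in System32
directory' rows as they appear in the behavioral1/behavioral2 tables and resolves
the WOW64 redirection between the path in each Run value and the file on disk.
"""
import re
from dataclasses import dataclass

# Process column shared by every row (the sample's own path from the report).
SAMPLE = r'C:\Users\Admin\AppData\Local\Temp\9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe'

# Constructed input: rows copied from the behavioral1 (win7) and behavioral2 (win10)
# signature tables, with the process column filled from SAMPLE. Note the
# Wow6432Node / WOW6432Node case difference between the two runs.
BEHAVIORAL1_ROWS = [
    rf'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\GGAAAG_LOADER = "C:\\Windows\\system32\\GAAG.exe" {SAMPLE} N/A',
    rf'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FifefoxUpdater = "C:\\Windows\\system32\\FifefoxUpdater.scr" {SAMPLE} N/A',
    rf'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinSevenUpdater = "C:\\Windows\\system32\\AVSCANNER.EXE" {SAMPLE} N/A',
    rf'File opened for modification C:\Windows\SysWOW64\AVSCANNER.EXE {SAMPLE} N/A',
    rf'File created C:\Windows\SysWOW64\GAAG.exe {SAMPLE} N/A',
    rf'File created C:\Windows\SysWOW64\FifefoxUpdater.scr {SAMPLE} N/A',
    rf'File created C:\Windows\SysWOW64\AVSCANNER.EXE {SAMPLE} N/A',
]
BEHAVIORAL2_ROWS = [
    rf'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FifefoxUpdater = "C:\\Windows\\system32\\FifefoxUpdater.scr" {SAMPLE} N/A',
    rf'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinSevenUpdater = "C:\\Windows\\system32\\AVSCANNER.EXE" {SAMPLE} N/A',
    rf'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GGAAAG_LOADER = "C:\\Windows\\system32\\GAAG.exe" {SAMPLE} N/A',
    rf'File opened for modification C:\Windows\SysWOW64\GAAG.exe {SAMPLE} N/A',
    rf'File created C:\Windows\SysWOW64\FifefoxUpdater.scr {SAMPLE} N/A',
    rf'File created C:\Windows\SysWOW64\AVSCANNER.EXE {SAMPLE} N/A',
    rf'File created C:\Windows\SysWOW64\GAAG.exe {SAMPLE} N/A',
]

# Row shapes used by the report: "Set value (str) <key>\<name> = "<data>" <process> <target>"
# and "File created|opened for modification <path> <process> <target>".
RUN_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\(?P<hive>MACHINE|USER)\\\S+?)\\(?P<name>[^\\\s]+) = "(?P<image>[^"]+)"'
)
DROP_RE = re.compile(r'^File (?P<op>created|opened for modification) (?P<path>\S+) ')
HIVES = {'MACHINE': 'HKLM', 'USER': 'HKU'}
NATIVE_SYS32 = 'c:\\windows\\system32\\'


@dataclass(frozen=True)
class RunValue:
    key: str            # key as the sandbox recorded it, e.g. HKLM\SOFTWARE\Wow6432Node\...\Run
    name: str           # Run value name
    image: str          # path the value points to, as written by the sample
    wow64_writer: bool  # True when the write landed in the Wow6432Node view (32-bit writer)
    on_disk: str        # where that image path resolves for the 32-bit writer


def resolve_wow64(path: str, wow64_writer: bool) -> str:
    """A 32-bit process on 64-bit Windows that writes to C:\\Windows\\system32\\ is
    redirected to C:\\Windows\\SysWOW64\\ (WOW64 file-system redirection); a native
    64-bit writer is not."""
    if wow64_writer and path.lower().startswith(NATIVE_SYS32):
        return 'C:\\Windows\\SysWOW64\\' + path[len(NATIVE_SYS32):]
    return path


def parse_run_values(rows):
    """Extract Run-key persistence entries from 'Set value (str)' rows."""
    values = []
    for row in rows:
        m = RUN_RE.match(row)
        if not m:
            continue
        image = m['image'].replace('\\\\', '\\')   # the report escapes backslashes in value data
        wow64 = 'wow6432node' in m['key'].lower()   # case differs between the two runs
        key = HIVES[m['hive']] + '\\' + m['key'].split('\\', 3)[3]
        values.append(RunValue(key, m['name'], image, wow64, resolve_wow64(image, wow64)))
    return values


def parse_created_files(rows):
    """Paths from 'File created' rows; 'opened for modification' rows are ignored."""
    return {m['path'] for row in rows if (m := DROP_RE.match(row)) and m['op'] == 'created'}


def correlate(run_values, created):
    """For each Run value: was the file it points to (after redirection) actually dropped?"""
    created_lower = {p.lower() for p in created}
    return {rv.name: rv.on_disk.lower() in created_lower for rv in run_values}


def hunt_artifacts(run_values):
    """Registry keys (both views) and file paths (both directories) to check on a live host."""
    keys, paths = set(), set()
    for rv in run_values:
        keys.add(rv.key)
        keys.add(re.sub(r'\\Wow6432Node', '', rv.key, flags=re.I))  # native view of the same key
        paths.update({rv.image, rv.on_disk})
    return sorted(keys), sorted(paths)


if __name__ == '__main__':
    for label, rows in (('behavioral1', BEHAVIORAL1_ROWS), ('behavioral2', BEHAVIORAL2_ROWS)):
        values = parse_run_values(rows)
        print(label, correlate(values, parse_created_files(rows)))
    print(*hunt_artifacts(parse_run_values(BEHAVIORAL1_ROWS)), sep='\n')
```

For both detonations every Run value correlates with a file created under SysWOW64, and the value names are identical across runs, which is why `hunt_artifacts` keys on names and paths rather than on the dropped-file hashes (the AVSCANNER.EXE hash differs between the two runs). The returned key list contains both the Wow6432Node and the native Run key, and the path list both the system32 path as written and its SysWOW64 counterpart, so a responder checks every location the sample could have touched rather than only the one the report happened to record.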

Processes

C:\Users\Admin\AppData\Local\Temp\9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe"

Network

No connection in this table is attributed to the sample process: the table carries no process column, and the win7 detonation (behavioral1) recorded no network activity at all. The PTR lookups through 8.8.8.8 and the TLS connections to www.bing.com and tse1.mm.bing.net are consistent with Windows 10 background activity in the sandbox rather than command-and-control by the sample, and should not be used as indicators without a process-level capture.

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp

Files

memory/1908-0-0x0000000000400000-0x000000000044C000-memory.dmp

C:\Windows\SysWOW64\AVSCANNER.EXE

MD5 13920c618f161ebb63df9d145b8dedda
SHA1 61c38853ef0fed4bf50464a8f185748f8de8c24d
SHA256 b4cb47e89d4bbf70efdc7864e0fa2ac73955dd13fc992e9a5282049fa37a50b2
SHA512 54a5ad8f2538bc7bb1168e1bb075a8d7db8091beee1786876a8da79c533c6c36dcbc4b7c8b6952904a95eca6ecc2cfb99894eaad239ea2bf9b70536e7114ce26

memory/1908-7-0x0000000000400000-0x000000000044C000-memory.dmp