Malware Analysis Report

2025-03-14 23:45

Sample ID 240603-gptqssea4s
Target 9de237e2d6e9ec2ee92195b6cfff5930_NeikiAnalytics.exe
SHA256 09087a8bdae10a7e889dec92c8b6f4e3b5286052bcc62580e7a2df370ef75d77
Tags persistence
Score 8/10

Analysis Overview

Score 8/10

SHA256 09087a8bdae10a7e889dec92c8b6f4e3b5286052bcc62580e7a2df370ef75d77

Threat Level: Likely malicious

The file 9de237e2d6e9ec2ee92195b6cfff5930_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

persistence

Modifies AppInit DLL entries

Executes dropped EXE

Loads dropped DLL

Drops file in Program Files directory

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-06-03 05:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 05:59

Reported

2024-06-03 06:01

Platform

win7-20240508-en

Max time kernel

117s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9de237e2d6e9ec2ee92195b6cfff5930_NeikiAnalytics.exe"

Signatures

Modifies AppInit DLL entries

persistence

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\PROGRA~3\Mozilla\gugcane.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\PROGRA~3\Mozilla\gugcane.exe N/A (3 identical entries)

Drops file in Program Files directory

Description Indicator Process Target
File created C:\PROGRA~3\Mozilla\gugcane.exe C:\Users\Admin\AppData\Local\Temp\9de237e2d6e9ec2ee92195b6cfff5930_NeikiAnalytics.exe N/A
File created C:\PROGRA~3\Mozilla\zynbtfl.dll C:\PROGRA~3\Mozilla\gugcane.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9de237e2d6e9ec2ee92195b6cfff5930_NeikiAnalytics.exe N/A
N/A N/A C:\PROGRA~3\Mozilla\gugcane.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2192 wrote to memory of 1320 N/A C:\Windows\system32\taskeng.exe C:\PROGRA~3\Mozilla\gugcane.exe (7 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\9de237e2d6e9ec2ee92195b6cfff5930_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9de237e2d6e9ec2ee92195b6cfff5930_NeikiAnalytics.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {8D904D44-71C2-4DEC-90CE-56C0B0AE467A} S-1-5-18:NT AUTHORITY\System:Service:

C:\PROGRA~3\Mozilla\gugcane.exe

C:\PROGRA~3\Mozilla\gugcane.exe -eoikpie

Network

N/A

Files

memory/2984-0-0x0000000000660000-0x00000000006BB000-memory.dmp

memory/2984-1-0x0000000000400000-0x000000000045B000-memory.dmp

memory/2984-3-0x0000000000400000-0x000000000045B000-memory.dmp

C:\PROGRA~3\Mozilla\gugcane.exe

MD5 57ff6697dd4f23e22ebdad4d737ee155
SHA1 4991556fa4257103b984d8eb83c52f5ac71433b0
SHA256 8bda39b9c740bb8185ed8a7ddc0981a7655d4f14dd578bc6f887d3c2eed7ef37
SHA512 55561b203e72e8e81cd42191e3dc71b5fa8d21280828a9fa37e7dfb89e1a3ca8bce1a7feae873dfae6a5e619189f386ae7c4427571dda5f6cbb07970b97d7da1

memory/1320-9-0x0000000000370000-0x00000000003CB000-memory.dmp

memory/1320-10-0x0000000000400000-0x000000000045B000-memory.dmp

memory/1320-12-0x0000000000400000-0x000000000045B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 05:59

Reported

2024-06-03 06:01

Platform

win10v2004-20240508-en

Max time kernel

132s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9de237e2d6e9ec2ee92195b6cfff5930_NeikiAnalytics.exe"

Signatures

Modifies AppInit DLL entries

persistence

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\PROGRA~3\Mozilla\ywswmda.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\PROGRA~3\Mozilla\ywswmda.exe C:\Users\Admin\AppData\Local\Temp\9de237e2d6e9ec2ee92195b6cfff5930_NeikiAnalytics.exe N/A
File created C:\PROGRA~3\Mozilla\dzldqrl.dll C:\PROGRA~3\Mozilla\ywswmda.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9de237e2d6e9ec2ee92195b6cfff5930_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9de237e2d6e9ec2ee92195b6cfff5930_NeikiAnalytics.exe"

C:\PROGRA~3\Mozilla\ywswmda.exe

C:\PROGRA~3\Mozilla\ywswmda.exe -zhzkoil

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 152.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp (4 identical entries)

Files

memory/216-1-0x0000000000400000-0x000000000045B000-memory.dmp

memory/216-0-0x00000000020C0000-0x000000000211B000-memory.dmp

C:\ProgramData\Mozilla\ywswmda.exe

MD5 c4aa7b511bed4611592fcff3b7465fc3
SHA1 03682e00be02e3ca4cc8904ac34575e6e2981bc7
SHA256 f9d54eb903546492e43c1bed5d2d91a31acf1ca979a0307cacfe2062b829747f
SHA512 c11144b132029766daaae651e20c4f08d5f99f230dad531ffd810b9e3fe130add932b0e846ecc173d12d6b35fe54f4df7390b19d4abc626d2f29b6cb1d4130b9

memory/2736-6-0x0000000000400000-0x000000000045B000-memory.dmp

memory/216-5-0x0000000000400000-0x000000000045B000-memory.dmp

memory/216-8-0x00000000020C0000-0x000000000211B000-memory.dmp

memory/2736-10-0x0000000000400000-0x000000000045B000-memory.dmp