Malware Analysis Report

2024-11-30 07:44

Sample ID 240603-hawsaaga34
Target 9ec81615510e5ea3b68231c44b086d00_NeikiAnalytics.exe
SHA256 d1a63c4c34eed5c28c5a3d9059c7c9ac0de190bf38a2fd8b81f71fa61d8332f3
Tags
bootkit persistence spyware stealer
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

d1a63c4c34eed5c28c5a3d9059c7c9ac0de190bf38a2fd8b81f71fa61d8332f3

Threat Level: Likely malicious

The file 9ec81615510e5ea3b68231c44b086d00_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

bootkit persistence spyware stealer

Blocklisted process makes network request

Loads dropped DLL

Deletes itself

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Writes to the Master Boot Record (MBR)

Enumerates connected drives

Unsigned PE

Runs ping.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 06:32

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 06:32

Reported

2024-06-03 06:35

Platform

win7-20231129-en

Max time kernel

144s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9ec81615510e5ea3b68231c44b086d00_NeikiAnalytics.exe"

Signatures

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | \??\c:\cyjuur.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\cyjuur.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\rllcd\\hfjan.dll\",init" | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\m: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\n: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\u: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\x: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\y: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\a: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\e: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\g: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\q: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\s: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\w: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\b: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\h: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\j: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\i: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\k: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\r: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\t: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\v: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\z: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\l: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\o: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\p: | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PHYSICALDRIVE0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ec81615510e5ea3b68231c44b086d00_NeikiAnalytics.exe | N/A
N/A | N/A | \??\c:\cyjuur.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2896 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\9ec81615510e5ea3b68231c44b086d00_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\9ec81615510e5ea3b68231c44b086d00_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\9ec81615510e5ea3b68231c44b086d00_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\9ec81615510e5ea3b68231c44b086d00_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe
PID 2384 wrote to memory of 2948 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2384 wrote to memory of 2948 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2384 wrote to memory of 2948 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2384 wrote to memory of 2948 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2384 wrote to memory of 2152 | N/A | C:\Windows\SysWOW64\cmd.exe | \??\c:\cyjuur.exe
PID 2384 wrote to memory of 2152 | N/A | C:\Windows\SysWOW64\cmd.exe | \??\c:\cyjuur.exe
PID 2384 wrote to memory of 2152 | N/A | C:\Windows\SysWOW64\cmd.exe | \??\c:\cyjuur.exe
PID 2384 wrote to memory of 2152 | N/A | C:\Windows\SysWOW64\cmd.exe | \??\c:\cyjuur.exe
PID 2152 wrote to memory of 2584 | N/A | \??\c:\cyjuur.exe | \??\c:\windows\SysWOW64\rundll32.exe
PID 2152 wrote to memory of 2584 | N/A | \??\c:\cyjuur.exe | \??\c:\windows\SysWOW64\rundll32.exe
PID 2152 wrote to memory of 2584 | N/A | \??\c:\cyjuur.exe | \??\c:\windows\SysWOW64\rundll32.exe
PID 2152 wrote to memory of 2584 | N/A | \??\c:\cyjuur.exe | \??\c:\windows\SysWOW64\rundll32.exe
PID 2152 wrote to memory of 2584 | N/A | \??\c:\cyjuur.exe | \??\c:\windows\SysWOW64\rundll32.exe
PID 2152 wrote to memory of 2584 | N/A | \??\c:\cyjuur.exe | \??\c:\windows\SysWOW64\rundll32.exe
PID 2152 wrote to memory of 2584 | N/A | \??\c:\cyjuur.exe | \??\c:\windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9ec81615510e5ea3b68231c44b086d00_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9ec81615510e5ea3b68231c44b086d00_NeikiAnalytics.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&c:\cyjuur.exe "C:\Users\Admin\AppData\Local\Temp\9ec81615510e5ea3b68231c44b086d00_NeikiAnalytics.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

\??\c:\cyjuur.exe

c:\cyjuur.exe "C:\Users\Admin\AppData\Local\Temp\9ec81615510e5ea3b68231c44b086d00_NeikiAnalytics.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\rllcd\hfjan.dll",init c:\cyjuur.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | krnaver.com | udp
US | 107.163.241.232:12354 | | tcp
US | 107.163.241.232:12354 | | tcp
US | 8.8.8.8:53 | krnaver.com | udp
US | 107.163.241.232:12354 | | tcp
US | 8.8.8.8:53 | krnaver.com | udp
US | 107.163.241.232:12354 | | tcp
US | 8.8.8.8:53 | krnaver.com | udp
US | 8.8.8.8:53 | krnaver.com | udp
US | 8.8.8.8:53 | krnaver.com | udp
US | 8.8.8.8:53 | krnaver.com | udp
US | 8.8.8.8:53 | krnaver.com | udp
US | 8.8.8.8:53 | krnaver.com | udp
US | 8.8.8.8:53 | krnaver.com | udp
US | 8.8.8.8:53 | krnaver.com | udp
US | 8.8.8.8:53 | krnaver.com | udp

Files

memory/2896-0-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2896-1-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2896-3-0x0000000000400000-0x0000000000425000-memory.dmp

\??\c:\cyjuur.exe

MD5 d6185cb22fff27ceb888282093b8faae
SHA1 1f78b9515c5840e1899b0b5018787bebb360af3c
SHA256 809740a45a2ba79cdabc8a6cd8f47d1c8a810ac4ff1163e74a4c70b8adfb0115
SHA512 2c101f455dbb84d3140fa694d27fcdd5f88107281e4680daecd0e58e06b24171e20cbc6b22f0764bbae2556f38e73ba18f84f3d087b24280be98ba9fe6f8110d

memory/2384-7-0x0000000000260000-0x0000000000285000-memory.dmp

memory/2384-6-0x0000000000260000-0x0000000000285000-memory.dmp

memory/2152-8-0x00000000002F0000-0x00000000002F1000-memory.dmp

memory/2152-10-0x0000000000400000-0x0000000000425000-memory.dmp

\??\c:\rllcd\hfjan.dll

MD5 36e3fb5964d663272cf1169e1e1ca478
SHA1 58115e08b49505bcbbb5c88a28a86222ba18d5d4
SHA256 c7c41689de030df0f78f471422fa2a6383b36e77c94e7f6f124a96feb3e27ed7
SHA512 daff53b11aa400437a06287707a334a09661c1ef7d0fd8beaf1a874c79c16fe45bd1188343d0623e839d3ead5ea2dd90896e37ccf3b252c7220c74989a9ba442

memory/2584-16-0x0000000010000000-0x000000001002E000-memory.dmp

memory/2584-17-0x0000000010000000-0x000000001002E000-memory.dmp

memory/2584-18-0x0000000010000000-0x000000001002E000-memory.dmp

memory/2584-20-0x0000000010021000-0x0000000010022000-memory.dmp

memory/2584-19-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/2584-21-0x0000000010000000-0x000000001002E000-memory.dmp

memory/2584-22-0x0000000010000000-0x000000001002E000-memory.dmp

memory/2584-23-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/2584-24-0x0000000010021000-0x0000000010022000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 06:32

Reported

2024-06-03 06:35

Platform

win10v2004-20240426-en

Max time kernel

146s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9ec81615510e5ea3b68231c44b086d00_NeikiAnalytics.exe"

Signatures

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | \??\c:\bkfkw.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\bkfkw.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\vnynt\\fhuqy.dll\",init" | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\g: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\l: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\m: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\o: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\q: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\t: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\v: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\b: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\x: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\w: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\j: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\k: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\n: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\p: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\s: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\y: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\i: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\e: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\h: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\r: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\u: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\z: | \??\c:\windows\SysWOW64\rundll32.exe | N/A
File opened (read-only) | \??\a: | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PHYSICALDRIVE0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ec81615510e5ea3b68231c44b086d00_NeikiAnalytics.exe | N/A
N/A | N/A | \??\c:\bkfkw.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9ec81615510e5ea3b68231c44b086d00_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9ec81615510e5ea3b68231c44b086d00_NeikiAnalytics.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&c:\bkfkw.exe "C:\Users\Admin\AppData\Local\Temp\9ec81615510e5ea3b68231c44b086d00_NeikiAnalytics.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

\??\c:\bkfkw.exe

c:\bkfkw.exe "C:\Users\Admin\AppData\Local\Temp\9ec81615510e5ea3b68231c44b086d00_NeikiAnalytics.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\vnynt\fhuqy.dll",init c:\bkfkw.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | krnaver.com | udp
US | 107.163.241.232:12354 | | tcp
US | 107.163.241.232:12354 | | tcp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | krnaver.com | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | krnaver.com | udp
US | 107.163.241.232:12354 | | tcp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | krnaver.com | udp
US | 8.8.8.8:53 | krnaver.com | udp
US | 8.8.8.8:53 | krnaver.com | udp
US | 8.8.8.8:53 | krnaver.com | udp
US | 8.8.8.8:53 | krnaver.com | udp
US | 8.8.8.8:53 | krnaver.com | udp
US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | krnaver.com | udp
US | 8.8.8.8:53 | krnaver.com | udp
US | 8.8.8.8:53 | krnaver.com | udp
US | 8.8.8.8:53 | krnaver.com | udp
US | 8.8.8.8:53 | krnaver.com | udp
US | 8.8.8.8:53 | krnaver.com | udp

Files

memory/652-0-0x0000000000400000-0x0000000000425000-memory.dmp

memory/652-1-0x00000000005D0000-0x00000000005D1000-memory.dmp

memory/652-3-0x0000000000400000-0x0000000000425000-memory.dmp

C:\bkfkw.exe

MD5 6ad006a1b713b98560e24d4c3656d889
SHA1 8019a04bef9afb0465c36c926c30bf7f7d88d700
SHA256 3d9ffdd0b3ffe8ba98ff36c4cdab235428ce3327097ea8ecb2f2979eab9b4903
SHA512 943cfcaf06d082cd672bbca3363bb186f6b9bb4cd75214292a4f7fb4a37c78b5f60fd3e8d7e6970a05ab5228a341cbbea78a142c78ae93db238d42a2f2dba20a

memory/1608-7-0x0000000000400000-0x0000000000425000-memory.dmp

memory/1608-8-0x0000000000830000-0x0000000000831000-memory.dmp

memory/1608-10-0x0000000000400000-0x0000000000425000-memory.dmp

C:\vnynt\fhuqy.dll

MD5 36e3fb5964d663272cf1169e1e1ca478
SHA1 58115e08b49505bcbbb5c88a28a86222ba18d5d4
SHA256 c7c41689de030df0f78f471422fa2a6383b36e77c94e7f6f124a96feb3e27ed7
SHA512 daff53b11aa400437a06287707a334a09661c1ef7d0fd8beaf1a874c79c16fe45bd1188343d0623e839d3ead5ea2dd90896e37ccf3b252c7220c74989a9ba442

memory/1588-15-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

memory/1588-14-0x0000000010000000-0x000000001002E000-memory.dmp

memory/1588-13-0x0000000010000000-0x000000001002E000-memory.dmp

memory/1588-16-0x0000000010000000-0x000000001002E000-memory.dmp

memory/1588-17-0x0000000000BE0000-0x0000000000BE1000-memory.dmp