Malware Analysis Report

2025-01-17 22:51

Sample ID 240603-p7qe4afb8w
Target a43d5c91b70baf3666a86c91ff0673a0_NeikiAnalytics.exe
SHA256 f425c0e4f5fc046e276dfb8bae7b7e471652764168f070607496eed884e37952
Tags
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

f425c0e4f5fc046e276dfb8bae7b7e471652764168f070607496eed884e37952

Threat Level: Shows suspicious behavior

The file a43d5c91b70baf3666a86c91ff0673a0_NeikiAnalytics.exe was classified as showing suspicious behavior (score 7/10): it is an unsigned PE that drops and executes a second executable (codecupdater.exe) and contacts external hosts, but no family tag is attached to the sample.

Malicious Activity Summary


Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 12:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 12:58

Reported

2024-06-03 13:01

Platform

win7-20240508-en

Max time kernel

132s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a43d5c91b70baf3666a86c91ff0673a0_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\codecupdater.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a43d5c91b70baf3666a86c91ff0673a0_NeikiAnalytics.exe N/A

Enumerates physical storage devices
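The "Executes dropped EXE" and "Loads dropped DLL" signatures are a correlation, not a single event: a file written during the trace is later launched as a process (or mapped as a module) in the same trace. The following is an added example of that correlation written for this page; it is not the sandbox's own detector. The event records are constructed to mirror the behavioral1 process tree, the PIDs 2424 and 2936 are taken from the memory-dump names in the Files section, and the timestamps and parent/child attribution are assumptions rather than values read from the sandbox's logs.

```python
"""Correlation logic behind the 'Executes dropped EXE' and 'Loads dropped
DLL' signatures: a file is flagged when it is written during the trace and
later executed (process launch) or mapped (image load) in the same trace.

Added example, not the sandbox's own detector. The events below are
constructed to mirror the behavioral1 process tree; PIDs 2424 and 2936 come
from the memory-dump names, the timestamps and parent/child attribution are
assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float      # seconds since detonation start (constructed)
    kind: str      # "file_create", "process_create" or "image_load"
    pid: int       # acting process
    image: str     # acting process image path
    target: str    # file written, image launched, or module mapped


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a43d5c91b70baf3666a86c91ff0673a0_NeikiAnalytics.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\codecupdater.exe"
CACHE = r"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MNCIS1YI\pdf[1].htm"

# Constructed trace: the sample writes codecupdater.exe and launches it; a
# cached HTML page is written later but never executed, so it must not fire.
EVENTS = [
    Event(0.5, "file_create", 2424, SAMPLE, DROPPED),
    # NTFS paths are case-insensitive; the launch deliberately uses other casing.
    Event(0.8, "process_create", 2424, SAMPLE, DROPPED.upper()),
    Event(3.0, "file_create", 2936, DROPPED, CACHE),
]


def find_dropped_executions(events):
    """Return one hit per execution/load of a file written earlier in the trace.

    Events are sorted by timestamp first so an out-of-order log still
    correlates; paths are lower-cased because Windows compares them
    case-insensitively.
    """
    written = {}  # normalised path -> (writer pid, writer image)
    hits = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = ev.target.lower()
        if ev.kind == "file_create":
            written[key] = (ev.pid, ev.image)
        elif ev.kind in ("process_create", "image_load") and key in written:
            writer_pid, writer_image = written[key]
            hits.append({
                "signature": "Executes dropped EXE" if ev.kind == "process_create"
                             else "Loads dropped DLL",
                "dropped": ev.target,
                "dropper": writer_image,
                "dropper_pid": writer_pid,
                "user": ev.image,
                "ts": ev.ts,
            })
    return hits


if __name__ == "__main__":
    for hit in find_dropped_executions(EVENTS):
        print(hit)
```

The same `written` map serves both signatures: a `process_create` of a previously written path is "Executes dropped EXE", an `image_load` of one is "Loads dropped DLL". The report names the DLL-loading process (the sample itself) but not the DLL, so no image-load event is constructed here.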

Processes

C:\Users\Admin\AppData\Local\Temp\a43d5c91b70baf3666a86c91ff0673a0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a43d5c91b70baf3666a86c91ff0673a0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\codecupdater.exe

"C:\Users\Admin\AppData\Local\Temp\codecupdater.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pakmailbarrie.com udp
CA 65.39.133.140:80 pakmailbarrie.com tcp
CA 65.39.133.140:80 pakmailbarrie.com tcp
US 8.8.8.8:53 amy-escort.com udp
US 104.21.93.8:80 amy-escort.com tcp
US 104.21.93.8:443 amy-escort.com tcp
US 8.8.8.8:53 www.amy-escort.com udp
US 188.114.96.2:80 www.amy-escort.com tcp
US 188.114.96.2:443 www.amy-escort.com tcp
CA 65.39.133.140:80 pakmailbarrie.com tcp
CA 65.39.133.140:80 pakmailbarrie.com tcp
US 188.114.96.2:443 www.amy-escort.com tcp
CA 65.39.133.140:80 pakmailbarrie.com tcp
CA 65.39.133.140:80 pakmailbarrie.com tcp

Files

memory/2424-1-0x0000000000401000-0x0000000000402000-memory.dmp

\Users\Admin\AppData\Local\Temp\codecupdater.exe

MD5 f51db72f9bdab50ce46872171934662e
SHA1 6efbb51326cdb3e23424f823e6757d24f7aa39e0
SHA256 dba8adc1854432c0176f009c002c1ceb998671368335beed6a4f7d3b580da336
SHA512 0350c1e68b519e85577607b21fc59a20e9a8daeb755aa9bbccbf8af6b6f3bd4dfdf96b66fc5c2265709219d0d388c27ee97547a9277076780e7b78c5d0d33c01

memory/2936-8-0x0000000000400000-0x0000000000407000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MNCIS1YI\pdf[1].htm

MD5 0104c301c5e02bd6148b8703d19b3a73
SHA1 7436e0b4b1f8c222c38069890b75fa2baf9ca620
SHA256 446a6087825fa73eadb045e5a2e9e2adf7df241b571228187728191d961dda1f
SHA512 84427b656a6234a651a6d8285c103645b861a18a6c5af4abb5cb4f3beb5a4f0df4a74603a0896c7608790fbb886dc40508e92d5709f44dca05dd46c8316d15bf

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 12:58

Reported

2024-06-03 13:01

Platform

win10v2004-20240508-en

Max time kernel

131s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a43d5c91b70baf3666a86c91ff0673a0_NeikiAnalytics.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a43d5c91b70baf3666a86c91ff0673a0_NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\codecupdater.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\a43d5c91b70baf3666a86c91ff0673a0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a43d5c91b70baf3666a86c91ff0673a0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\codecupdater.exe

"C:\Users\Admin\AppData\Local\Temp\codecupdater.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 pakmailbarrie.com udp
CA 65.39.133.140:80 pakmailbarrie.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 99.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
CA 65.39.133.140:80 pakmailbarrie.com tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 amy-escort.com udp
US 104.21.93.8:80 amy-escort.com tcp
US 104.21.93.8:443 amy-escort.com tcp
US 8.8.8.8:53 www.amy-escort.com udp
US 104.21.93.8:80 www.amy-escort.com tcp
US 8.8.8.8:53 8.93.21.104.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 104.21.93.8:443 www.amy-escort.com tcp
CA 65.39.133.140:80 pakmailbarrie.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
CA 65.39.133.140:80 pakmailbarrie.com tcp
US 104.21.93.8:443 www.amy-escort.com tcp
CA 65.39.133.140:80 pakmailbarrie.com tcp
US 8.8.8.8:53 152.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
CA 65.39.133.140:80 pakmailbarrie.com tcp
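The behavioral2 table mixes the sample's own contacts with sandbox plumbing (every lookup goes to the 8.8.8.8 resolver, followed by reverse-DNS PTR queries for each IP seen) and Windows background traffic to Bing. Note also that www.amy-escort.com resolved to 188.114.96.2 in behavioral1 and to 104.21.93.8 in behavioral2, so the domain is the stable indicator, not the address. The script below is an added example, not part of the report or the sandbox's tooling: it parses rows in the table's layout into a deduplicated indicator list with per-endpoint flow counts. The noise rules (resolver, PTR queries, `.bing.com`/`.bing.net` suffixes) are the editor's assumptions about what is benign, not a determination made by the report, and the input is a constructed subset of the rows above.

```python
"""Turn the flattened 'Country Destination Domain Proto' table into a
deduplicated indicator list and separate candidate C2 contacts from
sandbox background traffic.

Added example, not part of the report or the sandbox's tooling. The noise
rules (8.8.8.8 resolver, reverse-DNS PTR queries, Bing background traffic)
are assumptions about what is benign, not a finding of the report.
"""
from collections import defaultdict

# Constructed input: a subset of rows copied from the behavioral2 table.
REPORT_ROWS = """\
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 pakmailbarrie.com udp
CA 65.39.133.140:80 pakmailbarrie.com tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.99:443 www.bing.com tcp
CA 65.39.133.140:80 pakmailbarrie.com tcp
US 8.8.8.8:53 amy-escort.com udp
US 104.21.93.8:80 amy-escort.com tcp
US 104.21.93.8:443 amy-escort.com tcp
US 8.8.8.8:53 www.amy-escort.com udp
US 104.21.93.8:80 www.amy-escort.com tcp
US 104.21.93.8:443 www.amy-escort.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
"""

RESOLVER = ("8.8.8.8", 53)
# Assumption: Bing/Microsoft endpoints are Windows background traffic, not the sample's.
BENIGN_SUFFIXES = (".bing.com", ".bing.net")


def parse_rows(text):
    """Parse 'country ip:port domain proto' lines; skip anything malformed."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        if not port.isdigit():
            continue
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_noise(row):
    """Rows that describe the sandbox's DNS plumbing or OS background traffic."""
    if (row["ip"], row["port"]) == RESOLVER:
        return True                      # the query; the answering flow row is kept
    if row["domain"].endswith(".in-addr.arpa"):
        return True                      # PTR lookups of already-seen IPs
    return row["domain"].endswith(BENIGN_SUFFIXES)


def extract_indicators(text):
    """Map each non-noise domain to {'ip:port': flow count}.

    Repeated flows to one endpoint collapse into a count, which is what you
    want to look at when judging whether a host is being polled.
    """
    out = defaultdict(lambda: defaultdict(int))
    for row in parse_rows(text):
        if not is_noise(row):
            out[row["domain"]][f"{row['ip']}:{row['port']}"] += 1
    return {d: dict(v) for d, v in out.items()}


if __name__ == "__main__":
    for domain, endpoints in extract_indicators(REPORT_ROWS).items():
        print(domain, endpoints)
```

One caveat on the resolver rule: it drops the DNS query rows and relies on the later TCP flow to carry the domain, so a domain that was queried but never connected to (a dead or sinkholed C2, for instance) would vanish from the output; keep the query rows if that case matters to you.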

Files

memory/3012-1-0x0000000000401000-0x0000000000402000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\codecupdater.exe

MD5 f51db72f9bdab50ce46872171934662e
SHA1 6efbb51326cdb3e23424f823e6757d24f7aa39e0
SHA256 dba8adc1854432c0176f009c002c1ceb998671368335beed6a4f7d3b580da336
SHA512 0350c1e68b519e85577607b21fc59a20e9a8daeb755aa9bbccbf8af6b6f3bd4dfdf96b66fc5c2265709219d0d388c27ee97547a9277076780e7b78c5d0d33c01

memory/3596-9-0x0000000000400000-0x0000000000407000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DKWDYRX8\pdf[1].htm

MD5 0104c301c5e02bd6148b8703d19b3a73
SHA1 7436e0b4b1f8c222c38069890b75fa2baf9ca620
SHA256 446a6087825fa73eadb045e5a2e9e2adf7df241b571228187728191d961dda1f
SHA512 84427b656a6234a651a6d8285c103645b861a18a6c5af4abb5cb4f3beb5a4f0df4a74603a0896c7608790fbb886dc40508e92d5709f44dca05dd46c8316d15bf