Malware Analysis Report

Report generated: 2025-01-17 22:52

Sample ID: 240603-p7wbcagf64
Target: a43fcd31cc238453e8426e6ba17d5e70_NeikiAnalytics.exe
SHA256: c235a5577336ade8de1fed549eadbb46533c5c20d9ac627391fe805f106c1a9a
Tags: (none)
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256: c235a5577336ade8de1fed549eadbb46533c5c20d9ac627391fe805f106c1a9a

Threat Level: Shows suspicious behavior

The file a43fcd31cc238453e8426e6ba17d5e70_NeikiAnalytics.exe was classified as "Shows suspicious behavior" (score 7/10). No malware family is attributed in this report.

Both detonations show the same chain. The unsigned executable writes a Visual Basic source file and a .cmdline response file into a random-named folder under %TEMP%, launches vbc.exe on that response file (vbc.exe in turn runs cvtres.exe, which is the compiler's normal resource-conversion step and not a separate payload), and then executes the freshly compiled tmp*.tmp.exe with the original sample's path as its only argument. The "Deletes itself" signature fires on that dropped helper, so the helper is what removes the original. The file layout (*.cmdline, *.0.vb, RES*.tmp, vbc*.TMP) matches what the .NET CodeDOM compiler wrapper produces when a program compiles code at run time. Because the helper is built on the victim machine, its hash is a weak indicator: it differs between the two runs (81cb995d... on Windows 7, 4771ed63... on Windows 10), and the generated .vb source differs between runs as well. The behaviour, not the dropped file's hash, is the detection handle.

Malicious Activity Summary

Deletes itself (fires on the dropped tmp*.tmp.exe, which is started with the original sample's path as its argument and removes it)
Executes dropped EXE (tmp3229.tmp.exe on Windows 7, tmp50E0.tmp.exe on Windows 10, both under %TEMP%)
Uses the VBS compiler for execution (vbc.exe, the Visual Basic .NET command-line compiler, not the VBScript engine; invoked with /noconfig and a @*.cmdline response file under %TEMP%)
Checks computer location settings (queries Control Panel\International\Geo\Nation under the user's registry hive; observed in behavioral2 only)
Loads dropped DLL (observed in behavioral1 only)
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory (the sample writes into the child processes it creates, vbc.exe and tmp*.tmp.exe; vbc.exe likewise writes into its cvtres.exe child)
Suspicious use of AdjustPrivilegeToken (the sample enables SeDebugPrivilege)

MITRE ATT&CK (Enterprise Matrix V15): no technique mappings are included in this export.

Analysis: static1

Detonation Overview

Reported: 2024-06-03 12:58

Signatures

Unsigned PE (no Description, Indicator, Process or Target details are attached to this signature)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-03 12:58
Reported: 2024-06-03 13:01
Platform: win7-20240221-en
Max time kernel: 120s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a43fcd31cc238453e8426e6ba17d5e70_NeikiAnalytics.exe"

Signatures

Deletes itself
  Process: C:\Users\Admin\AppData\Local\Temp\tmp3229.tmp.exe

Executes dropped EXE
  Process: C:\Users\Admin\AppData\Local\Temp\tmp3229.tmp.exe

Loads dropped DLL
  Process: C:\Users\Admin\AppData\Local\Temp\a43fcd31cc238453e8426e6ba17d5e70_NeikiAnalytics.exe

Uses the VBS compiler for execution

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken
  Token: SeDebugPrivilege
  Process: C:\Users\Admin\AppData\Local\Temp\a43fcd31cc238453e8426e6ba17d5e70_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory (identical repeated events are collapsed; the count is given per line)
  PID 1928 (C:\Users\Admin\AppData\Local\Temp\a43fcd31cc238453e8426e6ba17d5e70_NeikiAnalytics.exe) wrote to memory of PID 2160 (C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe): 4 events
  PID 2160 (C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe) wrote to memory of PID 2652 (C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe): 4 events
  PID 1928 (C:\Users\Admin\AppData\Local\Temp\a43fcd31cc238453e8426e6ba17d5e70_NeikiAnalytics.exe) wrote to memory of PID 2548 (C:\Users\Admin\AppData\Local\Temp\tmp3229.tmp.exe): 4 events

Processes (PIDs taken from the WriteProcessMemory events above; indentation shows the parent/child relationship)

PID 1928  C:\Users\Admin\AppData\Local\Temp\a43fcd31cc238453e8426e6ba17d5e70_NeikiAnalytics.exe
          "C:\Users\Admin\AppData\Local\Temp\a43fcd31cc238453e8426e6ba17d5e70_NeikiAnalytics.exe"

  PID 2160  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qdddnrzx\qdddnrzx.cmdline"

    PID 2652  C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES341B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc739313995254E66B6F7CF81F13F1C5.TMP"

  PID 2548  C:\Users\Admin\AppData\Local\Temp\tmp3229.tmp.exe
            "C:\Users\Admin\AppData\Local\Temp\tmp3229.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a43fcd31cc238453e8426e6ba17d5e70_NeikiAnalytics.exe
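The process chain above (and the identical one in behavioral2, with PIDs 1720, 1948, 4460 and 2708) is what a detection should key on rather than the hash of the compiled helper. The following Python is an added example and not part of this report or of any sandbox product: it flags the two stages of the chain in process-creation telemetry. The event shape (pid, ppid, image, cmdline) is an assumption modelled on Sysmon Event ID 1 / EDR process-creation records; the sample events are constructed from the behavioral1 process list (PIDs and command lines copied from the report), with an assumed explorer.exe parent and an assumed benign MSBuild-driven vbc.exe pair as a control. The EXPECTED_COMPILER_PARENTS allow-list is likewise an assumption to tune per fleet.

```python
"""Flag the runtime-compile + self-delete chain from this report in process telemetry."""
import ntpath
import re

# Compilers the .NET Framework ships in every Windows install.
NET_COMPILERS = {"vbc.exe", "csc.exe"}
# Parents that legitimately drive those compilers. Assumption: tune per fleet.
EXPECTED_COMPILER_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a43fcd31cc238453e8426e6ba17d5e70_NeikiAnalytics.exe"
FX = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed events: PIDs and command lines from the report's behavioral1 run;
# the explorer.exe parent and the msbuild/vbc control pair are assumptions.
EVENTS = [
    {"pid": 1000, "ppid": 800, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 1928, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2160, "ppid": 1928, "image": rf"{FX}\vbc.exe",
     "cmdline": rf'"{FX}\vbc.exe" /noconfig @"{TEMP}\qdddnrzx\qdddnrzx.cmdline"'},
    {"pid": 2652, "ppid": 2160, "image": rf"{FX}\cvtres.exe",
     "cmdline": rf'{FX}\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:{TEMP}\RES341B.tmp" '
                rf'"{TEMP}\vbc739313995254E66B6F7CF81F13F1C5.TMP"'},
    {"pid": 2548, "ppid": 1928, "image": rf"{TEMP}\tmp3229.tmp.exe",
     "cmdline": rf'"{TEMP}\tmp3229.tmp.exe" {SAMPLE}'},
    # Benign control (assumed): a normal build driving vbc.exe from MSBuild.
    {"pid": 3000, "ppid": 1000, "image": r"C:\Program Files\MSBuild\msbuild.exe",
     "cmdline": "msbuild.exe app.vbproj"},
    {"pid": 3001, "ppid": 3000, "image": rf"{FX}\vbc.exe",
     "cmdline": rf'"{FX}\vbc.exe" /noconfig @"C:\src\app\obj\Debug\app.cmdline"'},
]


def split_windows_args(cmdline):
    """Split a Windows command line on whitespace, keeping quoted spans intact."""
    return [t.replace('"', "") for t in re.findall(r'(?:[^\s"]+|"[^"]*")+', cmdline)]


def base(path):
    return ntpath.basename(path).lower()


def in_temp(path):
    """Heuristic (assumption): anything under the user's %TEMP% is untrusted."""
    return "\\appdata\\local\\temp\\" in path.lower()


def response_file(args):
    """Return the path of the @response file handed to the compiler, if any."""
    return next((a[1:] for a in args[1:] if a.startswith("@")), None)


def detect(events):
    """Return one finding per process that matches a stage of the chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        parent_name = base(parent["image"]) if parent else None
        args = split_windows_args(e["cmdline"])
        # Stage 1: a .NET compiler driven by something other than build tooling,
        # or fed a response file that lives in %TEMP% (vbc.exe @...\qdddnrzx.cmdline).
        if base(e["image"]) in NET_COMPILERS:
            rsp = response_file(args)
            if parent_name not in EXPECTED_COMPILER_PARENTS or (rsp and in_temp(rsp)):
                findings.append({"rule": "runtime_compile_from_untrusted_parent",
                                 "pid": e["pid"], "parent": parent_name, "response_file": rsp})
        # Stage 2: a dropped EXE in %TEMP% started with its parent's own path as an
        # argument (tmp3229.tmp.exe <sample>), the self-delete helper pattern.
        if parent and in_temp(e["image"]) and any(a.lower() == parent["image"].lower() for a in args[1:]):
            findings.append({"rule": "dropped_exe_given_parent_path",
                             "pid": e["pid"], "parent": parent_name, "target": parent["image"]})
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Run against the constructed events this reports PID 2160 (vbc.exe launched by the sample with a response file in %TEMP%) and PID 2548 (tmp3229.tmp.exe handed the sample's path), and stays silent on PID 2652: cvtres.exe under vbc.exe is the compiler's own child, so it is deliberately not treated as a separate indicator. The MSBuild-driven vbc.exe control is not flagged either, which is the point of the parent allow-list.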

Network

No network activity was recorded in this run.

Files

memory/1928-0-0x000000007479E000-0x000000007479F000-memory.dmp

memory/1928-1-0x00000000013E0000-0x00000000013EA000-memory.dmp

memory/1928-7-0x0000000074790000-0x0000000074E7E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qdddnrzx\qdddnrzx.cmdline

MD5 988ae29ca0116210e1a483b2d5e3e5cc
SHA1 bfdc351e8539d62513ebb11e4a2bac671b1e3373
SHA256 61dd7216b7b7d23571a18395a29ea9ed924bade69441ccb4fc21a3cac72b602c
SHA512 60156cb0a43e4722f97c5ed97fc2ba89b52be26668355d39bb121e571d7bcf4c78a50fdc39c45bde3b16164f2e5acf3ca636368025173b2573c331008dd3f500

C:\Users\Admin\AppData\Local\Temp\qdddnrzx\qdddnrzx.0.vb

MD5 021fe420534bbf97e3d780bf9f9f6ab5
SHA1 a9be3d88e95e23e220e62b7bb82dd9839ee3f143
SHA256 ad488028d85d772587054b26f5a0f6ce4d8adf56ab0e194b6b979685e2c8cb53
SHA512 ccd5b06c5fe99c9e91737797f6bc528ef45964936c3b27f683f47c3d8a7c23ca3d14c4d6f565d8691b78505eb2ec42bf75381dc9ec6827a2119fb809e112c862

C:\Users\Admin\AppData\Local\Temp\RE.resources

MD5 12f93dbf0ba2262acdf828655ae77d94
SHA1 0ae33357bb626d0d8bd016b00a94053b70e108cf
SHA256 871f96772ed2dfb47c814144cb4f9a4308ea17ecfc4e7ad179fbe4f26015fe7e
SHA512 5a08cce813af88a2c36ecc8dd85b0a7adcaa3991d7f021b2ac244fe7b0232c4dbe0f58cda5d6160607e8eba387351609b63ca5cb6a2a04bb41f150ace9bc9359

C:\Users\Admin\AppData\Local\Temp\vbc739313995254E66B6F7CF81F13F1C5.TMP

MD5 6876687a9772a0a3d0675e1ff5b7e16a
SHA1 2529b712a1e2740b3483d3467f265f3efb825283
SHA256 388cd4df6981c7d435c122242277dce4b3ef3467696954f9aecdd4830768c973
SHA512 1c2c4cb2a5e813a100c1676c6053ec22ffedf8bb4f7fc8574834f1f3510b21eb72662e59cbfcc1d9f89c5f5f4c57c0d277de2fe4b4eefab0492001fe8bee1a2f

C:\Users\Admin\AppData\Local\Temp\RES341B.tmp

MD5 945ae69a7a3dda8cd409df73d7044c27
SHA1 fcd3016d3bab5119c8288a563b038171f8aed46c
SHA256 06e21b52aba50711b746d849d3007b1ee144606fa5221780b5b7c6b750b46ac6
SHA512 8169deb0a8e100b6fa327745511ee1840b5b219481123b6790f875512280e87877dc1e207f13bc28d4f5b24d50f28906b172803475688f53f63ce655ffae7b9a

C:\Users\Admin\AppData\Local\Temp\tmp3229.tmp.exe

MD5 77d79b3c7dd4229fd0c84cf2fdfd02c9
SHA1 4245718af9272b507eeb0d900aecb868e81b27d2
SHA256 81cb995d8cb98c64a0585169329d4fd2e1faa7ed5301575e50b302da679dbcec
SHA512 5f53bef7963030f3a737519293ea92273baa4bb9bb4de5c4c009697b5c638850391671a52f3c7ca8ff27488eeaa29505ef5703aaab623b4a18ce5c56fed96950

memory/2548-23-0x0000000001290000-0x000000000129A000-memory.dmp

memory/1928-24-0x0000000074790000-0x0000000074E7E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-03 12:58
Reported: 2024-06-03 13:01
Platform: win10v2004-20240508-en
Max time kernel: 134s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a43fcd31cc238453e8426e6ba17d5e70_NeikiAnalytics.exe"

Signatures

Checks computer location settings
  Key value queried: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation
  Process: C:\Users\Admin\AppData\Local\Temp\a43fcd31cc238453e8426e6ba17d5e70_NeikiAnalytics.exe

Deletes itself
  Process: C:\Users\Admin\AppData\Local\Temp\tmp50E0.tmp.exe

Executes dropped EXE
  Process: C:\Users\Admin\AppData\Local\Temp\tmp50E0.tmp.exe

Uses the VBS compiler for execution

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken
  Token: SeDebugPrivilege
  Process: C:\Users\Admin\AppData\Local\Temp\a43fcd31cc238453e8426e6ba17d5e70_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory (identical repeated events are collapsed; the count is given per line)
  PID 1720 (C:\Users\Admin\AppData\Local\Temp\a43fcd31cc238453e8426e6ba17d5e70_NeikiAnalytics.exe) wrote to memory of PID 1948 (C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe): 3 events
  PID 1948 (C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe) wrote to memory of PID 4460 (C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe): 3 events
  PID 1720 (C:\Users\Admin\AppData\Local\Temp\a43fcd31cc238453e8426e6ba17d5e70_NeikiAnalytics.exe) wrote to memory of PID 2708 (C:\Users\Admin\AppData\Local\Temp\tmp50E0.tmp.exe): 3 events

Processes (PIDs taken from the WriteProcessMemory events above; indentation shows the parent/child relationship)

PID 1720  C:\Users\Admin\AppData\Local\Temp\a43fcd31cc238453e8426e6ba17d5e70_NeikiAnalytics.exe
          "C:\Users\Admin\AppData\Local\Temp\a43fcd31cc238453e8426e6ba17d5e70_NeikiAnalytics.exe"

  PID 1948  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\occ5l33x\occ5l33x.cmdline"

    PID 4460  C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5302.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDFCFAE3FD9A74A62851539F1BAE94054.TMP"

  PID 2708  C:\Users\Admin\AppData\Local\Temp\tmp50E0.tmp.exe
            "C:\Users\Admin\AppData\Local\Temp\tmp50E0.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a43fcd31cc238453e8426e6ba17d5e70_NeikiAnalytics.exe

Network

Country  Destination          Domain                            Proto
US       8.8.8.8:53           8.8.8.8.in-addr.arpa              udp
US       8.8.8.8:53           217.106.137.52.in-addr.arpa       udp
US       8.8.8.8:53           152.107.17.2.in-addr.arpa         udp
US       8.8.8.8:53           67.31.126.40.in-addr.arpa         udp
NL       23.62.61.113:443     www.bing.com                      tcp
US       8.8.8.8:53           113.61.62.23.in-addr.arpa         udp
US       8.8.8.8:53           97.17.167.52.in-addr.arpa         udp
US       8.8.8.8:53           26.165.165.52.in-addr.arpa        udp
US       8.8.8.8:53           206.23.85.13.in-addr.arpa         udp
US       8.8.8.8:53           172.210.232.199.in-addr.arpa      udp
US       8.8.8.8:53           43.58.199.20.in-addr.arpa         udp
US       8.8.8.8:53           13.227.111.52.in-addr.arpa        udp
US       8.8.8.8:53           tse1.mm.bing.net                  udp
US       204.79.197.200:443   tse1.mm.bing.net                  tcp
US       204.79.197.200:443   tse1.mm.bing.net                  tcp
US       8.8.8.8:53           205.47.74.20.in-addr.arpa         udp

The report does not attribute any of these connections to a process. The Windows 7 run produced no network activity at all, and the only hosts contacted here are www.bing.com and tse1.mm.bing.net plus reverse-DNS (in-addr.arpa) lookups against 8.8.8.8, which is consistent with the background traffic of a Windows 10 image rather than with sample command-and-control. Treat none of it as an indicator for this sample without per-process attribution.

Files

memory/1720-0-0x000000007532E000-0x000000007532F000-memory.dmp

memory/1720-1-0x0000000000E90000-0x0000000000E9A000-memory.dmp

memory/1720-2-0x0000000005790000-0x000000000582C000-memory.dmp

memory/1720-8-0x0000000075320000-0x0000000075AD0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\occ5l33x\occ5l33x.cmdline

MD5 47094d8fa8311313799a6ed209b319a4
SHA1 af3d838f965c1ee09da45d2e52f9defb5668a2c2
SHA256 3865cf7c8c947dcea0e213d01de46c1cce0fcdbf60167b0cd82d09f59902eb3d
SHA512 e621b7a8df74d760138bc202ba92cf220a51def0cfbe7ec3a7cbf7273389748f9eaf36c479487a2f678c08f796bbf91538db6c6feb03ec46a42cd64c62f3fc69

C:\Users\Admin\AppData\Local\Temp\occ5l33x\occ5l33x.0.vb

MD5 e9e452dac05288a03b4d825bd8358b3b
SHA1 fb02036de7051bb8991541eac6a8a9534f13992a
SHA256 993ecd32dc9ae43011ed16fe6c066aca6460934f4941e176ac7abebefc4de5e8
SHA512 7da9684bfc40da5b367be86fc2de1433b3a3206f6348961686f3d465c67efacc20271a66ae8f3d99909ffedb46623f58b1ac89b65c27d56c4bc97212dac355cb

C:\Users\Admin\AppData\Local\Temp\RE.resources

MD5 cb9fb49395f8f4153d804005077dc8c5
SHA1 c600f38927ec576a604eb92a79ef1382c5fe4667
SHA256 ece7d7b7aabcfce7b353df45a792d8660c973c36e32b9337b4baecc4ced33784
SHA512 90701c663f54a9e85b3888e7e6a555a70532b177b868175ef20970600d1286a0aa6b7ec1fc8ddb9e453d0a6ca0dca966fa80b4ce0862c6ea758705097f2cbcd6

C:\Users\Admin\AppData\Local\Temp\vbcDFCFAE3FD9A74A62851539F1BAE94054.TMP

MD5 7aaf3125a30b95d7258ed4d159e7cd71
SHA1 9c96a5702973473e313b3a619d6cfd50f165da04
SHA256 93c0e683369da5d7a850848fe2af19c058d4f940cc36f7b1ed2c099ea3ea174d
SHA512 a607cdade50de83846de7928ccb730c977cbd49c09b110ad083a6297110e4fd3baa6f6d10272394e88bb543fdd552f9b9097b65a05c93fc6fa04dd799606e85b

C:\Users\Admin\AppData\Local\Temp\RES5302.tmp

MD5 9050efaf18e4063af3f9cad41069c308
SHA1 c75a623f97021963e38580e840351b2c3273dbb3
SHA256 a84e216d1fd444a81852e547a478498a37f88a52c5ccd3e46645987d37a5d315
SHA512 247ed14a5a12eeb0d3b0821854f9932584dbc88185e337a4ee72b54ad87ef834ac32cb9af965a2ea169c347664dd9c96c5bd09da5c23bab5602ec1b584322f15

C:\Users\Admin\AppData\Local\Temp\tmp50E0.tmp.exe

MD5 cd8296a4fe457e8f3129856a0bb078b3
SHA1 bcdf4eafa38bb01bd712adf3170f959ed4e31632
SHA256 4771ed637b73d93d971bfbce0dadc5ad867ed60f1f22b617ab666e5fee871634
SHA512 3cfa4c7ea097d5166bb34dab1d6f4f13775f87279772115a2eeedbecf4946b7cf63a8440dd10482f7d7b3dc3e00b68e1823ba615ec063feb087f3f3763c25f0a

memory/1720-24-0x0000000075320000-0x0000000075AD0000-memory.dmp

memory/2708-25-0x0000000075320000-0x0000000075AD0000-memory.dmp

memory/2708-26-0x00000000004B0000-0x00000000004BA000-memory.dmp

memory/2708-27-0x00000000053D0000-0x0000000005974000-memory.dmp

memory/2708-28-0x0000000004E20000-0x0000000004EB2000-memory.dmp

memory/2708-30-0x0000000075320000-0x0000000075AD0000-memory.dmp