Malware Analysis Report

2025-01-17 23:31

Sample ID 240603-qmk6bahb93
Target a4d0eda23c7b6acc7fcf8ba979165830_NeikiAnalytics.exe
SHA256 7588a5b4ccf4e454aa50a1d764481465cfca04690a6ea700bcecda6caa327348
Tags
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

7588a5b4ccf4e454aa50a1d764481465cfca04690a6ea700bcecda6caa327348

Threat Level: Shows suspicious behavior

The file a4d0eda23c7b6acc7fcf8ba979165830_NeikiAnalytics.exe was found to show suspicious behavior.

Malicious Activity Summary

Deletes itself

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Uses the VBS compiler for execution

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 13:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 13:22

Reported

2024-06-03 13:25

Platform

win7-20240221-en

Max time kernel

122s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4d0eda23c7b6acc7fcf8ba979165830_NeikiAnalytics.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp7254.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp7254.tmp.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4d0eda23c7b6acc7fcf8ba979165830_NeikiAnalytics.exe N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a4d0eda23c7b6acc7fcf8ba979165830_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1736 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\a4d0eda23c7b6acc7fcf8ba979165830_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1736 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\a4d0eda23c7b6acc7fcf8ba979165830_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1736 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\a4d0eda23c7b6acc7fcf8ba979165830_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1736 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\a4d0eda23c7b6acc7fcf8ba979165830_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2056 wrote to memory of 2700 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2056 wrote to memory of 2700 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2056 wrote to memory of 2700 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2056 wrote to memory of 2700 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1736 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\a4d0eda23c7b6acc7fcf8ba979165830_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\tmp7254.tmp.exe
PID 1736 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\a4d0eda23c7b6acc7fcf8ba979165830_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\tmp7254.tmp.exe
PID 1736 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\a4d0eda23c7b6acc7fcf8ba979165830_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\tmp7254.tmp.exe
PID 1736 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\a4d0eda23c7b6acc7fcf8ba979165830_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\tmp7254.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a4d0eda23c7b6acc7fcf8ba979165830_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a4d0eda23c7b6acc7fcf8ba979165830_NeikiAnalytics.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wtesqxee\wtesqxee.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES76A6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8C1658149CA4481A761F2254671D8C8.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp7254.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp7254.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a4d0eda23c7b6acc7fcf8ba979165830_NeikiAnalytics.exe

Network

N/A

Files

memory/1736-0-0x000000007433E000-0x000000007433F000-memory.dmp

memory/1736-1-0x0000000000160000-0x000000000016A000-memory.dmp

memory/1736-6-0x0000000074330000-0x0000000074A1E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wtesqxee\wtesqxee.cmdline

MD5 ef5f796b7be26d384bfbd9d3d21026e7
SHA1 8e241737f5ee63740ca9d9d66fae46d94e963177
SHA256 f6e78963e73084cc14076e2a6865f35f8f68f917eeab4f75d3d468830b96a309
SHA512 f07b1113770398180f73e5ccfa934447d98de93ac0eb21089774dec15a50d270cbe9cdfb92c5940ee3977ddefdfa8b05d5542e44cbceafec2e1b16c2c21cdea9

C:\Users\Admin\AppData\Local\Temp\wtesqxee\wtesqxee.0.vb

MD5 ccd4726eb58d4b7d479c384aa3eb69a1
SHA1 8f95813ec606dca9dbd573bf44e114181c360e98
SHA256 271f0f021141744db49ec0073ebd375b851170c93908939d50ddce7a983000e1
SHA512 bb00fb6ef9b3d82813b3307abca14dafcc4ffd0a39bf56eb2ccc68c54da5f70671ab7ff12574bc488adc9ec0051940433ffbc61dbf39a7eeeff35ca17eec53c1

C:\Users\Admin\AppData\Local\Temp\RE.resources

MD5 43cb0f3017d066ec7100a45da78cad61
SHA1 3129146fc29e42580707b556930a61700fe6c918
SHA256 4eab416aa14c7c7dc840fb41e14ce67e028ac4a82118c7f537a8fe098aa8e47b
SHA512 c888b6dca519f4eed40d791c7d44f788d7b49d9445ee2ea5fe337d762a3dbc20a7fa6359c319a7ac8580a7085051771561430d602931de96febca3047e749978

C:\Users\Admin\AppData\Local\Temp\vbc8C1658149CA4481A761F2254671D8C8.TMP

MD5 7c4055ba21bc0c60ee5ea549e27156b3
SHA1 5c014b7a712500358fa204852adc66d4aada3f87
SHA256 5cf36b9d4fca277d0bb7da8dbf76d09acfa6788746ed3cc83696e2d93f98f7c8
SHA512 38eec2b850cf603ac16887c3af314c89f25698741134622ab40a8d77f9faa3850c0a98f5ea66f903bfc3401524c5624924ebf1f08194b29ac9819734063a987b

C:\Users\Admin\AppData\Local\Temp\RES76A6.tmp

MD5 21a24d9fef6fa67173f831b8d95c5dc2
SHA1 dd383e8d942353e5daa3b1deee1a1d26cbcf0892
SHA256 0d4213d0fe5377cfc66933918f601f179b943ed0432879be1490eb8992f2fb8e
SHA512 1ddeb44e1fdf5e7ee8f3076d11bbe3f809625f1061097bc8601b1641ff529655fc52a24da5f7e17f433af74781de7c8c62976304498fd6597fd8ded84e5b92b2

C:\Users\Admin\AppData\Local\Temp\tmp7254.tmp.exe

MD5 8fa70e5ebefcc2166bb6f704733ed607
SHA1 fb7fc30cb74edfc6525c98719031c913a520c0b1
SHA256 1dffb7b6da297ccb1515a3f4bb3b4a568df960d6d158445e546532420df500d9
SHA512 dac46c50dbfb15c6b2462cb51dfc430fc49c6610576ac79e3b0861cce194ab4bca05cae104203962816ba9bb77f39bd9d736130fd075586b466f75761ea5472b

memory/2532-23-0x0000000000E50000-0x0000000000E5A000-memory.dmp

memory/1736-24-0x0000000074330000-0x0000000074A1E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 13:22

Reported

2024-06-03 13:25

Platform

win10v2004-20240508-en

Max time kernel

134s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4d0eda23c7b6acc7fcf8ba979165830_NeikiAnalytics.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a4d0eda23c7b6acc7fcf8ba979165830_NeikiAnalytics.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp4344.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp4344.tmp.exe N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a4d0eda23c7b6acc7fcf8ba979165830_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 528 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\a4d0eda23c7b6acc7fcf8ba979165830_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 528 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\a4d0eda23c7b6acc7fcf8ba979165830_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 528 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\a4d0eda23c7b6acc7fcf8ba979165830_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2204 wrote to memory of 4396 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2204 wrote to memory of 4396 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2204 wrote to memory of 4396 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 528 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\a4d0eda23c7b6acc7fcf8ba979165830_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\tmp4344.tmp.exe
PID 528 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\a4d0eda23c7b6acc7fcf8ba979165830_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\tmp4344.tmp.exe
PID 528 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\a4d0eda23c7b6acc7fcf8ba979165830_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\tmp4344.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a4d0eda23c7b6acc7fcf8ba979165830_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a4d0eda23c7b6acc7fcf8ba979165830_NeikiAnalytics.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ja3pm4t4\ja3pm4t4.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4508.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF83B0BD96F14588BD185946401DB70.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp4344.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp4344.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a4d0eda23c7b6acc7fcf8ba979165830_NeikiAnalytics.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp

Files

memory/528-0-0x0000000074CBE000-0x0000000074CBF000-memory.dmp

memory/528-1-0x0000000000570000-0x000000000057A000-memory.dmp

memory/528-2-0x0000000004ED0000-0x0000000004F6C000-memory.dmp

memory/528-8-0x0000000074CB0000-0x0000000075460000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ja3pm4t4\ja3pm4t4.cmdline

MD5 3742c4d3ec090fb4f782aa67b1fb8ab7
SHA1 c486ccdff8180ce95c11c8a3d603865de1e13d7b
SHA256 a2a96902dd9d72fc6ac47651c0bfe592c91029148ac8e0fec6f677412d46deb4
SHA512 7e221e89f97aa1b6bb7bbfacf1c87b05dc12c25bb0d1c614dcd1ca0764dfe8cd374e7789e4ac1254bb079f943f5343ecd6836463d29adc7d5348b5f6f8dc7fe1

C:\Users\Admin\AppData\Local\Temp\ja3pm4t4\ja3pm4t4.0.vb

MD5 0c342e38ac5b9df8920b1d9d4bfdd7a8
SHA1 8ea47c66ba47ad4f5a8b787c8c9a972b766e6021
SHA256 a555e8c60b19651623efefa9ac52c27ef08fb092c27490e650e19591af17f218
SHA512 ce01e3f0321363ab214e0c6b3550cdf2e5756067eec70b8076999104f8b97b6edb8d191a3dad608cc0bec1899c6b0f4749da196443856a9f2f87c5fb0a79c2c8

C:\Users\Admin\AppData\Local\Temp\RE.resources

MD5 fd46913293621f950d3cfdbe600a2e33
SHA1 7e50324f8ff43407556547824512515a054f3189
SHA256 383864dbb445f14447e11ab39f84f9f0b6e06a83c8228d87b8362d7350a9341f
SHA512 4b56c827eb3ddab922006ca1d3f45373184ad8062be5c4e3dd0c329e24b20bb409d670da115eb26ea138736023a0fc000b7140ea39988d18e4f1756123b73fe5

C:\Users\Admin\AppData\Local\Temp\vbcF83B0BD96F14588BD185946401DB70.TMP

MD5 1be073eaff0340aaac6beed19e303fd8
SHA1 dfb15834400c92b7c3649ffb717ec2dd9d0e3008
SHA256 51a11db8b7eba85bb3930eb659c64534e3af8ef47fa5d8c38bb4bec51c771743
SHA512 819d8f33130ec58c8db57ec03688fc2dfc24b1f8d3b21854f9142bf2bc7c21e9a2bc87039352354cebdc822cdeb5edb00d3ba818de375d5c4aa7bf4921b6a207

C:\Users\Admin\AppData\Local\Temp\RES4508.tmp

MD5 247c0deace0d949635353a9c15132061
SHA1 a61839e56db6242c404e3cc748bbc05a2ae94814
SHA256 20edf85e608e8413d10a0c5f806484fcc3505b1524a9ad5a7b32421e3556cd35
SHA512 c5fa11ae7627a5db90581001ea20bfade3711fe5471692bbdb1576614fca230653be56240b706a258fb6059ee0c9a20785a84fd393baf201a1b6c23634e814b3

C:\Users\Admin\AppData\Local\Temp\tmp4344.tmp.exe

MD5 382efd69971cbd144391646e59da6815
SHA1 7d3104bd27cebfa3925591cb8de1c7f23f22cfcb
SHA256 38ec8ce9f6f291aebd8a905a5b23cf4d5ac9a38bab7083bf309b4c4df9c3bbcb
SHA512 d8e166d49a3b237bf2ec7789effeae5fde72f72abd3b74cc8e5b07dbe79a37a7c7747fddde5a6dee6083cc30174561090800b1efd405f2e64ef1513775ef863f

memory/528-24-0x0000000074CB0000-0x0000000075460000-memory.dmp

memory/4040-25-0x0000000074CB0000-0x0000000075460000-memory.dmp

memory/4040-26-0x0000000000870000-0x000000000087A000-memory.dmp

memory/4040-27-0x00000000057B0000-0x0000000005D54000-memory.dmp

memory/4040-28-0x0000000005200000-0x0000000005292000-memory.dmp

memory/4040-30-0x0000000074CB0000-0x0000000075460000-memory.dmp