Malware Analysis Report

2025-01-03 09:27

Sample ID 240604-22egvsfc52
Target 142692dfbfb2f491e8721ab899ab1550_NeikiAnalytics.exe
SHA256 c019dbb818f4bd755a12ad6156bc5110c63bff5c2bb4c43a5f98f431173a577a
Tags bootkit persistence spyware stealer upx
Score 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 8/10

SHA256

c019dbb818f4bd755a12ad6156bc5110c63bff5c2bb4c43a5f98f431173a577a

Threat Level: Likely malicious

The file 142692dfbfb2f491e8721ab899ab1550_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

bootkit persistence spyware stealer upx

Blocklisted process makes network request

ACProtect 1.3x - 1.4x DLL software

Deletes itself

Reads user/profile data of web browsers

Executes dropped EXE

UPX packed file

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Enumerates connected drives

Adds Run key to start application

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks processor information in registry

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-04 23:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 23:04

Reported

2024-06-04 23:06

Platform

win7-20240221-en

Max time kernel

142s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\142692dfbfb2f491e8721ab899ab1550_NeikiAnalytics.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\atlxy.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\atlxy.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\yqlcr\\ohjjoilh.dll\",init" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\142692dfbfb2f491e8721ab899ab1550_NeikiAnalytics.exe N/A
N/A N/A \??\c:\atlxy.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2784 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\142692dfbfb2f491e8721ab899ab1550_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\142692dfbfb2f491e8721ab899ab1550_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\142692dfbfb2f491e8721ab899ab1550_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\142692dfbfb2f491e8721ab899ab1550_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3052 wrote to memory of 2944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3052 wrote to memory of 2944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3052 wrote to memory of 2944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3052 wrote to memory of 2944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3052 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\atlxy.exe
PID 3052 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\atlxy.exe
PID 3052 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\atlxy.exe
PID 3052 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\atlxy.exe
PID 2568 wrote to memory of 2680 N/A \??\c:\atlxy.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2568 wrote to memory of 2680 N/A \??\c:\atlxy.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2568 wrote to memory of 2680 N/A \??\c:\atlxy.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2568 wrote to memory of 2680 N/A \??\c:\atlxy.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2568 wrote to memory of 2680 N/A \??\c:\atlxy.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2568 wrote to memory of 2680 N/A \??\c:\atlxy.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2568 wrote to memory of 2680 N/A \??\c:\atlxy.exe \??\c:\windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\142692dfbfb2f491e8721ab899ab1550_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\142692dfbfb2f491e8721ab899ab1550_NeikiAnalytics.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&c:\atlxy.exe "C:\Users\Admin\AppData\Local\Temp\142692dfbfb2f491e8721ab899ab1550_NeikiAnalytics.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

\??\c:\atlxy.exe

c:\atlxy.exe "C:\Users\Admin\AppData\Local\Temp\142692dfbfb2f491e8721ab899ab1550_NeikiAnalytics.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\yqlcr\ohjjoilh.dll",init c:\atlxy.exe

Network

Country  Destination          Domain  Proto
US       67.198.215.212:803   N/A     tcp
US       67.198.215.212:803   N/A     tcp
US       67.198.215.213:3204  N/A     tcp
US       67.198.215.214:805   N/A     tcp
US       67.198.215.214:805   N/A     tcp
US       67.198.215.214:805   N/A     tcp
US       67.198.215.214:805   N/A     tcp
US       67.198.215.213:3204  N/A     tcp
US       67.198.215.213:3204  N/A     tcp
US       67.198.215.213:3204  N/A     tcp

Files

memory/2784-0-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2784-1-0x0000000000360000-0x0000000000362000-memory.dmp

memory/2784-3-0x0000000000400000-0x0000000000417000-memory.dmp

\??\c:\atlxy.exe

MD5 506e9a0a6341f172c3d18d48fce66ceb
SHA1 420ce38d55d44757f18c309dad54587c936bbc86
SHA256 92d70a795a87c80b898fbd115da181c5802cfbfe31c3bd67af4c38bb2ec3376d
SHA512 785ce5c6e60b3214f37b70d655778ab9c07d123258dd00ec6d7a5a8c7d63277028b5bec666789dffd3a3e4a586dd3b1b6898e01d72459c7401d7a5304313cb8e

memory/3052-7-0x0000000000260000-0x0000000000277000-memory.dmp

memory/3052-6-0x0000000000260000-0x0000000000277000-memory.dmp

memory/2568-8-0x0000000000270000-0x0000000000272000-memory.dmp

memory/2568-11-0x0000000000400000-0x0000000000417000-memory.dmp

\??\c:\yqlcr\ohjjoilh.dll

MD5 42fe886bcb6460f7c2a46e21ecac5da6
SHA1 7d9a1c9fe17121cf61444da965f29e974a95ede2
SHA256 b6bc7902da0250f6ca920b35b222f6a0fe62102caf05d2a1722c4d3b225a0a9e
SHA512 3d1a7dc1d9ca8a4376302ba20df584ad59b98e0d3b18b06b22d7f5a455833ce124e412fc1922a3b704dcbafa31987cda3115c9a71dd6299683502cebae33567c

memory/2680-17-0x0000000010000000-0x0000000010024000-memory.dmp

memory/2680-18-0x0000000010000000-0x0000000010024000-memory.dmp

memory/2680-22-0x0000000010000000-0x0000000010024000-memory.dmp

memory/2680-23-0x0000000010000000-0x0000000010024000-memory.dmp

memory/2680-24-0x0000000010000000-0x0000000010024000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 23:04

Reported

2024-06-04 23:06

Platform

win10v2004-20240426-en

Max time kernel

143s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\142692dfbfb2f491e8721ab899ab1550_NeikiAnalytics.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\kbniqmwwy.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\kbniqmwwy.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\yqamp\\oszvsedol.dll\",init" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\142692dfbfb2f491e8721ab899ab1550_NeikiAnalytics.exe N/A
N/A N/A \??\c:\kbniqmwwy.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\142692dfbfb2f491e8721ab899ab1550_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\142692dfbfb2f491e8721ab899ab1550_NeikiAnalytics.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&c:\kbniqmwwy.exe "C:\Users\Admin\AppData\Local\Temp\142692dfbfb2f491e8721ab899ab1550_NeikiAnalytics.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

\??\c:\kbniqmwwy.exe

c:\kbniqmwwy.exe "C:\Users\Admin\AppData\Local\Temp\142692dfbfb2f491e8721ab899ab1550_NeikiAnalytics.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\yqamp\oszvsedol.dll",init c:\kbniqmwwy.exe

Network

Country  Destination          Domain                         Proto
US       8.8.8.8:53           8.8.8.8.in-addr.arpa           udp
US       8.8.8.8:53           232.168.11.51.in-addr.arpa     udp
US       8.8.8.8:53           172.210.232.199.in-addr.arpa   udp
US       8.8.8.8:53           72.32.126.40.in-addr.arpa      udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa    udp
US       67.198.215.212:803   N/A                            tcp
US       8.8.8.8:53           149.220.183.52.in-addr.arpa    udp
US       67.198.215.213:3204  N/A                            tcp
US       67.198.215.214:805   N/A                            tcp
US       67.198.215.214:805   N/A                            tcp
US       8.8.8.8:53           26.165.165.52.in-addr.arpa     udp
US       8.8.8.8:53           15.164.165.52.in-addr.arpa     udp
US       67.198.215.214:805   N/A                            tcp
US       67.198.215.213:3204  N/A                            tcp
US       8.8.8.8:53           240.221.184.93.in-addr.arpa    udp
US       8.8.8.8:53           21.236.111.52.in-addr.arpa     udp
US       67.198.215.213:3204  N/A                            tcp
US       67.198.215.213:3204  N/A                            tcp

Files

memory/4252-0-0x0000000000400000-0x0000000000417000-memory.dmp

memory/4252-1-0x0000000002210000-0x0000000002212000-memory.dmp

memory/4252-4-0x0000000000400000-0x0000000000417000-memory.dmp

C:\kbniqmwwy.exe

MD5 82a35219fd3891af1bac99e1db97f767
SHA1 7f3ce4a41a59247262b83e56c0c21c418cdf876a
SHA256 1bfd4105eecc6b8a74306220125df93c0a5ccdefa61c6c1f54b9520ca36f193e
SHA512 c6b1b662ef78cdafe5a9b7969f2912e24bb98b02f695326ce8e38c66373da12507000a9353bd066e9d8b319d669a7c5da0215dc919c4fccf9df3c9c3b2bc3a0d

memory/4920-8-0x0000000000400000-0x0000000000417000-memory.dmp

memory/4920-11-0x0000000000400000-0x0000000000417000-memory.dmp

\??\c:\yqamp\oszvsedol.dll

MD5 42fe886bcb6460f7c2a46e21ecac5da6
SHA1 7d9a1c9fe17121cf61444da965f29e974a95ede2
SHA256 b6bc7902da0250f6ca920b35b222f6a0fe62102caf05d2a1722c4d3b225a0a9e
SHA512 3d1a7dc1d9ca8a4376302ba20df584ad59b98e0d3b18b06b22d7f5a455833ce124e412fc1922a3b704dcbafa31987cda3115c9a71dd6299683502cebae33567c

memory/1208-14-0x0000000010000000-0x0000000010024000-memory.dmp

memory/1208-15-0x0000000010000000-0x0000000010024000-memory.dmp

memory/1208-17-0x0000000010000000-0x0000000010024000-memory.dmp

memory/1208-19-0x0000000010000000-0x0000000010024000-memory.dmp