Malware Analysis Report

2025-01-06 08:11

Sample ID: 240604-be2qrsge48
Target: 1aaa271ce0aeecad141d8f2a79de9990_NeikiAnalytics.exe
SHA256: e7c836209cf401a565cec3a4bd85224507cb26607006a7f110be6ea7332c81dd
Tags: evasion
Score: 8/10

Analysis Overview

Score: 8/10

SHA256: e7c836209cf401a565cec3a4bd85224507cb26607006a7f110be6ea7332c81dd

Threat Level: Likely malicious

The file 1aaa271ce0aeecad141d8f2a79de9990_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

evasion

Sets file to hidden

Deletes itself

Executes dropped EXE

Checks computer location settings

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Views/modifies file attributes

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported: 2024-06-04 01:04

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-04 01:04
Reported: 2024-06-04 01:06
Platform: win7-20231129-en
Max time kernel: 144s
Max time network: 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1aaa271ce0aeecad141d8f2a79de9990_NeikiAnalytics.exe"

Signatures

Sets file to hidden

Tag: evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Debug\iuyhost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Debug\iuyhost.exe | C:\Users\Admin\AppData\Local\Temp\1aaa271ce0aeecad141d8f2a79de9990_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\Debug\iuyhost.exe | C:\Users\Admin\AppData\Local\Temp\1aaa271ce0aeecad141d8f2a79de9990_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\Debug\iuyhost.exe | C:\Windows\SysWOW64\attrib.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1aaa271ce0aeecad141d8f2a79de9990_NeikiAnalytics.exe | N/A

Views/modifies file attributes

Tag: evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1aaa271ce0aeecad141d8f2a79de9990_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\1aaa271ce0aeecad141d8f2a79de9990_NeikiAnalytics.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +a +s +h +r C:\Windows\Debug\iuyhost.exe

C:\Windows\Debug\iuyhost.exe

C:\Windows\Debug\iuyhost.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\1AAA27~1.EXE > nul

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.baidu.com | udp
CN | 183.240.99.24:80 | www.baidu.com | tcp
US | 8.8.8.8:53 | DLsrKxvEPO.nnnn.eu.org | udp
US | 8.8.8.8:53 | n2Z3bvvM96.nnnn.eu.org | udp
US | 8.8.8.8:53 | NikEMtOysK.nnnn.eu.org | udp
US | 8.8.8.8:53 | xuRQdNs66Y.nnnn.eu.org | udp
US | 8.8.8.8:53 | Xa8bvKLDqG.nnnn.eu.org | udp

Files

memory/948-0-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\Debug\iuyhost.exe

MD5: 22d4c30129becbe5ca16e448bfce0701
SHA1: ccecec1e5a165c66c1ae636161145cf8f16bb0ce
SHA256: ba732c95cd40aafbfcd02242dd70b68fb250be9dc6a38b704d4766e119e6393f
SHA512: 765e5a81ac372e1bce48f57f0f51de52d15b6333115bda13f3f1e31cf96acba8337ff80a06d4e206ce984f5b8ef4b15aabd72cef559738742cded745e9a69621

memory/2172-5-0x0000000000400000-0x0000000000411000-memory.dmp

memory/948-6-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2172-7-0x0000000000400000-0x0000000000411000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-04 01:04
Reported: 2024-06-04 01:06
Platform: win10v2004-20240426-en
Max time kernel: 144s
Max time network: 146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1aaa271ce0aeecad141d8f2a79de9990_NeikiAnalytics.exe"

Signatures

Sets file to hidden

Tag: evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1aaa271ce0aeecad141d8f2a79de9990_NeikiAnalytics.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Debug\smahost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Debug\smahost.exe | C:\Users\Admin\AppData\Local\Temp\1aaa271ce0aeecad141d8f2a79de9990_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\Debug\smahost.exe | C:\Users\Admin\AppData\Local\Temp\1aaa271ce0aeecad141d8f2a79de9990_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\Debug\smahost.exe | C:\Windows\SysWOW64\attrib.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1aaa271ce0aeecad141d8f2a79de9990_NeikiAnalytics.exe | N/A

Views/modifies file attributes

Tag: evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1aaa271ce0aeecad141d8f2a79de9990_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\1aaa271ce0aeecad141d8f2a79de9990_NeikiAnalytics.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +a +s +h +r C:\Windows\Debug\smahost.exe

C:\Windows\Debug\smahost.exe

C:\Windows\Debug\smahost.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\1AAA27~1.EXE > nul
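The process lists of both detonations show the same two host-side evasion steps: attrib.exe marks the dropped binary in C:\Windows\Debug as archive, system, hidden and read-only, and cmd.exe then deletes the original sample by its 8.3 short name (1AAA27~1.EXE), so an IOC match on the long file name alone misses the deletion. The Python below is an added example, not part of this report or of any sandbox tooling: it parses constructed process-creation records built from the command lines above (the pids, the benign control event and the record format are invented) and flags both patterns, accepting the short-name form of the path.

```python
"""Triage process command lines for two evasion steps seen in this report:
attrib.exe setting hidden+system on a file under C:\\Windows, and cmd.exe
deleting a Temp-resident sample via its 8.3 short name (NAME~1.EXE)."""
from __future__ import annotations

import re

# Windows-style tokenizer: quoted spans become one token, otherwise split on
# whitespace (shlex is POSIX-oriented and mangles backslash paths).
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
# 8.3 short-name tail such as 1AAA27~1.EXE (any extension or none).
_SHORT_NAME = re.compile(r"~\d+(\.[^\\\s]+)?$")
_WINDOWS_DIRS = ("c:\\windows\\",)


def split_cmdline(cmdline: str) -> list[str]:
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def flag_hidden_system_attrib(cmdline: str) -> dict | None:
    """attrib with both +h and +s on a path under C:\\Windows. Explorer keeps
    hidden+system files out of view even when 'show hidden files' is enabled,
    unless protected operating-system files are also unhidden."""
    args = split_cmdline(cmdline)
    if not args:
        return None
    exe = args[0].lower()
    if not (exe == "attrib" or exe.endswith("attrib.exe")):
        return None
    switches = {a.lower() for a in args[1:] if a[:1] in ("+", "-")}
    targets = [a for a in args[1:] if a[:1] not in ("+", "-", "/")]
    if {"+h", "+s"} <= switches and any(t.lower().startswith(_WINDOWS_DIRS) for t in targets):
        return {"technique": "hidden_system_attrib", "switches": sorted(switches), "targets": targets}
    return None


def flag_self_delete(cmdline: str) -> dict | None:
    """cmd.exe /c del <path> where <path> is an 8.3 short name under a
    per-user Temp directory: a dropper erasing itself after staging."""
    args = split_cmdline(cmdline)
    if not args:
        return None
    exe = args[0].lower()
    if not (exe == "cmd" or exe.endswith("cmd.exe")):
        return None
    lowered = [a.lower() for a in args]
    if "/c" not in lowered or "del" not in lowered:
        return None
    for tok in args[lowered.index("del") + 1:]:
        if tok.startswith("/") or tok in (">", "nul"):
            continue  # skip del switches and the output redirection
        target = tok
        break
    else:
        return None
    in_temp = "\\appdata\\local\\temp\\" in target.lower()
    if in_temp and _SHORT_NAME.search(target):
        return {"technique": "self_delete_short_name", "target": target}
    return None


def triage(events: list[dict]) -> list[dict]:
    """Run both checks over process-creation records; one finding per hit."""
    findings = []
    for ev in events:
        for check in (flag_hidden_system_attrib, flag_self_delete):
            hit = check(ev["CommandLine"])
            if hit:
                findings.append({"pid": ev["ProcessId"], "image": ev["Image"], **hit})
    return findings


# Constructed records mirroring the command lines from both detonations.
# Pids, the record layout and the final benign control event are invented.
SAMPLE_EVENTS = [
    {"ProcessId": 948, "Image": r"C:\Users\Admin\AppData\Local\Temp\1aaa271ce0aeecad141d8f2a79de9990_NeikiAnalytics.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\1aaa271ce0aeecad141d8f2a79de9990_NeikiAnalytics.exe"'},
    {"ProcessId": 1204, "Image": r"C:\Windows\SysWOW64\attrib.exe",
     "CommandLine": r"attrib +a +s +h +r C:\Windows\Debug\iuyhost.exe"},
    {"ProcessId": 2172, "Image": r"C:\Windows\Debug\iuyhost.exe",
     "CommandLine": r"C:\Windows\Debug\iuyhost.exe"},
    {"ProcessId": 1388, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\1AAA27~1.EXE > nul'},
    {"ProcessId": 2000, "Image": r"C:\Windows\System32\attrib.exe",
     "CommandLine": r"attrib +h C:\Users\Admin\Documents\notes.txt"},  # benign: user profile, no +s
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The hidden-file check deliberately requires +h together with +s and a target under C:\Windows; a user hiding a document in their own profile should not fire. The self-deletion check keys on the ~N short-name form rather than on the sample's file name, which is what makes it reusable across samples and what a name-based IOC would miss.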

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | www.baidu.com | udp
CN | 183.240.99.24:80 | www.baidu.com | tcp
US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | DLsrKxvEPO.nnnn.eu.org | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | qOxG79ww.nnnn.eu.org | udp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | Q4sMjDblg.nnnn.eu.org | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 0kaX0h4sQO.nnnn.eu.org | udp
US | 8.8.8.8:53 | aRlClfY096.nnnn.eu.org | udp
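Across both detonations the sample resolves a run of one-off, random-looking labels under a single parent, nnnn.eu.org, alongside one www.baidu.com lookup and a number of reverse (in-addr.arpa) queries. The Python below is an added example, not part of this report: it takes constructed query-log lines built from the two Network tables (the "<proto> <resolver> <qname>" layout is invented), drops reverse lookups, groups hostnames by the parent left after stripping the first label, and reports parents that collected several distinct high-entropy labels. The entropy and length thresholds are the example's own choices, and stripping one label is a simplification that needs no public-suffix list but would mis-group deeper names such as a.b.example.com.

```python
"""Score detonation DNS queries for the randomized-subdomain pattern: many
distinct, high-entropy labels under one parent zone within a single run."""
from __future__ import annotations

import math
from collections import Counter, defaultdict

# Constructed "<proto> <resolver> <qname>" lines taken from the Network tables
# of behavioral1 and behavioral2 above; the line format is invented.
SAMPLE_QUERIES = """\
udp 8.8.8.8:53 8.8.8.8.in-addr.arpa
udp 8.8.8.8:53 www.baidu.com
udp 8.8.8.8:53 DLsrKxvEPO.nnnn.eu.org
udp 8.8.8.8:53 n2Z3bvvM96.nnnn.eu.org
udp 8.8.8.8:53 NikEMtOysK.nnnn.eu.org
udp 8.8.8.8:53 xuRQdNs66Y.nnnn.eu.org
udp 8.8.8.8:53 Xa8bvKLDqG.nnnn.eu.org
udp 8.8.8.8:53 97.17.167.52.in-addr.arpa
udp 8.8.8.8:53 DLsrKxvEPO.nnnn.eu.org
udp 8.8.8.8:53 qOxG79ww.nnnn.eu.org
udp 8.8.8.8:53 Q4sMjDblg.nnnn.eu.org
udp 8.8.8.8:53 0kaX0h4sQO.nnnn.eu.org
udp 8.8.8.8:53 aRlClfY096.nnnn.eu.org
"""


def parse_queries(log: str) -> list[str]:
    """Return forward qnames from the constructed log, dropping reverse
    lookups, which carry no label chosen by the sample."""
    names = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        qname = parts[2].rstrip(".")
        if qname.lower().endswith((".in-addr.arpa", ".ip6.arpa")):
            continue
        names.append(qname)
    return names


def label_entropy(label: str) -> float:
    """Shannon entropy of the label's characters, in bits."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def looks_random(label: str, min_len: int = 6, min_bits: float = 2.5) -> bool:
    """Heuristic for machine-generated labels: long enough, high character
    entropy, and drawn from at least two of {lowercase, uppercase, digits}.
    Thresholds are this example's choices, not values from the report."""
    if len(label) < min_len:
        return False
    classes = sum(any(f(ch) for ch in label) for f in (str.islower, str.isupper, str.isdigit))
    return classes >= 2 and label_entropy(label) >= min_bits


def suspicious_parents(qnames: list[str], min_labels: int = 3) -> dict[str, list[str]]:
    """Group by parent (everything after the first label) and keep parents
    that received at least `min_labels` distinct random-looking labels."""
    by_parent: dict[str, list[str]] = defaultdict(list)
    for name in qnames:
        host, _, parent = name.partition(".")
        if not parent or host in by_parent[parent]:
            continue  # no parent, or duplicate label already counted
        if looks_random(host):
            by_parent[parent].append(host)
    return {p: labels for p, labels in by_parent.items() if len(labels) >= min_labels}


if __name__ == "__main__":
    for parent, labels in suspicious_parents(parse_queries(SAMPLE_QUERIES)).items():
        print(parent, len(labels), labels)
```

Mixed case on its own is weak evidence, since a resolver applying 0x20 case randomization produces similar-looking names; the signal here is the count of distinct high-entropy labels under one parent within one run, which the single www.baidu.com lookup never reaches.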

Files

memory/2692-0-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\debug\smahost.exe

MD5: d7c49aeb437e8cfe355baa17f531d484
SHA1: ac7240367f52c6311407532d198484c381dc42bc
SHA256: 8c17d55b03239173e9b25728fee37848cce320c91b15f9614bb5b11f4457152e
SHA512: 7c96a7d76a7a5a02ea187435c3e896ba69d4719e6e71d59d4911388715cc93be81c1676889e7754abc265005a36a425bd99d9882defbdf5ffed95a3932de89d0

memory/4420-5-0x0000000000400000-0x0000000000411000-memory.dmp

memory/4420-6-0x0000000000400000-0x0000000000411000-memory.dmp