Malware Analysis Report

2025-01-03 09:34

Sample ID: 240604-gqwa1sga83
Target: 355e4e8d818785e2e7c6bebe150e5340_NeikiAnalytics.exe
SHA256: 9e8a28186a68b2f4684bae625ae8ff631efbfcc541872ccd850dce23cd021002
Tags: bootkit discovery persistence
Score: 6/10


Analysis Overview

Score: 6/10

SHA256: 9e8a28186a68b2f4684bae625ae8ff631efbfcc541872ccd850dce23cd021002

Threat Level: Shows suspicious behavior

The file 355e4e8d818785e2e7c6bebe150e5340_NeikiAnalytics.exe was found to show suspicious behavior.

Malicious Activity Summary

bootkit discovery persistence

Checks installed software on the system

Writes to the Master Boot Record (MBR)

Drops file in Windows directory

Enumerates physical storage devices

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-04 06:01

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-04 06:01
Reported: 2024-06-04 06:03
Platform: win10v2004-20240426-en
Max time kernel: 93s
Max time network: 103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\355e4e8d818785e2e7c6bebe150e5340_NeikiAnalytics.exe"

Signatures

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence

Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\355e4e8d818785e2e7c6bebe150e5340_NeikiAnalytics.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\ | C:\Users\Admin\AppData\Local\Temp\355e4e8d818785e2e7c6bebe150e5340_NeikiAnalytics.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\355e4e8d818785e2e7c6bebe150e5340_NeikiAnalytics.exe = "1" | C:\Users\Admin\AppData\Local\Temp\355e4e8d818785e2e7c6bebe150e5340_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT | C:\Users\Admin\AppData\Local\Temp\355e4e8d818785e2e7c6bebe150e5340_NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT\355e4e8d818785e2e7c6bebe150e5340_NeikiAnalytics.exe = "1" | C:\Users\Admin\AppData\Local\Temp\355e4e8d818785e2e7c6bebe150e5340_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT | C:\Users\Admin\AppData\Local\Temp\355e4e8d818785e2e7c6bebe150e5340_NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT\355e4e8d818785e2e7c6bebe150e5340_NeikiAnalytics.exe = "1" | C:\Users\Admin\AppData\Local\Temp\355e4e8d818785e2e7c6bebe150e5340_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Temp\355e4e8d818785e2e7c6bebe150e5340_NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\355e4e8d818785e2e7c6bebe150e5340_NeikiAnalytics.exe = "11000" | C:\Users\Admin\AppData\Local\Temp\355e4e8d818785e2e7c6bebe150e5340_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING | C:\Users\Admin\AppData\Local\Temp\355e4e8d818785e2e7c6bebe150e5340_NeikiAnalytics.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\355e4e8d818785e2e7c6bebe150e5340_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\355e4e8d818785e2e7c6bebe150e5340_NeikiAnalytics.exe"

Network


Files

memory/2132-0-0x0000000000400000-0x00000000007BB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\config.set

MD5 8131961a1f7a02a497c929e1b7cc2f01
SHA1 fb65adc101e377ddaec6537e752e30c016472ed5
SHA256 1734772ad6f465d3ce00e39818e92d5e06e893821021ef343311ff0998486fee
SHA512 40d09b945105f1dbce32b6049f09c117bc74d19db94b1b9e5f18df8c7409b9264e578247b8ecda2a7595795190e821af0ecdbfcac3b8dcdf4f9c58b8d274c91d

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-04 06:01
Reported: 2024-06-04 06:03
Platform: win7-20240221-en
Max time kernel: 119s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\355e4e8d818785e2e7c6bebe150e5340_NeikiAnalytics.exe"

Signatures

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence

Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\355e4e8d818785e2e7c6bebe150e5340_NeikiAnalytics.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\ | C:\Users\Admin\AppData\Local\Temp\355e4e8d818785e2e7c6bebe150e5340_NeikiAnalytics.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING | C:\Users\Admin\AppData\Local\Temp\355e4e8d818785e2e7c6bebe150e5340_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT | C:\Users\Admin\AppData\Local\Temp\355e4e8d818785e2e7c6bebe150e5340_NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT\355e4e8d818785e2e7c6bebe150e5340_NeikiAnalytics.exe = "1" | C:\Users\Admin\AppData\Local\Temp\355e4e8d818785e2e7c6bebe150e5340_NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\355e4e8d818785e2e7c6bebe150e5340_NeikiAnalytics.exe = "1" | C:\Users\Admin\AppData\Local\Temp\355e4e8d818785e2e7c6bebe150e5340_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT | C:\Users\Admin\AppData\Local\Temp\355e4e8d818785e2e7c6bebe150e5340_NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT\355e4e8d818785e2e7c6bebe150e5340_NeikiAnalytics.exe = "1" | C:\Users\Admin\AppData\Local\Temp\355e4e8d818785e2e7c6bebe150e5340_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Temp\355e4e8d818785e2e7c6bebe150e5340_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\355e4e8d818785e2e7c6bebe150e5340_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl | C:\Users\Admin\AppData\Local\Temp\355e4e8d818785e2e7c6bebe150e5340_NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\355e4e8d818785e2e7c6bebe150e5340_NeikiAnalytics.exe = "11000" | C:\Users\Admin\AppData\Local\Temp\355e4e8d818785e2e7c6bebe150e5340_NeikiAnalytics.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\355e4e8d818785e2e7c6bebe150e5340_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\355e4e8d818785e2e7c6bebe150e5340_NeikiAnalytics.exe"

Network


Files

memory/2240-1-0x0000000002190000-0x0000000002191000-memory.dmp

memory/2240-0-0x0000000000400000-0x00000000007BB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\config.set

MD5 8131961a1f7a02a497c929e1b7cc2f01
SHA1 fb65adc101e377ddaec6537e752e30c016472ed5
SHA256 1734772ad6f465d3ce00e39818e92d5e06e893821021ef343311ff0998486fee
SHA512 40d09b945105f1dbce32b6049f09c117bc74d19db94b1b9e5f18df8c7409b9264e578247b8ecda2a7595795190e821af0ecdbfcac3b8dcdf4f9c58b8d274c91d

memory/2240-27-0x0000000002190000-0x0000000002191000-memory.dmp