Malware Analysis Report

2025-01-03 09:34

Sample ID: 240604-h84wjshd61
Target: 3d79b66483faf17f20c572f805b3ead0_NeikiAnalytics.exe
SHA256: 5260eeae00d826052e72a68feff66bc155fe8a13aa8c151f1a8f79311374c8ed
Tags: bootkit persistence spyware stealer upx
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 8/10

SHA256: 5260eeae00d826052e72a68feff66bc155fe8a13aa8c151f1a8f79311374c8ed

Threat Level: Likely malicious

The file 3d79b66483faf17f20c572f805b3ead0_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

bootkit persistence spyware stealer upx

Blocklisted process makes network request

UPX packed file

Deletes itself

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Writes to the Master Boot Record (MBR)

Enumerates connected drives

Unsigned PE

Runs ping.exe

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-04 07:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-04 07:25
Reported: 2024-06-04 07:28
Platform: win7-20240221-en
Max time kernel: 143s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3d79b66483faf17f20c572f805b3ead0_NeikiAnalytics.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\bppvemf.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\bppvemf.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (9 matches, no details recorded)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\yciwc\\uyishdeag.dll\",init" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A (2 events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3d79b66483faf17f20c572f805b3ead0_NeikiAnalytics.exe N/A
N/A N/A \??\c:\bppvemf.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2888 wrote to memory of 2100 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\3d79b66483faf17f20c572f805b3ead0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2100 wrote to memory of 2552 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2100 wrote to memory of 2508 (4 events) N/A C:\Windows\SysWOW64\cmd.exe \??\c:\bppvemf.exe
PID 2508 wrote to memory of 2668 (7 events) N/A \??\c:\bppvemf.exe \??\c:\windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3d79b66483faf17f20c572f805b3ead0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3d79b66483faf17f20c572f805b3ead0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&c:\bppvemf.exe "C:\Users\Admin\AppData\Local\Temp\3d79b66483faf17f20c572f805b3ead0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

\??\c:\bppvemf.exe

c:\bppvemf.exe "C:\Users\Admin\AppData\Local\Temp\3d79b66483faf17f20c572f805b3ead0_NeikiAnalytics.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\yciwc\uyishdeag.dll",init c:\bppvemf.exe

Network

Country Destination Domain Proto
US 67.198.215.212:803 tcp
US 67.198.215.212:803 tcp
US 67.198.215.213:3204 tcp
US 67.198.215.214:805 tcp
US 67.198.215.214:805 tcp
US 67.198.215.214:805 tcp
US 67.198.215.214:805 tcp
US 67.198.215.213:3204 tcp
US 67.198.215.213:3204 tcp
US 67.198.215.213:3204 tcp

Files

memory/2888-0-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2888-1-0x0000000000240000-0x0000000000242000-memory.dmp

memory/2888-3-0x0000000000400000-0x0000000000417000-memory.dmp

\??\c:\bppvemf.exe

MD5 920f81dfe6951b694dc0ea10f663502c
SHA1 e157c0a0bf8748525e4fe083b732a69c5a471469
SHA256 4a862ff55686f9d3d5ee1a4806c285d8a8ca2837254b248df065ffe59821b34a
SHA512 6b3947371981363edf9dcb21ed4718ea39703cb825db9e2831a6451456d2f4f53b9b95070160a722f7af607cc74d174d6b349281a7b64edc2e13dee994598ae4

memory/2100-5-0x00000000001E0000-0x00000000001F7000-memory.dmp

memory/2100-7-0x00000000001E0000-0x00000000001F7000-memory.dmp

memory/2508-8-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2508-9-0x0000000000390000-0x0000000000392000-memory.dmp

memory/2508-12-0x0000000000400000-0x0000000000417000-memory.dmp

\??\c:\yciwc\uyishdeag.dll

MD5 42fe886bcb6460f7c2a46e21ecac5da6
SHA1 7d9a1c9fe17121cf61444da965f29e974a95ede2
SHA256 b6bc7902da0250f6ca920b35b222f6a0fe62102caf05d2a1722c4d3b225a0a9e
SHA512 3d1a7dc1d9ca8a4376302ba20df584ad59b98e0d3b18b06b22d7f5a455833ce124e412fc1922a3b704dcbafa31987cda3115c9a71dd6299683502cebae33567c

memory/2668-19-0x0000000010000000-0x0000000010024000-memory.dmp

memory/2668-20-0x0000000010000000-0x0000000010024000-memory.dmp

memory/2668-18-0x0000000010000000-0x0000000010024000-memory.dmp

memory/2668-21-0x0000000010000000-0x0000000010024000-memory.dmp

memory/2668-25-0x0000000010000000-0x0000000010024000-memory.dmp

memory/2668-26-0x0000000010000000-0x0000000010024000-memory.dmp

memory/2668-27-0x0000000010000000-0x0000000010024000-memory.dmp

memory/2668-29-0x0000000010000000-0x0000000010024000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-04 07:25
Reported: 2024-06-04 07:27
Platform: win10v2004-20240508-en
Max time kernel: 150s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3d79b66483faf17f20c572f805b3ead0_NeikiAnalytics.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\naqvodecj.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\naqvodecj.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (5 matches, no details recorded)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\ditvvarh\\utwbg.dll\",init" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A
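The indicator is a handle to \??\PHYSICALDRIVE0 opened for modification by the rundll32.exe process that hosts the dropped DLL. That is the raw-disk access a bootkit needs to rewrite sector 0, but the sandbox records the open, not the bytes written, so confirming an MBR change on a host means reading the first sector and comparing it with a known-good copy. The Python below is an added example, not from the report: it parses a 512-byte MBR (446 bytes of bootstrap code, four 16-byte partition entries, the 0x55AA signature), hashes the bootstrap code and diffs two sectors. The two sectors are constructed; the tampered one keeps the partition table and replaces only the boot code, the pattern that leaves the system bootable while foreign code runs before the OS. read_first_sector opens the live device and needs administrator rights on Windows.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bootstrap code occupies bytes 0..445
PART_TABLE_OFFSET = 446      # four 16-byte partition entries follow
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510..511


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


@dataclass
class Mbr:
    boot_code_sha256: str
    partitions: List[Partition]
    signature_ok: bool


def parse_mbr(sector: bytes) -> Mbr:
    """Decode a classic MBR: boot-code hash, non-empty partition entries, signature check."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need the full 512-byte first sector")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFFSET + 16 * i: PART_TABLE_OFFSET + 16 * (i + 1)]
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4), little-endian
        status, type_id, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if type_id != 0:
            partitions.append(Partition(status == 0x80, type_id, lba_start, count))
    return Mbr(
        boot_code_sha256=hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        partitions=partitions,
        signature_ok=sector[510:512] == MBR_SIGNATURE,
    )


def mbr_diff(baseline: bytes, current: bytes) -> dict:
    """Compare a known-good sector with a suspect one."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    return {
        "boot_code_changed": b.boot_code_sha256 != c.boot_code_sha256,
        "partition_table_changed": b.partitions != c.partitions,
        "signature_ok": c.signature_ok,
    }


def read_first_sector(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a live disk. Windows requires administrator rights for this open;
    the device is the one the sandbox logged as \\??\\PHYSICALDRIVE0."""
    with open(device, "rb", buffering=0) as fh:
        return fh.read(SECTOR_SIZE)


def build_mbr(boot_code: bytes, partitions: List[Partition]) -> bytes:
    """Assemble a sector from its parts; used here only to construct sample data."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(
        struct.pack("<B3sB3sII", 0x80 if p.bootable else 0x00, b"\xfe\xff\xff",
                    p.type_id, b"\xfe\xff\xff", p.lba_start, p.sector_count)
        for p in partitions
    ).ljust(64, b"\x00")
    return code + table + MBR_SIGNATURE


# Constructed sectors (not captured from the sample): one partition of type 0x07 (NTFS).
# The tampered copy keeps the partition table and swaps only the bootstrap code.
PARTITIONS = [Partition(bootable=True, type_id=0x07, lba_start=2048, sector_count=204800)]
CLEAN_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 32, PARTITIONS)
TAMPERED_MBR = build_mbr(b"\xeb\xfe" + b"\x00" * 8, PARTITIONS)

if __name__ == "__main__":
    print(mbr_diff(CLEAN_MBR, TAMPERED_MBR))
```

Partition tables legitimately differ between machines, so take the baseline from the same host (a pre-detonation snapshot, for instance) or compare only boot-code hashes across identically imaged machines. A GPT disk still carries a protective MBR in sector 0 with a single 0xEE entry, and the same comparison applies to it.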

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A (4 events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3d79b66483faf17f20c572f805b3ead0_NeikiAnalytics.exe N/A
N/A N/A \??\c:\naqvodecj.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3d79b66483faf17f20c572f805b3ead0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3d79b66483faf17f20c572f805b3ead0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&c:\naqvodecj.exe "C:\Users\Admin\AppData\Local\Temp\3d79b66483faf17f20c572f805b3ead0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

\??\c:\naqvodecj.exe

c:\naqvodecj.exe "C:\Users\Admin\AppData\Local\Temp\3d79b66483faf17f20c572f805b3ead0_NeikiAnalytics.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\ditvvarh\utwbg.dll",init c:\naqvodecj.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 67.198.215.212:803 tcp
US 67.198.215.213:3204 tcp
US 67.198.215.214:805 tcp
US 67.198.215.214:805 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 67.198.215.213:3204 tcp
US 67.198.215.213:3204 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 67.198.215.213:3204 tcp
US 67.198.215.213:3204 tcp
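Both detonations reach the same three hosts in 67.198.215.0/24 on ports 803, 3204 and 805, and those rows carry no domain, so no DNS lookup preceded them; the Win10 run adds Bing and reverse-DNS traffic that is operating-system background rather than sample activity. The Python below is an added example, not part of the report: it parses the two Network tables as copied here, strips the background traffic and keeps only the endpoints contacted in every run, with per-run hit counts. The background allowlist and the set of "common" ports are assumptions to tune for your own sandbox.

```python
import ipaddress
from collections import Counter
from typing import List, Optional, Tuple

# Connection rows copied from the two detonations in this report (Country Destination [Domain] Proto).
RUN1_ROWS = """
US 67.198.215.212:803 tcp
US 67.198.215.212:803 tcp
US 67.198.215.213:3204 tcp
US 67.198.215.214:805 tcp
US 67.198.215.214:805 tcp
US 67.198.215.214:805 tcp
US 67.198.215.214:805 tcp
US 67.198.215.213:3204 tcp
US 67.198.215.213:3204 tcp
US 67.198.215.213:3204 tcp
"""
RUN2_ROWS = """
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 67.198.215.212:803 tcp
US 67.198.215.213:3204 tcp
US 67.198.215.214:805 tcp
US 67.198.215.214:805 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 67.198.215.213:3204 tcp
US 67.198.215.213:3204 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 67.198.215.213:3204 tcp
US 67.198.215.213:3204 tcp
"""

# Assumption: Windows 10 sandbox background traffic. The resolver and the Bing / PTR lookups
# show up in clean detonations too, so they are dropped before looking for the sample's traffic.
BENIGN_DOMAIN_SUFFIXES = (".bing.com", ".bing.net", ".in-addr.arpa")
RESOLVER = ("8.8.8.8", 53)
COMMON_PORTS = {53, 80, 443}

Endpoint = Tuple[str, int, str]  # (ip, port, proto)


def parse_rows(text: str) -> List[Tuple[Endpoint, Optional[str]]]:
    """Parse 'CC ip:port [domain] proto' lines into ((ip, port, proto), domain)."""
    parsed = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) not in (3, 4):
            continue
        ip, port = fields[1].rsplit(":", 1)
        domain = fields[2] if len(fields) == 4 else None
        parsed.append(((ip, int(port), fields[-1]), domain))
    return parsed


def is_background(endpoint: Endpoint, domain: Optional[str]) -> bool:
    ip, port, _ = endpoint
    if (ip, port) == RESOLVER:
        return True
    return domain is not None and domain.lower().endswith(BENIGN_DOMAIN_SUFFIXES)


def sample_endpoints(text: str) -> Counter:
    """Endpoints left after removing sandbox background traffic, with hit counts."""
    return Counter(ep for ep, dom in parse_rows(text) if not is_background(ep, dom))


def c2_candidates(*runs: str) -> List[dict]:
    """Endpoints contacted in every detonation, sorted by address, with per-run hit counts."""
    counters = [sample_endpoints(r) for r in runs]
    common = set.intersection(*(set(c) for c in counters))
    result = []
    for ip, port, proto in sorted(common, key=lambda e: (ipaddress.ip_address(e[0]), e[1])):
        result.append({
            "endpoint": f"{ip}:{port}",
            "proto": proto,
            "hits": [c[(ip, port, proto)] for c in counters],
            "nonstandard_port": port not in COMMON_PORTS,
        })
    return result


if __name__ == "__main__":
    for ioc in c2_candidates(RUN1_ROWS, RUN2_ROWS):
        print(ioc)
```

Requiring an endpoint to appear in every run is what separates the sample's own traffic from whatever the guest image does on its own; the consecutive addresses and the odd ports are then the pivot for a network block or a netflow search, not the individual hit counts.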

Files

memory/3040-0-0x0000000000400000-0x0000000000417000-memory.dmp

memory/3040-1-0x00000000006A0000-0x00000000006A2000-memory.dmp

memory/3040-4-0x0000000000400000-0x0000000000417000-memory.dmp

C:\naqvodecj.exe

MD5 1572be7026539f15ab8c85fee5a89dbb
SHA1 45a96864303f9e8d1982aab84576be2abd175b24
SHA256 94e468ca423512da0f9f7bca1f0d5e2949b6956e56eb9b8b7542a6d1aa259522
SHA512 d9d2d5f4d7c251df097b4464e7701333c77eb38563a01f4a12d361dcbdbd9f5c9a28a6210ca897dc17153cfbc61dc260ee64c7e7f01b1f1eaa6014f5821de02f

memory/4512-8-0x0000000000590000-0x0000000000592000-memory.dmp

memory/4512-11-0x0000000000400000-0x0000000000417000-memory.dmp

\??\c:\ditvvarh\utwbg.dll

MD5 42fe886bcb6460f7c2a46e21ecac5da6
SHA1 7d9a1c9fe17121cf61444da965f29e974a95ede2
SHA256 b6bc7902da0250f6ca920b35b222f6a0fe62102caf05d2a1722c4d3b225a0a9e
SHA512 3d1a7dc1d9ca8a4376302ba20df584ad59b98e0d3b18b06b22d7f5a455833ce124e412fc1922a3b704dcbafa31987cda3115c9a71dd6299683502cebae33567c

memory/4488-14-0x0000000010000000-0x0000000010024000-memory.dmp

memory/4488-15-0x0000000010000000-0x0000000010024000-memory.dmp

memory/4488-17-0x0000000010000000-0x0000000010024000-memory.dmp

memory/4488-20-0x0000000010000000-0x0000000010024000-memory.dmp