Malware Analysis Report

2025-01-03 09:27

Sample ID 240604-wmt14sfc72
Target b2e0914878ccdb317a3cc77b692e2980_NeikiAnalytics.exe
SHA256 46baa6f42912382af55e1ba6ed01a54acb191b5279fcd7e7f852c4d7b29ea9f2
Tags
bootkit persistence spyware stealer
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

46baa6f42912382af55e1ba6ed01a54acb191b5279fcd7e7f852c4d7b29ea9f2

Threat Level: Likely malicious

The file b2e0914878ccdb317a3cc77b692e2980_NeikiAnalytics.exe was found to be: Likely malicious.

Behaviour observed in both detonations (identical chain, only the random file names differ): the sample runs cmd.exe /c ping 127.0.0.1 -n 2 followed by a copy of itself placed in the root of C: (c:\qhehi.exe on Windows 7, c:\shtttiepb.exe on Windows 10), passing the original path as the argument. The ping to 127.0.0.1 is a delay; the copy, which is given the original's path on its command line, is the process on which "Deletes itself" fires. The copy drops a DLL into a single-level directory under the drive root (c:\dbedvdx\ugqig.dll, c:\ohdxr\xjoiq.dll) and starts rundll32.exe on it with the export name init. It is this rundll32.exe process that sets the per-user Run value EvtMgr to the same rundll32 command line, probes drive letters from a: to z:, opens \??\PHYSICALDRIVE0 for modification (the basis of the MBR/bootkit signature; the report records the open, not the bytes written), queries ProcessorNameString, adjusts its token for SeDebugPrivilege and makes the network requests.

Two points for anyone reading the process tables: the sample is 32-bit and its command line names c:\windows\system32\rundll32.exe, but WOW64 file-system redirection resolves that to C:\Windows\SysWOW64\rundll32.exe, which is the image path the process column shows. And the dropped DLL is byte-identical across both runs (SHA256 c7c41689de030df0f78f471422fa2a6383b36e77c94e7f6f124a96feb3e27ed7), whereas the copied executable differs per run and from the submitted file (see the Files sections), so the DLL hash, the Run value name EvtMgr, the domain krnaver.com and the TCP destination 107.163.241.232:12354 are the indicators worth pivoting on. The network tables are not attributed to processes; the in-addr.arpa reverse lookups and the connection to 52.111.227.11:443 appear only in the Windows 10 run and nothing in this report ties them to the sample.

Malicious Activity Summary

bootkit persistence spyware stealer

Blocklisted process makes network request

Executes dropped EXE

Loads dropped DLL

Deletes itself

Reads user/profile data of web browsers

Adds Run key to start application

Writes to the Master Boot Record (MBR)

Enumerates connected drives

Unsigned PE

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-04 18:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 18:02

Reported

2024-06-04 18:05

Platform

win7-20240215-en

Max time kernel

144s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b2e0914878ccdb317a3cc77b692e2980_NeikiAnalytics.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\qhehi.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\qhehi.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\dbedvdx\\ugqig.dll\",init" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2e0914878ccdb317a3cc77b692e2980_NeikiAnalytics.exe N/A
N/A N/A \??\c:\qhehi.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2972 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\b2e0914878ccdb317a3cc77b692e2980_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\b2e0914878ccdb317a3cc77b692e2980_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\b2e0914878ccdb317a3cc77b692e2980_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\b2e0914878ccdb317a3cc77b692e2980_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 2512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2496 wrote to memory of 2512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2496 wrote to memory of 2512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2496 wrote to memory of 2512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2496 wrote to memory of 2600 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\qhehi.exe
PID 2496 wrote to memory of 2600 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\qhehi.exe
PID 2496 wrote to memory of 2600 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\qhehi.exe
PID 2496 wrote to memory of 2600 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\qhehi.exe
PID 2600 wrote to memory of 2556 N/A \??\c:\qhehi.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2600 wrote to memory of 2556 N/A \??\c:\qhehi.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2600 wrote to memory of 2556 N/A \??\c:\qhehi.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2600 wrote to memory of 2556 N/A \??\c:\qhehi.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2600 wrote to memory of 2556 N/A \??\c:\qhehi.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2600 wrote to memory of 2556 N/A \??\c:\qhehi.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2600 wrote to memory of 2556 N/A \??\c:\qhehi.exe \??\c:\windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b2e0914878ccdb317a3cc77b692e2980_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\b2e0914878ccdb317a3cc77b692e2980_NeikiAnalytics.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&c:\qhehi.exe "C:\Users\Admin\AppData\Local\Temp\b2e0914878ccdb317a3cc77b692e2980_NeikiAnalytics.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

\??\c:\qhehi.exe

c:\qhehi.exe "C:\Users\Admin\AppData\Local\Temp\b2e0914878ccdb317a3cc77b692e2980_NeikiAnalytics.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\dbedvdx\ugqig.dll",init c:\qhehi.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 krnaver.com udp
US 107.163.241.232:12354 tcp
US 107.163.241.232:12354 tcp
US 8.8.8.8:53 krnaver.com udp
US 107.163.241.232:12354 tcp
US 8.8.8.8:53 krnaver.com udp
US 107.163.241.232:12354 tcp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp

Files

memory/2972-0-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2972-1-0x00000000002E0000-0x00000000002E1000-memory.dmp

memory/2972-3-0x0000000000400000-0x0000000000425000-memory.dmp

\??\c:\qhehi.exe

MD5 92006b3f249c13df606af0c3d15b8235
SHA1 128fefce7ba171b8fe9fe16a527a1eae42d01027
SHA256 3ddafceffccde170fa09d2744c013ba9b5f5e0d1216142fa44b26c9b43d74a9a
SHA512 e72f28eb5e61144c8202cacc0e4d648f046ce5966130ae701991b07a90cc9ca078f1a8345dd12ccb0fe238a42122eb8c6dfcafd1d284e44e0cbf241e3393158c

memory/2496-7-0x0000000000180000-0x00000000001A5000-memory.dmp

memory/2496-6-0x0000000000180000-0x00000000001A5000-memory.dmp

memory/2600-8-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2600-10-0x0000000000400000-0x0000000000425000-memory.dmp

\??\c:\dbedvdx\ugqig.dll

MD5 36e3fb5964d663272cf1169e1e1ca478
SHA1 58115e08b49505bcbbb5c88a28a86222ba18d5d4
SHA256 c7c41689de030df0f78f471422fa2a6383b36e77c94e7f6f124a96feb3e27ed7
SHA512 daff53b11aa400437a06287707a334a09661c1ef7d0fd8beaf1a874c79c16fe45bd1188343d0623e839d3ead5ea2dd90896e37ccf3b252c7220c74989a9ba442

memory/2556-16-0x0000000010000000-0x000000001002E000-memory.dmp

memory/2556-17-0x0000000010000000-0x000000001002E000-memory.dmp

memory/2556-18-0x0000000010000000-0x000000001002E000-memory.dmp

memory/2556-19-0x0000000010021000-0x0000000010022000-memory.dmp

memory/2556-20-0x0000000010000000-0x000000001002E000-memory.dmp

memory/2556-21-0x0000000010000000-0x000000001002E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 18:02

Reported

2024-06-04 18:05

Platform

win10v2004-20240426-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b2e0914878ccdb317a3cc77b692e2980_NeikiAnalytics.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\shtttiepb.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\shtttiepb.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\ohdxr\\xjoiq.dll\",init" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A
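The signature above records only that rundll32.exe opened \??\PHYSICALDRIVE0 for modification, in this run and in behavioral1 alike; it does not show what was written. The following Python is added here as an example and is not part of the sandbox output. It parses a raw first sector (446 bytes of bootstrap code, four 16-byte partition entries, the 55AA signature), hashes the code region and compares a sector against a known-good baseline, so a responder can tell a replaced boot loader from a rewritten partition table. The two 512-byte sectors it uses are constructed for the example; on a live host the real sector is read from \\.\PhysicalDrive0 as Administrator, which the read_physical_drive0 helper shows but the example never calls.

```python
from __future__ import annotations

import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512
BOOT_CODE_LEN = 446        # bytes 0..445: bootstrap code the BIOS jumps into
PART_TABLE_OFF = 446       # four 16-byte partition entries follow
BOOT_SIG = b"\x55\xaa"     # bytes 510..511


@dataclass(frozen=True)
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_mbr(sector: bytes) -> dict:
    """Split a raw first sector into bootstrap-code hash, partition table and signature flag."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector)}")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # entry: status, CHS start (3), type, CHS end (3), LBA start (u32 LE), sector count (u32 LE)
        status, type_id, lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        if type_id != 0:                       # type 0 marks an unused slot
            parts.append(Partition(status == 0x80, type_id, lba, count))
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": tuple(parts),
        "signature_ok": sector[510:512] == BOOT_SIG,
    }


def compare_mbr(baseline: bytes, current: bytes) -> list[str]:
    """Findings for `current` against a known-good `baseline`; an empty list means unchanged."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not c["signature_ok"]:
        findings.append("boot signature 55AA missing")
    if c["boot_code_sha256"] != b["boot_code_sha256"]:
        findings.append("bootstrap code changed")
        if c["partitions"] == b["partitions"]:
            # keeping the partition table so the OS still boots is what a bootkit does;
            # a partitioning tool rewriting the layout would normally touch both
            findings.append("partition table untouched: bootkit pattern")
    if c["partitions"] != b["partitions"]:
        findings.append("partition table changed")
    return findings


def read_physical_drive0() -> bytes:
    """On a live Windows host, run as Administrator: the sector the sample opened as \\??\\PHYSICALDRIVE0."""
    with open(r"\\.\PhysicalDrive0", "rb") as disk:
        return disk.read(SECTOR)


# --- constructed sectors for the example (not taken from the report) --------------
def build_mbr(boot_code: bytes, entries: list[bytes]) -> bytes:
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(entries).ljust(64, b"\x00")[:64]
    return code + table + BOOT_SIG


# one bootable NTFS (type 0x07) partition starting at LBA 2048 (1 MiB), 0x100000 sectors long
ENTRY_NTFS = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 0x100000)
BASELINE = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 24, [ENTRY_NTFS])
TAMPERED = build_mbr(b"\xeb\xfe" + b"\xcc" * 60, [ENTRY_NTFS])   # code replaced, layout kept

if __name__ == "__main__":
    print(compare_mbr(BASELINE, TAMPERED))
```

The baseline should be captured from a known-clean image of the same host (or the hash of the bootstrap code from a clean install), not from the suspect disk itself; comparing the suspect sector against its own earlier read only tells you whether it changed during the window you were watching.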

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b2e0914878ccdb317a3cc77b692e2980_NeikiAnalytics.exe N/A
N/A N/A \??\c:\shtttiepb.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b2e0914878ccdb317a3cc77b692e2980_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\b2e0914878ccdb317a3cc77b692e2980_NeikiAnalytics.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&c:\shtttiepb.exe "C:\Users\Admin\AppData\Local\Temp\b2e0914878ccdb317a3cc77b692e2980_NeikiAnalytics.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

\??\c:\shtttiepb.exe

c:\shtttiepb.exe "C:\Users\Admin\AppData\Local\Temp\b2e0914878ccdb317a3cc77b692e2980_NeikiAnalytics.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\ohdxr\xjoiq.dll",init c:\shtttiepb.exe
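The chain in this process list is the same as in behavioral1 with only the random names changed (qhehi.exe and dbedvdx\ugqig.dll there, shtttiepb.exe and ohdxr\xjoiq.dll here), and the Run value EvtMgr is written by the same rundll32.exe in both runs, so a detection should key on the structure rather than the names. The Python below is an added example, not part of this report: it runs three checks over process-creation and registry-value-set records laid out like Sysmon Event ID 1 and Event ID 13 (fields Image, CommandLine, ParentProcessId, TargetObject, Details), then links the hits through the parent/child relationship. The event list is constructed from the behavioral1 command lines and PIDs; the parent of PID 2972 and the two benign records are made up for the example, and the registry data is written unescaped (the report shows it with doubled backslashes).

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Rule 1: cmd /c ping 127.0.0.1 -n N & <drive>:\<name>.exe "<original>.exe"
#         ping-based delay, then a copy in the drive root that is handed the original's path.
PING_RELAUNCH = re.compile(
    r'(?i)^cmd(?:\.exe)?\s+/c\s+ping\s+127\.0\.0\.1\s+-n\s+\d+\s*&\s*'
    r'([a-z]:\\[^\\\s"]+\.exe)\s+"([^"]+\.exe)"'
)
# Rule 2: rundll32 "<drive>:\<dir>\<name>.dll",<export> with the DLL exactly one directory
#         below the root; legitimate rundll32 use rarely loads a DLL from such a location.
RUNDLL_INIT = re.compile(r'(?i)rundll32(?:\.exe)?\s+"([a-z]:\\[^\\"]+\\[^\\"]+\.dll)",(\w+)')
# Rule 3: a per-user Run value whose data is rule 2's command line.
RUN_KEY = re.compile(r'(?i)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$')


@dataclass
class Alert:
    rule: str
    pid: int
    fields: dict[str, str] = field(default_factory=dict)


def detect(events: list[dict]) -> list[Alert]:
    """Apply the three rules to Sysmon-style records; alerts come back in event order."""
    alerts: list[Alert] = []
    for ev in events:
        if ev["EventID"] == 1:
            m = PING_RELAUNCH.match(ev["CommandLine"])
            if m:
                alerts.append(Alert("ping-delay relaunch from drive root", ev["ProcessId"],
                                    {"copy": m.group(1), "original": m.group(2)}))
            m = RUNDLL_INIT.search(ev["CommandLine"])
            if m:
                alerts.append(Alert("rundll32 loads dropped DLL by export", ev["ProcessId"],
                                    {"dll": m.group(1), "export": m.group(2)}))
        elif ev["EventID"] == 13:
            k = RUN_KEY.search(ev["TargetObject"])
            m = RUNDLL_INIT.search(ev["Details"])
            if k and m:
                alerts.append(Alert("Run value persists rundll32 DLL", ev["ProcessId"],
                                    {"value": k.group(1), "dll": m.group(1), "export": m.group(2)}))
    return alerts


def correlate(events: list[dict], alerts: list[Alert]) -> list[tuple[int, int, int]]:
    """Confirm the full chain cmd -> copy -> rundll32 through ParentProcessId.
    Returns (cmd_pid, copy_pid, rundll32_pid) triples; an empty list means the hits are unrelated."""
    by_pid = {ev["ProcessId"]: ev for ev in events if ev["EventID"] == 1}
    copies = {a.fields["copy"].lower(): a.pid for a in alerts if "copy" in a.fields}
    chains = []
    for a in alerts:
        if a.rule.startswith("rundll32") and a.pid in by_pid:
            parent = by_pid.get(by_pid[a.pid]["ParentProcessId"])
            if parent and parent["Image"].lower() in copies:
                chains.append((copies[parent["Image"].lower()], parent["ProcessId"], a.pid))
    return chains


def iocs(alerts: list[Alert]) -> dict[str, set[str]]:
    """Host indicators worth pivoting on, pulled out of the alerts."""
    out: dict[str, set[str]] = {"exe": set(), "dll": set(), "run_value": set()}
    for a in alerts:
        if "copy" in a.fields:
            out["exe"].add(a.fields["copy"].lower())
        if "dll" in a.fields:
            out["dll"].add(a.fields["dll"].lower())
        if "value" in a.fields:
            out["run_value"].add(a.fields["value"])
    return out


# --- constructed records (behavioral1 command lines and PIDs; parent 1000 and the benign rows are made up)
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b2e0914878ccdb317a3cc77b692e2980_NeikiAnalytics.exe"
SID = "S-1-5-21-2248906074-2862704502-246302768-1000"
EVENTS = [
    {"EventID": 1, "ProcessId": 2972, "ParentProcessId": 1000, "Image": SAMPLE,
     "CommandLine": f'"{SAMPLE}"'},
    {"EventID": 1, "ProcessId": 2496, "ParentProcessId": 2972, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": rf'cmd.exe /c ping 127.0.0.1 -n 2&c:\qhehi.exe "{SAMPLE}"'},
    {"EventID": 1, "ProcessId": 2512, "ParentProcessId": 2496, "Image": r"C:\Windows\SysWOW64\PING.EXE",
     "CommandLine": "ping 127.0.0.1 -n 2"},
    {"EventID": 1, "ProcessId": 2600, "ParentProcessId": 2496, "Image": r"c:\qhehi.exe",
     "CommandLine": rf'c:\qhehi.exe "{SAMPLE}"'},
    {"EventID": 1, "ProcessId": 2556, "ParentProcessId": 2600, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'c:\windows\system32\rundll32.exe "c:\dbedvdx\ugqig.dll",init c:\qhehi.exe'},
    {"EventID": 13, "ProcessId": 2556, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "TargetObject": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr",
     "Details": r'c:\windows\SysWOW64\rundll32.exe "c:\dbedvdx\ugqig.dll",init'},
    # benign rows that must not fire: a bare ping delay and an ordinary Run value
    {"EventID": 1, "ProcessId": 3000, "ParentProcessId": 1000, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c ping 127.0.0.1 -n 2"},
    {"EventID": 13, "ProcessId": 3001, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    found = detect(EVENTS)
    for a in found:
        print(a.pid, a.rule, a.fields)
    print("chains:", correlate(EVENTS, found))
    print("iocs:", iocs(EVENTS and found))
```

Each rule on its own is noisy in a large environment (ping-as-sleep is common in installers, and rundll32 with an export name is normal); the correlate step is what turns three weak signals into the one tree this report shows, so alert on the chain and log the individual hits.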

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 krnaver.com udp
US 107.163.241.232:12354 tcp
US 107.163.241.232:12354 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp
US 107.163.241.232:12354 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 114.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp
US 8.8.8.8:53 krnaver.com udp

Files

memory/2988-0-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2988-1-0x00000000009F0000-0x00000000009F1000-memory.dmp

memory/2988-3-0x0000000000400000-0x0000000000425000-memory.dmp

C:\shtttiepb.exe

MD5 b8a83adca9bd6feb67aaa5bc681bbcbb
SHA1 8850db35058a34bdacf26b59e6b788610aee7824
SHA256 ce26ffd61dd52dc9ed9f8de4e307387babec59f6f274ad47cd3f380a208b9005
SHA512 f0e59b8bc27934153e6e076619e3a858118180818f3157c1ac5c2bfcbbde997f0caff9c52c5eec027c8a13a8aacd08991cc554cc08734f4243390c236ecce06f

memory/3868-7-0x0000000000930000-0x0000000000931000-memory.dmp

memory/3868-9-0x0000000000400000-0x0000000000425000-memory.dmp

\??\c:\ohdxr\xjoiq.dll

MD5 36e3fb5964d663272cf1169e1e1ca478
SHA1 58115e08b49505bcbbb5c88a28a86222ba18d5d4
SHA256 c7c41689de030df0f78f471422fa2a6383b36e77c94e7f6f124a96feb3e27ed7
SHA512 daff53b11aa400437a06287707a334a09661c1ef7d0fd8beaf1a874c79c16fe45bd1188343d0623e839d3ead5ea2dd90896e37ccf3b252c7220c74989a9ba442

memory/2664-12-0x0000000010000000-0x000000001002E000-memory.dmp

memory/2664-14-0x0000000001130000-0x0000000001131000-memory.dmp

memory/2664-13-0x0000000010000000-0x000000001002E000-memory.dmp

memory/2664-15-0x0000000010000000-0x000000001002E000-memory.dmp

memory/2664-16-0x0000000001130000-0x0000000001131000-memory.dmp