Malware Analysis Report

2024-09-23 11:50

Sample ID 240608-21415aad96
Target 049264b4bf5eb0b7ea8fe9c113be6d90_NeikiAnalytics.exe
SHA256 6cb8b68ee6a31233c2bba4bac31cfb382caa4ab65fc83b70a2b84a89e48a62a2
Tags
bootkit persistence
score
6/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
6/10

SHA256

6cb8b68ee6a31233c2bba4bac31cfb382caa4ab65fc83b70a2b84a89e48a62a2

Threat Level: shows suspicious behavior (score 6/10)

The file 049264b4bf5eb0b7ea8fe9c113be6d90_NeikiAnalytics.exe was classified as showing suspicious behavior. The score comes from the behaviors listed below, chiefly a handle to \??\PhysicalDrive0 opened for modification and a SetWindowsHookEx call. Every network destination in both detonations is a qq.com host and every dropped file lands under a Tencent path (TencentDownload, Tencent\DeskUpdate), so nothing in this report points to a separate command-and-control channel.

Malicious Activity Summary

bootkit persistence

Writes to the Master Boot Record (MBR). The indicator behind this signature in both detonations is \??\PhysicalDrive0 opened for modification; the report does not record what, if anything, was written, so an actual change to sector 0 should be confirmed by comparing the disk's first 512 bytes before and after detonation.

Loads dropped DLL

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-08 23:05

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 23:03

Reported

2024-06-08 23:08

Platform

win7-20240221-en

Max time kernel

120s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\049264b4bf5eb0b7ea8fe9c113be6d90_NeikiAnalytics.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\049264b4bf5eb0b7ea8fe9c113be6d90_NeikiAnalytics.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\049264b4bf5eb0b7ea8fe9c113be6d90_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\049264b4bf5eb0b7ea8fe9c113be6d90_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\049264b4bf5eb0b7ea8fe9c113be6d90_NeikiAnalytics.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 master.etl.desktop.qq.com udp
US 8.8.8.8:53 c.gj.qq.com udp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp
US 8.8.8.8:53 c.gj.qq.com udp
HK 43.135.106.184:80 c.gj.qq.com tcp
HK 43.135.106.184:80 c.gj.qq.com tcp
US 8.8.8.8:53 oth.eve.mdt.qq.com udp
US 8.8.8.8:53 oth.eve.mdt.qq.com udp
US 8.8.8.8:53 oth.eve.mdt.qq.com udp
US 8.8.8.8:53 oth.eve.mdt.qq.com udp
SG 101.33.47.206:8081 oth.eve.mdt.qq.com tcp
SG 101.33.47.206:8081 oth.eve.mdt.qq.com tcp
SG 101.33.47.68:8081 oth.eve.mdt.qq.com tcp
SG 101.33.47.206:8081 oth.eve.mdt.qq.com tcp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp

Files

\Users\Admin\AppData\Local\Temp\TencentDownload\~f767eff\QQPCDownload.dll

MD5 9d44d2a1e8c988979a2f7d77a4f038fa
SHA1 d91d84512e7ce2957f2b4e6fc2d97d04ba7f1557
SHA256 fd1af002dd83bb74d244414df2bd90553050486671410aec2a9dea729114aa2f
SHA512 4d14b1099e5104ee9b853b2201c08fef8fff16953e530b19c18df73e0fb2bb8f018b10c1070c37420f63156fb9b203bbce3f90d1f4c2fee7a9f7a2a7fc33d657

memory/2656-6-0x00000000008B0000-0x00000000008B1000-memory.dmp

\Users\Admin\AppData\Local\Temp\TencentDownload\~f767eff\beacon_sdk.dll

MD5 573ec741ba9393c06292c329ca78e50c
SHA1 8f7956a1f2a40af28f0f470b82a90042bdfd836c
SHA256 0118930d91b51e6e4dfea02c4b81c152cbb848e227c02a1dcdc0909b167fdad0
SHA512 741574fecb16a6581c1a8d5fb412752915dc02a0f8b8a485a8fdf0d71005851c5fa6710fba242234a5a9ef250d3d85aff24af7492a16922351ec783d5b9d19cd

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 23:03

Reported

2024-06-08 23:08

Platform

win10v2004-20240426-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\049264b4bf5eb0b7ea8fe9c113be6d90_NeikiAnalytics.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\049264b4bf5eb0b7ea8fe9c113be6d90_NeikiAnalytics.exe N/A
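The "Writes to the Master Boot Record (MBR)" signature in both behavioral1 and behavioral2 is raised on a handle to \??\PhysicalDrive0 opened for modification; it does not show the bytes written. The following is an added example, not code from the sandbox or from the sample, of the check an analyst would run to confirm or rule out a real MBR change: parse a 512-byte sector, hash the boot code separately from the disk signature and partition table, and diff a pre-detonation baseline against a post-detonation copy. The two sectors it runs on are constructed by build_sample_mbr() (the tampered one has its boot code replaced by a `jmp $`); read_device_mbr() reads the real sector 0 on Windows with administrator rights and is not called in the stand-alone run.

```python
"""Baseline and re-check a Master Boot Record (added example, constructed sectors)."""
import hashlib
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
DISK_SIG_OFFSET = 440          # 4-byte NT disk signature
PART_TABLE_OFFSET = 446        # 4 x 16-byte partition entries
PART_ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"


@dataclass(frozen=True)
class PartitionEntry:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_mbr(sector: bytes) -> dict:
    """Split a raw sector into boot-code hash, disk signature and partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not a valid MBR")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFFSET + i * 16)
        if ptype == 0:
            continue  # empty slot
        if status not in (0x00, 0x80):
            raise ValueError(f"partition {i}: invalid status byte {status:#x}")
        partitions.append(PartitionEntry(status == 0x80, ptype, lba, count))
    return {
        # boot code only: bytes 0..439, excluding signature and partition table
        "boot_code_sha256": hashlib.sha256(sector[:DISK_SIG_OFFSET]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0],
        "partitions": partitions,
    }


def diff_mbr(baseline: bytes, current: bytes) -> list[str]:
    """Return findings describing what changed; an empty list means no change."""
    before, after = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if before["boot_code_sha256"] != after["boot_code_sha256"]:
        changed = [i for i in range(DISK_SIG_OFFSET) if baseline[i] != current[i]]
        findings.append(
            f"boot code changed at offsets {changed[0]:#x}-{changed[-1]:#x} "
            f"({len(changed)} bytes)")
    if before["disk_signature"] != after["disk_signature"]:
        findings.append("disk signature changed")
    if before["partitions"] != after["partitions"]:
        findings.append("partition table changed")
    return findings


def build_sample_mbr(boot_code: bytes, disk_signature: int = 0x1A2B3C4D) -> bytes:
    """Constructed test sector: the given boot code plus one bootable NTFS partition."""
    if len(boot_code) > DISK_SIG_OFFSET:
        raise ValueError("boot code must fit in the first 440 bytes")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFFSET, disk_signature)
    struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFFSET,
                     0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def read_device_mbr(path: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a physical disk (Windows, requires administrator)."""
    with open(path, "rb") as disk:
        return disk.read(SECTOR_SIZE)


if __name__ == "__main__":
    # Constructed before/after pair: the "after" boot code is just `jmp $` (EB FE).
    baseline = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")
    tampered = build_sample_mbr(b"\xeb\xfe")
    print("unchanged:", diff_mbr(baseline, baseline))
    print("tampered: ", diff_mbr(baseline, tampered))
```

Hashing the boot code separately from the disk signature and partition table matters in practice: legitimate installers and disk tools rewrite the partition table or the NT disk signature without touching the code at offset 0, and only a change in the first 440 bytes is evidence of a bootkit.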

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\049264b4bf5eb0b7ea8fe9c113be6d90_NeikiAnalytics.exe N/A (16 identical events; no indicator or target recorded for any of them)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\049264b4bf5eb0b7ea8fe9c113be6d90_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\049264b4bf5eb0b7ea8fe9c113be6d90_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\049264b4bf5eb0b7ea8fe9c113be6d90_NeikiAnalytics.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 master.etl.desktop.qq.com udp
US 8.8.8.8:53 c.gj.qq.com udp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
HK 43.135.106.117:80 c.gj.qq.com tcp
HK 43.135.106.117:80 c.gj.qq.com tcp
US 8.8.8.8:53 oth.eve.mdt.qq.com udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 117.106.135.43.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
SG 101.33.47.206:8081 oth.eve.mdt.qq.com tcp
SG 101.33.47.206:8081 oth.eve.mdt.qq.com tcp
SG 101.33.47.206:8081 oth.eve.mdt.qq.com tcp
SG 101.33.47.206:8081 oth.eve.mdt.qq.com tcp
US 8.8.8.8:53 206.47.33.101.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
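The Network tables of behavioral1 and behavioral2 mix DNS queries, reverse (PTR) lookups and repeated TCP connections, which makes it hard to see how few endpoints the sample actually talks to. The following is an added example, not part of the report or of any sandbox tooling, that reduces such a table to unique connections and resolved names and flags any domain outside an expected suffix. NETWORK_TABLE is copied from the behavioral2 table above with its duplicate rows kept; the ".qq.com" allow-list suffix is an assumption chosen for this sample, and the "evil.example" row used in the usage check is constructed.

```python
"""Reduce a sandbox network table to unique endpoints (added example)."""
from collections import Counter
from dataclasses import dataclass

# Rows copied from the behavioral2 Network table of this report (duplicates kept).
NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 master.etl.desktop.qq.com udp
US 8.8.8.8:53 c.gj.qq.com udp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
HK 43.135.106.117:80 c.gj.qq.com tcp
HK 43.135.106.117:80 c.gj.qq.com tcp
US 8.8.8.8:53 oth.eve.mdt.qq.com udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
SG 101.33.47.206:8081 oth.eve.mdt.qq.com tcp
SG 101.33.47.206:8081 oth.eve.mdt.qq.com tcp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp
"""


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: str
    proto: str


def parse_rows(text: str) -> list[Flow]:
    """Parse 'Country ip:port domain proto' rows; the header and blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or ":" not in parts[1]:
            continue
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        flows.append(Flow(country, ip, int(port), domain, proto.lower()))
    return flows


def is_dns_query(flow: Flow) -> bool:
    return flow.proto == "udp" and flow.port == 53


def summarize(flows: list[Flow], expected_suffixes=(".qq.com",)) -> dict:
    """Separate DNS chatter from real connections and flag domains outside the allow-list.

    Reverse (PTR) lookups under in-addr.arpa name an address, not a contacted
    service, so they are kept apart and never counted as resolved domains.
    """
    connections = Counter()
    resolved, ptr_lookups = set(), set()
    for f in flows:
        if is_dns_query(f):
            (ptr_lookups if f.domain.endswith(".in-addr.arpa") else resolved).add(f.domain)
            continue
        connections[(f.domain, f.ip, f.port, f.proto)] += 1
    contacted = resolved | {domain for domain, _, _, _ in connections}
    unexpected = {d for d in contacted
                  if not any(d.endswith(s) for s in expected_suffixes)}
    return {
        "connections": dict(connections),
        "resolved": resolved,
        "ptr_lookups": ptr_lookups,
        "unexpected": unexpected,
    }


if __name__ == "__main__":
    report = summarize(parse_rows(NETWORK_TABLE))
    for (domain, ip, port, proto), n in sorted(report["connections"].items()):
        print(f"{proto} {ip}:{port:<5} {domain} x{n}")
    print("PTR lookups:", sorted(report["ptr_lookups"]))
    print("unexpected:", sorted(report["unexpected"]) or "none")
```

Run against the rows above, the eleven-line table collapses to three TCP endpoints (157.255.4.39:443, 43.135.106.117:80 and 101.33.47.206:8081), three resolved qq.com names and two PTR lookups, with nothing outside the expected suffix; a row for a domain such as evil.example would appear under "unexpected".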

Files

C:\Users\Admin\AppData\Local\Temp\TencentDownload\~e572710\QQPCDownload.dll

MD5 9d44d2a1e8c988979a2f7d77a4f038fa
SHA1 d91d84512e7ce2957f2b4e6fc2d97d04ba7f1557
SHA256 fd1af002dd83bb74d244414df2bd90553050486671410aec2a9dea729114aa2f
SHA512 4d14b1099e5104ee9b853b2201c08fef8fff16953e530b19c18df73e0fb2bb8f018b10c1070c37420f63156fb9b203bbce3f90d1f4c2fee7a9f7a2a7fc33d657

C:\ProgramData\Tencent\DeskUpdate\Guid.db

MD5 8ecaf420539b9f96aff88d42f55cb445
SHA1 2bae46284ec361705dbb05a1c1dc2d08a697284a
SHA256 4996eebd89eb68d514669a0b0b2f7e5c6c168844d71477c1b220dafce86beb35
SHA512 695ca720bf64a6a90465b0c0d70db75e09b6e67d31b9492cff9e24fa0dc2a7381e50d9d2740ac7a3ac38398bf1103b5d94bb457c15ab64d22c5e108ad09639b5

C:\ProgramData\Tencent\DeskUpdate\GuidInfo.db

MD5 a143c7b6b8bebc7046677be1a7270aa6
SHA1 72399aafa1eb19734268fcd9909e801d2c8644d4
SHA256 764f954ce734095be720ebdd6cbf6f2d2c8469491214063bfd457605d0a14623
SHA512 c5e646b58d58c14c4eb70def72acf35febd7ebe5ddef19bf2e63357fb4d98eb7f4204d517c7413ec7591e5434683a4ce54f4c8d13144eee0f6795817fc9c992c

C:\ProgramData\Tencent\DeskUpdate\GuidList.db

MD5 61ea8a586825c954d1cc835fc0aac762
SHA1 ce648f55e869b9883fb98160a83f750c0504817c
SHA256 8b4fa3d767e1109f0e9ece1b31f7ede46e38725233f1301e219e93c603668d96
SHA512 0c3754b3257c97f3fa3bf4956308698cb3e1926c5403f1aaf9dfc02a081f651920dc4ac7a073c00f3d85ce90f0e9b382454364084dcd867e98c609ea1abfe043

C:\Users\Admin\AppData\Roaming\Tencent\DeskUpdate\GlobalMgr.db

MD5 62f0545df12c80cf7fce69d7b787b329
SHA1 24e28042829e0fbdf9aad7d20d1c4b330757c3d9
SHA256 99ea6f1c593ee0e2bb00027e9e4030d6ba3f435e3eaaa4971e7293a441329aa6
SHA512 8fb411ad151642dfa30f42122bc47cb8368966a7be36c817d945b0a12b9eec34c1e1364aa2b27640efc00d47ef78e3a9d95c4e2cfcd71686c0b8377a79bac258

C:\Users\Admin\AppData\Local\Temp\TencentDownload\~e572710\beacon_sdk.dll

MD5 573ec741ba9393c06292c329ca78e50c
SHA1 8f7956a1f2a40af28f0f470b82a90042bdfd836c
SHA256 0118930d91b51e6e4dfea02c4b81c152cbb848e227c02a1dcdc0909b167fdad0
SHA512 741574fecb16a6581c1a8d5fb412752915dc02a0f8b8a485a8fdf0d71005851c5fa6710fba242234a5a9ef250d3d85aff24af7492a16922351ec783d5b9d19cd