Malware Analysis Report

2024-10-18 22:07

Sample ID 240611-rvavzszfqh
Target 3806d309cc0e9e004faf6a22ab8a0b50_NeikiAnalytics.exe
SHA256 b19ce3cafe89be353067a9392da901a195ad3e7fe297a4ea10f0a91a2dd65843
Tags
upx bootkit persistence
score
7/10


Analysis Overview

score
7/10

SHA256

b19ce3cafe89be353067a9392da901a195ad3e7fe297a4ea10f0a91a2dd65843

Threat Level: Shows suspicious behavior

The file 3806d309cc0e9e004faf6a22ab8a0b50_NeikiAnalytics.exe was found to show suspicious behavior.

Malicious Activity Summary

upx bootkit persistence

UPX packed file

Checks BIOS information in registry

Writes to the Master Boot Record (MBR)

Drops file in Program Files directory

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-11 14:30

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 14:30

Reported

2024-06-11 14:32

Platform

win7-20240508-en

Max time kernel

140s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3806d309cc0e9e004faf6a22ab8a0b50_NeikiAnalytics.exe"

Signatures

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\3806d309cc0e9e004faf6a22ab8a0b50_NeikiAnalytics.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\3806d309cc0e9e004faf6a22ab8a0b50_NeikiAnalytics.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\checkwritepermissions.exe | C:\Users\Admin\AppData\Local\Temp\3806d309cc0e9e004faf6a22ab8a0b50_NeikiAnalytics.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3806d309cc0e9e004faf6a22ab8a0b50_NeikiAnalytics.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3806d309cc0e9e004faf6a22ab8a0b50_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3806d309cc0e9e004faf6a22ab8a0b50_NeikiAnalytics.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 content.mql5.com udp
HK 47.52.161.165:443 tcp
NL 78.140.180.43:443 tcp
NL 78.140.180.43:443 tcp
US 142.0.194.252:443 tcp
RU 88.212.244.84:443 tcp
US 206.221.189.58:443 tcp
HK 103.70.3.108:443 tcp
ZA 160.119.248.158:443 tcp
CN 47.95.9.170:443 tcp
HK 47.52.161.165:443 tcp
JP 47.74.14.49:443 tcp
US 142.0.194.252:443 tcp
BR 104.41.54.220:443 tcp
ID 119.235.249.82:443 tcp
NL 188.42.188.236:443 tcp
AU 139.99.161.172:443 tcp
CN 47.100.195.238:443 tcp
CN 120.79.203.118:443 tcp
NL 188.42.188.236:443 tcp
CN 47.100.195.238:443 tcp
CN 120.79.203.118:443 tcp
AU 139.99.161.172:443 tcp
US 142.0.194.252:443 tcp
BR 104.41.54.220:443 tcp
HK 47.52.161.165:443 tcp
JP 47.74.14.49:443 tcp
CN 47.95.9.170:443 tcp
ZA 160.119.248.158:443 tcp
HK 103.70.3.108:443 tcp
RU 88.212.244.84:443 tcp
US 206.221.189.58:443 tcp
NL 78.140.180.43:443 tcp
RU 88.212.244.84:443 tcp
NL 78.140.180.43:443 tcp
CN 120.79.203.118:443 tcp
ZA 160.119.248.158:443 tcp
HK 103.70.3.108:443 tcp
US 206.221.189.58:443 tcp
CN 47.95.9.170:443 tcp
HK 47.52.161.165:443 tcp
BR 104.41.54.220:443 tcp
US 142.0.194.252:443 tcp
JP 47.74.14.49:443 tcp
CN 47.100.195.238:443 tcp
NL 188.42.188.236:443 tcp
AU 139.99.161.172:443 tcp
US 8.8.8.8:53 content.mql5.com udp
US 8.8.8.8:53 content.mql5.com udp
US 8.8.8.8:53 content.mql5.com udp

Files

memory/2932-0-0x0000000000400000-0x0000000000736000-memory.dmp

memory/2932-1-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/2932-2-0x0000000000400000-0x0000000000736000-memory.dmp

memory/2932-3-0x0000000000400000-0x0000000000736000-memory.dmp

memory/2932-4-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/2932-5-0x0000000000400000-0x0000000000736000-memory.dmp

memory/2932-6-0x0000000000400000-0x0000000000736000-memory.dmp

memory/2932-7-0x0000000000400000-0x0000000000736000-memory.dmp

memory/2932-8-0x0000000000400000-0x0000000000736000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 14:30

Reported

2024-06-11 14:32

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3806d309cc0e9e004faf6a22ab8a0b50_NeikiAnalytics.exe"

Signatures

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\3806d309cc0e9e004faf6a22ab8a0b50_NeikiAnalytics.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\3806d309cc0e9e004faf6a22ab8a0b50_NeikiAnalytics.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\checkwritepermissions.exe | C:\Users\Admin\AppData\Local\Temp\3806d309cc0e9e004faf6a22ab8a0b50_NeikiAnalytics.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3806d309cc0e9e004faf6a22ab8a0b50_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3806d309cc0e9e004faf6a22ab8a0b50_NeikiAnalytics.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4012,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=2856 /prefetch:8

Network

Country Destination Domain Proto
US 142.0.194.252:443 tcp
NL 78.140.180.43:443 tcp
CN 47.100.195.238:443 tcp
CN 120.79.203.118:443 tcp
NL 188.42.188.236:443 tcp
AU 139.99.161.172:443 tcp
ID 119.235.249.82:443 tcp
US 142.0.194.252:443 tcp
BR 104.41.54.220:443 tcp
HK 47.52.161.165:443 tcp
CN 47.95.9.170:443 tcp
JP 47.74.14.49:443 tcp
ZA 160.119.248.158:443 tcp
RU 88.212.244.84:443 tcp
US 206.221.189.58:443 tcp
HK 103.70.3.108:443 tcp
HK 47.52.161.165:443 tcp
NL 78.140.180.43:443 tcp
US 8.8.8.8:53 content.mql5.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
HK 103.70.3.108:443 tcp
US 206.221.189.58:443 tcp
RU 88.212.244.84:443 tcp
ZA 160.119.248.158:443 tcp
JP 47.74.14.49:443 tcp
HK 47.52.161.165:443 tcp
CN 47.95.9.170:443 tcp
BR 104.41.54.220:443 tcp
US 142.0.194.252:443 tcp
AU 139.99.161.172:443 tcp
CN 120.79.203.118:443 tcp
NL 188.42.188.236:443 tcp
CN 47.100.195.238:443 tcp
NL 78.140.180.43:443 tcp
ZA 160.119.248.158:443 tcp
US 206.221.189.58:443 tcp
RU 88.212.244.84:443 tcp
JP 47.74.14.49:443 tcp
HK 103.70.3.108:443 tcp
HK 47.52.161.165:443 tcp
CN 47.95.9.170:443 tcp
US 142.0.194.252:443 tcp
BR 104.41.54.220:443 tcp
AU 139.99.161.172:443 tcp
NL 78.140.180.43:443 tcp
CN 120.79.203.118:443 tcp
NL 188.42.188.236:443 tcp
CN 47.100.195.238:443 tcp
US 8.8.8.8:53 content.mql5.com udp
US 8.8.8.8:53 content.mql5.com udp
US 8.8.8.8:53 content.mql5.com udp

Files

memory/2168-0-0x0000000000400000-0x0000000000736000-memory.dmp

memory/2168-1-0x0000000000400000-0x0000000000736000-memory.dmp

memory/2168-2-0x0000000000400000-0x0000000000736000-memory.dmp

memory/2168-3-0x0000000000400000-0x0000000000736000-memory.dmp

memory/2168-4-0x0000000000400000-0x0000000000736000-memory.dmp

memory/2168-5-0x0000000000400000-0x0000000000736000-memory.dmp