Malware Analysis Report

2025-01-18 02:22

Sample ID: 240613-bpr93syerf
Target: 53276cf69675538d958c1d9794692240_NeikiAnalytics.exe
SHA256: d5b8ff1e2ad6a280c4d0d3fbc90aa16115fa69cac2688f1e7260d1f2dfbb7392
Tags: (none)
Score: 7/10


Analysis Overview

Score: 7/10

SHA256: d5b8ff1e2ad6a280c4d0d3fbc90aa16115fa69cac2688f1e7260d1f2dfbb7392

Threat Level: Shows suspicious behavior

The file 53276cf69675538d958c1d9794692240_NeikiAnalytics.exe was found to show suspicious behavior.

Malicious Activity Summary

Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-13 01:19

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 01:19
Reported: 2024-06-13 01:22
Platform: win7-20240611-en
Max time kernel: 120s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\53276cf69675538d958c1d9794692240_NeikiAnalytics.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\53276cf69675538d958c1d9794692240_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\53276cf69675538d958c1d9794692240_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\gewos.exe

"C:\Users\Admin\AppData\Local\Temp\gewos.exe"

Network

Country  Destination        Domain     Proto
US       8.8.8.8:53         nasap.net  udp
US       35.212.119.5:443   nasap.net  tcp

Files

memory/2088-8-0x00000000003F0000-0x00000000003F6000-memory.dmp

memory/2088-1-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2088-0-0x00000000003F0000-0x00000000003F6000-memory.dmp

\Users\Admin\AppData\Local\Temp\gewos.exe

MD5: deb8ba6e0b6141ad68cb88b9cf51bb9b
SHA1: 55bc60603da67940ee0888adcef1f2e04439cd4c
SHA256: a4135e56aa1177c2dcb14dc1b47d6d017ac6c4ff2c252bc46159dbb42f1078cc
SHA512: bf6a11bf3a931bcd5c5defaf3d5a6efbbe2fa430dc3924c20126abc0627588c8beb3c252f9ef8865447e341eeaad0171c17df0861d4335622bc31279f9537f74

memory/2992-23-0x0000000000290000-0x0000000000296000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-13 01:19
Reported: 2024-06-13 01:22
Platform: win10v2004-20240611-en
Max time kernel: 91s
Max time network: 95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\53276cf69675538d958c1d9794692240_NeikiAnalytics.exe"

Signatures

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\gewos.exe
Target: N/A

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\53276cf69675538d958c1d9794692240_NeikiAnalytics.exe
Target: N/A

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\gewos.exe
Target: N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\53276cf69675538d958c1d9794692240_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\53276cf69675538d958c1d9794692240_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\gewos.exe

"C:\Users\Admin\AppData\Local\Temp\gewos.exe"

Network

Country  Destination        Domain                            Proto
US       8.8.8.8:53         nasap.net                         udp
US       35.212.119.5:443   nasap.net                         tcp
US       8.8.8.8:53         5.119.212.35.in-addr.arpa         udp
US       8.8.8.8:53         0.159.190.20.in-addr.arpa         udp
US       8.8.8.8:53         172.210.232.199.in-addr.arpa      udp
US       8.8.8.8:53         26.35.223.20.in-addr.arpa         udp
US       8.8.8.8:53         226.20.18.104.in-addr.arpa        udp
US       8.8.8.8:53         26.165.165.52.in-addr.arpa        udp
US       8.8.8.8:53         171.39.242.20.in-addr.arpa        udp

Files

memory/3684-0-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

memory/3684-1-0x0000000000400000-0x0000000000406000-memory.dmp

memory/3684-8-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gewos.exe

MD5: deb8ba6e0b6141ad68cb88b9cf51bb9b
SHA1: 55bc60603da67940ee0888adcef1f2e04439cd4c
SHA256: a4135e56aa1177c2dcb14dc1b47d6d017ac6c4ff2c252bc46159dbb42f1078cc
SHA512: bf6a11bf3a931bcd5c5defaf3d5a6efbbe2fa430dc3924c20126abc0627588c8beb3c252f9ef8865447e341eeaad0171c17df0861d4335622bc31279f9537f74

memory/1096-25-0x0000000002120000-0x0000000002126000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gewosik.exe

MD5: ed6c1748047b655738b4e8db542eab8c
SHA1: ea6807dcbc8ab73bba372e24c47caefe416d0037
SHA256: 277b5e83e98c7790dec1d2b1f33c20237497bed5ee0e1ef77862c81009129cb5
SHA512: 8b2c7352f4c282ef02e9c8e9f3d2f385ee4ee47271b447459b7e14c2230f2ffdccc1c6d2d4282303b30bcf93971b85468f5b25c46c1bc0d7b33ae05337b37b6e