Malware Analysis Report

2025-04-14 03:40

Sample ID 240613-d8xd9ashqf
Target 5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe
SHA256 556b8d92546fa667f592c958ec2575e2d4a9702faa7e480effe433fe92d06b53
Tags
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

556b8d92546fa667f592c958ec2575e2d4a9702faa7e480effe433fe92d06b53

Threat Level: Shows suspicious behavior

The file 5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe shows suspicious behavior.

Malicious Activity Summary


Executes dropped EXE

Uses the VBS compiler for execution

Checks computer location settings

Deletes itself

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 03:41

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 03:41

Reported

2024-06-13 03:43

Platform

win7-20240419-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe"

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpBF3.tmp.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpBF3.tmp.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe | N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2176 wrote to memory of 2296 | N/A | C:\Users\Admin\AppData\Local\Temp\5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2176 wrote to memory of 2296 | N/A | C:\Users\Admin\AppData\Local\Temp\5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2176 wrote to memory of 2296 | N/A | C:\Users\Admin\AppData\Local\Temp\5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2176 wrote to memory of 2296 | N/A | C:\Users\Admin\AppData\Local\Temp\5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2296 wrote to memory of 2668 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2296 wrote to memory of 2668 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2296 wrote to memory of 2668 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2296 wrote to memory of 2668 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2176 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\tmpBF3.tmp.exe
PID 2176 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\tmpBF3.tmp.exe
PID 2176 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\tmpBF3.tmp.exe
PID 2176 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\tmpBF3.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jus1lxfg\jus1lxfg.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD59.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc76F0052D22784AB5B4D9EE5D3577110.TMP"

C:\Users\Admin\AppData\Local\Temp\tmpBF3.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpBF3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe
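The process list above is the whole story of this sample in one chain: the .NET parent in %TEMP% hands vbc.exe a CodeDOM-style response file (an 8-character random directory containing a .cmdline and a .0.vb source), vbc.exe calls cvtres.exe to build the resource object, the parent then starts the freshly compiled tmpBF3.tmp.exe with its own path as the only argument, and the report's "Deletes itself" signature is attributed to that helper. The WriteProcessMemory rows pair each parent with the child it has just created; a parent writing into a child it is creating is what the sandbox records for ordinary process start-up, so the chain is better detected from command lines and parent/child relationships than from that signature alone. The script below is an added example written for this page, not output of the sandbox or code from the sample. It runs the two detection rules over process-creation events constructed from the behavioral1 table (PIDs, images and command lines are copied from the report; the parent links are taken from the WriteProcessMemory pairs) plus a constructed benign MSBuild build as a control; the 8-character directory shape and the tmpXXXX.tmp.exe / RESXXXX.tmp name forms are assumptions generalized from the two detonations shown.

```python
"""Detect the runtime-compile + self-delete chain from process-creation events."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon event ID 1 or an EDR equivalent)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


COMPILERS = {"vbc.exe", "csc.exe"}
BUILD_TOOLS = {"msbuild.exe", "devenv.exe", "dotnet.exe"}
# Assumption: CodeDOM response files live in <dir>\<8 random chars>\<same>.cmdline,
# as both detonations in the report show (jus1lxfg, ayslngl1).
CODEDOM_RSP = re.compile(r'/noconfig\s+@"?[^"\s]*\\([a-z0-9]{8})\\\1\.cmdline"?', re.I)
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp|Downloads|Public)\\", re.I)
# Assumption: GetTempFileName-style names, tmp + up to four hex digits + .tmp, plus .exe.
TMP_EXE = re.compile(r"\\tmp[0-9a-f]{1,4}\.tmp\.exe$", re.I)

# Constructed sample: behavioral1 process tree from the report, plus a benign control.
ORIG = r"C:\Users\Admin\AppData\Local\Temp\5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
CVTRES = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\tmpBF3.tmp.exe"
MSBUILD = r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe"

SAMPLE_EVENTS = [
    ProcEvent(2176, 1000, ORIG, f'"{ORIG}"'),
    ProcEvent(2296, 2176, VBC,
              f'"{VBC}" /noconfig @"C:\\Users\\Admin\\AppData\\Local\\Temp\\jus1lxfg\\jus1lxfg.cmdline"'),
    ProcEvent(2668, 2296, CVTRES,
              f'{CVTRES} /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\\Users\\Admin\\AppData\\Local\\Temp\\RESD59.tmp" '
              f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\vbc76F0052D22784AB5B4D9EE5D3577110.TMP"'),
    ProcEvent(2780, 2176, DROPPED, f'"{DROPPED}" {ORIG}'),
    # Benign control (constructed): a normal MSBuild-driven VB compile must not fire.
    ProcEvent(4000, 1, MSBUILD, f'"{MSBUILD}" app.vbproj'),
    ProcEvent(4100, 4000, VBC, f'"{VBC}" /noconfig @"C:\\src\\app\\obj\\Debug\\app.vbproj.rsp"'),
]


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _args(cmdline: str) -> list:
    """Minimal Windows command-line splitter: quoted tokens or whitespace-separated tokens."""
    return [q or b for q, b in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def find_runtime_compilation(events) -> list:
    """(parent_pid, compiler_pid) where a non-build-tool from a user-writable path
    drives vbc/csc with a CodeDOM response file."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if _base(e.image) not in COMPILERS:
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or _base(parent.image) in BUILD_TOOLS:
            continue
        if CODEDOM_RSP.search(e.cmdline) and USER_WRITABLE.search(parent.image):
            hits.append((parent.pid, e.pid))
    return hits


def find_self_delete_helper(events) -> list:
    """(parent_pid, helper_pid) where a dropped tmpXXXX.tmp.exe is started with its
    parent's own image path as the sole argument (the parent hands itself over)."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or not TMP_EXE.search(e.image):
            continue
        args = _args(e.cmdline)
        if len(args) == 2 and args[1].lower() == parent.image.lower():
            hits.append((parent.pid, e.pid))
    return hits


def analyze(events) -> dict:
    return {"runtime_compilation": find_runtime_compilation(events),
            "self_delete_helper": find_self_delete_helper(events)}


if __name__ == "__main__":
    for rule, hits in analyze(SAMPLE_EVENTS).items():
        print(f"{rule}: {hits}")
```

Both rules fire on the report's tree (parent 2176 to vbc.exe 2296, and parent 2176 to the helper 2780) and stay silent on the MSBuild control, whose vbc.exe has a build tool as parent and no CodeDOM-shaped response file. Swap SAMPLE_EVENTS for events read from Sysmon or your EDR; the two rules are independent, so either one alone is already a strong lead and both together reproduce this report's chain.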

Network

N/A

Files

memory/2176-0-0x00000000741CE000-0x00000000741CF000-memory.dmp

memory/2176-1-0x00000000000B0000-0x00000000000BA000-memory.dmp

memory/2176-7-0x00000000741C0000-0x00000000748AE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jus1lxfg\jus1lxfg.cmdline

MD5 25e72d4a2faf375db8f11e0c67a0ce39
SHA1 8b2dfcc42cffdbc9ab274b91e325bbf5c7e8ca42
SHA256 21dff971bcd2e9da3998bb965d6324c3ecbef6bb9e861b93ed941fa812911d66
SHA512 f7effcb5009a600e338062c17e4b79181e311796a90e6d4b9040965514113fdb0d0536a7f8b95dbd0aab35f0f269d0b3dd22aace86bf783902259e5959dce578

C:\Users\Admin\AppData\Local\Temp\jus1lxfg\jus1lxfg.0.vb

MD5 f821b7ca619fee37cbc116055abcebcb
SHA1 8448e4196effb57a6fa810bcb419c6583fd0b104
SHA256 f10a7e38e43e6e8b572428e42208ddb552489ac1bdcac1c74ed22ffa406b142b
SHA512 1ff90c3d515031b6670e2d00373065fbd086bf040358b6a633846ff2cac28670c5d17a2cc6fab3fe39d1e85ef82b3d6c48903964841fa32f5db3e19aeffa40a2

C:\Users\Admin\AppData\Local\Temp\RE.resources

MD5 1b6736e61cd284bd9ed369317ddf2816
SHA1 c5d90259f796ef5f5273d8bc2e33e56b75718a44
SHA256 c1c4d1cad7150ae8e4cc8673387428e5ea02656e1ac169225d717be1d17e9eca
SHA512 b4a6b37e4e8bd630bc93bd77b5b8c9c43e76d41e4aa61d61062e34fc7bf60ca38e86ec55d7d8777df958da28d52040fa5be656323ebb412837863506d8e72e18

C:\Users\Admin\AppData\Local\Temp\vbc76F0052D22784AB5B4D9EE5D3577110.TMP

MD5 71f791b532227a4760c9ce341c608a3f
SHA1 b45defc005268a4e48b8218254e83c29568aae83
SHA256 426dafda13629bb50668cf84fbf767fd91ce6f7abe9b291c09631a7909c04d72
SHA512 fac752982d241d29cad46279a53f6651144147f667499f625bf72d5cb3222092f736fbf28fb60693fb44e95922bd9bd575581788a1465baf04e04494f45a1cb3

C:\Users\Admin\AppData\Local\Temp\RESD59.tmp

MD5 8ffa307646f918f6218506cbbf3ea70e
SHA1 38f3744f7cd4523598c311e60e6dc48a14da101f
SHA256 95c28ff73388b1f853a70a59dcfb1ff35357aa3f101f7e0ee184b255bb10a235
SHA512 7a8cc8b52108a22f230931dd2bd0188b73b14acc620e612f19288673abc847fca8bf35e32d722e5259859a7a584c147f2ab9e888c584e1e3eb43b104baeec9fc

C:\Users\Admin\AppData\Local\Temp\tmpBF3.tmp.exe

MD5 0d3ee78f91418a90c48b3441a7275497
SHA1 0309a4ccab2bfa037e734ba5539c87e3294d28bb
SHA256 43a30032b95d02405dcdb0a2483b88ae161eca7e3f15098f7b889f9f454da117
SHA512 116dc2d3919822b41cfbdc0d40a7f108e70aeb9b9828c608e9fb03eadc8c72d5ccc194d1fa8e54c25d85b6c027ee1b34e13a9913091217527481b2b5e8399d89

memory/2780-23-0x0000000000E40000-0x0000000000E4A000-memory.dmp

memory/2176-24-0x00000000741C0000-0x00000000748AE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 03:41

Reported

2024-06-13 03:43

Platform

win10v2004-20240226-en

Max time kernel

143s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp1190.tmp.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp1190.tmp.exe | N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 372 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 372 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 372 wrote to memory of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3468 wrote to memory of 1380 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3468 wrote to memory of 1380 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3468 wrote to memory of 1380 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 372 wrote to memory of 4708 | N/A | C:\Users\Admin\AppData\Local\Temp\5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\tmp1190.tmp.exe
PID 372 wrote to memory of 4708 | N/A | C:\Users\Admin\AppData\Local\Temp\5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\tmp1190.tmp.exe
PID 372 wrote to memory of 4708 | N/A | C:\Users\Admin\AppData\Local\Temp\5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\tmp1190.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ayslngl1\ayslngl1.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES17B9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3DABE817A08B45D5B9FDAFC7F165D595.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp1190.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp1190.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5b8124efa3870bf2ca1af51ca7bec250_NeikiAnalytics.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3708 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 234.17.178.52.in-addr.arpa udp

Files

memory/372-0-0x0000000074DDE000-0x0000000074DDF000-memory.dmp

memory/372-1-0x0000000000010000-0x000000000001A000-memory.dmp

memory/372-2-0x0000000004A00000-0x0000000004A9C000-memory.dmp

memory/372-8-0x0000000074DD0000-0x0000000075580000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ayslngl1\ayslngl1.cmdline

MD5 a495b5ba7062c1e954a7da069aed6f3b
SHA1 67fe669fc098312f43f76dcb7011d34142dd454d
SHA256 38c1d0f1b925e824bc4730f1d04043654648ec27a9a604e5b84d177f24deafbf
SHA512 f691912b8c5c5476359c29873ddf0061dc7caec108c0ebe05f5ba8aea1d603a43342ad9a772e1faa3e6af2b171c1ff3fe6206f2f56a018fe5e26558a4a46e52b

C:\Users\Admin\AppData\Local\Temp\ayslngl1\ayslngl1.0.vb

MD5 364fab18b0986a8769ac6e83468b7fbd
SHA1 0e508b1cf540c99e855b5c6b460b2f958292833f
SHA256 2f1204ab3bc91884c335a55e2d2fa8e0068d0b54b3c142d550426e32e354e91b
SHA512 2e56ed62c9ff018c52e441f3fa8ac60034d2a33e41b17088f3a662669f7ebd859ed8b107bb3f1256aa8f344979ffe79b38f859fdf5d0b67be703577d435db3cc

C:\Users\Admin\AppData\Local\Temp\RE.resources

MD5 5e7b2092c047dc49cf4a2216bba40e65
SHA1 c9226dc61e01b2120637a883300b6a7df7fef372
SHA256 e5c07295fbcf3c95f2571b4a0275583052fa34c05af8615ff2430f512536dacb
SHA512 940015fa450737497944903d8495bf01c6f752deb5a4d07376caaabd6e82e3849d4588ed39ed2df4e1aa7aa7f82be0968dc96c0eaf664f576d6c2af27ede654c

C:\Users\Admin\AppData\Local\Temp\vbc3DABE817A08B45D5B9FDAFC7F165D595.TMP

MD5 7fd5996809bce2f7e15fbd8150649ed1
SHA1 99a41231d6413c036122a620a8d7ab4272f8a1b5
SHA256 bc1caee9e9e934b27422593e772ff423c4f007255dea3402e712b8ef4321f17d
SHA512 a4d78a503355f23e883fd2bf9eb706439a32a26e823e79af57d260659620a2b4fe5b3f6d901896ad42f6596837d58ab4e15d59a53af7a360fd2cdaf41f012148

C:\Users\Admin\AppData\Local\Temp\RES17B9.tmp

MD5 5a0ff236e006173b1f823044bb582543
SHA1 3076d375decede90d61eb0cac3f72a42305e7a14
SHA256 e040b597dcc7029c3364014ed56644fce3b3f395bcb614d4a32d20b51e9e7a7f
SHA512 9ab50427659842136c4f55c189ed88026db4ca11559ab0162ddaa5c7017f4e5fe07540c7034edc99da57718427654539bddf747256486581f3f4f111f0710772

C:\Users\Admin\AppData\Local\Temp\tmp1190.tmp.exe

MD5 fd7cc7bb35bb4e7481a76eb94b7bc9de
SHA1 52f56906bc3ab79191905b6503217e044eb99862
SHA256 84317ef067b4049074f9aec2d009730be10b3e8a6846b08e65ed49249c3d73f8
SHA512 7205cb52cdba0a26abc6b3e7262823db7c04d5fc2cc32c1425a4e5355c0af4e924442f435a9101280f51b45fbc8c393d01584b9b9da76442a33a8b04fc5c48f2

memory/4708-24-0x0000000000690000-0x000000000069A000-memory.dmp

memory/4708-25-0x0000000074DD0000-0x0000000075580000-memory.dmp

memory/372-26-0x0000000074DD0000-0x0000000075580000-memory.dmp

memory/4708-27-0x0000000005610000-0x0000000005BB4000-memory.dmp

memory/4708-28-0x0000000005060000-0x00000000050F2000-memory.dmp

memory/4708-30-0x0000000074DD0000-0x0000000075580000-memory.dmp
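Comparing the Files tables of behavioral1 and behavioral2 shows that every dropped artifact, the compiled tmpXXXX.tmp.exe included, has a different name and a different hash in each run, so none of those hashes is a useful pivot; only the parent's SHA256 and the behavior pattern are stable. The script below is an added example for this page, not part of the sandbox report, that makes this check mechanical: it normalizes the randomized temporary names and reports which artifacts keep the same hash across detonations. The SHA256 values and paths are copied from the two tables above (memory dumps are left out); the name patterns it normalizes (8-character CodeDOM directory, tmpXXXX.tmp, RESXXXX.tmp, vbc<hex>.TMP) are assumptions generalized from the two runs shown, and the placeholders such as <rand8> are this example's own notation.

```python
"""Normalize CodeDOM temp-file names and find hash-stable artifacts across sandbox runs."""
import re

# Constructed from the two Files tables in this report (SHA256 only, memory dumps omitted).
T = r"C:\Users\Admin\AppData\Local\Temp"
REPORT_FILES = {
    "behavioral1": {
        T + r"\jus1lxfg\jus1lxfg.cmdline": "21dff971bcd2e9da3998bb965d6324c3ecbef6bb9e861b93ed941fa812911d66",
        T + r"\jus1lxfg\jus1lxfg.0.vb": "f10a7e38e43e6e8b572428e42208ddb552489ac1bdcac1c74ed22ffa406b142b",
        T + r"\RE.resources": "c1c4d1cad7150ae8e4cc8673387428e5ea02656e1ac169225d717be1d17e9eca",
        T + r"\vbc76F0052D22784AB5B4D9EE5D3577110.TMP": "426dafda13629bb50668cf84fbf767fd91ce6f7abe9b291c09631a7909c04d72",
        T + r"\RESD59.tmp": "95c28ff73388b1f853a70a59dcfb1ff35357aa3f101f7e0ee184b255bb10a235",
        T + r"\tmpBF3.tmp.exe": "43a30032b95d02405dcdb0a2483b88ae161eca7e3f15098f7b889f9f454da117",
    },
    "behavioral2": {
        T + r"\ayslngl1\ayslngl1.cmdline": "38c1d0f1b925e824bc4730f1d04043654648ec27a9a604e5b84d177f24deafbf",
        T + r"\ayslngl1\ayslngl1.0.vb": "2f1204ab3bc91884c335a55e2d2fa8e0068d0b54b3c142d550426e32e354e91b",
        T + r"\RE.resources": "e5c07295fbcf3c95f2571b4a0275583052fa34c05af8615ff2430f512536dacb",
        T + r"\vbc3DABE817A08B45D5B9FDAFC7F165D595.TMP": "bc1caee9e9e934b27422593e772ff423c4f007255dea3402e712b8ef4321f17d",
        T + r"\RES17B9.tmp": "e040b597dcc7029c3364014ed56644fce3b3f395bcb614d4a32d20b51e9e7a7f",
        T + r"\tmp1190.tmp.exe": "84317ef067b4049074f9aec2d009730be10b3e8a6846b08e65ed49249c3d73f8",
    },
}

# Assumed name shapes, generalized from the two runs above; first match wins.
PATTERNS = [
    (re.compile(r"\\[a-z0-9]{8}\\[a-z0-9]{8}(\.cmdline|\.0\.vb)$", re.I),
     lambda m: "\\<rand8>\\<rand8>" + m.group(1)),          # CodeDOM work dir
    (re.compile(r"\\tmp[0-9a-f]{1,4}\.tmp\.exe$", re.I), lambda m: "\\tmp<rand>.tmp.exe"),
    (re.compile(r"\\RES[0-9a-f]{1,4}\.tmp$", re.I), lambda m: "\\RES<rand>.tmp"),
    (re.compile(r"\\vbc[0-9a-f]+\.TMP$", re.I), lambda m: "\\vbc<hex>.TMP"),
]


def normalize(path: str) -> str:
    """Replace run-specific random components so the same artifact groups across runs."""
    for pattern, repl in PATTERNS:
        path, n = pattern.subn(repl, path)
        if n:
            break
    return path


def compare_runs(files_by_run: dict):
    """Return (table, stable, volatile): table maps normalized name -> {run: sha256};
    stable holds names present in every run with one hash, volatile those whose hash changes."""
    table = {}
    for run, files in files_by_run.items():
        for path, sha in files.items():
            table.setdefault(normalize(path), {})[run] = sha
    seen_everywhere = {k for k, v in table.items() if len(v) == len(files_by_run)}
    stable = {k for k in seen_everywhere if len(set(table[k].values())) == 1}
    volatile = seen_everywhere - stable
    return table, stable, volatile


if __name__ == "__main__":
    table, stable, volatile = compare_runs(REPORT_FILES)
    print("stable across runs:  ", sorted(stable) or "none")
    print("volatile across runs:", sorted(volatile))
```

For this report all six artifacts normalize to the same name in both runs and all six are volatile, which is the expected result for a CodeDOM compile-on-the-fly sample: the source, response file and output binary are regenerated each time. Block on the parent SHA256 from the header and on the vbc.exe/cvtres.exe chain rather than on any of the dropped-file hashes.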