Malware Analysis Report

2025-01-06 07:34

Sample ID 240613-f5kbmawaqf
Target 620ea918f02f6153185e4556ea439af0_NeikiAnalytics.exe
SHA256 b1be34e61f92e6db8fa44d2e0714dae1bb1ec42347fdd9d2fb28ebb82f341f1a
Tags evasion
Score 9/10

Analysis Overview

Score 9/10

SHA256 b1be34e61f92e6db8fa44d2e0714dae1bb1ec42347fdd9d2fb28ebb82f341f1a

Threat Level: Likely malicious

The file 620ea918f02f6153185e4556ea439af0_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

evasion

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Identifies Wine through registry keys

Suspicious use of NtSetInformationThreadHideFromDebugger

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 05:27

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 05:27

Reported

2024-06-13 05:29

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\620ea918f02f6153185e4556ea439af0_NeikiAnalytics.dll

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Windows\SysWOW64\regsvr32.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\regsvr32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Windows\SysWOW64\regsvr32.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Wine C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{46E044D0-A3C4-4CFE-81D2-7891E1860C52}\ = "CyberLink Audio Digital Transcoder" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{46E044D0-A3C4-4CFE-81D2-7891E1860C52}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\620ea918f02f6153185e4556ea439af0_NeikiAnalytics.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DAB2B36-9F8F-4499-8AF3-8E1C2F2ACECD}\ = "CyberLink Audio Digital Transcoder Property Page" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{46E044D0-A3C4-4CFE-81D2-7891E1860C52}\CLSID = "{46E044D0-A3C4-4CFE-81D2-7891E1860C52}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{46E044D0-A3C4-4CFE-81D2-7891E1860C52}\FilterData = 0200000000002000020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330800000000000000010000000000000000000000307479330000000060000000700000006175647300001000800000aa00389b710100000000001000800000aa00389b71 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{46E044D0-A3C4-4CFE-81D2-7891E1860C52}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DAB2B36-9F8F-4499-8AF3-8E1C2F2ACECD}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\620ea918f02f6153185e4556ea439af0_NeikiAnalytics.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{46E044D0-A3C4-4CFE-81D2-7891E1860C52} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{46E044D0-A3C4-4CFE-81D2-7891E1860C52} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DAB2B36-9F8F-4499-8AF3-8E1C2F2ACECD}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DAB2B36-9F8F-4499-8AF3-8E1C2F2ACECD}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{46E044D0-A3C4-4CFE-81D2-7891E1860C52}\FriendlyName = "CyberLink Audio Digital Transcoder" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{46E044D0-A3C4-4CFE-81D2-7891E1860C52}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DAB2B36-9F8F-4499-8AF3-8E1C2F2ACECD} C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1360 wrote to memory of 1400 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1360 wrote to memory of 1400 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1360 wrote to memory of 1400 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\620ea918f02f6153185e4556ea439af0_NeikiAnalytics.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\620ea918f02f6153185e4556ea439af0_NeikiAnalytics.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/1400-0-0x0000000010000000-0x000000001047F000-memory.dmp

memory/1400-1-0x0000000077224000-0x0000000077226000-memory.dmp

memory/1400-2-0x0000000010000000-0x000000001047F000-memory.dmp

memory/1400-3-0x0000000010000000-0x000000001047F000-memory.dmp

memory/1400-5-0x0000000002950000-0x0000000002951000-memory.dmp

memory/1400-4-0x0000000002940000-0x0000000002941000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 05:27

Reported

2024-06-13 05:29

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\620ea918f02f6153185e4556ea439af0_NeikiAnalytics.dll

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Windows\SysWOW64\regsvr32.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\regsvr32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Windows\SysWOW64\regsvr32.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Wine C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46E044D0-A3C4-4CFE-81D2-7891E1860C52}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\620ea918f02f6153185e4556ea439af0_NeikiAnalytics.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DAB2B36-9F8F-4499-8AF3-8E1C2F2ACECD}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\620ea918f02f6153185e4556ea439af0_NeikiAnalytics.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46E044D0-A3C4-4CFE-81D2-7891E1860C52} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46E044D0-A3C4-4CFE-81D2-7891E1860C52}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DAB2B36-9F8F-4499-8AF3-8E1C2F2ACECD}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{46E044D0-A3C4-4CFE-81D2-7891E1860C52}\FilterData = 0200000000002000020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330800000000000000010000000000000000000000307479330000000060000000700000006175647300001000800000aa00389b710100000000001000800000aa00389b71 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46E044D0-A3C4-4CFE-81D2-7891E1860C52}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DAB2B36-9F8F-4499-8AF3-8E1C2F2ACECD}\ = "CyberLink Audio Digital Transcoder Property Page" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DAB2B36-9F8F-4499-8AF3-8E1C2F2ACECD}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DAB2B36-9F8F-4499-8AF3-8E1C2F2ACECD} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{46E044D0-A3C4-4CFE-81D2-7891E1860C52} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{46E044D0-A3C4-4CFE-81D2-7891E1860C52}\FriendlyName = "CyberLink Audio Digital Transcoder" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{46E044D0-A3C4-4CFE-81D2-7891E1860C52}\CLSID = "{46E044D0-A3C4-4CFE-81D2-7891E1860C52}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46E044D0-A3C4-4CFE-81D2-7891E1860C52}\ = "CyberLink Audio Digital Transcoder" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\620ea918f02f6153185e4556ea439af0_NeikiAnalytics.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\620ea918f02f6153185e4556ea439af0_NeikiAnalytics.dll

Network

N/A

Files

memory/2436-0-0x0000000010000000-0x000000001047F000-memory.dmp

memory/2436-1-0x0000000010000000-0x000000001047F000-memory.dmp

memory/2436-2-0x0000000010000000-0x000000001047F000-memory.dmp