Malware Analysis Report

2025-04-14 03:20

Sample ID 240613-fr2nrayfml
Target 60b7aa4ea638f374b44cc2676ad447a0_NeikiAnalytics.exe
SHA256 ad90736eea120efefa04cb406bd4ec115cd82fa3df4069754db280d7d7714e87
Tags
score
3/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
3/10

SHA256

ad90736eea120efefa04cb406bd4ec115cd82fa3df4069754db280d7d7714e87

Threat Level: Likely benign

The file 60b7aa4ea638f374b44cc2676ad447a0_NeikiAnalytics.exe was found to be: Likely benign.

Malicious Activity Summary
Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 05:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 05:07

Reported

2024-06-13 05:09

Platform

win7-20240419-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\60b7aa4ea638f374b44cc2676ad447a0_NeikiAnalytics.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\60b7aa4ea638f374b44cc2676ad447a0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\60b7aa4ea638f374b44cc2676ad447a0_NeikiAnalytics.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lmf4xdhj\lmf4xdhj.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES362D.tmp" "c:\Users\Admin\AppData\Local\Temp\lmf4xdhj\CSC7246D83EFB04449293A5591839A692.TMP"

Network

N/A

Files

memory/2844-0-0x0000000000300000-0x0000000000301000-memory.dmp

memory/2844-9-0x0000000000300000-0x0000000000301000-memory.dmp

memory/2844-10-0x000007FEF5343000-0x000007FEF5344000-memory.dmp

memory/2844-11-0x0000000001EE0000-0x0000000001EFA000-memory.dmp

memory/2844-12-0x000007FEF5340000-0x000007FEF5D2C000-memory.dmp

memory/2844-13-0x000007FEF5340000-0x000007FEF5D2C000-memory.dmp

memory/2844-16-0x000007FEF5340000-0x000007FEF5D2C000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\lmf4xdhj\lmf4xdhj.cmdline

MD5 49e55b24a9ec01b6184ee586134b59e7
SHA1 b216465f491ec25694bb988094397fdfe065ec7a
SHA256 2ef8381d29dc5570b834711d6c426b90e92b3390f94b77a700b8d7bc1727c0db
SHA512 813c3a49722e9b4522617fff7268825fdb5605a0396e0927eeafad4909b26b5a0b79e8bca322fb2ea2245329fca1ef14dd04412bf7c6473c2054180e1a5033e5

\??\c:\Users\Admin\AppData\Local\Temp\lmf4xdhj\lmf4xdhj.0.cs

MD5 f420ebb3150f0764331a33377a7451b8
SHA1 8ed9b9d610e8ab76aea82a3830ad31059517630b
SHA256 dfb6ab38744b3a4e17cf7fa75b3126e88cbeabc907008f3921ff41c523a99a27
SHA512 b92767736261cb7c10f58576c44e62cd0d105e90e139b376d52ccb5cb7ca189205a1f7d7a5fec5d739f8763eded8b5c55b9057217fe9a55b1e151dc700760cbd

\??\c:\Users\Admin\AppData\Local\Temp\lmf4xdhj\CSC7246D83EFB04449293A5591839A692.TMP

MD5 a4a09bcd01de34331b1ba7d079e3bfc9
SHA1 a9cc4b4dec111d5c0b9471ee25bb8b7adc825b0d
SHA256 fdddfa95f89a2b6cc75e84d0842849a46a9782ab8e56ab7992b6b5f2d28151a2
SHA512 defb2556b0cdeff9915581f1ae0cedd719b0b70c79fbc81b2b0dba76c6d4a7825bee5cf2586775825bc99ea05e8d2ac9e649c909696e6f1fbcbc3205369269f4

C:\Users\Admin\AppData\Local\Temp\RES362D.tmp

MD5 166767e26e73aecb2f3433bd3107d1c3
SHA1 e9c5e275ba6b6b43c00dbcde8b20d94aa9d7ac5c
SHA256 ad6c77a461ec6bf78b23444c7b592a38f29c0e83d0fb8d713e85f5bfca8a6f55
SHA512 a549be3a6aca24955d4b71829a4e83efad72d7580db7495b93a3d75419a158d9e4e9943eab18deab31dad5238fd6b24261deaf0fff341bbb7f4dd397beba4222

C:\Users\Admin\AppData\Local\Temp\lmf4xdhj\lmf4xdhj.dll

MD5 6a4a1e65b4f7677261a2ac919c083e3c
SHA1 cf6fa0cbb250b3dbecc51b3949daa7cda408985a
SHA256 8e1a15fde0a411775eee6f8245fb08097cd4a2aa88a44534b39d0840c544af50
SHA512 07d1d82b16fbaf436a296190b5d1b4ced9e3473d9736e2011dcd7fdd3a11d725a550f0390fb156c5b23708140971b924c8af42f2aa69517111bdaeda8ba9b80d

memory/2844-27-0x0000000001F20000-0x0000000001F28000-memory.dmp

memory/2844-29-0x000000013FFC0000-0x0000000140019000-memory.dmp

memory/2844-30-0x000007FEF5340000-0x000007FEF5D2C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 05:07

Reported

2024-06-13 05:09

Platform

win10v2004-20240611-en

Max time kernel

93s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\60b7aa4ea638f374b44cc2676ad447a0_NeikiAnalytics.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\60b7aa4ea638f374b44cc2676ad447a0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\60b7aa4ea638f374b44cc2676ad447a0_NeikiAnalytics.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\h1nmufib\h1nmufib.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES55FF.tmp" "c:\Users\Admin\AppData\Local\Temp\h1nmufib\CSCAD75CB55BBBB45DB945D976598DD419F.TMP"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp

Files

memory/3880-0-0x0000020DE9F70000-0x0000020DE9F71000-memory.dmp

memory/3880-9-0x0000020DE9F70000-0x0000020DE9F71000-memory.dmp

memory/3880-10-0x00007FFEFCBB0000-0x00007FFEFCDA5000-memory.dmp

memory/3880-11-0x00007FFEDE553000-0x00007FFEDE555000-memory.dmp

memory/3880-12-0x0000020DEA090000-0x0000020DEA0AA000-memory.dmp

memory/3880-16-0x00007FFEDE550000-0x00007FFEDF011000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\h1nmufib\h1nmufib.0.cs

MD5 f420ebb3150f0764331a33377a7451b8
SHA1 8ed9b9d610e8ab76aea82a3830ad31059517630b
SHA256 dfb6ab38744b3a4e17cf7fa75b3126e88cbeabc907008f3921ff41c523a99a27
SHA512 b92767736261cb7c10f58576c44e62cd0d105e90e139b376d52ccb5cb7ca189205a1f7d7a5fec5d739f8763eded8b5c55b9057217fe9a55b1e151dc700760cbd

memory/3880-18-0x00007FFEDE550000-0x00007FFEDF011000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\h1nmufib\h1nmufib.cmdline

MD5 595f41431e15d03d04ec94b621a9fda1
SHA1 083b8aff98f97bee80f25b7cc1b4f1e4a187e4ed
SHA256 86a3d0ff1b1405f8f230882967e26fd1dca5e0082cb2ac45096557cc4a61bedb
SHA512 208996b825cbfb8deaa9ce9a8b36987ddccfd67b079140729f7bae03aa13902a82865db84e5af9563ea1ef73ead2f2ecad8fb28ed8dcb8f8916ab859ed2e124b

\??\c:\Users\Admin\AppData\Local\Temp\h1nmufib\CSCAD75CB55BBBB45DB945D976598DD419F.TMP

MD5 713f9aeb21ccb3e99bb3381c4540d6ee
SHA1 d8a83b391abbec4d4941338eabe1f3aea55928f5
SHA256 a9befb7094c94120609c4e7ff43c63547784f1e68b13ac934a216b125a6cc699
SHA512 513e4c266a12f819c317bb0a8980b8f7a60c7964aaabedbc8697a59d1145047376000e020ecb8c94ff9ebf46b06ba5be1de9322c93e757c2907f8419829a6882

C:\Users\Admin\AppData\Local\Temp\RES55FF.tmp

MD5 b8727c8ca738a3e497206cf008a0a8cb
SHA1 7ec48abe37e1cb425275aabf1a371c0473d2b9f3
SHA256 b62870250bfd5f49424be86c074247fe345fb8ccd2f0fced3af9a2e9cc1de51e
SHA512 9e2be4e1e95818b6d57c1091b18f367eda6cd9a1a151d1e4fe5f7aa4c3a59acb7395b3769461b71861148d43d6b306081a36564226dd515aba0a01ef0b53b7b1

C:\Users\Admin\AppData\Local\Temp\h1nmufib\h1nmufib.dll

MD5 c7c172df867782e9b7fbbd166d2b66a5
SHA1 743696987e1e3d9ecfb974588ed38bcecb7d7594
SHA256 68bf013a088b340bf79cfd07d928140ac7dc6a6619d6c6b0c8eb114daf3fe376
SHA512 b8f0e220bbd5da23593bbb9b643371cec2c3a93199a7707ccda059c0af7abd149833beb6d80002f651397770a51a84eddc4301d0ba219927f9384f8509b774e6

memory/3880-27-0x0000020DEA0D0000-0x0000020DEA0D8000-memory.dmp

memory/3880-30-0x00007FF66E7E0000-0x00007FF66E839000-memory.dmp

memory/3880-31-0x00007FFEDE550000-0x00007FFEDF011000-memory.dmp