Malware Analysis Report

2025-01-18 01:14

Sample ID 240613-g4sgaaxclg
Target 652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe
SHA256 2368452b449f64cc18419028e1c42ae095e4af3f3ff729d0600b4adf0b52c4e5
Tags
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

2368452b449f64cc18419028e1c42ae095e4af3f3ff729d0600b4adf0b52c4e5

Threat Level: Shows suspicious behavior

The file 652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe was found to be: Shows suspicious behavior.

Malicious Activity Summary
Checks computer location settings

Deletes itself

Executes dropped EXE

Uses the VBS compiler for execution

Loads dropped DLL

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 06:21

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 06:21

Reported

2024-06-13 06:24

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp4F79.tmp.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp4F79.tmp.exe | N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4396 wrote to memory of 3808 | N/A | C:\Users\Admin\AppData\Local\Temp\652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4396 wrote to memory of 3808 | N/A | C:\Users\Admin\AppData\Local\Temp\652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4396 wrote to memory of 3808 | N/A | C:\Users\Admin\AppData\Local\Temp\652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3808 wrote to memory of 4356 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3808 wrote to memory of 4356 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3808 wrote to memory of 4356 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4396 wrote to memory of 1016 | N/A | C:\Users\Admin\AppData\Local\Temp\652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\tmp4F79.tmp.exe
PID 4396 wrote to memory of 1016 | N/A | C:\Users\Admin\AppData\Local\Temp\652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\tmp4F79.tmp.exe
PID 4396 wrote to memory of 1016 | N/A | C:\Users\Admin\AppData\Local\Temp\652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\tmp4F79.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uhgkdyfg\uhgkdyfg.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES511D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3302DD3A9AEF4D5A888576C7D0AE9C71.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp4F79.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp4F79.tmp.exe" C:\Users\Admin\AppData\Local\Temp\652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe

Network

Files

memory/4396-0-0x0000000074E4E000-0x0000000074E4F000-memory.dmp

memory/4396-1-0x0000000000120000-0x000000000012A000-memory.dmp

memory/4396-2-0x0000000004A80000-0x0000000004B1C000-memory.dmp

memory/4396-8-0x0000000074E40000-0x00000000755F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uhgkdyfg\uhgkdyfg.cmdline

MD5 d22863aaf5ad31c403bac486a6e6c5ab
SHA1 b7922a86bd35eda8e91a8ca715faa40ac3afad8a
SHA256 fb4a1044389b7afdbbba77c6fc2360aa540b8ab510ee29ed320e5d91ab86dddb
SHA512 18f93035760745037f010597d166bd8ff7a006f0caade441889a9c3f9ef157c703647eedfe8cbe24cc97e1427104a814bfa56c4c921f7e1f7ac58db68e16ebb9

C:\Users\Admin\AppData\Local\Temp\uhgkdyfg\uhgkdyfg.0.vb

MD5 feea7bf0777d825ff6f463417ffe3118
SHA1 13b416c2bcaf75f47a53bdd01ef2b5bed716536c
SHA256 349ed88a0cfdd7c5274f43c931c87c5cf6ed9fc9c032d660435155361ffebd5e
SHA512 420f2676b52c2a331ebc9f2fc3a761a0429f421970646e8c968cc9b94fc1558d4bf614f42278a317826fdc78b51647ce3b430e135879b5ee2da471831d46d5e4

C:\Users\Admin\AppData\Local\Temp\RE.resources

MD5 0da6623e576193254e58434a9edd0c6e
SHA1 b5dbdde35bb55f3eaaa16b23f9674e8119772212
SHA256 ee3e0e4c400bc1c6a4d5aae76e6d44b7b5ede8751d9a5d6203d3580bf3c374e3
SHA512 7cf4c77bb35583ca52c33a528a2e04da2956832577436bb99fb676f81dbc3e8bcd2dcdce2ee1874c569d407b82ec6a72f1e5b6c5ad17b4c37a50433726f9b778

C:\Users\Admin\AppData\Local\Temp\vbc3302DD3A9AEF4D5A888576C7D0AE9C71.TMP

MD5 c76960012f2515a536796f8cf7bd7419
SHA1 0f850e5b1239f7bb43a5713a87a5d506910b798a
SHA256 12f2ef52f8b696784df84eebd2e01e233fef4b1e6a04a7f65006f020cbd7e8cd
SHA512 84cb375599de6ed03788220ab210bb48715f0d4f097f4487ce5bd2c0a7a3a5baeadad9e6b2968473b76a3c54f9cb781027ce99ee3d5660330bd3f37e9fc168a1

C:\Users\Admin\AppData\Local\Temp\RES511D.tmp

MD5 0443f80cb452b7bfee29702ad29ab9df
SHA1 d043175a1ecb6a3e9c78c1593c85364d9e020dbc
SHA256 cea7b4596c41571d7bd84f9b91a330febc4dcecf15dab03214c8c44bf2cc8579
SHA512 f584e6b005e31b1fd455ee153667abe26aaa7c872335d557b18e93be647de5ad94cff0d4ac41e4523d5fe037947caab643d989af9ce9c9fcb31ddc696d59b9de

C:\Users\Admin\AppData\Local\Temp\tmp4F79.tmp.exe

MD5 eac923fad827b0c3c9987e60e8aaf886
SHA1 30e246cf0b74eb100d9b6957ad7c329620e9ecdb
SHA256 d5e4e5a3c8a2968139952c22d1977720fb258f4a25c92ef48d2b2e3cd150fa99
SHA512 6ceeb213de8011a77f747923a4f066a10c4e28485499a1691c6109c075f954bcac0b32c57871009aa5d5a6cff9e0333816fe78c4b93f34e480985b9f6e4f2a50

memory/1016-24-0x0000000074E40000-0x00000000755F0000-memory.dmp

memory/1016-25-0x0000000000C70000-0x0000000000C7A000-memory.dmp

memory/4396-26-0x0000000074E40000-0x00000000755F0000-memory.dmp

memory/1016-27-0x0000000005B90000-0x0000000006134000-memory.dmp

memory/1016-28-0x0000000005680000-0x0000000005712000-memory.dmp

memory/1016-30-0x0000000074E40000-0x00000000755F0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 06:21

Reported

2024-06-13 06:24

Platform

win7-20240508-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe"

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp1601.tmp.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp1601.tmp.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe | N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2420 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2420 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2420 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2420 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2988 wrote to memory of 1648 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2988 wrote to memory of 1648 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2988 wrote to memory of 1648 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2988 wrote to memory of 1648 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2420 wrote to memory of 2560 | N/A | C:\Users\Admin\AppData\Local\Temp\652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\tmp1601.tmp.exe
PID 2420 wrote to memory of 2560 | N/A | C:\Users\Admin\AppData\Local\Temp\652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\tmp1601.tmp.exe
PID 2420 wrote to memory of 2560 | N/A | C:\Users\Admin\AppData\Local\Temp\652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\tmp1601.tmp.exe
PID 2420 wrote to memory of 2560 | N/A | C:\Users\Admin\AppData\Local\Temp\652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\tmp1601.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uxu53i2e\uxu53i2e.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1777.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc33B99B868A73441A8797CCFF7BC48.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp1601.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp1601.tmp.exe" C:\Users\Admin\AppData\Local\Temp\652132d22858cf85b4cbf387f759abf0_NeikiAnalytics.exe

Network

N/A

Files

memory/2420-0-0x0000000073FEE000-0x0000000073FEF000-memory.dmp

memory/2420-1-0x00000000001B0000-0x00000000001BA000-memory.dmp

memory/2420-7-0x0000000073FE0000-0x00000000746CE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uxu53i2e\uxu53i2e.cmdline

MD5 c2d79c3b0a02b4a87bca272272ffe93d
SHA1 b03f15cf8bb6b1557dadfc695319ed79792b5883
SHA256 19fbedcdabd68193b5dc6e752b47502e3c77518c5f023c53b4529dbef2b7b79d
SHA512 5cb2b5c95de3f1bd85476127d6af5a3bb31467af7e337b2c872b7cc85c755f1e6e14a6a46638936d68e43e16886748caa4aee481b2017fe3c3790c0af72f7ba4

C:\Users\Admin\AppData\Local\Temp\uxu53i2e\uxu53i2e.0.vb

MD5 e8eb8fce0625d85d1174e05aa91fbafa
SHA1 66bc46142bba3342397aec47404823643e290e31
SHA256 998f5baa833b49f0c0dc4f3cb7b5cfac4266f8068e2aab9328d56c74a9243cec
SHA512 c491e51ef04f6fde989254901fec12b9029529f0731cd74791488c1628f1c05a035cfa6324200e35625b1db3b9270b91ad4d9417ffcef32992f2046eb10d9816

C:\Users\Admin\AppData\Local\Temp\RE.resources

MD5 1d3f11c643def34e7d4c8e4663f10077
SHA1 e565753e2edf2ddfbb5371f27c5a71be80b2f992
SHA256 42f660f95cfdc0ce6a35bea6407b05c61d1566b7a91018333bd80e662317a0c4
SHA512 bfc2d75da3bd7c4c23c89fa7787cc3242b6e1747c06e76bca0e7c93c1acf676e9b734ea8ac3f7e73daf5addbff2b533415b013bf6b58256151a171c54a1fccd4

C:\Users\Admin\AppData\Local\Temp\vbc33B99B868A73441A8797CCFF7BC48.TMP

MD5 f37a21c77550a6929e4c752d83f4de46
SHA1 ce47432f650042e6b16052ca70d23d5fb195e9c3
SHA256 04d2ba9c2f23596fb8ecfa5520db737a694cacbf3903b30cbdbac8819afbcd64
SHA512 4ca47cdcb073f3043a6043be2835faf8b097ca7329ea6b986d304221edade3345944cdd30f4eba9e13b720927fc264aad9cd0a88ab3007b4af600f4da7ecda1d

C:\Users\Admin\AppData\Local\Temp\RES1777.tmp

MD5 3147c01fc75f52ad3d7867007dea1e01
SHA1 5b47d616a96a5eb11ce79de7042925e6acaf81ac
SHA256 deb83b9fee4e3886c72c68381ed157c79091fd2c7b21f1b7c1bc45243ec94846
SHA512 8f81da34d711204814719676d3bf2006e95ef94f43d5b48d41813a8a82e512b8fc294587b547071d7c5a853c0eae124c191cd69f0ec1bc28eaa57393a55b19a6

C:\Users\Admin\AppData\Local\Temp\tmp1601.tmp.exe

MD5 f7b63a05c48889856360d55b2e482e3b
SHA1 f27927c93fd90d3f535ce1790c592b010f5a5aed
SHA256 3d7979b86b451752a6d5f8449073ce98cb8725ab797f00405ad0aba9c426df0e
SHA512 0136694cc34c1705fcc11737c52f53c79d2dcc0550bed0d9af16dc07189a077fe017c9aa575d237b8e48ff2f7c2a9a21de7827812ff81503c80c9515cda744e4

memory/2420-23-0x0000000073FE0000-0x00000000746CE000-memory.dmp

memory/2560-24-0x0000000000D00000-0x0000000000D0A000-memory.dmp