Malware Analysis Report

2024-11-13 13:25

Sample ID 240613-gpydzswgpc
Target 63fde96eac03191bf374790eced53680_NeikiAnalytics.exe
SHA256 d482f559d92bf17876e7f2e2ba9161b73f87ec545f57b2891797172f43b730dc
Tags
discovery persistence upx
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

d482f559d92bf17876e7f2e2ba9161b73f87ec545f57b2891797172f43b730dc

Threat Level: Likely malicious

The file 63fde96eac03191bf374790eced53680_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence upx

Modifies AppInit DLL entries

Checks BIOS information in registry

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

UPX packed file

Enumerates connected drives

Checks installed software on the system

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 05:59

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 05:59

Reported

2024-06-13 06:02

Platform

win7-20240611-en

Max time kernel

150s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\63fde96eac03191bf374790eced53680_NeikiAnalytics.exe"

Signatures

Modifies AppInit DLL entries

persistence

ACProtect 1.3x - 1.4x DLL software

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\63fde96eac03191bf374790eced53680_NeikiAnalytics.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\63fde96eac03191bf374790eced53680_NeikiAnalytics.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\63fde96eac03191bf374790eced53680_NeikiAnalytics.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63fde96eac03191bf374790eced53680_NeikiAnalytics.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (9 matches, no per-match details recorded)
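The two file-level verdicts in this report, "UPX packed file" here and "Unsigned PE" in static1, can be reproduced from the binary alone. The Python below is an added example, not sandbox output and not code from the analysed sample: using only the standard library it walks the PE section table, flags UPX section names and high-entropy sections, and reads the Authenticode data directory (entry 4 of the optional header), whose size is zero on an unsigned binary. The build_demo_pe helper, its section names and sizes, and the 7.2 bits/byte entropy threshold are constructed for the demonstration; on a real sample call triage() on the file bytes.

```python
"""Static PE triage behind the 'UPX packed file' and 'Unsigned PE' signatures.

Added example (stdlib only), not part of the sandbox report. It reads the
section table, scores each section's entropy and checks whether the
Authenticode data directory is populated. build_demo_pe() fabricates a
minimal PE32 so the checks can be exercised offline; run the real check with
triage(open(path, 'rb').read()).
"""
import math
import struct

PE_SIGNATURE = b"PE\0\0"
SECURITY_DIR_INDEX = 4                 # IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode blob)
UPX_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}
HIGH_ENTROPY = 7.2                     # bits/byte; packed or encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Sections (name, raw size, entropy) plus whether the Authenticode directory is set."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)       # PE32 vs PE32+ data directories
    _cert_off, cert_size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR_INDEX)
    sections = []
    for i in range(nsections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        body = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0"), "raw_size": raw_size,
                         "entropy": round(shannon_entropy(body), 2)})
    return {"sections": sections, "signed": cert_size > 0}


def triage(data: bytes) -> list:
    """Findings in the wording the report uses, plus the entropy evidence."""
    info = parse_pe(data)
    findings = []
    if not info["signed"]:
        findings.append("Unsigned PE")
    if {s["name"] for s in info["sections"]} & UPX_SECTIONS:
        findings.append("UPX packed file")
    for s in info["sections"]:
        if s["raw_size"] and s["entropy"] >= HIGH_ENTROPY:
            findings.append(f"High-entropy section {s['name'].decode()} ({s['entropy']})")
    return findings


def build_demo_pe(sections, authenticode_size=0) -> bytes:
    """Constructed minimal PE32 (headers + section bodies, not runnable code).
    sections: [(name, VirtualSize, raw bytes)]; empty raw bytes give a
    UPX0-style zero-size section that the unpacker fills at run time."""
    opt_size = 0xE0                                    # PE32 optional header, 16 directories
    raw_ptr = -(-(0x40 + 4 + 20 + opt_size + 40 * len(sections)) // 0x200) * 0x200
    table, body, va, ptr = bytearray(), bytearray(), 0x1000, raw_ptr
    for name, vsize, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va,
                             len(data), ptr if data else 0, 0, 0, 0, 0, 0x60000020)
        body += data
        ptr += len(data)
        va += max(vsize, len(data), 0x1000)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                # NumberOfRvaAndSizes
    # Security directory: file offset of an appended WIN_CERTIFICATE and its size
    struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR_INDEX,
                     ptr if authenticode_size else 0, authenticode_size)
    header = bytes(dos) + PE_SIGNATURE + coff + bytes(opt) + bytes(table)
    return header.ljust(raw_ptr, b"\0") + bytes(body) + b"\0" * authenticode_size


if __name__ == "__main__":
    # Section sizes loosely resemble the ~5.8 MB image span (0x400000-0x9D1000) in the dumps.
    demo = build_demo_pe([(b"UPX0", 0x5D0000, b""),
                          (b"UPX1", 0x1000, bytes(range(256)) * 4),
                          (b".rsrc", 0x1000, b"\0" * 512)])
    print(triage(demo))   # ['Unsigned PE', 'UPX packed file', 'High-entropy section UPX1 (8.0)']
```

A UPX section name is evidence, not proof: UPX can be built with renamed sections and other packers borrow its names, so the nine N/A matches above are best confirmed with the entropy column and, for an unmodified stub, with `upx -t` on the file. A populated security directory likewise only means a WIN_CERTIFICATE blob is present; the signature still has to verify against a trusted chain before "signed" means anything.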

Checks installed software on the system

discovery

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\63fde96eac03191bf374790eced53680_NeikiAnalytics.exe | N/A
File opened (read-only) | \??\e: | C:\Users\Admin\AppData\Local\Temp\63fde96eac03191bf374790eced53680_NeikiAnalytics.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\System\symsrv.dll | C:\Users\Admin\AppData\Local\Temp\63fde96eac03191bf374790eced53680_NeikiAnalytics.exe | N/A
File created | \??\c:\program files\common files\system\symsrv.dll.000 | C:\Users\Admin\AppData\Local\Temp\63fde96eac03191bf374790eced53680_NeikiAnalytics.exe | N/A

Enumerates physical storage devices

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Users\Admin\AppData\Local\Temp\63fde96eac03191bf374790eced53680_NeikiAnalytics.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosDate | C:\Users\Admin\AppData\Local\Temp\63fde96eac03191bf374790eced53680_NeikiAnalytics.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioCD\shell | C:\Users\Admin\AppData\Local\Temp\63fde96eac03191bf374790eced53680_NeikiAnalytics.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63fde96eac03191bf374790eced53680_NeikiAnalytics.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\63fde96eac03191bf374790eced53680_NeikiAnalytics.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\63fde96eac03191bf374790eced53680_NeikiAnalytics.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\63fde96eac03191bf374790eced53680_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\63fde96eac03191bf374790eced53680_NeikiAnalytics.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 5isohu.com | udp
US | 8.8.8.8:53 | www.aieov.com | udp
US | 45.56.79.23:80 | www.aieov.com | tcp (6 connections)

Files

memory/2448-1-0x0000000000400000-0x00000000009D1000-memory.dmp

memory/2448-4-0x0000000010000000-0x0000000010030000-memory.dmp

\Program Files\Common Files\System\symsrv.dll

MD5 7574cf2c64f35161ab1292e2f532aabf
SHA1 14ba3fa927a06224dfe587014299e834def4644f
SHA256 de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA512 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

C:\Users\Admin\AppData\Local\Temp\wintoolsnet.ini

MD5 be56d128e9229646193c779eeeaf6d45
SHA1 29d6073fe7534607773c2d2b764eb4dc10ef17c0
SHA256 8d1eb9f47215d2c05e5afa46ca1e09ecc03300b2ed9905ff2731c3e597970d2b
SHA512 968b4945325537095aa3fbc488541628532b0cb6eaf9421f2dc82fb0dd743a0ed9e7575b34da9a83b14cea431b7ab40e494e00b733bc2cae1fa9890891853083

memory/2448-115-0x0000000000432000-0x0000000000436000-memory.dmp

memory/2448-204-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2448-205-0x0000000000400000-0x00000000009D1000-memory.dmp

memory/2448-208-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2448-209-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2448-212-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2448-215-0x0000000010000000-0x0000000010030000-memory.dmp

C:\Program Files\Common Files\System\symsrv.dll.000

MD5 1130c911bf5db4b8f7cf9b6f4b457623
SHA1 48e734c4bc1a8b5399bff4954e54b268bde9d54c
SHA256 eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1
SHA512 94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

memory/2448-218-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2448-221-0x0000000010000000-0x0000000010030000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 05:59

Reported

2024-06-13 06:02

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\63fde96eac03191bf374790eced53680_NeikiAnalytics.exe"

Signatures

Modifies AppInit DLL entries

persistence

ACProtect 1.3x - 1.4x DLL software

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\63fde96eac03191bf374790eced53680_NeikiAnalytics.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\63fde96eac03191bf374790eced53680_NeikiAnalytics.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\63fde96eac03191bf374790eced53680_NeikiAnalytics.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63fde96eac03191bf374790eced53680_NeikiAnalytics.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (7 matches, no per-match details recorded)

Checks installed software on the system

discovery

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\63fde96eac03191bf374790eced53680_NeikiAnalytics.exe | N/A
File opened (read-only) | \??\e: | C:\Users\Admin\AppData\Local\Temp\63fde96eac03191bf374790eced53680_NeikiAnalytics.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\System\symsrv.dll | C:\Users\Admin\AppData\Local\Temp\63fde96eac03191bf374790eced53680_NeikiAnalytics.exe | N/A
File created | \??\c:\program files\common files\system\symsrv.dll.000 | C:\Users\Admin\AppData\Local\Temp\63fde96eac03191bf374790eced53680_NeikiAnalytics.exe | N/A

Enumerates physical storage devices

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosDate | C:\Users\Admin\AppData\Local\Temp\63fde96eac03191bf374790eced53680_NeikiAnalytics.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Users\Admin\AppData\Local\Temp\63fde96eac03191bf374790eced53680_NeikiAnalytics.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioCD\shell | C:\Users\Admin\AppData\Local\Temp\63fde96eac03191bf374790eced53680_NeikiAnalytics.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\63fde96eac03191bf374790eced53680_NeikiAnalytics.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\63fde96eac03191bf374790eced53680_NeikiAnalytics.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\63fde96eac03191bf374790eced53680_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\63fde96eac03191bf374790eced53680_NeikiAnalytics.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp
NL | 23.62.61.72:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 5isohu.com | udp
US | 8.8.8.8:53 | www.aieov.com | udp
US | 45.56.79.23:80 | www.aieov.com | tcp
US | 8.8.8.8:53 | 23.79.56.45.in-addr.arpa | udp
US | 8.8.8.8:53 | 5isohu.com | udp
US | 45.56.79.23:80 | www.aieov.com | tcp
US | 45.56.79.23:80 | www.aieov.com | tcp
US | 8.8.8.8:53 | 5isohu.com | udp
US | 45.56.79.23:80 | www.aieov.com | tcp
US | 8.8.8.8:53 | 5isohu.com | udp
US | 45.56.79.23:80 | www.aieov.com | tcp
US | 8.8.8.8:53 | 5isohu.com | udp
US | 45.56.79.23:80 | www.aieov.com | tcp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 5isohu.com | udp
US | 45.56.79.23:80 | www.aieov.com | tcp
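The behavioral2 table mixes two kinds of traffic: the Windows 10 guest's own Bing connectivity checks and reverse-DNS (in-addr.arpa) lookups, and the DNS and HTTP activity that also shows up in the Windows 7 run (lookups for 5isohu.com and www.aieov.com, HTTP to 45.56.79.23:80). Only the second kind is attributable to the sample. The Python below is an added example, not sandbox output: it parses the rows of this table in the sandbox's space-separated form, filters guest background by domain suffix (BACKGROUND_SUFFIXES is an assumption, to be confirmed against a clean baseline run of the same image) and reports per-domain lookup and connection counts plus a flat indicator list.

```python
"""Separate sample-driven network indicators from guest background traffic.

Added example, not part of the report. REPORT_ROWS reproduces the behavioral2
network table in the sandbox's space-separated form. BACKGROUND_SUFFIXES is
an assumption about what a Windows 10 guest generates on its own; confirm it
against a clean baseline run before trusting the filter.
"""
from collections import defaultdict

REPORT_ROWS = """\
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 5isohu.com udp
US 8.8.8.8:53 www.aieov.com udp
US 45.56.79.23:80 www.aieov.com tcp
US 8.8.8.8:53 23.79.56.45.in-addr.arpa udp
US 8.8.8.8:53 5isohu.com udp
US 45.56.79.23:80 www.aieov.com tcp
US 45.56.79.23:80 www.aieov.com tcp
US 8.8.8.8:53 5isohu.com udp
US 45.56.79.23:80 www.aieov.com tcp
US 8.8.8.8:53 5isohu.com udp
US 45.56.79.23:80 www.aieov.com tcp
US 8.8.8.8:53 5isohu.com udp
US 45.56.79.23:80 www.aieov.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 5isohu.com udp
US 45.56.79.23:80 www.aieov.com tcp
"""

# Assumed guest/OS background; extend from a baseline run of the same image.
BACKGROUND_SUFFIXES = ("bing.com", "in-addr.arpa", "msftconnecttest.com", "windowsupdate.com")


def parse_rows(text: str) -> list:
    """'Country Destination Domain Proto' lines -> dicts; Destination is ip:port."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain.lower(), "proto": proto.lower()})
    return rows


def is_background(domain: str) -> bool:
    d = domain.lower()
    return any(d == s or d.endswith("." + s) for s in BACKGROUND_SUFFIXES)


def summarize(rows: list) -> dict:
    """Per non-background domain: DNS query count, connection endpoints with
    counts, and whether any connection followed the lookups. Repeated lookups
    with no connection suggest the name did not resolve, or resolved to
    something the sandbox did not let the sample reach."""
    acc = defaultdict(lambda: {"dns_queries": 0, "connections": defaultdict(int)})
    for r in rows:
        if is_background(r["domain"]):
            continue
        entry = acc[r["domain"]]
        if r["port"] == 53 and r["proto"] == "udp":
            entry["dns_queries"] += 1
        else:
            entry["connections"][(r["ip"], r["port"], r["proto"])] += 1
    return {domain: {"dns_queries": e["dns_queries"],
                     "connections": dict(e["connections"]),
                     "contacted": bool(e["connections"])}
            for domain, e in acc.items()}


def iocs(summary: dict) -> list:
    """Flat, sorted indicator list: domains plus every contacted ip:port/proto."""
    out = set()
    for domain, e in summary.items():
        out.add(("domain", domain))
        for ip, port, proto in e["connections"]:
            out.add(("socket", f"{ip}:{port}/{proto}"))
    return sorted(out)


if __name__ == "__main__":
    summary = summarize(parse_rows(REPORT_ROWS))
    for domain, entry in summary.items():
        print(domain, entry)
    print(iocs(summary))
```

On this table the filter leaves six lookups for 5isohu.com with no follow-on connection and one lookup for www.aieov.com followed by seven HTTP connections to 45.56.79.23:80, which is exactly the pattern the win7 run shows without the Bing noise. The resolver address 8.8.8.8 is the guest's configured DNS server, not an indicator, which is why only the queried names and the contacted sockets go onto the list.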

Files

C:\Program Files\Common Files\System\symsrv.dll

MD5 7574cf2c64f35161ab1292e2f532aabf
SHA1 14ba3fa927a06224dfe587014299e834def4644f
SHA256 de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA512 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

memory/3496-5-0x0000000010000000-0x0000000010030000-memory.dmp

memory/3496-4-0x0000000000400000-0x00000000009D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wintoolsnet.ini

MD5 8d9683a470f8d23d3b24b4a6ba9708bb
SHA1 17ea0868943dea548dd5b907ddbd6e34a5fb9cf0
SHA256 0816d3c645891d0ba0b740b1a25f3e5b8d2cf452217dc6b0617f97a92fb26d5a
SHA512 85888fbee55561329d2884cc8603293eea2733c4c1e26f0b7a614c8019a0712e48bf08a37ac2159394270994e09e19f8c70296df1b5fb8e67c4a91f824bd0e64

memory/3496-116-0x0000000000432000-0x0000000000436000-memory.dmp

memory/3496-203-0x0000000000400000-0x00000000009D1000-memory.dmp

memory/3496-206-0x0000000000400000-0x00000000009D1000-memory.dmp

memory/3496-209-0x0000000010000000-0x0000000010030000-memory.dmp

memory/3496-212-0x0000000010000000-0x0000000010030000-memory.dmp

memory/3496-215-0x0000000010000000-0x0000000010030000-memory.dmp

C:\Program Files\Common Files\System\symsrv.dll.000

MD5 1130c911bf5db4b8f7cf9b6f4b457623
SHA1 48e734c4bc1a8b5399bff4954e54b268bde9d54c
SHA256 eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1
SHA512 94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

memory/3496-220-0x0000000010000000-0x0000000010030000-memory.dmp

memory/3496-226-0x0000000010000000-0x0000000010030000-memory.dmp