Malware Analysis Report

2025-01-18 01:03

Sample ID 240613-ha7vjs1hjj
Target 65d959f73b322eb6ba81e5c5474add10_NeikiAnalytics.exe
SHA256 c4cdd3457cc1a6f6e5e0ddc044e4971cb69bae89402ec223e0ab360495172e0a
Tags
score
3/10

Table of Contents

Analysis Overview
  MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
3/10

SHA256

c4cdd3457cc1a6f6e5e0ddc044e4971cb69bae89402ec223e0ab360495172e0a

Threat Level: Likely benign

The file 65d959f73b322eb6ba81e5c5474add10_NeikiAnalytics.exe was found to be: Likely benign.

Malicious Activity Summary

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 06:33

Signatures

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 06:33

Reported

2024-06-13 06:35

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\65d959f73b322eb6ba81e5c5474add10_NeikiAnalytics.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\65d959f73b322eb6ba81e5c5474add10_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\65d959f73b322eb6ba81e5c5474add10_NeikiAnalytics.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xlnpdu3v\xlnpdu3v.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1A98.tmp" "c:\Users\Admin\AppData\Local\Temp\xlnpdu3v\CSC5EEC71288F864AC2B6CF5B901A6CA69.TMP"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1412 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8

Network

Country  Destination         Domain                        Proto
US       8.8.8.8:53          241.150.49.20.in-addr.arpa    udp
US       8.8.8.8:53          203.107.17.2.in-addr.arpa     udp
US       8.8.8.8:53          68.32.126.40.in-addr.arpa     udp
US       8.8.8.8:53          95.221.229.192.in-addr.arpa   udp
GB       172.217.169.74:443  -                             tcp
US       8.8.8.8:53          183.142.211.20.in-addr.arpa   udp
US       8.8.8.8:53          232.168.11.51.in-addr.arpa    udp
US       8.8.8.8:53          26.165.165.52.in-addr.arpa    udp
US       8.8.8.8:53          18.31.95.13.in-addr.arpa      udp
US       13.107.253.64:443   -                             tcp
US       8.8.8.8:53          138.107.17.2.in-addr.arpa     udp
US       8.8.8.8:53          29.243.111.52.in-addr.arpa    udp
US       8.8.8.8:53          17.173.189.20.in-addr.arpa    udp

Files

memory/3708-0-0x00000216C8760000-0x00000216C8761000-memory.dmp

memory/3708-9-0x00000216C8760000-0x00000216C8761000-memory.dmp

memory/3708-10-0x00007FF84DBB0000-0x00007FF84DDA5000-memory.dmp

memory/3708-11-0x00007FF82DA73000-0x00007FF82DA75000-memory.dmp

memory/3708-12-0x00000216CA330000-0x00000216CA35A000-memory.dmp

memory/3708-13-0x00007FF82DA70000-0x00007FF82E531000-memory.dmp

memory/3708-14-0x00007FF82DA70000-0x00007FF82E531000-memory.dmp

memory/3708-17-0x00007FF82DA70000-0x00007FF82E531000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\xlnpdu3v\xlnpdu3v.cmdline

MD5 e39cfe761794a9b4f96eff66738dd976
SHA1 7318c5d78beccbf8db51e387c421d2cfd5c062b8
SHA256 d9ea9089d2e3a9009c2faffa0188616b05db770fd56332f2beca0a6a45abcc44
SHA512 fc9683d8db3a296975bec73c37f9a58b6d4edbe1acc355d484894abc52eb91541f81a5c0e4592cbd77621e52cd667de5690fddea97ebfff6c1b8d1d5e0db6a7f

\??\c:\Users\Admin\AppData\Local\Temp\xlnpdu3v\xlnpdu3v.0.cs

MD5 f420ebb3150f0764331a33377a7451b8
SHA1 8ed9b9d610e8ab76aea82a3830ad31059517630b
SHA256 dfb6ab38744b3a4e17cf7fa75b3126e88cbeabc907008f3921ff41c523a99a27
SHA512 b92767736261cb7c10f58576c44e62cd0d105e90e139b376d52ccb5cb7ca189205a1f7d7a5fec5d739f8763eded8b5c55b9057217fe9a55b1e151dc700760cbd

\??\c:\Users\Admin\AppData\Local\Temp\xlnpdu3v\CSC5EEC71288F864AC2B6CF5B901A6CA69.TMP

MD5 676d4e89d67840e800354e3ff8d13ddf
SHA1 33f2c0bae9f6b89690c3444ab7df03d2a22aebb3
SHA256 16619901c1d3511b43cec2be6c83957157f5c56a470d18ed2b7a84af5d25f5b9
SHA512 ab512aee78ea2eb68533f77d79272338b3eed31963dcf898af050cbb983bd56f14893f60740f3025c23266d4fec50d0053096bf325b150748d8856521d46c723

C:\Users\Admin\AppData\Local\Temp\RES1A98.tmp

MD5 449ad3187bf49ac091240870257315b4
SHA1 10986d59245796fa3c059229a03e7549c756fcab
SHA256 e84d11e720c96c747cf4b5412e949a7af933d3ebea63e89599a3cd31d9f73349
SHA512 630a63c83c01a8f80f42f6a5f1dd86a86c3e60cb1f4d9d9de633b4510f44c13c8e11733d8c4071299f812bb01555df7b7f1bec8b18db1fbdea97fbc9625f3b89

memory/3708-26-0x00007FF678400000-0x00007FF67846E000-memory.dmp

memory/3708-29-0x00000216CA2E0000-0x00000216CA2E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xlnpdu3v\xlnpdu3v.dll

MD5 02a1c3c8229345412d4b8267be87f8ce
SHA1 506eaf3b9c96c6ffa98cabc0ef1ec481b2473852
SHA256 0209958012b19956084ef5aa1a82226c3d7f07bee5d9a2ddd4a3c1a331cd0923
SHA512 63fb0f6f5565833afd353ab6ba54da3a8c5ea5ed65e44a988f7b944efd5d2f8e53600587f67675af57785d4309d10d50a6ba941f18e92661be0c972261f8fe62

memory/3708-32-0x00007FF678400000-0x00007FF67846E000-memory.dmp

memory/3708-33-0x00007FF82DA70000-0x00007FF82E531000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 06:33

Reported

2024-06-13 06:35

Platform

win7-20240508-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\65d959f73b322eb6ba81e5c5474add10_NeikiAnalytics.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\65d959f73b322eb6ba81e5c5474add10_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\65d959f73b322eb6ba81e5c5474add10_NeikiAnalytics.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\30fyqlan\30fyqlan.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES47CA.tmp" "c:\Users\Admin\AppData\Local\Temp\30fyqlan\CSC2A85F629F97344EF92AEDE8F54287AEF.TMP"

Network

N/A

Files

memory/2952-0-0x0000000000100000-0x0000000000101000-memory.dmp

memory/2952-9-0x0000000000100000-0x0000000000101000-memory.dmp

memory/2952-10-0x000007FEF5053000-0x000007FEF5054000-memory.dmp

memory/2952-11-0x0000000001E80000-0x0000000001EAA000-memory.dmp

memory/2952-12-0x000007FEF5050000-0x000007FEF5A3C000-memory.dmp

memory/2952-13-0x000007FEF5050000-0x000007FEF5A3C000-memory.dmp

memory/2952-17-0x000007FEF5050000-0x000007FEF5A3C000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\30fyqlan\30fyqlan.cmdline

MD5 1472a3806517b93b182b6b21291ab393
SHA1 4417aebfc0e02cc76514275501d219a1d9b128ce
SHA256 2e4fda4a699e2573a9bca7e4799d17dd638777cade9691765c65f1c5568b1817
SHA512 82ddd4c59d47f5f4009382e2bf3d2e5bb42ad2be464e72ad9d912da69fcdb4012352f6dc1c8e53c4c916855ed491a2f4428373da961177f0516e990d46d83169

\??\c:\Users\Admin\AppData\Local\Temp\30fyqlan\30fyqlan.0.cs

MD5 f420ebb3150f0764331a33377a7451b8
SHA1 8ed9b9d610e8ab76aea82a3830ad31059517630b
SHA256 dfb6ab38744b3a4e17cf7fa75b3126e88cbeabc907008f3921ff41c523a99a27
SHA512 b92767736261cb7c10f58576c44e62cd0d105e90e139b376d52ccb5cb7ca189205a1f7d7a5fec5d739f8763eded8b5c55b9057217fe9a55b1e151dc700760cbd

\??\c:\Users\Admin\AppData\Local\Temp\30fyqlan\CSC2A85F629F97344EF92AEDE8F54287AEF.TMP

MD5 0c4a48baf0a977f2edcb00530476afcc
SHA1 2bdab88df9245d673f69179dd2daf1368cc0cc81
SHA256 57bd64a7b32e3c6227d9cfeac91305a85e79820af86b8eef0c52ad9645d5f4bf
SHA512 99ee83197d97727847126c022dd626fdec28cab6ba14eb970eb7ac2ed833b6d725e2c09cba126a674b00b988f3f3bdc9177c8b28b816ee1a427b2d3ace601c2c

C:\Users\Admin\AppData\Local\Temp\RES47CA.tmp

MD5 01fa66185aac8e6b405c308c85d1d83c
SHA1 03ab607241c60c25855bfe972a22e433cdc02705
SHA256 efe05dcf0ad3064da979b08ed016891cbe6e1cbb6a88a5e22c3742d0f311fb07
SHA512 12453c747a6627c5fd305a2a8134e941387104aff9f3cfe54537c4593db775625a1a311ceee0408944b8f3da8f1caae611d9df7387965d3e88fcdba71aa4236a

memory/2952-27-0x00000000003A0000-0x00000000003A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\30fyqlan\30fyqlan.dll

MD5 c684213ab190af3e3c449d20dda9ce58
SHA1 500aa254ccf3997da33b285f899827a691a2d21f
SHA256 a79a0d2dfbbffdf7a51b9cfc969dae2fbc183b38bc50ff5baa2958af8823ef5c
SHA512 f0c89885965d0c612e1156e17af479bda2d75e2a24b98e7aa3bc1ed14a8fa38018723a656cee680fb7a11f3f2245d41650ed08ef3739c4837ae6f22f075510b7

memory/2952-29-0x000000013F030000-0x000000013F09E000-memory.dmp

memory/2952-30-0x000007FEF5050000-0x000007FEF5A3C000-memory.dmp