Malware Analysis Report

2025-01-18 01:16

Sample ID 240613-hbtpbaxeqe
Target 65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe
SHA256 0480734fca847ba66ac1465be0fd2298b4c0f17a291caf354eba808dc7ee3652
Tags
score
7/10


Analysis Overview

score
7/10

SHA256

0480734fca847ba66ac1465be0fd2298b4c0f17a291caf354eba808dc7ee3652

Threat Level: Shows suspicious behavior

The file 65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe was found to show suspicious behavior.

Malicious Activity Summary

Loads dropped DLL

Deletes itself

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Program crash

Suspicious behavior: RenamesItself

Suspicious use of UnmapMainImage

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 06:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 06:34

Reported

2024-06-13 06:36

Platform

win7-20240611-en

Max time kernel

118s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp

Files

memory/2136-0-0x0000000000400000-0x0000000000517000-memory.dmp

\Users\Admin\AppData\Local\Temp\65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe

MD5 1b1f29b083b8302b5dad3c23f51607e4
SHA1 49bb960d0c511918063839ca82bbc4c6a349007c
SHA256 189607d972886da1928acd54525181eeadc6428e38268ac981bda8d7824e92af
SHA512 a02b7ea9a2dbcb550147631e969214f2c57933c683b70a8cde6bce0a7e39f7afbcf6c35b13da067c7c74e29a56e1435dfcd33712d918f3fcab7531a19f7cc7fb

memory/2052-9-0x0000000000400000-0x0000000000517000-memory.dmp

memory/2136-8-0x0000000000400000-0x0000000000517000-memory.dmp

memory/2052-10-0x0000000000400000-0x00000000004A3000-memory.dmp

memory/2052-16-0x0000000002E70000-0x0000000002F87000-memory.dmp

memory/2052-31-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2052-37-0x000000000EE50000-0x000000000EEF3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 06:34

Reported

2024-06-13 06:36

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1832 -ip 1832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 312

C:\Users\Admin\AppData\Local\Temp\65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1860 -ip 1860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 344

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1860 -ip 1860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1860 -ip 1860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 656

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1860 -ip 1860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 656

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1860 -ip 1860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1860 -ip 1860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1860 -ip 1860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1432

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1860 -ip 1860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1468

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1860 -ip 1860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1636

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1860 -ip 1860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1464

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1860 -ip 1860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1860 -ip 1860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1692

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1860 -ip 1860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1860 -ip 1860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1496

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1860 -ip 1860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.163:443 www.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 23.62.61.163:443 www.bing.com tcp
NL 23.62.61.163:443 www.bing.com tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
US 8.8.8.8:53 163.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 235.3.20.104.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

memory/1832-0-0x0000000000400000-0x0000000000517000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe

MD5 0af4f2a386b680425b062a80b3f4d6a3
SHA1 9f462841bebf75ea451942b364a2fbaa74b2dc40
SHA256 901090afdaaaf52abe73079c52f29890be46bffd4266168b6ecfdd11ff096ad6
SHA512 02c7c387b5606cf4723f2b31f5a6c69091c9367faeef45dea248dedda050f0f7ba727407f06b89140f1acab40eb8db8414a11cb6b0001550f12bbcef22e0cc3d

memory/1832-6-0x0000000000400000-0x0000000000517000-memory.dmp

memory/1860-7-0x0000000000400000-0x0000000000517000-memory.dmp

memory/1860-9-0x0000000000400000-0x00000000004A3000-memory.dmp

memory/1860-14-0x0000000005070000-0x0000000005187000-memory.dmp

memory/1860-22-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1860-27-0x000000000B9D0000-0x000000000BA73000-memory.dmp