Malware Analysis Report

2025-01-18 02:01

Sample ID 240613-jgm96azbne
Target 69bd2376715fb9458a80e7e527832b00_NeikiAnalytics.exe
SHA256 c8468234c23f6e2a7985cdb3dfda34a3f0a357f762e3e54d369f19d94fb5d7e2
Tags persistence
Score 6/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 6/10

SHA256 c8468234c23f6e2a7985cdb3dfda34a3f0a357f762e3e54d369f19d94fb5d7e2

Threat Level: Shows suspicious behavior

The file 69bd2376715fb9458a80e7e527832b00_NeikiAnalytics.exe was found to show suspicious behavior.

Malicious Activity Summary

persistence

Adds Run key to start application

Unsigned PE

Runs .reg file with regedit

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 07:38

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 07:38

Reported

2024-06-13 07:41

Platform

win7-20240508-en

Max time kernel

121s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\69bd2376715fb9458a80e7e527832b00_NeikiAnalytics.exe"

Signatures

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\TrkWks = "C:\\Users\\Admin\\AppData\\Local\\TrkWks.exe"
Process: C:\Windows\SysWOW64\regedit.exe
Target: N/A

Runs .reg file with regedit

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\regedit.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\69bd2376715fb9458a80e7e527832b00_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\69bd2376715fb9458a80e7e527832b00_NeikiAnalytics.exe"

C:\Windows\SysWOW64\regedit.exe

regedit.exe /s C:\Users\Admin\AppData\Local\Temp\~dfds3.reg

Network

N/A

Files

memory/2980-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2980-1-0x0000000000020000-0x0000000000029000-memory.dmp

memory/2980-2-0x0000000000020000-0x0000000000029000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~dfds3.reg

MD5 815dc60dafb80c98b73d7e2677e354c0
SHA1 4719d47bddca660bc7ea913f66567bb6f963e73d
SHA256 eae9854927aa4f85a269d29ecc0c48ff074d46ebb3d02899a859c0468c4e959a
SHA512 e72fa7b3fe4c0188db7f5721ce56a6ba66ce7d2f0f0de6ecbe3b21d87267f0d2b3988ce97d2ffac897a9984e950ac33648abbd6e2949a74158a254794333e5e7

memory/2980-13-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\TrkWks.exe

MD5 49abb714dd72f6dee2e102a7de9e2011
SHA1 23fd610b88bd5347fb5033f5cf2ae6e0cd836408
SHA256 66ec041bf7e59850aa93fd7f350da2cb4e02a6aa03066d619cc5860ff6b47412
SHA512 f89f47f5c71f546a73538df967b7949ba5289b2eddcfdc0737fecbb74dcefd27b1f54a21c71688765661c0a1fab72f521b5a1f3170aed040d2f80d31dc084073

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 07:38

Reported

2024-06-13 07:41

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\69bd2376715fb9458a80e7e527832b00_NeikiAnalytics.exe"

Signatures

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinHttp = "C:\\Users\\Admin\\AppData\\Local\\WinHttp.exe"
Process: C:\Windows\SysWOW64\regedit.exe
Target: N/A

Runs .reg file with regedit

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\regedit.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\69bd2376715fb9458a80e7e527832b00_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\69bd2376715fb9458a80e7e527832b00_NeikiAnalytics.exe"

C:\Windows\SysWOW64\regedit.exe

regedit.exe /s C:\Users\Admin\AppData\Local\Temp\~dfds3.reg

Network

N/A

Files

memory/1004-0-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~dfds3.reg

MD5 f44153ef26be29552cf320325ad8b72e
SHA1 74ac72ba2ff0f871e59b11c95ad707372662370c
SHA256 767009fb8726500a4bc54b2ee744cc3ada64fdf16a44e22ff9dfe7652e2a439f
SHA512 1d42a4dba1d8d0df9f8fedfba384ffdbcff3103c8ba360f255b5d7e8a46128f40521e4d16cf6de04365b3b6ffad8bc681cf7042d92867ab3d912601a3d5e6e65

C:\Users\Admin\AppData\Local\WinHttp.exe

MD5 04dc0697bd8b651005aaae52ded921e4
SHA1 baa0902ba21b7e01f75f1e7eb59308cc537d65b8
SHA256 3595f5be0db294b499cc348212765a02df40fd02e463344f5e8bbdb2ad58abdd
SHA512 6b3d002f12fdbcb6b73d16ff2bab9f19c800668c944702c4d86e55da93194ea0e0e9ea3ba0b1401cf3e03d3832bf74825233e1d40bf108ad08aed13aea6d8755

memory/1004-10-0x0000000000400000-0x0000000000409000-memory.dmp