Malware Analysis Report

2025-01-18 02:07

Sample ID 240613-jhmp1szbrc
Target 69d7298d99f47d92fb61d3190e0d58f0_NeikiAnalytics.exe
SHA256 a57320c28a1c5939e2107e21d5ca1bbdbdd8c1f31fa558a7391d6df8d6483616
Tags
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

a57320c28a1c5939e2107e21d5ca1bbdbdd8c1f31fa558a7391d6df8d6483616

Threat Level: Shows suspicious behavior

The file 69d7298d99f47d92fb61d3190e0d58f0_NeikiAnalytics.exe was classified as: Shows suspicious behavior.

Malicious Activity Summary

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 07:40

Signatures

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 07:40

Reported

2024-06-13 07:42

Platform

win7-20240611-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\69d7298d99f47d92fb61d3190e0d58f0_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description  Indicator  Process                                       Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\EXEA7C.tmp  N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description  Indicator  Process                                       Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\EXEA7C.tmp  N/A
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\EXEA7C.tmp  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\69d7298d99f47d92fb61d3190e0d58f0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\69d7298d99f47d92fb61d3190e0d58f0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\EXEA7C.tmp

"C:\Users\Admin\AppData\Local\Temp\EXEA7C.tmp" "C:\Users\Admin\AppData\Local\Temp\OFMA7D.tmp" "C:\Users\Admin\AppData\Local\Temp\69d7298d99f47d92fb61d3190e0d58f0_NeikiAnalytics.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\EXEA7C.tmp

MD5 34cabedafaf5ce498d245242ac48670e
SHA1 7a78f2a64618448f8118203f3c7225f6f84622d0
SHA256 6dbefd357dc6ad020b5f4c7597312029094bdf9cc08bf2ae911bb2617ab28b39
SHA512 6801b911e4272093129cea416d4e8334250f6d393b4d634d251c22922f5c1906516cf53e2958011e7cb3e2a3e86ba74ea2547bbbcaba210db375ac0a6152fe18

C:\Users\Admin\AppData\Local\Temp\OFMA7D.tmp

MD5 082069362450094d1fec642739a254ad
SHA1 adc27fe04047274393c10c721bbb4eab84b23bd5
SHA256 2de063a397b4023aa91547554c34c10aa17aa7257e87797670a16c11fdffa8cf
SHA512 655dbd75945d69276d7bef40ff0a1b2a4a5958a31ef05fa9ddaed44743c813f1733c02aee91889e4b9d5c2456408c35d1cdfaf942cf974734b5226afaf6670f5

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 07:40

Reported

2024-06-13 07:42

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\69d7298d99f47d92fb61d3190e0d58f0_NeikiAnalytics.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\69d7298d99f47d92fb61d3190e0d58f0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\69d7298d99f47d92fb61d3190e0d58f0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\EXE4F87.tmp

"C:\Users\Admin\AppData\Local\Temp\EXE4F87.tmp" "C:\Users\Admin\AppData\Local\Temp\OFM4F88.tmp" "C:\Users\Admin\AppData\Local\Temp\69d7298d99f47d92fb61d3190e0d58f0_NeikiAnalytics.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

Network

Country  Destination  Domain                Proto
US       8.8.8.8:53   8.8.8.8.in-addr.arpa  udp

Files

C:\Users\Admin\AppData\Local\Temp\EXE4F87.tmp

MD5 34cabedafaf5ce498d245242ac48670e
SHA1 7a78f2a64618448f8118203f3c7225f6f84622d0
SHA256 6dbefd357dc6ad020b5f4c7597312029094bdf9cc08bf2ae911bb2617ab28b39
SHA512 6801b911e4272093129cea416d4e8334250f6d393b4d634d251c22922f5c1906516cf53e2958011e7cb3e2a3e86ba74ea2547bbbcaba210db375ac0a6152fe18

C:\Users\Admin\AppData\Local\Temp\OFM4F88.tmp

MD5 082069362450094d1fec642739a254ad
SHA1 adc27fe04047274393c10c721bbb4eab84b23bd5
SHA256 2de063a397b4023aa91547554c34c10aa17aa7257e87797670a16c11fdffa8cf
SHA512 655dbd75945d69276d7bef40ff0a1b2a4a5958a31ef05fa9ddaed44743c813f1733c02aee91889e4b9d5c2456408c35d1cdfaf942cf974734b5226afaf6670f5