Malware Analysis Report

2024-11-13 13:35

Sample ID 240613-k6y9dswenn
Target 6fb635ab3409d03ffc7a3674d4354430_NeikiAnalytics.exe
SHA256 4d6791812e13a440b8781fd23fcb4457d35fb0e417fbc143838e9e56f26df3fd
Tags
upx evasion
score
8/10

Analysis Overview

score
8/10

SHA256

4d6791812e13a440b8781fd23fcb4457d35fb0e417fbc143838e9e56f26df3fd

Threat Level: Likely malicious

The file 6fb635ab3409d03ffc7a3674d4354430_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

upx evasion

Sets file to hidden

Checks computer location settings

UPX packed file

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Views/modifies file attributes

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 09:13

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 09:13

Reported

2024-06-13 09:16

Platform

win7-20240419-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6fb635ab3409d03ffc7a3674d4354430_NeikiAnalytics.exe"

Signatures

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Debug\iuyhost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Debug\iuyhost.exe | C:\Users\Admin\AppData\Local\Temp\6fb635ab3409d03ffc7a3674d4354430_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\Debug\iuyhost.exe | C:\Users\Admin\AppData\Local\Temp\6fb635ab3409d03ffc7a3674d4354430_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\Debug\iuyhost.exe | C:\Windows\SysWOW64\attrib.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6fb635ab3409d03ffc7a3674d4354430_NeikiAnalytics.exe | N/A

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6fb635ab3409d03ffc7a3674d4354430_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\6fb635ab3409d03ffc7a3674d4354430_NeikiAnalytics.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +a +s +h +r C:\Windows\Debug\iuyhost.exe

C:\Windows\Debug\iuyhost.exe

C:\Windows\Debug\iuyhost.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\6FB635~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.baidu.com udp
US 8.8.8.8:53 EiPcxb1ZvM.nnnn.eu.org udp
US 8.8.8.8:53 Rf4Z13NdLg.nnnn.eu.org udp
US 8.8.8.8:53 eckWbWkimz.nnnn.eu.org udp
US 8.8.8.8:53 r5PUz7GDI.nnnn.eu.org udp

Files

memory/2208-0-0x0000000000400000-0x0000000000416000-memory.dmp

C:\Windows\Debug\iuyhost.exe

MD5 fe8b0b0c73e536f1067f271a4e344113
SHA1 9186a44e3573eb7f1c236d8840c5f338b015fa29
SHA256 a87e35c2c9d5223f28391a67a0403e191821b07ab8c9f251add98ca59b867f35
SHA512 89b6501f66f4a2b083c652a290357b23fa4300af095ec5e2ca8a0d8c27fc5088c86b882c58b18162cc7d03e6a732f953ee80a5af41211fb625d1e13fafb3a8cf

memory/2032-5-0x0000000000400000-0x0000000000416000-memory.dmp

memory/2208-7-0x0000000000400000-0x0000000000416000-memory.dmp

memory/2032-8-0x0000000000400000-0x0000000000416000-memory.dmp

memory/2032-9-0x0000000000400000-0x0000000000416000-memory.dmp

memory/2032-13-0x0000000000400000-0x0000000000416000-memory.dmp

memory/2032-18-0x0000000000400000-0x0000000000416000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 09:13

Reported

2024-06-13 09:16

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6fb635ab3409d03ffc7a3674d4354430_NeikiAnalytics.exe"

Signatures

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6fb635ab3409d03ffc7a3674d4354430_NeikiAnalytics.exe | N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Debug\mcihost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Debug\mcihost.exe | C:\Users\Admin\AppData\Local\Temp\6fb635ab3409d03ffc7a3674d4354430_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\Debug\mcihost.exe | C:\Users\Admin\AppData\Local\Temp\6fb635ab3409d03ffc7a3674d4354430_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\Debug\mcihost.exe | C:\Windows\SysWOW64\attrib.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6fb635ab3409d03ffc7a3674d4354430_NeikiAnalytics.exe | N/A

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6fb635ab3409d03ffc7a3674d4354430_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\6fb635ab3409d03ffc7a3674d4354430_NeikiAnalytics.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +a +s +h +r C:\Windows\Debug\mcihost.exe

C:\Windows\Debug\mcihost.exe

C:\Windows\Debug\mcihost.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\6FB635~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.baidu.com udp
US 8.8.8.8:53 7zftEvcznh.nnnn.eu.org udp
US 8.8.8.8:53 OISyjqYq.nnnn.eu.org udp
US 8.8.8.8:53 xUd9vhfSlY.nnnn.eu.org udp
US 8.8.8.8:53 SJ7W92XCr.nnnn.eu.org udp

Files

memory/4184-0-0x0000000000400000-0x0000000000416000-memory.dmp

C:\Windows\Debug\mcihost.exe

MD5 24dc6462e48909265df3dda31e406b94
SHA1 93871c108774ee84f0575d220140002b00aba1de
SHA256 25b1b779cfbbec0cc02dfe0c6bc3e19a305e9bff3fd57a3f1029b6e5cc7b060d
SHA512 c4b980b6befb5fc8afc863a383ec36d0d2de0a7fbfad51e7effddd091eeef3d02d5193d94a2da1eb15860015fb1d8b85897fa92936fe61cc7f84dc2c499975df

memory/3040-5-0x0000000000400000-0x0000000000416000-memory.dmp

memory/3040-7-0x0000000000400000-0x0000000000416000-memory.dmp

memory/3040-8-0x0000000000400000-0x0000000000416000-memory.dmp

memory/3040-12-0x0000000000400000-0x0000000000416000-memory.dmp

memory/3040-15-0x0000000000400000-0x0000000000416000-memory.dmp

memory/3040-19-0x0000000000400000-0x0000000000416000-memory.dmp