Malware Analysis Report

2025-01-18 01:38

Sample ID 240613-kd32wa1dkb
Target 6cfaec5b26f5f3986467e51636454230_NeikiAnalytics.exe
SHA256 579fa842c06419b7e0079c51e7239aa7d8f8797e060325959381b3a3d230c0b6
Tags
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file 6cfaec5b26f5f3986467e51636454230_NeikiAnalytics.exe was found to show suspicious behavior.

Malicious Activity Summary

Checks computer location settings

Loads dropped DLL

Deletes itself

Executes dropped EXE

Uses the VBS compiler for execution

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 08:29

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 08:29

Reported

2024-06-13 08:32

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6cfaec5b26f5f3986467e51636454230_NeikiAnalytics.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6cfaec5b26f5f3986467e51636454230_NeikiAnalytics.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp590E.tmp.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp590E.tmp.exe | N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6cfaec5b26f5f3986467e51636454230_NeikiAnalytics.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1196 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\6cfaec5b26f5f3986467e51636454230_NeikiAnalytics.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1196 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\6cfaec5b26f5f3986467e51636454230_NeikiAnalytics.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1196 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\6cfaec5b26f5f3986467e51636454230_NeikiAnalytics.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2512 wrote to memory of 4124 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2512 wrote to memory of 4124 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2512 wrote to memory of 4124 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1196 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\6cfaec5b26f5f3986467e51636454230_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\tmp590E.tmp.exe
PID 1196 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\6cfaec5b26f5f3986467e51636454230_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\tmp590E.tmp.exe
PID 1196 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\6cfaec5b26f5f3986467e51636454230_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\tmp590E.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6cfaec5b26f5f3986467e51636454230_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\6cfaec5b26f5f3986467e51636454230_NeikiAnalytics.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g4y3jegn\g4y3jegn.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5AA3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF788A34152EC4689BE6B5A1D24A49D4.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp590E.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp590E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6cfaec5b26f5f3986467e51636454230_NeikiAnalytics.exe

Network

Files

memory/1196-0-0x000000007462E000-0x000000007462F000-memory.dmp

memory/1196-1-0x0000000000E20000-0x0000000000E2A000-memory.dmp

memory/1196-2-0x0000000005780000-0x000000000581C000-memory.dmp

memory/1196-8-0x0000000074620000-0x0000000074DD0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\g4y3jegn\g4y3jegn.cmdline

MD5 dade5b390765163a106e774a358b1000
SHA1 7ef43e73546f469b1f7b459efb0cf73e64c5d6f5
SHA256 8810223e111219f907d485d936a0cfc827448f0ba63d0a1d27175979b0f86767
SHA512 b5427f11085fdc60e6b3cbc034fef55c4b63b57114dd61832462758b6cc862ea2cf57ea00009c6fd50f85c4c8185655a0de1b44575792581fd289714ead21a02

C:\Users\Admin\AppData\Local\Temp\g4y3jegn\g4y3jegn.0.vb

MD5 69025d483cc73ba49d6332beccd0aef1
SHA1 1a890a7df0795e6ef19a594735967952719e9c3e
SHA256 68fd5753473c85f65a462403ffdacd4af6a641f9135242998be5fa6133461d18
SHA512 821d5aa253b51b518138247ee0f022e119aaf27a7c81a8aafd6f5a4993f81163596eae83118003fd34c7766135d2b058adeeec5bd9df7a1e9366f18b5b8ce453

C:\Users\Admin\AppData\Local\Temp\RE.resources

MD5 d067db854b2319f0ee620a3347b0156b
SHA1 bb5da3ef814802c533b3a22a82a931c63b12aa29
SHA256 87a74c6c525deb3db3e055800f47d61689a64f845f1b980f7f83460a88d7f202
SHA512 eb515e2cc9c66dfd9eaa7d1eaebef6bbf682e1c766fe4274955b0c1158deabde7c13c0046fb8c1f24b52b4b696722b8a776706437fe810c100346b6b6f8a5789

C:\Users\Admin\AppData\Local\Temp\vbcF788A34152EC4689BE6B5A1D24A49D4.TMP

MD5 beff33b26c40320f3a2c39d929ab41c4
SHA1 5ec75699ac1d35f2a6d22e8d3b76cb9ff77847dc
SHA256 967685b0d16f87b3c1161d0892f3ab6ba379bfbdb2722109b9e57160b37b06b6
SHA512 bf2acc89bf85101e3948490343aca7e3f74f63e9add00e29e6a1d3e39cfac1d168c81a04f8b6121ff095929e9c4655d204b35eff41c391ad045de704eab92f21

C:\Users\Admin\AppData\Local\Temp\RES5AA3.tmp

MD5 e33800a14ce43883a9ffcbd629921ed3
SHA1 2c476564338a3b696f517f9ad4636fb8b51c6592
SHA256 98e4e2b9c15a8f69e37a4edddc9f48ff5d2c9b8a6562c65e4236bace54806e68
SHA512 276c0354b15002b213682944c33c8f6d8c1e602776428c6fb9bf07973fad1b621bd70d643afd78eadb6082ad3edb32aabbd56a7e18bdd83f99cbccc3c99b8a23

C:\Users\Admin\AppData\Local\Temp\tmp590E.tmp.exe

MD5 8477e5ae9b8e93b3bbfd7bbbdbe79759
SHA1 3687c7813becbae3d25c7392fd2341f12c7ee7ea
SHA256 62e1bc40c88ec1dc4358ac632b6c14d89dba4c29cdbc75571cef92f8dfa2f40c
SHA512 23a712f466fff17c2b141bf14fa675ead5585b7714987a928614990d8a7f68ebe71be3af971450cce3f4d861a5409a72bf579a3de9c503e0aaeeb67a02092256

memory/1196-24-0x0000000074620000-0x0000000074DD0000-memory.dmp

memory/3008-25-0x0000000000990000-0x000000000099A000-memory.dmp

memory/3008-26-0x0000000074620000-0x0000000074DD0000-memory.dmp

memory/3008-27-0x00000000058C0000-0x0000000005E64000-memory.dmp

memory/3008-28-0x00000000053B0000-0x0000000005442000-memory.dmp

memory/3008-30-0x0000000074620000-0x0000000074DD0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 08:29

Reported

2024-06-13 08:32

Platform

win7-20240508-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6cfaec5b26f5f3986467e51636454230_NeikiAnalytics.exe"

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp17D5.tmp.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp17D5.tmp.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6cfaec5b26f5f3986467e51636454230_NeikiAnalytics.exe | N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6cfaec5b26f5f3986467e51636454230_NeikiAnalytics.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1848 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\6cfaec5b26f5f3986467e51636454230_NeikiAnalytics.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1848 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\6cfaec5b26f5f3986467e51636454230_NeikiAnalytics.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1848 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\6cfaec5b26f5f3986467e51636454230_NeikiAnalytics.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1848 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\6cfaec5b26f5f3986467e51636454230_NeikiAnalytics.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2592 wrote to memory of 2652 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2592 wrote to memory of 2652 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2592 wrote to memory of 2652 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2592 wrote to memory of 2652 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1848 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\6cfaec5b26f5f3986467e51636454230_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\tmp17D5.tmp.exe
PID 1848 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\6cfaec5b26f5f3986467e51636454230_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\tmp17D5.tmp.exe
PID 1848 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\6cfaec5b26f5f3986467e51636454230_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\tmp17D5.tmp.exe
PID 1848 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\6cfaec5b26f5f3986467e51636454230_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\tmp17D5.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6cfaec5b26f5f3986467e51636454230_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\6cfaec5b26f5f3986467e51636454230_NeikiAnalytics.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xjzy1zpr\xjzy1zpr.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES197A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD2139DC4F48748F0A2787AF449F5013.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp17D5.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp17D5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6cfaec5b26f5f3986467e51636454230_NeikiAnalytics.exe

Network

N/A

Files

memory/1848-0-0x0000000074ADE000-0x0000000074ADF000-memory.dmp

memory/1848-1-0x0000000000AC0000-0x0000000000ACA000-memory.dmp

memory/1848-7-0x0000000074AD0000-0x00000000751BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xjzy1zpr\xjzy1zpr.cmdline

MD5 d3def52a594984b805cff666adffa90b
SHA1 74f0326153f70f85e60fd41e811989da2c1467d5
SHA256 88cd817b884def83db58d7dd9f459c4e586f7048e297f41e78490a0f2e22cb71
SHA512 ec531944ab231f0ccab50e4a425c50a0a9eeaea0882d83bf83f94e4f89cc43dfb303cdefa0578fbf9878e8bbbe09a2a0c946fa44ef93598e28da44afd74b9832

C:\Users\Admin\AppData\Local\Temp\xjzy1zpr\xjzy1zpr.0.vb

MD5 82a7d70fce6ce22c55c3c0c066bf7b73
SHA1 c1dff740d34c833fec97f2eaa93658ebd1b23fba
SHA256 c0c966e6066998576955ac3e7314dad17dcad63599923b2e9f1d67bdb67cb824
SHA512 f016864b906f6f093b61d4e53341ba36b43535f2802ca25e61d18a57e2f150475b66f2946ee1da829dc0b87eb42cb51454e86c8c1a31cde359cbe54647d6e975

C:\Users\Admin\AppData\Local\Temp\RE.resources

MD5 493f67d6275c42bab39b1c1a5a4247ef
SHA1 d3f7d1e09032f81ddfe97aeca2f482d33fe52619
SHA256 c76d66eac044b9aa50d6bc3edd6d8c3c6fe5d07cbc12a73784310fa1e8c2e48a
SHA512 9247eee8744d691ddd40735ee1a2538e5adf9f137376196ec6ddcd9b239a16e90027d0ccb99cedb59d03da4fc5b41cbe728f99e97c7cbf80e410f24c01e74bdf

C:\Users\Admin\AppData\Local\Temp\vbcD2139DC4F48748F0A2787AF449F5013.TMP

MD5 2cfddb631f8cff2b8f0b0d9d372b3881
SHA1 7648a3172bcd0703779b4bb0d8c36ddc1b35896b
SHA256 16ea095a572b9f230ecf268321ef3f899f2fd0f045effab0316629191467e63b
SHA512 4a18e401cf71e7d158488ad86ac0d5b9f49afd0fbce1902cdc27a0556edd41001bee585f503fbbe9aa3da1bc0fcbb06355225ab02dab027719c40c70e7d0df20

C:\Users\Admin\AppData\Local\Temp\RES197A.tmp

MD5 b786b7564057ca2eb71d89730407bec2
SHA1 d80974a17e1da25de91abc46cf175d9e1ad6f1da
SHA256 0e4e300fda12fcc16c5353bd790abf9c0df39d3c7470c387a73cac3ec5b049df
SHA512 1760fc3de08bbaefb5e0172f66cab7d7a601f5cd25308dceb5fd77dd49631c76d50edf69dc3948baf1fbb46c9d74d9731c9563d61e49cf63b32dc422207e52d4

C:\Users\Admin\AppData\Local\Temp\tmp17D5.tmp.exe

MD5 0b6c654d6277fac0bf1dde68c10eb323
SHA1 ca7b3192ae4f9afb90a05f81cdd8de6660a9e85e
SHA256 8292ddcd61ed5a325d4da83b76eb91bb02b4eff0359e6ef341eff00e6a2ecc9b
SHA512 32d270b3849bc29f25fde3183caa9f810e8ea2f7f7e23ef6382aa97696fb734cd16d3a4af4a31977c1aa869a4fc43be3c4d2d8e6b5bc1656bad15e2866aff990

memory/2736-23-0x00000000002E0000-0x00000000002EA000-memory.dmp

memory/1848-24-0x0000000074AD0000-0x00000000751BE000-memory.dmp