Malware Analysis Report

2025-01-18 01:37

Sample ID 240613-ket6cs1dmg
Target 6d07ebb10f0c376fe83728c5e4903910_NeikiAnalytics.exe
SHA256 e180262fa23508eb588a22bb9faf2dd2a3cf275cb12f2d402a2d9b9ce23c5455
Tags
score
5/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
5/10

SHA256

e180262fa23508eb588a22bb9faf2dd2a3cf275cb12f2d402a2d9b9ce23c5455

Threat Level: Likely benign

The file 6d07ebb10f0c376fe83728c5e4903910_NeikiAnalytics.exe was found to be: Likely benign.

Malicious Activity Summary


Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 08:31

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 08:31

Reported

2024-06-13 08:33

Platform

win7-20231129-en

Max time kernel

120s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d07ebb10f0c376fe83728c5e4903910_NeikiAnalytics.dll,#1

Although the submitted name ends in .exe, the sandbox executes the sample as a DLL: rundll32.exe maps the file and calls the export at ordinal #1 (the ",#1" suffix). No argument string follows the entry point, so the export receives an empty command line.

Signatures

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\NDISAPI.log | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\NDISAPI.log | C:\Windows\SysWOW64\rundll32.exe | N/A

The writer is the 32-bit rundll32.exe, and C:\Windows\SysWOW64 is the directory WOW64 file-system redirection presents to a 32-bit process as System32. Creating a file there needs write access to C:\Windows, which the detonation had. The dropped file is a .log, and nothing in this report shows it being loaded or executed.

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2128 wrote to memory of 1916 (7 events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

The writer is the 64-bit rundll32.exe in System32 (PID 2128) and the target is the 32-bit rundll32.exe in SysWOW64 (PID 1916); both appear in the process list below. rundll32.exe hands a 32-bit DLL off to its 32-bit counterpart, and a parent writing into the child it has just created is part of normal process start-up, so this signature by itself is consistent with the "likely benign" verdict rather than with injection into an unrelated process.

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d07ebb10f0c376fe83728c5e4903910_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d07ebb10f0c376fe83728c5e4903910_NeikiAnalytics.dll,#1
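The WriteProcessMemory rows above collapse to a single parent-to-child relationship once they are grouped, and the only question worth asking of them is whether the target is the WOW64 rundll32.exe the parent launched or some other process. The following script is an added example, not part of this report or of the sandbox that produced it: it parses rows in the report's "PID A wrote to memory of B" format, counts repeats per writer/target pair, and marks the 64-bit to 32-bit rundll32.exe hand-off as expected. The input embeds the seven rows from behavioral1 plus one constructed row (PID 1916 writing into a hypothetical explorer.exe, PID 4444) that does not appear in the report and exists only to show how a write into an unrelated process is flagged.

```python
import re
from collections import Counter

# Seven rows copied from the "Suspicious use of WriteProcessMemory" table for
# behavioral1, plus ONE constructed row (the last line) that is NOT in the
# report: a hypothetical write from the 32-bit rundll32.exe (PID 1916) into
# explorer.exe (PID 4444), included only to exercise the "review" path.
SIGNATURE_ROWS = r"""
PID 2128 wrote to memory of 1916 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2128 wrote to memory of 1916 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2128 wrote to memory of 1916 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2128 wrote to memory of 1916 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2128 wrote to memory of 1916 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2128 wrote to memory of 1916 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2128 wrote to memory of 1916 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1916 wrote to memory of 4444 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\explorer.exe
"""

# Row layout as printed in the report: Description, Indicator, Process, Target.
# Paths are assumed to contain no spaces (true for every row in this report).
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
    r"(?P<indicator>\S+) (?P<proc>\S+) (?P<target>\S+)$"
)

RUNDLL32_64 = r"c:\windows\system32\rundll32.exe"
RUNDLL32_32 = r"c:\windows\syswow64\rundll32.exe"


def parse_rows(text):
    """Parse 'PID A wrote to memory of B <indicator> <process> <target>' rows."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["src"] = int(e["src"])
            e["dst"] = int(e["dst"])
            events.append(e)
    return events


def is_wow64_handoff(proc, target):
    """True when the 64-bit rundll32.exe writes into the 32-bit rundll32.exe.

    rundll32.exe in System32 relaunches its SysWOW64 copy to host a 32-bit
    DLL, and a parent writing into the child it has just created is part of
    process start-up, not injection into a third-party process.
    """
    return proc.lower() == RUNDLL32_64 and target.lower() == RUNDLL32_32


def summarize(events):
    """Collapse repeated rows into one entry per writer/target pair with a
    count and a verdict ('expected' for the WOW64 hand-off, else 'review')."""
    counts = Counter((e["src"], e["dst"], e["proc"], e["target"]) for e in events)
    summary = []
    for (src, dst, proc, target), n in counts.items():
        verdict = "expected" if is_wow64_handoff(proc, target) else "review"
        summary.append({"src": src, "dst": dst, "proc": proc,
                        "target": target, "events": n, "verdict": verdict})
    return summary


if __name__ == "__main__":
    for s in summarize(parse_rows(SIGNATURE_ROWS)):
        print(f"{s['verdict']:8} PID {s['src']} -> PID {s['dst']} "
              f"({s['events']} writes) {s['proc']} -> {s['target']}")
```

The check deliberately keys on the exact System32/SysWOW64 rundll32.exe pair rather than on the image name alone: a rundll32.exe writing into a second rundll32.exe from any other location would still be reported for review.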

Network

N/A

Files

C:\Windows\SysWOW64\NDISAPI.log

MD5 2c12252f8d3ee2ef71a5758b2b9f98bf
SHA1 c29c34d806abd22bca70d12217ff4f0b6fef08dc
SHA256 26fc45856effb8dc9aa8cfb7437aee3ce9031e4204abbfedbcb7c3d4316313a0
SHA512 aaa38fb1ca8d7bb635952bda2545eea10c567b3dd78ca48df60581528edfdaedf1cb152cbe3c93b2d75aad33f7e4595193b1af8ca4e55e96582f2de9d7bd31b7

C:\Windows\SysWOW64\NDISAPI.log

MD5 7a8de150dcd4f88db258acffa70eb1fe
SHA1 5a19ae254c82d5afce99f9cde954959c12d35f63
SHA256 dfeb74c55b1929af991ed6c18dc516eb5338e626a757a0b643d69a51fab145cb
SHA512 b75441009af5aa53e54fd574803d3c2a6a496a1e474d72c65188932e0c9ec25d451821c8c8abb7c3bf0fe28d81c28379b550a3099304c767602a1ae162bc1c48

Two entries are listed for the same path because two different contents were captured there during the run, matching the "File created" and "File opened for modification" events above.

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 08:31

Reported

2024-06-13 08:33

Platform

win10v2004-20240611-en

Max time kernel

93s

Max time network

95s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d07ebb10f0c376fe83728c5e4903910_NeikiAnalytics.dll,#1

Signatures

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\NDISAPI.log | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\NDISAPI.log | C:\Windows\SysWOW64\rundll32.exe | N/A

As in behavioral1, the 32-bit rundll32.exe writes NDISAPI.log into SysWOW64, the directory WOW64 presents to a 32-bit process as System32.

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3040 wrote to memory of 2668 (3 events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Same pattern as behavioral1: the 64-bit rundll32.exe (PID 3040) writing into the 32-bit rundll32.exe (PID 2668) it launched to host the DLL, which is part of normal process start-up rather than injection into an unrelated process.

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d07ebb10f0c376fe83728c5e4903910_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d07ebb10f0c376fe83728c5e4903910_NeikiAnalytics.dll,#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
NL | 23.62.61.194:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
NL | 23.62.61.194:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 216.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp

None of these rows carries a process attribution, so nothing here is tied to the sample itself: the TCP destinations are Bing endpoints and the UDP rows are forward and reverse DNS lookups against 8.8.8.8, which is ordinary background activity for a Windows 10 image. The Windows 7 run (behavioral1) produced no network traffic at all. Treat this traffic as noise unless a process-level capture attributes it to rundll32.exe.
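Most of the UDP rows above are PTR queries, and decoding them shows which ones refer to peers the host actually connected to in this run. The script below is an added example, not part of this report or of the sandbox that produced it: it parses rows in the report's "Country Destination Domain Proto" layout, turns each in-addr.arpa name back into an IPv4 address, and correlates those addresses with the TCP destinations seen in the same run. On the behavioral2 rows the only reverse lookup that matches a connected peer is 194.61.62.23.in-addr.arpa (23.62.61.194, www.bing.com); the other nine name addresses the table never shows a connection to, and 204.79.197.237 was connected to without a reverse lookup. The input rows are copied from the table above; the column layout is the only assumption.

```python
import ipaddress
import re

# Rows copied from the behavioral2 Network table in this report.
NETWORK_ROWS = """\
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 216.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
"""

# Column layout assumed from the report: Country, Destination (ip:port), Domain, Proto.
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+) (?P<name>\S+) (?P<proto>tcp|udp)$"
)


def parse_rows(text):
    """Parse the network table rows into dicts; non-matching lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            r = m.groupdict()
            r["port"] = int(r["port"])
            rows.append(r)
    return rows


def ptr_to_ip(name):
    """Decode a reverse-lookup name: '194.61.62.23.in-addr.arpa' -> '23.62.61.194'.
    Returns None for anything that is not a well-formed IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ValueError:
        return None


def correlate(rows):
    """Split port-53 UDP rows into forward and reverse lookups and report which
    reverse lookups name a peer the host connected to over TCP in the same run."""
    tcp_peers = {r["ip"] for r in rows if r["proto"] == "tcp"}
    forward, reverse = set(), {}
    for r in rows:
        if r["proto"] != "udp" or r["port"] != 53:
            continue
        ip = ptr_to_ip(r["name"])
        if ip is None:
            forward.add(r["name"])
        else:
            reverse[r["name"]] = ip
    return {
        "tcp_peers": tcp_peers,
        "forward_lookups": forward,
        "reverse_matched": {n: ip for n, ip in reverse.items() if ip in tcp_peers},
        "reverse_unmatched": {n: ip for n, ip in reverse.items() if ip not in tcp_peers},
        "peers_without_ptr": tcp_peers - set(reverse.values()),
    }


if __name__ == "__main__":
    result = correlate(parse_rows(NETWORK_ROWS))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Reverse lookups that match no connection in the capture are not evidence of hidden traffic; they only show that the correlation must be done against the full capture, not just the rows a summary table chooses to print.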

Files

C:\Windows\SysWOW64\NDISAPI.log

MD5 2b7a55a64720ba65080a73ab689868b8
SHA1 cd036df27a1f69c017c38349a14c9e51661ecef4
SHA256 27f9cbbb9d481bd5a8d41a88682dcc26f14e6945ddd773ad75e9a3491c8b26c3
SHA512 b0bc1ab3c2b0e87a7fe66c26009be3c655375df7b1cd66cb9a9e8593c81bb9b1ac0b0a368a4f88fc39dac5def3e98557fff61035f4d0d65215d6943c6f3a7738