Malware Analysis Report

2025-01-18 00:55

Sample ID 240613-lmyn7axclj
Target 7129434d69a97970d3e9d1c6641b1570_NeikiAnalytics.exe
SHA256 00aca96c37b587c8dc04756bdf8c9a5d1beadf81b450331aaf59e298a6d7e807
Tags
score
7/10

Analysis Overview

score
7/10

SHA256

00aca96c37b587c8dc04756bdf8c9a5d1beadf81b450331aaf59e298a6d7e807

Threat Level: Shows suspicious behavior

The file 7129434d69a97970d3e9d1c6641b1570_NeikiAnalytics.exe was found to show suspicious behavior.

Malicious Activity Summary

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 09:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 09:39

Reported

2024-06-13 09:42

Platform

win7-20240220-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7129434d69a97970d3e9d1c6641b1570_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\riogoo.exe N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7129434d69a97970d3e9d1c6641b1570_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\riogoo.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2176 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\7129434d69a97970d3e9d1c6641b1570_NeikiAnalytics.exe C:\Users\Admin\riogoo.exe
PID 2176 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\7129434d69a97970d3e9d1c6641b1570_NeikiAnalytics.exe C:\Users\Admin\riogoo.exe
PID 2176 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\7129434d69a97970d3e9d1c6641b1570_NeikiAnalytics.exe C:\Users\Admin\riogoo.exe
PID 2176 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\7129434d69a97970d3e9d1c6641b1570_NeikiAnalytics.exe C:\Users\Admin\riogoo.exe
PID 2176 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\7129434d69a97970d3e9d1c6641b1570_NeikiAnalytics.exe C:\Windows\SysWOW64\WerFault.exe
PID 2176 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\7129434d69a97970d3e9d1c6641b1570_NeikiAnalytics.exe C:\Windows\SysWOW64\WerFault.exe
PID 2176 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\7129434d69a97970d3e9d1c6641b1570_NeikiAnalytics.exe C:\Windows\SysWOW64\WerFault.exe
PID 2176 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\7129434d69a97970d3e9d1c6641b1570_NeikiAnalytics.exe C:\Windows\SysWOW64\WerFault.exe
PID 2620 wrote to memory of 2596 N/A C:\Users\Admin\riogoo.exe C:\Windows\SysWOW64\WerFault.exe
PID 2620 wrote to memory of 2596 N/A C:\Users\Admin\riogoo.exe C:\Windows\SysWOW64\WerFault.exe
PID 2620 wrote to memory of 2596 N/A C:\Users\Admin\riogoo.exe C:\Windows\SysWOW64\WerFault.exe
PID 2620 wrote to memory of 2596 N/A C:\Users\Admin\riogoo.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7129434d69a97970d3e9d1c6641b1570_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\7129434d69a97970d3e9d1c6641b1570_NeikiAnalytics.exe"

C:\Users\Admin\riogoo.exe

"C:\Users\Admin\riogoo.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 1000

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 860

Network

Country Destination Domain Proto
RU 193.104.27.110:80 tcp
RU 193.104.27.110:80 tcp

Files

\Users\Admin\riogoo.exe

MD5 9149516a0fb43c049ceae1b3aced6507
SHA1 9173351a3853b374c479b0de83fdff865a43310b
SHA256 676313f3b219ba2acc758d735e986506ef1b085bfa7e9fe8b34277cc1568f43f
SHA512 ff96d8e89a150e25fc9c2962f185c51b62e2ed870aa6cd082f49448330cfef010b156cfd2878c7806d689c23ac41fac9f8729b9274398a15e6a8f7e4cc4cd680

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 09:39

Reported

2024-06-13 09:42

Platform

win10v2004-20240611-en

Max time kernel

114s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7129434d69a97970d3e9d1c6641b1570_NeikiAnalytics.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7129434d69a97970d3e9d1c6641b1570_NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\piotoo.exe N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7129434d69a97970d3e9d1c6641b1570_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\piotoo.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7129434d69a97970d3e9d1c6641b1570_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\7129434d69a97970d3e9d1c6641b1570_NeikiAnalytics.exe"

C:\Users\Admin\piotoo.exe

"C:\Users\Admin\piotoo.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2308 -ip 2308

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 1516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3196 -ip 3196

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4060,i,8447163055677043976,7218082390179600880,262144 --variations-seed-version --mojo-platform-channel-handle=4112 /prefetch:8

Network

Country Destination Domain Proto
RU 193.104.27.110:80 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
RU 193.104.27.110:80 tcp
US 13.107.42.16:443 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\piotoo.exe

MD5 82acccac9c8db691f8caec2cf3e59c83
SHA1 d1bd41b0e133498dc319b188c8462b626b10dc70
SHA256 f9e8d5672b6f42620cb1e20abc7c36679692165fbe5b22816375d6c86d2241d2
SHA512 283450dbdc41b959ec407bcc901faf73889b59b957029888552daa774fdca7838f20077a0aec03982984a09919a1f795ac1c0e7243c8f86250714721293065ae