Malware Analysis Report

2024-10-10 12:12

Sample ID 240613-q92rks1hjh
Target 8206486f823d38566b59221e10710180_NeikiAnalytics.exe
SHA256 6e37b2027187d9187f49b7bbcc816a91d19bc139f875df90d60c2e49ef2dce45
Tags
upx
score
7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256: 6e37b2027187d9187f49b7bbcc816a91d19bc139f875df90d60c2e49ef2dce45

Threat level: shows suspicious behavior.

The file 8206486f823d38566b59221e10710180_NeikiAnalytics.exe was classified as showing suspicious behavior. Despite the .exe name the sample is a DLL: both behavioral runs load it with rundll32.exe and call its export at ordinal 1 (see the command lines below).

Malicious Activity Summary

Tag: upx

ACProtect 1.3x - 1.4x DLL software
UPX packed file
Unsigned PE
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

The first three entries come from static inspection (packer matches and the absence of a code signature); the last three are runtime observations. The score is driven mostly by the packer matches and the SeDebugPrivilege request: the loaded DLL crashed in both runs, and neither run recorded network traffic or dropped files (the only artifacts under Files are memory dumps).

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-13 13:58

Signatures

ACProtect 1.3x - 1.4x DLL software

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

UPX packed file (tag: upx)

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

Unsigned PE

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A
N/A           N/A         N/A       N/A

Both packer signatures are byte-pattern matches on the same file and carry no indicator details here. Confirm the packer from the section table before attempting an unpack: UPX leaves its section names in place, an empty first section with a large virtual size that the stub decompresses into, and a high-entropy section that is both writable and executable.
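The section-table checks behind the "UPX packed file" signature, as an added example that is not part of this report or of the sandbox's own signature code. It builds two constructed PE32 files in memory (one with a UPX-style layout, one plain), parses them, and reports the indicators a packer check looks for. The sample images, the 7.0 bits-per-byte entropy threshold and the placement of the UPX! pack-header magic inside the payload are assumptions for illustration.

```python
import math
import random
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".UPX0", ".UPX1", ".UPX2"}


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; compressed or encrypted data sits close to 8.0."""
    if not buf:
        return 0.0
    n = len(buf)
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes):
    """Return (image_base, [(name, vsize, vaddr, rawsize, rawptr, chars), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # ImageBase: DWORD at +28 for PE32 (0x10B), QWORD at +24 for PE32+ (0x20B)
    if magic == 0x10B:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    else:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i  # section headers follow the optional header
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         vsize, vaddr, rawsize, rawptr, chars))
    return image_base, sections


def upx_indicators(data: bytes):
    """Return the UPX-style indicators present, in a fixed order."""
    _, secs = parse_pe(data)
    found = []
    if any(s[0] in UPX_SECTION_NAMES for s in secs):
        found.append("upx_section_names")
    if b"UPX!" in data:  # pack-header magic
        found.append("upx_magic")
    # UPX0 holds no file data but a large virtual size: the stub decompresses into it.
    if secs and secs[0][3] == 0 and secs[0][1] >= 0x1000:
        found.append("empty_first_section")
    for name, _, _, rawsize, rawptr, chars in secs:
        rwx = chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE
        if rawsize and rwx and shannon_entropy(data[rawptr:rawptr + rawsize]) > 7.0:
            found.append("high_entropy_rwx:" + name)
    return found


def build_pe(sections, image_base=0x10000000) -> bytes:
    """Assemble a minimal PE32 file from [(name, vsize, raw_bytes, chars)];
    only the fields parse_pe reads are filled in."""
    FILE_ALIGN, SECT_ALIGN, E_LFANEW, OPT_SIZE = 0x200, 0x1000, 0x40, 0xE0
    hdr_len = -(-(E_LFANEW + 4 + 20 + OPT_SIZE + 40 * len(sections)) // FILE_ALIGN) * FILE_ALIGN
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", E_LFANEW)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPT_SIZE, 0x2102)
    opt = bytearray(OPT_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    table, body, rawptr, vaddr = b"", b"", hdr_len, SECT_ALIGN
    for name, vsize, raw, chars in sections:
        raw = raw.ljust(-(-len(raw) // FILE_ALIGN) * FILE_ALIGN, b"\0")
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, vaddr,
                             len(raw), rawptr if raw else 0, 0, 0, 0, 0, chars)
        body += raw
        rawptr += len(raw)
        vaddr += -(-max(vsize, len(raw)) // SECT_ALIGN) * SECT_ALIGN
    return (dos + b"PE\0\0" + coff + bytes(opt) + table).ljust(hdr_len, b"\0") + body


# CONSTRUCTED samples, not the report's file: a UPX-style layout and a plain one.
_rng = random.Random(1)
_payload = b"UPX!" + bytes(_rng.getrandbits(8) for _ in range(0x1000 - 4))
PACKED_SAMPLE = build_pe([
    ("UPX0", 0x20000, b"", 0xE0000080),       # empty RWX placeholder for the unpacked image
    ("UPX1", 0x1000, _payload, 0xE0000040),    # compressed data plus the decompression stub
    (".rsrc", 0x1000, b"\0" * 0x200, 0xC0000040),
])
CLEAN_SAMPLE = build_pe([
    (".text", 0x1000, b"\x90" * 0x400, 0x60000020),  # R+X, low entropy
    (".data", 0x1000, b"\0" * 0x200, 0xC0000040),    # R+W, no execute
])

if __name__ == "__main__":
    for label, img in (("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        base, secs = parse_pe(img)
        print(label, hex(base), [s[0] for s in secs], upx_indicators(img))
```

The image base is reported because it ties the static view to the dynamic one: the memory dumps in both behavioral runs cover 0x10000000-0x10030000, the historical default base for 32-bit DLLs, so a DLL with that base that loads without relocation is decompressed by the stub into exactly that region. If the sample still carries an unmodified UPX pack header, `upx -d` on the file is the simpler route; if the header has been stripped, carve the dumped region instead.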

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 13:58
Reported: 2024-06-13 14:01
Platform: win7-20240221-en
Max time kernel: 140s
Max time network: 122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\8206486f823d38566b59221e10710180_NeikiAnalytics.dll,#1

Signatures

UPX packed file (tag: upx)

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

Program crash

Description   Indicator   Process                            Target
N/A           N/A         C:\Windows\SysWOW64\WerFault.exe   C:\Windows\SysWOW64\rundll32.exe

Suspicious use of AdjustPrivilegeToken

Description               Indicator   Process                            Target
Token: SeDebugPrivilege   N/A         C:\Windows\SysWOW64\rundll32.exe   N/A

SeDebugPrivilege is the privilege needed to open processes the caller does not own. rundll32.exe has no reason to enable it on its own, so the request comes from the loaded DLL. No cross-process access by this process was recorded before it crashed.

Processes

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\8206486f823d38566b59221e10710180_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\8206486f823d38566b59221e10710180_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 316

The 64-bit rundll32.exe (system32) re-launches the 32-bit rundll32.exe (SysWOW64) with the same command line, indicating the DLL is 32-bit; ",#1" asks rundll32 to call the export at ordinal 1. WerFault's -p argument names the crashing process, so the SysWOW64 rundll32.exe ran as PID 2144, which matches the memory dump below.

Network

N/A

Files

memory/2144-0-0x0000000010000000-0x0000000010030000-memory.dmp

Dump of PID 2144's memory over 0x10000000-0x10030000 (0x30000 bytes). 0x10000000 is the historical default image base for 32-bit DLLs, so this region is where the DLL, and after its stub has run the unpacked image, would be mapped if it loaded without relocation.

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-13 13:58
Reported: 2024-06-13 14:01
Platform: win10v2004-20240508-en
Max time kernel: 147s
Max time network: 149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\8206486f823d38566b59221e10710180_NeikiAnalytics.dll,#1

Signatures

UPX packed file (tag: upx)

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A
N/A           N/A         N/A       N/A

Program crash

Description   Indicator   Process                            Target
N/A           N/A         C:\Windows\SysWOW64\WerFault.exe   C:\Windows\SysWOW64\rundll32.exe

Suspicious use of AdjustPrivilegeToken

Description               Indicator   Process                            Target
Token: SeDebugPrivilege   N/A         C:\Windows\SysWOW64\rundll32.exe   N/A

Suspicious use of WriteProcessMemory

Description                         Indicator   Process                            Target
PID 3752 wrote to memory of 1696    N/A         C:\Windows\system32\rundll32.exe   C:\Windows\SysWOW64\rundll32.exe
PID 3752 wrote to memory of 1696    N/A         C:\Windows\system32\rundll32.exe   C:\Windows\SysWOW64\rundll32.exe
PID 3752 wrote to memory of 1696    N/A         C:\Windows\system32\rundll32.exe   C:\Windows\SysWOW64\rundll32.exe

All three writes are the 64-bit rundll32.exe (PID 3752) writing into the 32-bit rundll32.exe (PID 1696) it spawned to host the DLL: a parent setting up its own child during process creation, not injection into an unrelated process. No write from PID 1696 into any other process was recorded, and PID 1696 is the process WerFault then reports as crashing.

Processes

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\8206486f823d38566b59221e10710180_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\8206486f823d38566b59221e10710180_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1696 -ip 1696

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 712

Both WerFault invocations name PID 1696, the SysWOW64 rundll32.exe, as the crashing process; the Windows 10 reporting flow runs WerFault twice (the -pss form first, then the -u form), so this is one crash, not two.

Network

N/A (no entries)

Files

memory/1696-0-0x0000000010000000-0x0000000010030000-memory.dmp
memory/1696-2-0x0000000010000000-0x0000000010030000-memory.dmp

Two dumps of the same 0x30000-byte region of PID 1696 taken at different points, covering the default 32-bit DLL image base as in the win7 run.
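How to triage the WriteProcessMemory, WerFault and memory-dump rows from the behavioral2 run programmatically, as an added example that is not part of the sandbox report. On 64-bit Windows the 64-bit rundll32.exe re-launches its SysWOW64 counterpart when handed a 32-bit DLL, and the sandbox records the parent's writes into the new child as WriteProcessMemory; the script separates that relaunch pattern from writes into unrelated processes, pulls the crashing PID out of the WerFault command lines, and maps dump files to that PID. The first three WriteProcessMemory rows, the WerFault command lines and the dump names are copied from the report above; the fourth row (PID 1696 writing to a PID 4321 explorer.exe) is constructed and was not observed.

```python
import re
from collections import Counter, defaultdict

# Rows copied from the behavioral2 tables above. The fourth WriteProcessMemory
# row is CONSTRUCTED (not observed in this run) to show what a real
# cross-process write looks like next to the WOW64 relaunch pattern.
WPM_ROWS = [
    r"PID 3752 wrote to memory of 1696 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe",
    r"PID 3752 wrote to memory of 1696 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe",
    r"PID 3752 wrote to memory of 1696 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe",
    r"PID 1696 wrote to memory of 4321 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\explorer.exe",  # constructed
]
WERFAULT_CMDLINES = [
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1696 -ip 1696",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 712",
]
DUMP_NAMES = [
    "memory/1696-0-0x0000000010000000-0x0000000010030000-memory.dmp",
    "memory/1696-2-0x0000000010000000-0x0000000010030000-memory.dmp",
]

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")


def parse_wpm(row):
    """Split a 'PID A wrote to memory of B <indicator> <process> <target>' row."""
    m = WPM_RE.match(row)
    if not m:
        raise ValueError("unrecognised row: " + row)
    return {"src_pid": int(m[1]), "dst_pid": int(m[2]), "src": m[3], "dst": m[4]}


def is_wow64_relaunch(ev):
    """64-bit rundll32 handing a 32-bit DLL to its SysWOW64 twin: the parent
    writes the child's startup data during CreateProcess, which the sandbox
    reports as WriteProcessMemory. Same image name on both sides is the tell."""
    src, dst = ev["src"].lower(), ev["dst"].lower()
    return (src.endswith(r"\system32\rundll32.exe")
            and dst.endswith(r"\syswow64\rundll32.exe"))


def werfault_target_pid(cmdline):
    """WerFault names the crashing process with -p <pid> in both the -u and -pss forms."""
    m = re.search(r"\s-p\s+(\d+)", cmdline)
    return int(m[1]) if m else None


def parse_dump_name(name):
    """memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp -> (pid, index, start, end)."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError("unrecognised dump name: " + name)
    return int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)


def triage(wpm_rows, werfault_cmdlines, dump_names):
    counts = Counter()
    suspicious = []
    for ev in map(parse_wpm, wpm_rows):
        if is_wow64_relaunch(ev):
            counts["wow64_relaunch"] += 1
        else:
            counts["cross_process_write"] += 1
            suspicious.append((ev["src_pid"], ev["dst_pid"], ev["dst"]))
    crashed = sorted({p for p in map(werfault_target_pid, werfault_cmdlines) if p is not None})
    dumps = defaultdict(list)
    for pid, _, start, end in map(parse_dump_name, dump_names):
        dumps[pid].append((start, end))
    return {
        "counts": dict(counts),
        "suspicious": suspicious,          # writes that deserve a closer look
        "crashed_pids": crashed,
        # regions worth carving for the unpacked image, per crashed PID
        "dump_regions": {pid: sorted(set(dumps[pid])) for pid in crashed},
    }


if __name__ == "__main__":
    for key, value in triage(WPM_ROWS, WERFAULT_CMDLINES, DUMP_NAMES).items():
        print(key, value)
```

Run against the report's own rows (without the constructed fourth row) this yields three relaunch events, no suspicious writes, one crashed PID (1696) and a single 0x10000000-0x10030000 region to carve. The relaunch check keys on the image pair rather than on PIDs, so it transfers to other reports; anything else that lands in `suspicious` is the row to pivot on.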