Malware Analysis Report

2024-09-11 07:34

Sample ID 240613-zdmr8azbph
Target 84e23aae561f911040313c129b920c70_NeikiAnalytics.exe
SHA256 c57aa295cc39c34536d8370f55863de4571bb5b326c330b6dfd91f419a75c467
Tags
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

c57aa295cc39c34536d8370f55863de4571bb5b326c330b6dfd91f419a75c467

Threat Level: Shows suspicious behavior

The file 84e23aae561f911040313c129b920c70_NeikiAnalytics.exe was found to be: Shows suspicious behavior.

Malicious Activity Summary


Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Unsigned PE

Suspicious use of SetWindowsHookAW

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
Peripheral Device Discovery
T1120
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-13 20:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 20:36

Reported

2024-06-13 20:38

Platform

win7-20240220-en

Max time kernel

144s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~TMP361A.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~TMP361A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~TMP361A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~TMP361A.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\~TMP361A.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\~TMP361A.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\~TMP361A.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\~TMP361A.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\~TMP361A.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\~TMP361A.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\~TMP361A.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\~TMP361A.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\~TMP361A.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\~TMP361A.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\~TMP361A.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\~TMP361A.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\~TMP361A.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\~TMP361A.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\~TMP361A.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\~TMP361A.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\~TMP361A.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\~TMP361A.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\~TMP361A.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\~TMP361A.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\~TMP361A.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\~TMP361A.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\~TMP361A.exe N/A

Suspicious use of SetWindowsHookAW

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~TMP361A.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2924 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\~TMP361A.exe
PID 2924 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\~TMP361A.exe
PID 2924 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\~TMP361A.exe
PID 2924 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\~TMP361A.exe
PID 2924 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\~TMP361A.exe
PID 2924 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\~TMP361A.exe
PID 2924 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\~TMP361A.exe

Processes

C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\~TMP361A.exe

C:\Users\Admin\AppData\Local\Temp\~TMP361A.exe -3 -d"C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\~TMP361A.exe

MD5 d103c69a2b79e9e685ba480f1fb496f4
SHA1 6b3ff64ee98ff17be8c4fd0396da2ea94c77a53e
SHA256 2d77173468a624140032940d29fcbc2b49b70b0b7fe1e2110bc3e1b597e58d29
SHA512 8a1bc5fa7b9cd1d32b20463a0c4bc54b89f9580527b67303c164ea85fba5cbe3477a7dd286fe4322846f949aa2047380968fe41da5fff73a190db3c28b5e48c7

memory/2924-11-0x0000000000400000-0x0000000000465000-memory.dmp

memory/2632-12-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/2632-13-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/2632-14-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/2632-15-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/2632-16-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/2632-17-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/2632-18-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/2632-19-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/2632-20-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/2632-21-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/2632-22-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/2632-23-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/2632-24-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/2632-25-0x0000000000400000-0x00000000004A2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 20:36

Reported

2024-06-13 20:38

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A F:\~TMP4214.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe N/A
File opened (read-only) \??\A: F:\~TMP4214.exe N/A
File opened (read-only) \??\K: F:\~TMP4214.exe N/A
File opened (read-only) \??\N: F:\~TMP4214.exe N/A
File opened (read-only) \??\R: F:\~TMP4214.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe N/A
File opened (read-only) \??\U: F:\~TMP4214.exe N/A
File opened (read-only) \??\X: F:\~TMP4214.exe N/A
File opened (read-only) \??\Y: F:\~TMP4214.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe N/A
File opened (read-only) \??\J: F:\~TMP4214.exe N/A
File opened (read-only) \??\P: F:\~TMP4214.exe N/A
File opened (read-only) \??\S: F:\~TMP4214.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe N/A
File opened (read-only) \??\Z: F:\~TMP4214.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe N/A
File opened (read-only) \??\B: F:\~TMP4214.exe N/A
File opened (read-only) \??\I: F:\~TMP4214.exe N/A
File opened (read-only) \??\L: F:\~TMP4214.exe N/A
File opened (read-only) \??\O: F:\~TMP4214.exe N/A
File opened (read-only) \??\Q: F:\~TMP4214.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe N/A
File opened (read-only) \??\V: F:\~TMP4214.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe N/A
File opened (read-only) \??\G: F:\~TMP4214.exe N/A
File opened (read-only) \??\T: F:\~TMP4214.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe N/A
File opened (read-only) \??\E: F:\~TMP4214.exe N/A
File opened (read-only) \??\M: F:\~TMP4214.exe N/A
File opened (read-only) \??\W: F:\~TMP4214.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe N/A
File opened (read-only) \??\H: F:\~TMP4214.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe N/A

Suspicious use of SetWindowsHookAW

Description Indicator Process Target
N/A N/A F:\~TMP4214.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1092 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe F:\~TMP4214.exe
PID 1092 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe F:\~TMP4214.exe
PID 1092 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe F:\~TMP4214.exe

Processes

C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe"

F:\~TMP4214.exe

F:\~TMP4214.exe -3 -d"C:\Users\Admin\AppData\Local\Temp\84e23aae561f911040313c129b920c70_NeikiAnalytics.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 98.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

F:\~TMP4214.exe

MD5 d103c69a2b79e9e685ba480f1fb496f4
SHA1 6b3ff64ee98ff17be8c4fd0396da2ea94c77a53e
SHA256 2d77173468a624140032940d29fcbc2b49b70b0b7fe1e2110bc3e1b597e58d29
SHA512 8a1bc5fa7b9cd1d32b20463a0c4bc54b89f9580527b67303c164ea85fba5cbe3477a7dd286fe4322846f949aa2047380968fe41da5fff73a190db3c28b5e48c7

memory/1092-8-0x0000000000400000-0x0000000000465000-memory.dmp

memory/1208-9-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/1208-10-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/1208-11-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/1208-12-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/1208-13-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/1208-14-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/1208-15-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/1208-16-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/1208-17-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/1208-18-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/1208-19-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/1208-20-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/1208-21-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/1208-22-0x0000000000400000-0x00000000004A2000-memory.dmp