Malware Analysis Report

2024-09-23 11:50

Sample ID 240614-m35ywa1gjj
Target 049264b4bf5eb0b7ea8fe9c113be6d90_NeikiAnalytics.exe
SHA256 6cb8b68ee6a31233c2bba4bac31cfb382caa4ab65fc83b70a2b84a89e48a62a2
Tags
bootkit persistence
score
6/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
6/10

SHA256

6cb8b68ee6a31233c2bba4bac31cfb382caa4ab65fc83b70a2b84a89e48a62a2

Threat level: shows suspicious behavior

The file 049264b4bf5eb0b7ea8fe9c113be6d90_NeikiAnalytics.exe was found to show suspicious behavior.

Malicious Activity Summary

bootkit persistence

Writes to the Master Boot Record (MBR)

Loads dropped DLL

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

What the two detonations actually record for these signatures: the MBR signature, which drives the "bootkit persistence" tag, has a single indicator in both runs, a handle to \??\PhysicalDrive0 opened for modification by the sample itself. No sector write is shown, so an MBR change should be confirmed by comparing sector 0 before and after detonation rather than inferred from the signature name. "Loads dropped DLL" appears only in this summary; the DLLs written during both runs are QQPCDownload.dll and beacon_sdk.dll under C:\Users\Admin\AppData\Local\Temp\TencentDownload, with identical hashes on Windows 10 and Windows 11. The EnumeratesProcesses and SetWindowsHookEx signatures carry no indicator detail (N/A) in either run, and the Processes sections list only the sample's own process, with no children.

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 11:00

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 11:00

Reported

2024-06-14 11:03

Platform

win10v2004-20240611-en

Max time kernel

131s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\049264b4bf5eb0b7ea8fe9c113be6d90_NeikiAnalytics.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description: File opened for modification
Indicator: \??\PhysicalDrive0
Process: C:\Users\Admin\AppData\Local\Temp\049264b4bf5eb0b7ea8fe9c113be6d90_NeikiAnalytics.exe
Target: N/A

Suspicious behavior: EnumeratesProcesses

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\049264b4bf5eb0b7ea8fe9c113be6d90_NeikiAnalytics.exe
Target: N/A
(16 identical entries)

Suspicious use of SetWindowsHookEx

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\049264b4bf5eb0b7ea8fe9c113be6d90_NeikiAnalytics.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\049264b4bf5eb0b7ea8fe9c113be6d90_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\049264b4bf5eb0b7ea8fe9c113be6d90_NeikiAnalytics.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 master.etl.desktop.qq.com udp
US 8.8.8.8:53 c.gj.qq.com udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
HK 43.135.106.117:80 c.gj.qq.com tcp
HK 43.135.106.117:80 c.gj.qq.com tcp
NL 23.62.61.56:443 www.bing.com tcp
US 8.8.8.8:53 oth.eve.mdt.qq.com udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 56.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 117.106.135.43.in-addr.arpa udp
SG 101.33.47.68:8081 oth.eve.mdt.qq.com tcp
SG 101.33.47.68:8081 oth.eve.mdt.qq.com tcp
SG 101.33.47.68:8081 oth.eve.mdt.qq.com tcp
SG 101.33.47.68:8081 oth.eve.mdt.qq.com tcp
US 8.8.8.8:53 68.47.33.101.in-addr.arpa udp
SG 101.33.47.68:8081 oth.eve.mdt.qq.com tcp
US 8.8.8.8:53 203.33.253.131.in-addr.arpa udp
SG 101.33.47.68:8081 oth.eve.mdt.qq.com tcp
US 8.8.8.8:53 dlied6.qq.com udp
SG 101.33.47.68:8081 oth.eve.mdt.qq.com tcp
SG 101.33.47.68:8081 oth.eve.mdt.qq.com tcp
SG 101.33.47.68:8081 oth.eve.mdt.qq.com tcp
SG 101.33.47.68:8081 oth.eve.mdt.qq.com tcp
CN 122.189.171.73:80 dlied6.qq.com tcp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
CN 42.56.64.52:80 dlied6.qq.com tcp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
CN 211.93.212.206:80 dlied6.qq.com tcp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp
US 8.8.8.8:53 dlied6.qq.com udp
CN 211.93.212.206:80 dlied6.qq.com tcp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp
CN 122.189.171.73:80 dlied6.qq.com tcp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
CN 115.56.90.107:80 dlied6.qq.com tcp
US 8.8.8.8:53 dlied6.qq.com udp
CN 42.56.64.52:443 dlied6.qq.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\TencentDownload\~e573345\QQPCDownload.dll

MD5 9d44d2a1e8c988979a2f7d77a4f038fa
SHA1 d91d84512e7ce2957f2b4e6fc2d97d04ba7f1557
SHA256 fd1af002dd83bb74d244414df2bd90553050486671410aec2a9dea729114aa2f
SHA512 4d14b1099e5104ee9b853b2201c08fef8fff16953e530b19c18df73e0fb2bb8f018b10c1070c37420f63156fb9b203bbce3f90d1f4c2fee7a9f7a2a7fc33d657

C:\ProgramData\Tencent\DeskUpdate\Guid.db

MD5 2d5e50a755df0fcd330f74ab54d023cd
SHA1 9effdcf0484faf627c42685e4a00614ee3568c54
SHA256 c1e51cd97f8537ab2d417486a601f8e267077058ddee2cf3326a26fe1e22baeb
SHA512 d58e02fbf10d2fe69bb5be7ea2134835e7b3003a9c3085425474e33566447a4305adde4c28d920837603c3968b7d7b62d9555d4b4bb565eb667ec369d9030d64

C:\ProgramData\Tencent\DeskUpdate\GuidInfo.db

MD5 af821c527d4ac8a247d7dad165ca3cab
SHA1 a969dc01c12369f3e836ba240e4b37168c56c930
SHA256 20ee2d553faaa580224133a8ec72303ee772e277af415db2dab357a74e835b00
SHA512 ff3391504a98e2ef0e576cd09d18591ee8b2ced2d01db99f4f144ad578cb4abfd72c075eeeb3879a5bfa387e7710c8408a3f171a8ac316f9d64813ddd75f6485

C:\ProgramData\Tencent\DeskUpdate\GuidList.db

MD5 b2da859b4807071972e7b7a5d86a583e
SHA1 6e458089c7bb7d8d98e175a2c6b94d8a4e7d5c38
SHA256 164b1f18d8fe4ae5b99f2e15adce96532c75096cb5dcfec120c042a837a932dd
SHA512 6422140ac2a84200d40d9494fd73213a752696ea04a29717096150c15f42e56f8b539d0d1de973eec16ffeaba54437baa200cfe2834eb1e8308e2d5cead2ebf4

C:\Users\Admin\AppData\Roaming\Tencent\DeskUpdate\GlobalMgr.db

MD5 7716cbade8ff3f8e277a987b256ad0bc
SHA1 8c3105caf7986b7d103acf7ea97be06fd21e28a5
SHA256 654b1897d84e2731cf5b00e67e7606e0347ac90ddb0dc27991518b11faf3ef6b
SHA512 452b8914188235c40c14a9d07b51c0d1a105cf536b67dad4f291aa3dc0e6996a7c33201c06b0142a2c3f536fd7c0011a78d9834c8bef67b45d76899c25736ed1

C:\Users\Admin\AppData\Local\Temp\TencentDownload\~e573345\beacon_sdk.dll

MD5 573ec741ba9393c06292c329ca78e50c
SHA1 8f7956a1f2a40af28f0f470b82a90042bdfd836c
SHA256 0118930d91b51e6e4dfea02c4b81c152cbb848e227c02a1dcdc0909b167fdad0
SHA512 741574fecb16a6581c1a8d5fb412752915dc02a0f8b8a485a8fdf0d71005851c5fa6710fba242234a5a9ef250d3d85aff24af7492a16922351ec783d5b9d19cd

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 11:00

Reported

2024-06-14 11:03

Platform

win11-20240611-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\049264b4bf5eb0b7ea8fe9c113be6d90_NeikiAnalytics.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description: File opened for modification
Indicator: \??\PhysicalDrive0
Process: C:\Users\Admin\AppData\Local\Temp\049264b4bf5eb0b7ea8fe9c113be6d90_NeikiAnalytics.exe
Target: N/A
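The "Writes to the Master Boot Record (MBR)" signature, in behavioral1 and behavioral2 alike, rests on one observation: the sample opened \??\PhysicalDrive0 with write access. The report does not show whether anything was written to sector 0. The script below is an added example (not part of the sandbox report or of the sample's own code) that compares a baseline image of sector 0 with a post-detonation image and says which region changed: the boot code, the disk signature, the partition table, or the 55AA marker. The two 512-byte images are constructed for the example; read_sector0() is the assumed way to obtain real ones from an elevated shell.

```python
"""Check whether a detonation actually altered sector 0 (the MBR)."""
import hashlib
import struct

SECTOR = 512
BOOTSTRAP = slice(0, 440)   # legacy boot code
DISK_SIG = slice(440, 444)  # Windows disk signature
PTABLE = slice(446, 510)    # four 16-byte partition entries
BOOT_SIG = slice(510, 512)  # must be 55 AA


def parse_partitions(mbr: bytes) -> list:
    """Decode the four partition entries; empty slots come back as type 0."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, 446 + 16 * i)
        entries.append({"index": i, "bootable": status == 0x80,
                        "type": ptype, "lba_start": lba_start,
                        "sectors": sectors})
    return entries


def diff_mbr(baseline: bytes, current: bytes) -> dict:
    """Classify which region of sector 0 changed between two images."""
    if len(baseline) != SECTOR or len(current) != SECTOR:
        raise ValueError("MBR images must be exactly 512 bytes")
    before = hashlib.sha256(baseline).hexdigest()
    after = hashlib.sha256(current).hexdigest()
    report = {
        "sha256_before": before,
        "sha256_after": after,
        "modified": before != after,
        "bootstrap_changed": baseline[BOOTSTRAP] != current[BOOTSTRAP],
        "disk_sig_changed": baseline[DISK_SIG] != current[DISK_SIG],
        "ptable_changed": baseline[PTABLE] != current[PTABLE],
        "boot_sig_valid": current[BOOT_SIG] == b"\x55\xaa",
    }
    # A bootkit replaces the boot code but keeps the partition table and the
    # 55AA marker so the machine still boots; flag that pattern explicitly.
    report["bootkit_pattern"] = (report["bootstrap_changed"]
                                 and not report["ptable_changed"]
                                 and report["boot_sig_valid"])
    return report


def make_sample_mbr(boot_code_fill: int) -> bytes:
    """Constructed 512-byte image: filler boot code, one bootable NTFS entry."""
    boot_code = bytes([boot_code_fill]) * 440
    disk_sig = b"\x12\x34\x56\x78" + b"\x00\x00"       # signature + reserved
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    ptable = entry + b"\x00" * 48                      # three empty slots
    return boot_code + disk_sig + ptable + b"\x55\xaa"


BASELINE = make_sample_mbr(0x90)   # constructed: clean image before detonation
TAMPERED = make_sample_mbr(0xcc)   # constructed: boot code overwritten, table intact


def read_sector0(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 from a raw device (admin on Windows, root for /dev/sda)."""
    with open(device, "rb") as fh:
        return fh.read(SECTOR)


if __name__ == "__main__":
    for label, image in (("unchanged", BASELINE), ("tampered", TAMPERED)):
        r = diff_mbr(BASELINE, image)
        print(label, {k: r[k] for k in ("modified", "bootstrap_changed",
                                        "ptable_changed", "bootkit_pattern")})
```

Take the baseline image from the sandbox snapshot before detonation and the second one from the same VM afterwards; a handle opened for modification that leaves both hashes equal is a read of the disk (serial, signature) rather than a bootkit install, which is exactly the distinction the signature on its own cannot make.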

Suspicious behavior: EnumeratesProcesses

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\049264b4bf5eb0b7ea8fe9c113be6d90_NeikiAnalytics.exe
Target: N/A
(16 identical entries)

Suspicious use of SetWindowsHookEx

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\049264b4bf5eb0b7ea8fe9c113be6d90_NeikiAnalytics.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\049264b4bf5eb0b7ea8fe9c113be6d90_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\049264b4bf5eb0b7ea8fe9c113be6d90_NeikiAnalytics.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 master.etl.desktop.qq.com udp
US 8.8.8.8:53 c.gj.qq.com udp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp
HK 43.135.106.184:80 c.gj.qq.com tcp
HK 43.135.106.184:80 c.gj.qq.com tcp
SG 101.33.47.68:8081 oth.eve.mdt.qq.com tcp
SG 101.33.47.68:8081 oth.eve.mdt.qq.com tcp
SG 101.33.47.68:8081 oth.eve.mdt.qq.com tcp
SG 101.33.47.68:8081 oth.eve.mdt.qq.com tcp
SG 101.33.47.68:8081 oth.eve.mdt.qq.com tcp
SG 101.33.47.68:8081 oth.eve.mdt.qq.com tcp
SG 101.33.47.68:8081 oth.eve.mdt.qq.com tcp
SG 101.33.47.68:8081 oth.eve.mdt.qq.com tcp
SG 101.33.47.68:8081 oth.eve.mdt.qq.com tcp
SG 101.33.47.68:8081 oth.eve.mdt.qq.com tcp
CN 122.189.171.73:80 dlied6.qq.com tcp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp
CN 211.93.212.206:80 dlied6.qq.com tcp
CN 122.188.37.244:80 dlied6.qq.com tcp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp
CN 122.189.171.73:80 dlied6.qq.com tcp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp
CN 211.93.212.206:80 dlied6.qq.com tcp
CN 122.188.37.244:80 dlied6.qq.com tcp
CN 122.189.171.73:443 dlied6.qq.com tcp
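The Network tables of behavioral1 and behavioral2 mix three kinds of rows: UDP/53 name queries to the sandbox resolver, reverse (in-addr.arpa) lookups the sandbox performs on the addresses it saw, and the actual TCP sessions, several of them repeated. The script below is an added example (not part of the report) that turns such a table into a deduplicated IOC list with per-endpoint hit counts. The rows are a subset copied from the behavioral1 table; treating 8.8.8.8 as the resolver rather than an IOC, dropping PTR rows, and the list of domains regarded as OS background traffic (here only *.bing.com) are this example's own assumptions.

```python
"""Turn a flattened sandbox Network table into a deduplicated IOC list."""
from collections import Counter

# Rows copied from the behavioral1 Network table (a representative subset).
NETWORK_TABLE = """\
US 8.8.8.8:53 master.etl.desktop.qq.com udp
US 8.8.8.8:53 c.gj.qq.com udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
HK 43.135.106.117:80 c.gj.qq.com tcp
HK 43.135.106.117:80 c.gj.qq.com tcp
US 8.8.8.8:53 oth.eve.mdt.qq.com udp
SG 101.33.47.68:8081 oth.eve.mdt.qq.com tcp
SG 101.33.47.68:8081 oth.eve.mdt.qq.com tcp
SG 101.33.47.68:8081 oth.eve.mdt.qq.com tcp
US 8.8.8.8:53 dlied6.qq.com udp
CN 122.189.171.73:80 dlied6.qq.com tcp
CN 157.255.4.39:443 master.etl.desktop.qq.com tcp
CN 42.56.64.52:80 dlied6.qq.com tcp
CN 42.56.64.52:443 dlied6.qq.com tcp
"""

# Assumption: domains the sandbox OS contacts on its own; extend this per
# platform before treating whatever remains as sample-generated traffic.
BACKGROUND_SUFFIXES = (".bing.com",)


def parse_rows(table: str) -> list:
    """Split 'Country Destination Domain Proto' rows into dicts."""
    rows = []
    for line in table.splitlines():
        parts = line.split()
        if len(parts) != 4 or ":" not in parts[1]:
            continue                      # header, blank or malformed line
        country, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def classify(row: dict) -> str:
    """ptr = sandbox reverse lookup, dns = name query, conn = real session."""
    if row["domain"].endswith(".in-addr.arpa"):
        return "ptr"
    if row["port"] == 53 and row["proto"] == "udp":
        return "dns"
    return "conn"


def is_background(domain: str) -> bool:
    return domain.endswith(BACKGROUND_SUFFIXES)


def extract_iocs(table: str) -> dict:
    """Deduplicated domains and ip:port endpoints with hit counts."""
    domains, resolvers, hits = set(), set(), Counter()
    for row in parse_rows(table):
        kind = classify(row)
        if kind == "ptr" or is_background(row["domain"]):
            continue
        if kind == "dns":
            resolvers.add(row["ip"])      # the resolver itself is not an IOC
            domains.add(row["domain"])
            continue
        hits[(row["ip"], row["port"], row["domain"], row["country"])] += 1
    connections = [
        {"ip": ip, "port": port, "domain": domain, "country": cc, "count": n}
        for (ip, port, domain, cc), n in sorted(
            hits.items(), key=lambda kv: (-kv[1], kv[0]))
    ]
    return {"domains": sorted(domains), "resolvers": sorted(resolvers),
            "connections": connections}


if __name__ == "__main__":
    result = extract_iocs(NETWORK_TABLE)
    print("domains:", result["domains"])
    for c in result["connections"]:
        print(f'{c["ip"]}:{c["port"]} {c["domain"]} {c["country"]} x{c["count"]}')
```

Paste the full table from either run into NETWORK_TABLE to get the complete list; the repeated 101.33.47.68:8081 sessions collapse into one endpoint with a count, which is the form a blocklist or a Sigma/Suricata rule wants, and the PTR rows disappear because they describe the sandbox, not the sample.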

Files

C:\Users\Admin\AppData\Local\Temp\TencentDownload\~e57378b\QQPCDownload.dll

MD5 9d44d2a1e8c988979a2f7d77a4f038fa
SHA1 d91d84512e7ce2957f2b4e6fc2d97d04ba7f1557
SHA256 fd1af002dd83bb74d244414df2bd90553050486671410aec2a9dea729114aa2f
SHA512 4d14b1099e5104ee9b853b2201c08fef8fff16953e530b19c18df73e0fb2bb8f018b10c1070c37420f63156fb9b203bbce3f90d1f4c2fee7a9f7a2a7fc33d657

C:\ProgramData\Tencent\DeskUpdate\Guid.db

MD5 fb4e548725f4ebaf6bc11dfa325edf47
SHA1 ba121baf2a7d530a03cff2444f328c533ba40e02
SHA256 5087bc3b5b154c14d6507a1c288052a5ae9a256038c65f0acfab9854d0f17357
SHA512 8bcae49a525a0c2baa6a008c7fcbb5fec9e6d6a5ef58e5b77b4593607548f7c924eeec9e3d06254fac9b96c6c1f38c13559be2aa5e5c33de3b2f4fde7b61f4e7

C:\ProgramData\Tencent\DeskUpdate\GuidInfo.db

MD5 280b68d86aeb8e3d733a05af974613fd
SHA1 3b19e474d2f8660a44a47e19c92b9a8d174ab79d
SHA256 41b74290367f443ea2fb9f7c8663dbf9524a6cb9bd1f49aeb2c6825fa14c6777
SHA512 8f68da265df7169a9b8a9973242d01c0516979a29a98888304818b95b64576cb2e96b2bf2163f9525f8e848916a77442ed89a328b1f46c343682e540d8e53eff

C:\Users\Admin\AppData\Roaming\Tencent\DeskUpdate\GlobalMgr.db

MD5 7132aa5b44e6db59fed194d032e27f35
SHA1 d489a1d1921e4936fe897adbb711d067f0fa7c0e
SHA256 8a6e8a4b65c5d2e096d675788aba40e1a7a08b7fc6757e1b8a7bbeaea55cbb91
SHA512 897bd105b8647a6a985d2c96a647ff55fcabf9cb8aae359161eac86a6d9f5cb2189b33b2de209b2fc49e2986438b5189e8176bcdc6974a08ab9cb4b661a2ebb3

C:\ProgramData\Tencent\DeskUpdate\GuidReport.dat

MD5 b31dad42f37b6b8ab277601b977edda6
SHA1 b66f746516e6f194b026e30840171269954c3844
SHA256 8ccb71878ef1b25f1ba942686d33a54d00b490b646dbd152ca178aa2edb289f5
SHA512 e36ec1c7ec44ab92161499d262fbdc8644898f531c65a02e0a4d5a8d40710a8a560c510e035d3193f7669e387aa11a4e58fd443c9f3a59145fa411e92b67883b

C:\Users\Admin\AppData\Local\Temp\TencentDownload\~e57378b\beacon_sdk.dll

MD5 573ec741ba9393c06292c329ca78e50c
SHA1 8f7956a1f2a40af28f0f470b82a90042bdfd836c
SHA256 0118930d91b51e6e4dfea02c4b81c152cbb848e227c02a1dcdc0909b167fdad0
SHA512 741574fecb16a6581c1a8d5fb412752915dc02a0f8b8a485a8fdf0d71005851c5fa6710fba242234a5a9ef250d3d85aff24af7492a16922351ec783d5b9d19cd
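The two Files sections give a cheap cross-run check that the report itself does not draw: which dropped files are reproducible between the Windows 10 and Windows 11 detonations, and which are run-specific state. The script below is an added example (not part of the report) that buckets the SHA256 values copied from both sections into stable, volatile, and run-only files, and returns only the stable ones as file IOCs. Wildcarding the "~xxxxxxx" folder under TencentDownload as a per-run temporary name is this example's assumption, made so the same DLL can be matched across runs.

```python
"""Compare dropped-file hashes across the two detonations."""
import re

# SHA256 values copied from the behavioral1 (win10) Files section.
RUN1 = {
    r"C:\Users\Admin\AppData\Local\Temp\TencentDownload\~e573345\QQPCDownload.dll":
        "fd1af002dd83bb74d244414df2bd90553050486671410aec2a9dea729114aa2f",
    r"C:\ProgramData\Tencent\DeskUpdate\Guid.db":
        "c1e51cd97f8537ab2d417486a601f8e267077058ddee2cf3326a26fe1e22baeb",
    r"C:\ProgramData\Tencent\DeskUpdate\GuidInfo.db":
        "20ee2d553faaa580224133a8ec72303ee772e277af415db2dab357a74e835b00",
    r"C:\ProgramData\Tencent\DeskUpdate\GuidList.db":
        "164b1f18d8fe4ae5b99f2e15adce96532c75096cb5dcfec120c042a837a932dd",
    r"C:\Users\Admin\AppData\Roaming\Tencent\DeskUpdate\GlobalMgr.db":
        "654b1897d84e2731cf5b00e67e7606e0347ac90ddb0dc27991518b11faf3ef6b",
    r"C:\Users\Admin\AppData\Local\Temp\TencentDownload\~e573345\beacon_sdk.dll":
        "0118930d91b51e6e4dfea02c4b81c152cbb848e227c02a1dcdc0909b167fdad0",
}

# SHA256 values copied from the behavioral2 (win11) Files section.
RUN2 = {
    r"C:\Users\Admin\AppData\Local\Temp\TencentDownload\~e57378b\QQPCDownload.dll":
        "fd1af002dd83bb74d244414df2bd90553050486671410aec2a9dea729114aa2f",
    r"C:\ProgramData\Tencent\DeskUpdate\Guid.db":
        "5087bc3b5b154c14d6507a1c288052a5ae9a256038c65f0acfab9854d0f17357",
    r"C:\ProgramData\Tencent\DeskUpdate\GuidInfo.db":
        "41b74290367f443ea2fb9f7c8663dbf9524a6cb9bd1f49aeb2c6825fa14c6777",
    r"C:\Users\Admin\AppData\Roaming\Tencent\DeskUpdate\GlobalMgr.db":
        "8a6e8a4b65c5d2e096d675788aba40e1a7a08b7fc6757e1b8a7bbeaea55cbb91",
    r"C:\ProgramData\Tencent\DeskUpdate\GuidReport.dat":
        "8ccb71878ef1b25f1ba942686d33a54d00b490b646dbd152ca178aa2edb289f5",
    r"C:\Users\Admin\AppData\Local\Temp\TencentDownload\~e57378b\beacon_sdk.dll":
        "0118930d91b51e6e4dfea02c4b81c152cbb848e227c02a1dcdc0909b167fdad0",
}

# Assumption: the '~xxxxxxx' folder under TencentDownload is a per-run
# temporary name, so it is wildcarded to match the same file across runs.
RUN_DIR = re.compile(r"\\~[^\\]+\\")


def normalize(path: str) -> str:
    """Replace the per-run temp folder with '~*' so paths line up across runs."""
    return RUN_DIR.sub(r"\\~*\\", path)


def compare_runs(run_a: dict, run_b: dict) -> dict:
    """Bucket files by whether their hash is reproducible across runs."""
    a = {normalize(p): h for p, h in run_a.items()}
    b = {normalize(p): h for p, h in run_b.items()}
    common = a.keys() & b.keys()
    return {
        "stable": sorted(p for p in common if a[p] == b[p]),
        "volatile": sorted(p for p in common if a[p] != b[p]),
        "only_a": sorted(a.keys() - b.keys()),
        "only_b": sorted(b.keys() - a.keys()),
    }


def file_iocs(run_a: dict, run_b: dict) -> dict:
    """Filename -> SHA256 for files whose hash did not vary between runs.

    The volatile ones are per-machine state (GUID databases) and would only
    produce false negatives if used as hash indicators."""
    a = {normalize(p): h for p, h in run_a.items()}
    stable = compare_runs(run_a, run_b)["stable"]
    return {p.rsplit("\\", 1)[-1]: a[p] for p in stable}


if __name__ == "__main__":
    for bucket, paths in compare_runs(RUN1, RUN2).items():
        print(bucket)
        for p in paths:
            print("   ", p)
    print("file IOCs:", file_iocs(RUN1, RUN2))
```

Only the two DLLs survive as hash IOCs; the .db files change hash between runs even on the same day, so a detection should key on their paths under Tencent\DeskUpdate rather than on their contents.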