Malware Analysis Report

2024-09-23 04:17

Sample ID 240618-ll8srssaqr
Target 342c921d10ea2966e78b3e4f5f0d6fb0_NeikiAnalytics.exe
SHA256 f40fd89b764f2c952de772d9cec995929112b29d3dcfe15c8cdbff93efc2431d
Tags
metasploit backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f40fd89b764f2c952de772d9cec995929112b29d3dcfe15c8cdbff93efc2431d

Threat Level: Known bad

The file 342c921d10ea2966e78b3e4f5f0d6fb0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

metasploit backdoor trojan

MetaSploit

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-18 09:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 09:38

Reported

2024-06-18 09:40

Platform

win7-20231129-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\342c921d10ea2966e78b3e4f5f0d6fb0_NeikiAnalytics.exe"

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\342c921d10ea2966e78b3e4f5f0d6fb0_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\342c921d10ea2966e78b3e4f5f0d6fb0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\342c921d10ea2966e78b3e4f5f0d6fb0_NeikiAnalytics.exe"

Network

N/A

Files

memory/2992-0-0x0000000000400000-0x00000000004E4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 09:38

Reported

2024-06-18 09:40

Platform

win10v2004-20240508-en

Max time kernel

80s

Max time network

100s

Command Line

C:\Windows\System32\RuntimeBroker.exe -Embedding

Signatures

MetaSploit

trojan backdoor metasploit

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4472 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\342c921d10ea2966e78b3e4f5f0d6fb0_NeikiAnalytics.exe C:\Windows\System32\RuntimeBroker.exe

Processes

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\342c921d10ea2966e78b3e4f5f0d6fb0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\342c921d10ea2966e78b3e4f5f0d6fb0_NeikiAnalytics.exe"

Network

Country Destination Domain Proto
US 52.111.229.48:443 tcp

Files

memory/3960-0-0x000001BA8A1C0000-0x000001BA8A1C1000-memory.dmp

memory/4472-1-0x0000000000400000-0x00000000004E4000-memory.dmp