Malware Analysis Report

2024-09-09 18:09

Sample ID 240618-qxc8fswbkh
Target 4c276213761e704f93fcaa1c70596b50_NeikiAnalytics.exe
SHA256 c45f88ab04fb740e7956f8d83a29f5d2c68ad9495dcba3d1102f8d91bc120448
Tags
persistence privilege_escalation
Score 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 8/10

SHA256

c45f88ab04fb740e7956f8d83a29f5d2c68ad9495dcba3d1102f8d91bc120448

Threat Level: Likely malicious

The file 4c276213761e704f93fcaa1c70596b50_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

persistence privilege_escalation

Event Triggered Execution: AppInit DLLs

Executes dropped EXE

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-18 13:38

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 13:38

Reported

2024-06-18 13:40

Platform

win7-20240221-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4c276213761e704f93fcaa1c70596b50_NeikiAnalytics.exe"

Signatures

Event Triggered Execution: AppInit DLLs

persistence privilege_escalation

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\PROGRA~3\Mozilla\gjsfhjk.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\PROGRA~3\Mozilla\gjsfhjk.exe | C:\Users\Admin\AppData\Local\Temp\4c276213761e704f93fcaa1c70596b50_NeikiAnalytics.exe | N/A
File created | C:\PROGRA~3\Mozilla\eurgebe.dll | C:\PROGRA~3\Mozilla\gjsfhjk.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2388 wrote to memory of 3000 | N/A | C:\Windows\system32\taskeng.exe | C:\PROGRA~3\Mozilla\gjsfhjk.exe
(4 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\4c276213761e704f93fcaa1c70596b50_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\4c276213761e704f93fcaa1c70596b50_NeikiAnalytics.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {A25644CA-8161-49DB-958D-9A5745E23C72} S-1-5-18:NT AUTHORITY\System:Service:

C:\PROGRA~3\Mozilla\gjsfhjk.exe

C:\PROGRA~3\Mozilla\gjsfhjk.exe -tuxiydl

Network

N/A

Files

C:\PROGRA~3\Mozilla\gjsfhjk.exe

MD5 35d923447b3fcb17ba39f3ad44eb726a
SHA1 3cba838028facc1f4919fdd77ad4b9acb5136b16
SHA256 2537bc2f2c754e26faaddd9fd7c42e6280b313b95780b47c33eddc408d20062a
SHA512 4fd85a0b966f57619893b497e00240d641eb851ac26ad07f8d32fb0f276e7c7c7010ec130c3d9402eba272e66dead8b5bb21b7250206139dbcc6e43026633b64

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 13:38

Reported

2024-06-18 13:40

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4c276213761e704f93fcaa1c70596b50_NeikiAnalytics.exe"

Signatures

Event Triggered Execution: AppInit DLLs

persistence privilege_escalation

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\PROGRA~3\Mozilla\ywswmda.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\PROGRA~3\Mozilla\ywswmda.exe | C:\Users\Admin\AppData\Local\Temp\4c276213761e704f93fcaa1c70596b50_NeikiAnalytics.exe | N/A
File created | C:\PROGRA~3\Mozilla\dzldqrl.dll | C:\PROGRA~3\Mozilla\ywswmda.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4c276213761e704f93fcaa1c70596b50_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\4c276213761e704f93fcaa1c70596b50_NeikiAnalytics.exe"

C:\PROGRA~3\Mozilla\ywswmda.exe

C:\PROGRA~3\Mozilla\ywswmda.exe -zhzkoil

Network

Files

C:\ProgramData\Mozilla\ywswmda.exe

MD5 e0d765a68ee5caa3cd2647f76259f2c9
SHA1 ee6e8bcc05f18ef8fb470a1485e599f34354bee0
SHA256 24f9ad59433ae4cf05b19f28f66a2f613578692444cff33884f58144226bda32
SHA512 6bbe2ac2854a0fb7e0cddc871da366bf73a7f8459021f023f3f604d7c411332e58613bb792ec76026c8708839cdc588e8b47e4d3664ec097f580b08a4471f99e