Malware Analysis Report

2024-11-15 07:46

Sample ID 240619-r39paascqa
Target c506650ad9138ffde6620e23b3c42d90_NeikiAnalytics.exe
SHA256 0b0b4a48930c16a3abf27ec4eff34eb05d4b2d351438e3fc0708a0a54150355f
Tags: pyinstaller
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256: 0b0b4a48930c16a3abf27ec4eff34eb05d4b2d351438e3fc0708a0a54150355f

Threat level: shows suspicious behavior

The file c506650ad9138ffde6620e23b3c42d90_NeikiAnalytics.exe was classified as showing suspicious behavior (score 7/10). It is an unsigned PyInstaller onefile bundle built on Python 2.7; the triggered signatures are listed below, and the report maps no MITRE ATT&CK techniques for it.

Malicious Activity Summary

pyinstaller (tag: the sample is a PyInstaller onefile bundle)

Loads dropped DLL (behavioral: the Python 2.7 runtime and extension modules it extracts to %TEMP%\_MEI<pid>\ are loaded from there; see Files)

Detects Pyinstaller (static: PyInstaller CArchive present)

Unsigned PE (static: no Authenticode signature)

Suspicious use of WriteProcessMemory (behavioral; the report does not record the target process)

MITRE ATT&CK

N/A (no ATT&CK techniques mapped for this sample)

Analysis: static1

Detonation Overview

Reported: 2024-06-19 14:44

Signatures

Detects Pyinstaller (tag: pyinstaller)
Description: N/A   Indicator: N/A   Process: N/A   Target: N/A

Unsigned PE
Description: N/A   Indicator: N/A   Process: N/A   Target: N/A
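The "Detects Pyinstaller" signature keys on the PyInstaller CArchive that a onefile bootloader carries appended to the PE: the archive ends with an 88-byte cookie (magic MEI\x0c\x0b\x0a\x0b\x0e, package length, TOC offset and length, Python version, and the name of the Python DLL to load, here python27.dll), and the TOC lists every embedded file with a one-character type code. The Python below is an added example, not the sandbox's rule and not PyInstaller's own code: it locates the cookie, walks the TOC and decompresses an entry. Because this report does not include the sample bytes, it builds a constructed in-memory stand-in (a fake MZ stub with a synthetic archive appended) to run against; the entry names and Python version mirror the dropped files above, and the `build_sample` helper is an assumption of this example, not part of the format.

```python
import struct
import zlib
from dataclasses import dataclass

# Magic that opens the 88-byte cookie closing every PyInstaller CArchive (bootloader pyi_archive.h)
PYI_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8sIIii64s"                  # magic, pkg_len, toc_off, toc_len, pyvers, pylib name
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)  # 88
ENTRY_FMT = "!iIIIBc"                      # struct_len, pos, clen, ulen, compressed flag, type code
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)    # 18, followed by the NUL-padded entry name
TYPE_NAMES = {b"b": "binary", b"z": "pyz", b"s": "script", b"m": "module",
              b"M": "package", b"x": "data", b"o": "option", b"d": "dependency"}


@dataclass
class Entry:
    name: str
    kind: str
    compressed: bool
    clen: int
    ulen: int
    pos: int   # absolute file offset of the entry's data


def find_cookie(data: bytes) -> int:
    """Offset of the CArchive cookie (last occurrence of the magic), or -1 if absent."""
    return data.rfind(PYI_MAGIC)


def is_pyinstaller(data: bytes) -> bool:
    return find_cookie(data) != -1


def parse_archive(data: bytes) -> dict:
    """Read the cookie and TOC; returns python version, pylib name and the entry list."""
    cookie_pos = find_cookie(data)
    if cookie_pos < 0 or cookie_pos + COOKIE_SIZE > len(data):
        raise ValueError("no PyInstaller cookie")
    _magic, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack_from(COOKIE_FMT, data, cookie_pos)
    # pkg_len covers the whole archive up to and including the cookie, so the archive start is:
    pkg_start = cookie_pos + COOKIE_SIZE - pkg_len
    if pkg_start < 0:
        raise ValueError("cookie claims a package longer than the file")
    # pyvers is e.g. 27 on old bootloaders and major*100+minor (e.g. 311) on newer ones
    major, minor = (pyvers // 100, pyvers % 100) if pyvers >= 100 else (pyvers // 10, pyvers % 10)
    entries = []
    off, end = pkg_start + toc_off, pkg_start + toc_off + toc_len
    while off < end:
        struct_len, pos, clen, ulen, cflag, typ = struct.unpack_from(ENTRY_FMT, data, off)
        if struct_len < ENTRY_SIZE or off + struct_len > end:
            raise ValueError("corrupt TOC entry")
        name = data[off + ENTRY_SIZE: off + struct_len].rstrip(b"\0").decode("utf-8", "replace")
        entries.append(Entry(name, TYPE_NAMES.get(typ, typ.decode("ascii", "replace")),
                             bool(cflag), clen, ulen, pkg_start + pos))
        off += struct_len
    return {"python": (major, minor), "pylib": pylib.rstrip(b"\0").decode(), "entries": entries}


def extract_entry(data: bytes, e: Entry) -> bytes:
    """Return an entry's bytes, inflating zlib-compressed entries and checking the declared size."""
    raw = data[e.pos: e.pos + e.clen]
    out = zlib.decompress(raw) if e.compressed else raw
    if len(out) != e.ulen:
        raise ValueError(f"{e.name}: size mismatch")
    return out


def build_sample(files: dict, pylib: str = "python27.dll") -> bytes:
    """Constructed test input (assumption of this example): fake MZ stub + PyInstaller 2.1-style archive."""
    stub = b"MZ" + b"\x90" * 126          # placeholder bootloader, not a real PE
    body, toc = bytearray(), bytearray()
    for name, content in files.items():
        typ = b"b" if name.endswith((".dll", ".pyd", ".manifest")) else b"s"
        comp = zlib.compress(content)
        nb = name.encode()
        struct_len = ENTRY_SIZE + len(nb) + 1
        struct_len += (-struct_len) % 16   # PyInstaller pads TOC entries to 16 bytes
        toc += struct.pack(ENTRY_FMT, struct_len, len(body), len(comp), len(content), 1, typ)
        toc += nb.ljust(struct_len - ENTRY_SIZE, b"\0")
        body += comp
    pkg_len = len(body) + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FMT, PYI_MAGIC, pkg_len, len(body), len(toc), 27, pylib.encode())
    return stub + bytes(body) + bytes(toc) + cookie


SAMPLE = build_sample({"2.exe.manifest": b"<assembly/>", "python27.dll": b"MZ" + b"\0" * 40,
                       "_socket.pyd": b"MZ" + b"\x01" * 40, "2": b"import socket\n"})

if __name__ == "__main__":
    info = parse_archive(SAMPLE)
    print("python", info["python"], "pylib", info["pylib"])
    for e in info["entries"]:
        print(f"{e.kind:8} {e.ulen:6d} {e.name}")
```

On a real sample, replace SAMPLE with the file's bytes; entries of kind "binary" are the ones written to _MEI<pid>, and the "pyz" entry holds the compiled modules that a full extractor would unpack next.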

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-19 14:44
Reported: 2024-06-19 14:46
Platform: win7-20240611-en
Max time kernel: 118s
Max time network: 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c506650ad9138ffde6620e23b3c42d90_NeikiAnalytics.exe"

Signatures

Processes

Process: C:\Users\Admin\AppData\Local\Temp\c506650ad9138ffde6620e23b3c42d90_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\c506650ad9138ffde6620e23b3c42d90_NeikiAnalytics.exe"

Process: C:\Users\Admin\AppData\Local\Temp\c506650ad9138ffde6620e23b3c42d90_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\c506650ad9138ffde6620e23b3c42d90_NeikiAnalytics.exe"

The same image appears twice. This is consistent with a PyInstaller onefile bundle: the first instance (the bootloader) unpacks the archive to %TEMP%\_MEI<pid>\ and then runs itself again as a child process that loads the Python runtime from that directory, so two instances are expected and are not suspicious on their own.

Network

N/A

Files

(The directory number in _MEI21082 is the PID of the bootloader process that created it; paths written as _MEI21~1 are the 8.3 short-name form of the same directory. python27.dll and MSVCR90.dll identify a Python 2.7 runtime built with the Visual C++ 2008 CRT, and the _socket and _ssl modules give the bundled script network and TLS capability. The 2.exe.manifest name indicates the bundle was built as 2.exe and renamed afterwards.)

C:\Users\Admin\AppData\Local\Temp\_MEI21082\2.exe.manifest

MD5 bfac74236f1e608af27428665adc4b2d
SHA1 be0b54e633d97f6d7748cb7ec22e0ccdccc39977
SHA256 a7a1e535948b381901a22e15d1a5c5ea40787ae1a8f2ae7a42971d378ffbba9d
SHA512 c93aa76ea7293131ba2f8283175f45bd8e442549e796927d75e1cfa4c6dbae3189c9c9f93097ad3ac60609f06218e30fbc627d2e13c8c91a3f299d13f03d9508

C:\Users\Admin\AppData\Local\Temp\_MEI21082\python27.dll

MD5 018a9873015fddb712d44d36ba09e676
SHA1 94603bd77d3d1d73c49494f21efb891fb38ad0ac
SHA256 db5abf8f14c45843bdf4a65bff502b9e5bfce0fe969121b14168cb609ae0caa4
SHA512 5fced694f06672fedb21f63ed3461908ab698fe7e567b0b210d3c61c7791857e29fe3034160109516f5312676d3c80e42f67449c23e4544ecce77c9a67b23d7a

C:\Users\Admin\AppData\Local\Temp\_MEI21082\MSVCR90.dll

MD5 c57d4e31734fa87dc4d5dd236fbf534c
SHA1 a918b8bbe6f91b94c95f00046719ff05f01e2db7
SHA256 d7566fb962532f1250eeb1149fd65a9f5abce97995cfa5b89d5cb8f502f08dee
SHA512 4aa9dd98fedf22f77b113195ad58c27dd02bd7bbc41942aaa837f303d9ed0b7d39a7573befc33dade229c82634adc9238aa7e5f9018e60d97ac9e0340d2f1e76

C:\Users\Admin\AppData\Local\Temp\_MEI21~1\_ctypes.pyd

MD5 6ae4a18b7591824366b0b41f24d52d45
SHA1 e22e8abf69c8676b68fe42d9f26c2bd5f731af39
SHA256 f943df92c70b640b6462312a048d92df8d2e4447129a6d2b75f8f99d6b5d641a
SHA512 f882514fb21191c16dd0e778a26400e3614622df3da9e75da8360def79aeb23d96c820e10351a103ce910272192d39760f271d20cbb3763ef1d8b427b676559c

C:\Users\Admin\AppData\Local\Temp\_MEI21~1\_socket.pyd

MD5 1a5c016edfe7fe97de9d31981f048044
SHA1 ef9ddea3006a8d89bf89099f8952290f05d6f75c
SHA256 85a8bf57179152370bc1598d4fc8d6d7fe31ea839c4c6b0f2c20e52a87b8d101
SHA512 bed7dd0c5f3082555710e01ffba164e33f3c45522429657b6768c8c39affeb9dec516fcbc5a2f833b5cab83dc1bd616c1774df7662e83fe55f5fcd4ff4083f78

C:\Users\Admin\AppData\Local\Temp\_MEI21~1\_ssl.pyd

MD5 8fd7848b51ea13322302f7683ab622e3
SHA1 fe667643d8cf57c228c3eb35a65d5c5c0ad236f8
SHA256 bf7015462eca2a7b049085ef5879dbabc8ca1eba65e7b84379fb57e392f28f65
SHA512 ad848cbb867d02bc4afffe48b168c4b0707c100861d5b8410ce21ec2c2466db33998bf43ceb894bc80b6daa475275fecf9d47a1b1917538013490d29c030c16b

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-19 14:44
Reported: 2024-06-19 14:46
Platform: win10v2004-20240226-en
Max time kernel: 142s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c506650ad9138ffde6620e23b3c42d90_NeikiAnalytics.exe"

Signatures

Processes

Process: C:\Users\Admin\AppData\Local\Temp\c506650ad9138ffde6620e23b3c42d90_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\c506650ad9138ffde6620e23b3c42d90_NeikiAnalytics.exe"

Process: C:\Users\Admin\AppData\Local\Temp\c506650ad9138ffde6620e23b3c42d90_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\c506650ad9138ffde6620e23b3c42d90_NeikiAnalytics.exe"

Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3840 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8

As in the win7 run, the sample's executable appears twice (bootloader plus re-launched child). The msedge.exe entry is a browser utility process; the report records no parent relationship or injection linking it to the sample, so it should be treated as Windows 10 background activity unless a process tree shows otherwise.

Network

Country  Destination          Domain                           Proto
US       8.8.8.8:53           228.249.119.40.in-addr.arpa      udp
US       8.8.8.8:53           172.214.232.199.in-addr.arpa     udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa      udp
US       8.8.8.8:53           164.189.21.2.in-addr.arpa        udp
US       8.8.8.8:53           232.168.11.51.in-addr.arpa       udp
US       8.8.8.8:53           50.23.12.20.in-addr.arpa         udp
US       8.8.8.8:53           171.39.242.20.in-addr.arpa       udp
US       13.107.253.64:443    (none)                           tcp
US       8.8.8.8:53           107.12.20.2.in-addr.arpa         udp
NL       52.142.223.178:80    (none)                           tcp
US       8.8.8.8:53           0.205.248.87.in-addr.arpa        udp
US       8.8.8.8:53           21.236.111.52.in-addr.arpa       udp
US       8.8.8.8:53           227.162.46.104.in-addr.arpa      udp

All DNS traffic consists of reverse (PTR) lookups sent to 8.8.8.8, and the two direct TCP connections go to address space registered to Microsoft (13.107.253.64:443 and 52.142.223.178:80). The report does not attribute any of this traffic to a process, and the win7 run (behavioral1) produced no network activity at all, so it is consistent with Windows 10 and Edge background traffic rather than command-and-control by the sample. Treat it as unattributed until a packet capture ties a connection to the sample's PID.

Files

(The scratch directory is _MEI4682 in this run, i.e. the bootloader received PID 4682. The files listed below have the same hashes as their counterparts in behavioral1, as expected for the same bundle unpacked on a different host.)

C:\Users\Admin\AppData\Local\Temp\_MEI4682\2.exe.manifest

MD5 bfac74236f1e608af27428665adc4b2d
SHA1 be0b54e633d97f6d7748cb7ec22e0ccdccc39977
SHA256 a7a1e535948b381901a22e15d1a5c5ea40787ae1a8f2ae7a42971d378ffbba9d
SHA512 c93aa76ea7293131ba2f8283175f45bd8e442549e796927d75e1cfa4c6dbae3189c9c9f93097ad3ac60609f06218e30fbc627d2e13c8c91a3f299d13f03d9508

C:\Users\Admin\AppData\Local\Temp\_MEI4682\python27.dll

MD5 018a9873015fddb712d44d36ba09e676
SHA1 94603bd77d3d1d73c49494f21efb891fb38ad0ac
SHA256 db5abf8f14c45843bdf4a65bff502b9e5bfce0fe969121b14168cb609ae0caa4
SHA512 5fced694f06672fedb21f63ed3461908ab698fe7e567b0b210d3c61c7791857e29fe3034160109516f5312676d3c80e42f67449c23e4544ecce77c9a67b23d7a

C:\Users\Admin\AppData\Local\Temp\_MEI4682\_ctypes.pyd

MD5 6ae4a18b7591824366b0b41f24d52d45
SHA1 e22e8abf69c8676b68fe42d9f26c2bd5f731af39
SHA256 f943df92c70b640b6462312a048d92df8d2e4447129a6d2b75f8f99d6b5d641a
SHA512 f882514fb21191c16dd0e778a26400e3614622df3da9e75da8360def79aeb23d96c820e10351a103ce910272192d39760f271d20cbb3763ef1d8b427b676559c

C:\Users\Admin\AppData\Local\Temp\_MEI4682\_socket.pyd

MD5 1a5c016edfe7fe97de9d31981f048044
SHA1 ef9ddea3006a8d89bf89099f8952290f05d6f75c
SHA256 85a8bf57179152370bc1598d4fc8d6d7fe31ea839c4c6b0f2c20e52a87b8d101
SHA512 bed7dd0c5f3082555710e01ffba164e33f3c45522429657b6768c8c39affeb9dec516fcbc5a2f833b5cab83dc1bd616c1774df7662e83fe55f5fcd4ff4083f78

C:\Users\Admin\AppData\Local\Temp\_MEI4682\_ssl.pyd

MD5 8fd7848b51ea13322302f7683ab622e3
SHA1 fe667643d8cf57c228c3eb35a65d5c5c0ad236f8
SHA256 bf7015462eca2a7b049085ef5879dbabc8ca1eba65e7b84379fb57e392f28f65
SHA512 ad848cbb867d02bc4afffe48b168c4b0707c100861d5b8410ce21ec2c2466db33998bf43ceb894bc80b6daa475275fecf9d47a1b1917538013490d29c030c16b
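Both behavioral runs show the same pattern on disk: the bootloader writes the Python 2.7 runtime and extension modules into %TEMP%\_MEI<pid>\ and the second instance of the executable loads them from there, which is what the "Loads dropped DLL" signature records. As an added example (not a rule from the sandbox that produced this report), the Python below runs that check over constructed Sysmon-style events. Image and file paths follow the report, but the PIDs, parent process and signing fields are made up for the example. It flags image loads out of a _MEI directory, records whether the loading process is a self-respawned copy of its parent (the onefile bootloader shape seen in the process lists above), and checks whether the PID in the directory name is the parent's, which the 8.3 short form (_MEI21~1) cannot answer.

```python
import re
from typing import Optional

# PyInstaller onefile scratch directory under %TEMP%: _MEI<pid>\ in long form, _MEI21~1\ in 8.3 form
MEI_DIR = re.compile(r"\\Temp\\_MEI(\d+|\d*~\d+)\\", re.IGNORECASE)

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\c506650ad9138ffde6620e23b3c42d90_NeikiAnalytics.exe"

# Constructed Sysmon-style events (1 = ProcessCreate, 7 = ImageLoad, 11 = FileCreate).
# Paths follow the report; PIDs, parent image and "signed" values are invented for this example.
EVENTS = [
    {"id": 1, "pid": 21082, "ppid": 1400, "image": SAMPLE_EXE, "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 11, "pid": 21082, "target": r"C:\Users\Admin\AppData\Local\Temp\_MEI21082\python27.dll"},
    {"id": 11, "pid": 21082, "target": r"C:\Users\Admin\AppData\Local\Temp\_MEI21082\_ssl.pyd"},
    {"id": 1, "pid": 21100, "ppid": 21082, "image": SAMPLE_EXE, "parent_image": SAMPLE_EXE},
    {"id": 7, "pid": 21100, "loaded": r"C:\Users\Admin\AppData\Local\Temp\_MEI21082\python27.dll", "signed": False},
    {"id": 7, "pid": 21100, "loaded": r"C:\Users\Admin\AppData\Local\Temp\_MEI21~1\_ssl.pyd", "signed": False},
    {"id": 7, "pid": 21100, "loaded": r"C:\Windows\System32\ws2_32.dll", "signed": True},
    {"id": 7, "pid": 3000, "loaded": r"C:\Windows\System32\ntdll.dll", "signed": True},
]


def mei_pid(path: str) -> Optional[int]:
    """PID encoded in a long-form _MEI<pid> directory; None for the 8.3 form, which drops the digits."""
    m = MEI_DIR.search(path)
    return int(m.group(1)) if m and m.group(1).isdigit() else None


def detect_mei_loads(events) -> list:
    """Flag every image load from a _MEI directory, enriched with the bootloader-shape checks."""
    procs = {ev["pid"]: ev for ev in events if ev["id"] == 1}
    findings = []
    for ev in events:
        if ev["id"] != 7 or not MEI_DIR.search(ev["loaded"]):
            continue
        proc = procs.get(ev["pid"])
        # Onefile shape: the bootloader extracts into _MEI<its own pid>, then re-runs the same image as a
        # child, so the loader's parent image is itself and the directory PID equals the loader's parent PID.
        self_respawn = bool(proc and proc["image"].lower() == proc["parent_image"].lower())
        dir_pid = mei_pid(ev["loaded"])
        findings.append({
            "pid": ev["pid"],
            "module": ev["loaded"],
            "unsigned": not ev.get("signed", True),
            "self_respawn": self_respawn,
            # None when the path is in 8.3 form and the PID cannot be recovered without resolving it
            "dir_pid_is_parent": None if dir_pid is None else (proc is not None and dir_pid == proc["ppid"]),
        })
    return findings


if __name__ == "__main__":
    for f in detect_mei_loads(EVENTS):
        print(f)
```

A load from _MEI on its own only says "PyInstaller onefile", which plenty of legitimate software is; the combination of an unsigned module, a self-respawned loader and a directory PID that is not the loader's parent is the anomaly worth an alert, since it means something other than the bootloader that created the directory is loading from it.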