Malware Analysis Report

2024-10-23 19:28

Sample ID 240629-kcbw1atgjd
Target 8b0d6fa7c6440dc7f932c00911cb7b67f19af21cee5ed46b5f5970008e20cd76_NeikiAnalytics.exe
SHA256 8b0d6fa7c6440dc7f932c00911cb7b67f19af21cee5ed46b5f5970008e20cd76
Tags
rat default asyncrat
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

8b0d6fa7c6440dc7f932c00911cb7b67f19af21cee5ed46b5f5970008e20cd76

Threat Level: Known bad

The file 8b0d6fa7c6440dc7f932c00911cb7b67f19af21cee5ed46b5f5970008e20cd76_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

rat default asyncrat

Async RAT payload

Asyncrat family

AsyncRat

Async RAT payload

Checks computer location settings

Executes dropped EXE

Unsigned PE

Enumerates physical storage devices

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Delays execution with timeout.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-29 08:26

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-29 08:26

Reported

2024-06-29 08:29

Platform

win7-20240220-en

Max time kernel

130s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8b0d6fa7c6440dc7f932c00911cb7b67f19af21cee5ed46b5f5970008e20cd76_NeikiAnalytics.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\wps.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8b0d6fa7c6440dc7f932c00911cb7b67f19af21cee5ed46b5f5970008e20cd76_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\wps.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2872 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\8b0d6fa7c6440dc7f932c00911cb7b67f19af21cee5ed46b5f5970008e20cd76_NeikiAnalytics.exe C:\Windows\System32\cmd.exe (reported 3 times)
PID 2872 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\8b0d6fa7c6440dc7f932c00911cb7b67f19af21cee5ed46b5f5970008e20cd76_NeikiAnalytics.exe C:\Windows\system32\cmd.exe (reported 3 times)
PID 2704 wrote to memory of 2624 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe (reported 3 times)
PID 2604 wrote to memory of 2524 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe (reported 3 times)
PID 2604 wrote to memory of 2684 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\wps.exe (reported 3 times)

Uses Task Scheduler COM API

persistence

Processes

Process tree for this run (parent/child relations taken from the WriteProcessMemory rows above; PIDs as reported there):

C:\Users\Admin\AppData\Local\Temp\8b0d6fa7c6440dc7f932c00911cb7b67f19af21cee5ed46b5f5970008e20cd76_NeikiAnalytics.exe (PID 2872)
  "C:\Users\Admin\AppData\Local\Temp\8b0d6fa7c6440dc7f932c00911cb7b67f19af21cee5ed46b5f5970008e20cd76_NeikiAnalytics.exe"

  C:\Windows\System32\cmd.exe (PID 2704)
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "wps" /tr '"C:\Users\Admin\AppData\Roaming\wps.exe"' & exit

    C:\Windows\system32\schtasks.exe (PID 2624)
      schtasks /create /f /sc onlogon /rl highest /tn "wps" /tr '"C:\Users\Admin\AppData\Roaming\wps.exe"'

  C:\Windows\system32\cmd.exe (PID 2604)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp195A.tmp.bat""

    C:\Windows\system32\timeout.exe (PID 2524)
      timeout 3

    C:\Users\Admin\AppData\Roaming\wps.exe (PID 2684)
      "C:\Users\Admin\AppData\Roaming\wps.exe"

Network

Country Destination Domain Proto
US 23.224.239.121:666 N/A tcp
US 8.8.8.8:53 webwhatsapp.cc udp
HK 8.217.140.110:65503 webwhatsapp.cc tcp
N/A 127.0.0.1:65503 N/A tcp
N/A 127.0.0.1:65503 N/A tcp
N/A 127.0.0.1:65503 N/A tcp
US 23.224.239.121:666 N/A tcp
US 23.224.239.121:666 N/A tcp
US 23.224.239.121:666 N/A tcp
US 23.224.239.121:666 N/A tcp

Files

memory/2872-0-0x000007FEF5913000-0x000007FEF5914000-memory.dmp

memory/2872-1-0x0000000000840000-0x0000000000856000-memory.dmp

memory/2872-2-0x000007FEF5910000-0x000007FEF62FC000-memory.dmp

memory/2872-11-0x000007FEF5910000-0x000007FEF62FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp195A.tmp.bat

MD5 13fb216b897307a0b242f6a1b6fce5a0
SHA1 54f2dc9e106d185a22da386a3d2e6ef6b1e50fbd
SHA256 8dbd1a804e5ccb8179796039e83f8090517bb29095ae2bce3d3148d0a0f00eab
SHA512 9622e19b5e9eedc64425c107ca9c0d6e1fdb3d14d7be3c0f9bfb20d0e59a07cecbf4c420985a9fb9e7ef72f89a2e60d99128fab047b3d4e6f875b1841f7a76a9

memory/2872-12-0x000007FEF5910000-0x000007FEF62FC000-memory.dmp

C:\Users\Admin\AppData\Roaming\wps.exe

MD5 f285bb29b6e4476df16c5dca03df7e30
SHA1 3a2d1d3600487aefc3839f8873a3a388d8417fba
SHA256 8b0d6fa7c6440dc7f932c00911cb7b67f19af21cee5ed46b5f5970008e20cd76
SHA512 adfedad4d0476f0cc3b6eb5b1a51699f60ec0c72ad42740174594773f4e91ab2bf1f2e5782cac2c34ced3d76054cb0edb4e9aeb17290a3b17f6a33d31d8a7433

memory/2684-17-0x0000000000CF0000-0x0000000000D06000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-29 08:26

Reported

2024-06-29 08:29

Platform

win10v2004-20240508-en

Max time kernel

140s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8b0d6fa7c6440dc7f932c00911cb7b67f19af21cee5ed46b5f5970008e20cd76_NeikiAnalytics.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8b0d6fa7c6440dc7f932c00911cb7b67f19af21cee5ed46b5f5970008e20cd76_NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\wps.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b0d6fa7c6440dc7f932c00911cb7b67f19af21cee5ed46b5f5970008e20cd76_NeikiAnalytics.exe N/A (reported 23 times)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8b0d6fa7c6440dc7f932c00911cb7b67f19af21cee5ed46b5f5970008e20cd76_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\wps.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\8b0d6fa7c6440dc7f932c00911cb7b67f19af21cee5ed46b5f5970008e20cd76_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8b0d6fa7c6440dc7f932c00911cb7b67f19af21cee5ed46b5f5970008e20cd76_NeikiAnalytics.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "wps" /tr '"C:\Users\Admin\AppData\Roaming\wps.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp538E.tmp.bat""

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "wps" /tr '"C:\Users\Admin\AppData\Roaming\wps.exe"'

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\wps.exe

"C:\Users\Admin\AppData\Roaming\wps.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
N/A 127.0.0.1:65503 N/A tcp
US 8.8.8.8:53 webwhatsapp.cc udp
HK 8.217.140.110:65503 webwhatsapp.cc tcp
US 8.8.8.8:53 110.140.217.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 23.224.239.121:666 N/A tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 23.224.239.121:666 N/A tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 23.224.239.121:666 N/A tcp
US 52.111.229.43:443 N/A tcp
N/A 127.0.0.1:65503 N/A tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 23.224.239.121:666 N/A tcp
N/A 127.0.0.1:65503 N/A tcp
N/A 127.0.0.1:65503 N/A tcp
US 23.224.239.121:666 N/A tcp

Files

memory/640-1-0x00000000003C0000-0x00000000003D6000-memory.dmp

memory/640-0-0x00007FFEF97C3000-0x00007FFEF97C5000-memory.dmp

memory/640-2-0x00007FFEF97C0000-0x00007FFEFA281000-memory.dmp

memory/640-7-0x00007FFEF97C0000-0x00007FFEFA281000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp538E.tmp.bat

MD5 532c875503ce6d22291ae87f7db5e644
SHA1 643a77273178d30958b20140a38e4315667a2b66
SHA256 95352ef0ef235947a8009faadec3793becfb6386eb0c4848089127293e165d17
SHA512 ea24939d05e41357e77ab8f92a97085a783e1b528bd3181ac4398b51e6f65dfb5c83e6ffb58d03cfeca32bf39760d6a0a7550618bea26b69592d5107b9af5acb

C:\Users\Admin\AppData\Roaming\wps.exe

MD5 f285bb29b6e4476df16c5dca03df7e30
SHA1 3a2d1d3600487aefc3839f8873a3a388d8417fba
SHA256 8b0d6fa7c6440dc7f932c00911cb7b67f19af21cee5ed46b5f5970008e20cd76
SHA512 adfedad4d0476f0cc3b6eb5b1a51699f60ec0c72ad42740174594773f4e91ab2bf1f2e5782cac2c34ced3d76054cb0edb4e9aeb17290a3b17f6a33d31d8a7433