Malware Analysis Report

2025-08-05 12:50

Sample ID 240509-aj5gsafg2y
Target a923172e99c654d59dc54c291514d5c0_NEIKI
SHA256 8248dd738672533329b97b8dd2a346a1ed68b96bfe5adbaf9e41a64d4667e578
Tags
bootkit persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

8248dd738672533329b97b8dd2a346a1ed68b96bfe5adbaf9e41a64d4667e578

Threat level: shows suspicious behavior

The file a923172e99c654d59dc54c291514d5c0_NEIKI shows suspicious behavior.

Malicious Activity Summary

bootkit persistence

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 00:15

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 00:15

Reported

2024-05-09 00:18

Platform

win10v2004-20240508-en

Max time kernel

94s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a923172e99c654d59dc54c291514d5c0_NEIKI.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\a923172e99c654d59dc54c291514d5c0_NEIKI.exe

"C:\Users\Admin\AppData\Local\Temp\a923172e99c654d59dc54c291514d5c0_NEIKI.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 mswke.dll -s

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 52.111.229.48:443 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/3728-0-0x0000000000400000-0x00000000005F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mswke.dll

MD5 db7349002f34926a1a4739352016ef7c
SHA1 959390512349767af31fde1af854b176c41198c3
SHA256 824ec6ef24df25e87ff5553eea571c879eed0b4a9a9c3c30fefb5f9b69ca22ee
SHA512 5e79b833594346fa8c0db7074d4369e9b473b86912ea17183748cb91d247e1aa61b4380c1e2e79cd2548065b37cc53ff9525fe19e8251889a27fd3d0e0633175

memory/4708-11-0x0000000002970000-0x0000000002972000-memory.dmp

memory/4708-10-0x0000000010000000-0x0000000010164000-memory.dmp

memory/4708-12-0x000000006FFF0000-0x0000000070000000-memory.dmp

memory/4708-13-0x0000000002A00000-0x0000000002A01000-memory.dmp

memory/4708-15-0x0000000002A20000-0x0000000002A21000-memory.dmp

memory/4708-14-0x0000000002A20000-0x0000000002A21000-memory.dmp

memory/4708-16-0x0000000002A20000-0x0000000002A21000-memory.dmp

memory/4708-18-0x0000000002A20000-0x0000000002A21000-memory.dmp

memory/4708-17-0x0000000002A20000-0x0000000002A21000-memory.dmp

memory/4708-19-0x000000006FFF0000-0x0000000070000000-memory.dmp

memory/3728-21-0x0000000000400000-0x00000000005F1000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 00:15

Reported

2024-05-09 00:18

Platform

win7-20240220-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a923172e99c654d59dc54c291514d5c0_NEIKI.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a923172e99c654d59dc54c291514d5c0_NEIKI.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\a923172e99c654d59dc54c291514d5c0_NEIKI.exe N/A
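The sandbox recorded only that the sample opened \??\PhysicalDrive0 for modification; it did not capture the bytes written, so the report cannot say what now sits in sector 0. The host-side check a responder wants is to read the first 512 bytes of the disk and diff them against a known-good baseline, region by region, because a bootkit replaces the 446-byte boot code and usually leaves the partition table alone. The following is an added example for this report, not sandbox output or the sample's code: the two MBR images are constructed for the demo, the boot-code bytes are illustrative, and reading the live disk needs an elevated prompt.

```python
"""Parse a 512-byte MBR and diff it against a recorded baseline.

Added example for this report, not sandbox output. The sandbox only saw a
handle to \\??\\PhysicalDrive0 opened for modification, so the question a
responder has is: does sector 0 still match what it looked like before?
The two MBR images built below are constructed for the demo.
"""
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 446            # bytes 0..445: boot code (incl. disk-signature area)
PART_TABLE_OFF = 446          # 4 x 16-byte partition entries, bytes 446..509
MBR_SIGNATURE = b"\x55\xAA"   # bytes 510..511


def parse_mbr(sector):
    """Split an MBR image into region digests, partition entries and a signature check."""
    if len(sector) != SECTOR:
        raise ValueError("MBR image must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:            # empty slot
            continue
        partitions.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": sector[510:512] == MBR_SIGNATURE,
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "table_sha256": hashlib.sha256(sector[PART_TABLE_OFF:510]).hexdigest(),
        "partitions": partitions,
    }


def snapshot(sector):
    """Baseline to record (e.g. at imaging time): the two regions change independently."""
    parsed = parse_mbr(sector)
    return {"bootcode_sha256": parsed["bootcode_sha256"], "table_sha256": parsed["table_sha256"]}


def check_mbr(sector, baseline):
    """Return findings; an empty list means sector 0 is well formed and matches the baseline."""
    parsed = parse_mbr(sector)
    findings = []
    if not parsed["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if parsed["bootcode_sha256"] != baseline["bootcode_sha256"]:
        findings.append("boot code differs from baseline")      # what a bootkit MBR write changes
    if parsed["table_sha256"] != baseline["table_sha256"]:
        findings.append("partition table differs from baseline")
    if not any(p["bootable"] for p in parsed["partitions"]):
        findings.append("no partition flagged bootable")
    return findings


def read_physicaldrive0():
    """Read sector 0 of the first disk on a live Windows host (requires an elevated prompt)."""
    with open(r"\\.\PhysicalDrive0", "rb") as disk:
        return disk.read(SECTOR)


def _build_sample_mbr(bootcode_prefix):
    """Constructed MBR: prefix padded with zeros to 446 bytes, one bootable
    type-0x07 partition starting at LBA 2048, valid signature."""
    bootcode = bootcode_prefix + bytes(BOOTCODE_LEN - len(bootcode_prefix))
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    return bootcode + entry + bytes(16 * 3) + MBR_SIGNATURE


# Constructed "before" image (common MBR prologue: xor ax,ax / mov ss,ax / mov sp,7C00h)
CLEAN_MBR = _build_sample_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C")
# Constructed "after" image: same partition table, boot code replaced with a far jump
TAMPERED_MBR = _build_sample_mbr(b"\xEA\x00\x7C\x00\x00")

if __name__ == "__main__":
    baseline = snapshot(CLEAN_MBR)
    print("clean   :", check_mbr(CLEAN_MBR, baseline) or "no findings")
    print("tampered:", check_mbr(TAMPERED_MBR, baseline))
```

On a real host, record snapshot(read_physicaldrive0()) from a clean image and run check_mbr against a fresh read after detonation or during response. Keeping the boot-code and partition-table digests separate is what lets the result distinguish a bootkit write from an ordinary disk-management change.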

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ = "dm.dmsoft" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ = "Idmsoft" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\ = "dm.dmsoft" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mswke.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CurVer\ = "dm.dmsoft" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID\ = "dm.dmsoft" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CLSID\ = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\ = "Dm" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\ = "{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\ = "{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mswke.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ = "Idmsoft" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
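The rows above are an ordinary COM self-registration performed by regsvr32 on the dropped DLL: ProgID dm.dmsoft maps to CLSID {26037A0E-7CBD-4FFF-9C63-56F2D0770214}, whose InprocServer32 points at C:\Users\Admin\AppData\Local\Temp\mswke.dll, with a type library whose win32 path names the same file. Because the registering process is the 32-bit regsvr32 in SysWOW64, the CLSID lands under Wow6432Node in the 64-bit registry view, and -s suppresses the success dialog. Registration by itself does not run anything at startup; something has to instantiate the class, so the MBR write above, not this, is what the "bootkit persistence" tag rests on. What a responder should pull out of such a table is the chain ProgID -> CLSID -> server path, and whether that path is somewhere an unprivileged user can write. The following is an added example for this report, not sandbox output or the sample's code; EVENTS holds a representative subset of the rows above, and the USER_WRITABLE list is an assumption about where legitimately installed COM servers do not live.

```python
"""Rebuild a COM registration from 'Modifies registry class' events and
flag in-process servers that load from user-writable paths.

Added example for this report, not sandbox output. EVENTS is a subset of
the report's rows copied verbatim; USER_WRITABLE is an assumption.
"""
import re
from collections import defaultdict

EVENTS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft C:\Windows\SysWOW64\regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CLSID\ = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}" C:\Windows\SysWOW64\regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\ProgID\ = "dm.dmsoft" C:\Windows\SysWOW64\regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mswke.dll" C:\Windows\SysWOW64\regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26037A0E-7CBD-4FFF-9C63-56F2D0770214}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mswke.dll" C:\Windows\SysWOW64\regsvr32.exe
"""

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
# <action> <key path>[ = "<value>"] <process>; a trailing backslash on the key means the default value
EVENT_RE = re.compile(r'^(Key created|Set value \(\w+\)) (\\REGISTRY\S*?)(?: = "(.*)")? (\S+)$')

# Assumption: directories any user can write to; installed COM servers do not live here.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\users\\public\\")


def parse_events(text):
    """Return (action, key_path, value_or_None, process) for each report row."""
    rows = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        action, key, value, proc = m.groups()
        if value is not None:
            value = value.replace("\\\\", "\\")   # the report doubles backslashes inside values
        rows.append((action, key, value, proc))
    return rows


def build_com_registrations(text):
    """Collect CLSID entries, ProgID->CLSID links and TypeLib win32 paths from the events."""
    clsids = defaultdict(dict)
    progids = {}
    typelibs = {}
    for _action, key, value, proc in parse_events(text):
        if value is None:                 # 'Key created' rows carry no value
            continue
        low = key.lower()
        guid = re.search(GUID, key)
        if "\\clsid\\{" in low and guid:
            entry = clsids[guid.group(0).upper()]
            entry["process"] = proc
            if low.endswith("\\inprocserver32\\"):
                entry["inproc"] = value
            elif low.endswith("\\inprocserver32\\threadingmodel"):
                entry["threading"] = value
            elif low.endswith("\\progid\\"):
                entry["progid"] = value
        elif low.endswith("\\clsid\\") and re.fullmatch(GUID, value):
            progids[key.split("\\")[-3]] = value.upper()   # Classes\<ProgID>\CLSID default value
        elif "\\typelib\\{" in low and low.endswith("\\win32\\") and guid:
            typelibs[guid.group(0).upper()] = value
    return {"clsid": dict(clsids), "progid": progids, "typelib": typelibs}


def flag_user_writable_servers(regs):
    """One finding per CLSID whose InprocServer32 sits in a user-writable directory."""
    findings = []
    for clsid, entry in regs["clsid"].items():
        server = entry.get("inproc", "")
        if any(d in server.lower() for d in USER_WRITABLE):
            progid = entry.get("progid")
            findings.append({
                "clsid": clsid,
                "progid": progid,
                "server": server,
                "threading": entry.get("threading"),
                "registered_by": entry.get("process"),
                # does Classes\<ProgID>\CLSID point back at this CLSID?
                "progid_resolves": regs["progid"].get(progid) == clsid,
            })
    return findings


if __name__ == "__main__":
    for f in flag_user_writable_servers(build_com_registrations(EVENTS)):
        print(f)
```

The same parser works on any table in this format; the check that matters is the last one, a server path under a user-writable directory that a ProgID resolves to, since that is the condition under which any client calling CoCreateInstance on dm.dmsoft loads the dropped DLL (SHA256 824ec6ef24df25e87ff5553eea571c879eed0b4a9a9c3c30fefb5f9b69ca22ee).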

Processes

C:\Users\Admin\AppData\Local\Temp\a923172e99c654d59dc54c291514d5c0_NEIKI.exe

"C:\Users\Admin\AppData\Local\Temp\a923172e99c654d59dc54c291514d5c0_NEIKI.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 mswke.dll -s

Network

Country Destination Domain Proto
US 8.8.8.8:53 1.dmiug.com udp
US 8.8.8.8:53 2.dmiug.com udp
US 8.8.8.8:53 3.dmiug.com udp
US 8.8.8.8:53 4.dmiug.com udp
US 8.8.8.8:53 5.dmiug.com udp
US 8.8.8.8:53 6.dmiug.com udp
US 8.8.8.8:53 7.dmiug.com udp
US 8.8.8.8:53 8.dmiug.com udp
US 8.8.8.8:53 9.dmiug.com udp
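The nine queries above walk 1.dmiug.com through 9.dmiug.com in order, and no TCP connection to any dmiug.com host follows in the table, whereas the bing.com names in the behavioral2 run are each followed by a 443 connection (Windows background traffic with its reverse lookups). A numbered-label sweep of one parent domain with no follow-on connection is the pattern worth surfacing when triaging such a table. The following is an added example for this report, not sandbox output or the sample's code: NET_ROWS is copied from the two Network tables in this report, and the parent-domain heuristic (last two labels) is an assumption adequate for these rows that would need a public-suffix list in general.

```python
"""Group a sandbox network table by parent domain and flag numbered-subdomain fan-out.

Added example for this report, not sandbox output. NET_ROWS copies rows from
the report's behavioral1 and behavioral2 Network tables; parent_domain() is
an assumed heuristic.
"""
import re
from collections import defaultdict

NET_ROWS = """
US 8.8.8.8:53 1.dmiug.com udp
US 8.8.8.8:53 2.dmiug.com udp
US 8.8.8.8:53 3.dmiug.com udp
US 8.8.8.8:53 4.dmiug.com udp
US 8.8.8.8:53 5.dmiug.com udp
US 8.8.8.8:53 6.dmiug.com udp
US 8.8.8.8:53 7.dmiug.com udp
US 8.8.8.8:53 8.dmiug.com udp
US 8.8.8.8:53 9.dmiug.com udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 52.111.229.48:443 tcp
"""

# Country Destination Domain Proto; Domain may be absent for bare-IP connections
ROW_RE = re.compile(r"^(\w{2}) (\S+):(\d+)(?: (\S+))? (udp|tcp)$")


def parse_rows(text):
    """Return one dict per table row."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        country, ip, port, domain, proto = m.groups()
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def parent_domain(name):
    """Assumed heuristic: reverse lookups collapse to in-addr.arpa, others to their last two labels."""
    if name.endswith(".in-addr.arpa"):
        return "in-addr.arpa"
    return ".".join(name.split(".")[-2:])


def summarize(text):
    """Per parent domain: DNS query count, numeric leading labels, and whether any TCP connection followed."""
    summary = defaultdict(lambda: {"dns_queries": 0, "numeric_labels": set(), "tcp_followup": False})
    for row in parse_rows(text):
        if not row["domain"]:
            continue                          # bare IP, nothing to group by
        entry = summary[parent_domain(row["domain"])]
        if row["proto"] == "udp" and row["port"] == 53:
            entry["dns_queries"] += 1
            first = row["domain"].split(".")[0]
            if first.isdigit():
                entry["numeric_labels"].add(int(first))
        elif row["proto"] == "tcp":
            entry["tcp_followup"] = True
    for entry in summary.values():
        entry["numeric_labels"] = sorted(entry["numeric_labels"])
    return dict(summary)


def numbered_subdomain_runs(summary, min_run=3):
    """(parent, first, last, tcp_followup) for parents whose numeric labels form a consecutive run >= min_run."""
    hits = []
    for parent, entry in summary.items():
        labels = entry["numeric_labels"]
        best = start = None
        for i, n in enumerate(labels):
            if i == 0 or n != labels[i - 1] + 1:
                start = n                     # new run begins
            if n - start + 1 >= min_run and (best is None or n - start > best[1] - best[0]):
                best = (start, n)
        if best:
            hits.append((parent, best[0], best[1], entry["tcp_followup"]))
    return sorted(hits)


if __name__ == "__main__":
    for hit in numbered_subdomain_runs(summarize(NET_ROWS)):
        print("numbered sweep: %s labels %d..%d, tcp follow-up: %s" % hit)
```

A hit with tcp_followup False, as here, means the sample asked for a sequence of names and never connected to any of them within the capture window; the table alone does not say whether the names failed to resolve or the sample simply stopped, so that is where the analyst turns to the DNS responses or a longer run.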

Files

memory/2860-0-0x0000000000400000-0x00000000005F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mswke.dll

MD5 db7349002f34926a1a4739352016ef7c
SHA1 959390512349767af31fde1af854b176c41198c3
SHA256 824ec6ef24df25e87ff5553eea571c879eed0b4a9a9c3c30fefb5f9b69ca22ee
SHA512 5e79b833594346fa8c0db7074d4369e9b473b86912ea17183748cb91d247e1aa61b4380c1e2e79cd2548065b37cc53ff9525fe19e8251889a27fd3d0e0633175

memory/2584-11-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/2584-10-0x0000000010000000-0x0000000010164000-memory.dmp

memory/2584-12-0x000000006FFF0000-0x0000000070000000-memory.dmp

memory/2860-17-0x0000000000790000-0x0000000000792000-memory.dmp

memory/2860-16-0x0000000010000000-0x0000000010164000-memory.dmp

memory/2584-13-0x000000006FFF0000-0x0000000070000000-memory.dmp

memory/2860-19-0x0000000002180000-0x000000000218A000-memory.dmp

memory/2860-18-0x0000000002180000-0x000000000218A000-memory.dmp

memory/2860-20-0x0000000010000000-0x0000000010164000-memory.dmp

memory/2860-22-0x0000000000790000-0x0000000000792000-memory.dmp

memory/2860-23-0x0000000002180000-0x000000000218A000-memory.dmp

memory/2860-24-0x0000000000400000-0x00000000005F1000-memory.dmp