Malware Analysis Report

2025-08-05 19:17

Sample ID 240513-mdjz4saa9t
Target b23322dcd97791cb71fb6334b4fd6130_NeikiAnalytics
SHA256 08707998b12ff7bd313fda087fe0f3a47d288922898a4ce6c0202b766d77b028
Tags: upx, evasion
Score: 8/10


Analysis Overview

Score: 8/10

SHA256: 08707998b12ff7bd313fda087fe0f3a47d288922898a4ce6c0202b766d77b028

Threat Level: Likely malicious

The file b23322dcd97791cb71fb6334b4fd6130_NeikiAnalytics was found to be: Likely malicious.

Malicious Activity Summary

Tags: upx, evasion

Sets file to hidden

Deletes itself

Checks computer location settings

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Views/modifies file attributes

Checks processor information in registry

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-05-13 10:20

Signatures

UPX packed file

Tag: upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-13 10:20

Reported

2024-05-13 10:23

Platform

win7-20240508-en

Max time kernel

141s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b23322dcd97791cb71fb6334b4fd6130_NeikiAnalytics.exe"

Signatures

Sets file to hidden

Tag: evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Debug\ayahost.exe | N/A

UPX packed file

Tag: upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Debug\ayahost.exe | C:\Users\Admin\AppData\Local\Temp\b23322dcd97791cb71fb6334b4fd6130_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\Debug\ayahost.exe | C:\Windows\SysWOW64\attrib.exe | N/A
File created | C:\Windows\Debug\ayahost.exe | C:\Users\Admin\AppData\Local\Temp\b23322dcd97791cb71fb6334b4fd6130_NeikiAnalytics.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Debug\ayahost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Debug\ayahost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b23322dcd97791cb71fb6334b4fd6130_NeikiAnalytics.exe | N/A

Views/modifies file attributes

Tag: evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b23322dcd97791cb71fb6334b4fd6130_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\b23322dcd97791cb71fb6334b4fd6130_NeikiAnalytics.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +a +s +h +r C:\Windows\Debug\ayahost.exe

C:\Windows\Debug\ayahost.exe

C:\Windows\Debug\ayahost.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\B23322~1.EXE > nul

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.baidu.com | udp
HK | 103.235.46.40:80 | www.baidu.com | tcp
US | 8.8.8.8:53 | 1Dw34TjxV.nnnn.eu.org | udp
US | 8.8.8.8:53 | bt7FM8wrhj.nnnn.eu.org | udp
US | 8.8.8.8:53 | ZpQ7cQzRx.nnnn.eu.org | udp

Files

memory/1736-0-0x0000000000400000-0x0000000000416000-memory.dmp

C:\Windows\Debug\ayahost.exe

MD5 75c863e178af2097f1851725ecf4be46
SHA1 790a57ed3432602f3e821dc6dd3c09e5117fbda8
SHA256 86a90c773a97be8a443fb9d9986c7e23f39d556051037ff57f5c2346ee630008
SHA512 65a3d02be7ef42e55cf6c6cf6fd3ebbe8778f159db52366d45078bb725b1c9968ee56f14a595e83bafcc23a624214dc4d0db52bb1aa1de99ede7a39cdc375265

memory/2360-5-0x0000000000400000-0x0000000000416000-memory.dmp

memory/1736-6-0x0000000000400000-0x0000000000416000-memory.dmp

memory/2360-7-0x0000000000400000-0x0000000000416000-memory.dmp

memory/2360-13-0x0000000000400000-0x0000000000416000-memory.dmp

memory/2360-16-0x0000000000400000-0x0000000000416000-memory.dmp

memory/2360-19-0x0000000000400000-0x0000000000416000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-13 10:20

Reported

2024-05-13 10:23

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b23322dcd97791cb71fb6334b4fd6130_NeikiAnalytics.exe"

Signatures

Sets file to hidden

Tag: evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b23322dcd97791cb71fb6334b4fd6130_NeikiAnalytics.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Debug\cwshost.exe | N/A

UPX packed file

Tag: upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Debug\cwshost.exe | C:\Windows\SysWOW64\attrib.exe | N/A
File created | C:\Windows\Debug\cwshost.exe | C:\Users\Admin\AppData\Local\Temp\b23322dcd97791cb71fb6334b4fd6130_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\Debug\cwshost.exe | C:\Users\Admin\AppData\Local\Temp\b23322dcd97791cb71fb6334b4fd6130_NeikiAnalytics.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Debug\cwshost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Debug\cwshost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b23322dcd97791cb71fb6334b4fd6130_NeikiAnalytics.exe | N/A

Views/modifies file attributes

Tag: evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b23322dcd97791cb71fb6334b4fd6130_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\b23322dcd97791cb71fb6334b4fd6130_NeikiAnalytics.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +a +s +h +r C:\Windows\Debug\cwshost.exe

C:\Windows\Debug\cwshost.exe

C:\Windows\Debug\cwshost.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\B23322~1.EXE > nul

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.baidu.com | udp
NL | 23.62.61.131:443 | www.bing.com | tcp
HK | 103.235.46.40:80 | www.baidu.com | tcp
US | 8.8.8.8:53 | 131.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 40.46.235.103.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | OinJazMkcP.nnnn.eu.org | udp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | yOVUMxqsM7.nnnn.eu.org | udp
US | 8.8.8.8:53 | Y4gfdRpU6L.nnnn.eu.org | udp
US | 8.8.8.8:53 | 25.173.189.20.in-addr.arpa | udp

Files

memory/1696-0-0x0000000000400000-0x0000000000416000-memory.dmp

C:\Windows\Debug\cwshost.exe

MD5 212e61333a2f6bd4c53c3292c6f94f64
SHA1 abb96ae8ef18daf48d427648a2259738b64204af
SHA256 5a1c24d7509d9eb33ea17497f0aa51c98020cf12ce5a30c0ccf1ad437cab736e
SHA512 573907c98f3f7788e6907f08ff0d01b71e317c5fabf51e2fd88bfff63fcf272dc68b2ee3d6b332a8fc69a4e08a25713510121645c41058070b4906d10343c451

memory/3252-5-0x0000000000400000-0x0000000000416000-memory.dmp

memory/1696-6-0x0000000000400000-0x0000000000416000-memory.dmp

memory/3252-7-0x0000000000400000-0x0000000000416000-memory.dmp

memory/3252-13-0x0000000000400000-0x0000000000416000-memory.dmp

memory/3252-16-0x0000000000400000-0x0000000000416000-memory.dmp

memory/3252-19-0x0000000000400000-0x0000000000416000-memory.dmp