Malware Analysis Report

2025-08-05 19:17

Sample ID: 240513-mj7clabd54
Target: b2b26a00029aa1306e0a472f22263550_NeikiAnalytics
SHA256: 1a7b18e4e336abe72f64a9a232b0b79e6b13a71e77eb7266885447b7da0e0695
Tags: evasion
Score: 8/10

Analysis Overview

Score: 8/10

SHA256: 1a7b18e4e336abe72f64a9a232b0b79e6b13a71e77eb7266885447b7da0e0695

Threat Level: Likely malicious

The file b2b26a00029aa1306e0a472f22263550_NeikiAnalytics was found to be: Likely malicious.

Across the two detonations below, the sample writes a second executable into C:\Windows\Debug (wkmhost.exe on Windows 10, zskhost.exe on Windows 7; the two drops also have different hashes), marks it archive/system/hidden/read-only with attrib.exe, executes it, and removes the original from %TEMP% through cmd.exe /c del using the file's 8.3 short name (B2B26A~1.EXE). Both runs then issue DNS queries for random-looking hostnames under nnnn.eu.org; the only non-DNS connection recorded in either run is the TCP session to www.bing.com in the Windows 10 run, and no traffic to the nnnn.eu.org hosts is logged. Note that the "Deletes itself" signature is listed only for the Windows 7 run, although the same cmd.exe /c del command appears in both process lists.

Malicious Activity Summary

evasion

Sets file to hidden

Checks computer location settings

Executes dropped EXE

Deletes itself

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Views/modifies file attributes

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-05-13 10:30

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-13 10:30
Reported: 2024-05-13 10:33
Platform: win10v2004-20240508-en
Max time kernel: 141s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b2b26a00029aa1306e0a472f22263550_NeikiAnalytics.exe"

Signatures

Sets file to hidden

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b2b26a00029aa1306e0a472f22263550_NeikiAnalytics.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Debug\wkmhost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Debug\wkmhost.exe | C:\Users\Admin\AppData\Local\Temp\b2b26a00029aa1306e0a472f22263550_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\Debug\wkmhost.exe | C:\Users\Admin\AppData\Local\Temp\b2b26a00029aa1306e0a472f22263550_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\Debug\wkmhost.exe | C:\Windows\SysWOW64\attrib.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b2b26a00029aa1306e0a472f22263550_NeikiAnalytics.exe | N/A

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b2b26a00029aa1306e0a472f22263550_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\b2b26a00029aa1306e0a472f22263550_NeikiAnalytics.exe"

C:\Windows\SysWOW64\attrib.exe
  attrib +a +s +h +r C:\Windows\Debug\wkmhost.exe

C:\Windows\Debug\wkmhost.exe
  C:\Windows\Debug\wkmhost.exe

C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\B2B26A~1.EXE > nul

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp
NL | 23.62.61.129:443 | www.bing.com | tcp
US | 8.8.8.8:53 | wwdorL62c4.nnnn.eu.org | udp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | Wcoz8pZdMl.nnnn.eu.org | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 9femG7FYPp.nnnn.eu.org | udp
US | 8.8.8.8:53 | jLpxX5jgd3.nnnn.eu.org | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | J1W9IZCHNl.nnnn.eu.org | udp

Files

C:\Windows\debug\wkmhost.exe

MD5: b6b831c86307d99fade6a989e89a1421
SHA1: fc6d79c43fb04e91752c92f3596b71c483242005
SHA256: a5eace26fe58bebdd961a4217f9abbf890025f7891b66483738bd0e99c182195
SHA512: 635e15c4cbf5abbfa88477dd916a7c7e791251cb7d09242015825f98b8cd812d9cb00390cfdadc445e2c1eeb931f95d8d35835ddbb9d292021e38036117e8a4e

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-13 10:30
Reported: 2024-05-13 10:33
Platform: win7-20240221-en
Max time kernel: 141s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b2b26a00029aa1306e0a472f22263550_NeikiAnalytics.exe"

Signatures

Sets file to hidden

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Debug\zskhost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Debug\zskhost.exe | C:\Users\Admin\AppData\Local\Temp\b2b26a00029aa1306e0a472f22263550_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\Debug\zskhost.exe | C:\Users\Admin\AppData\Local\Temp\b2b26a00029aa1306e0a472f22263550_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\Debug\zskhost.exe | C:\Windows\SysWOW64\attrib.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b2b26a00029aa1306e0a472f22263550_NeikiAnalytics.exe | N/A

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b2b26a00029aa1306e0a472f22263550_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\b2b26a00029aa1306e0a472f22263550_NeikiAnalytics.exe"

C:\Windows\SysWOW64\attrib.exe
  attrib +a +s +h +r C:\Windows\Debug\zskhost.exe

C:\Windows\Debug\zskhost.exe
  C:\Windows\Debug\zskhost.exe

C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\B2B26A~1.EXE > nul
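The process lists of both detonations (behavioral2 above and behavioral1 here) show the same three-step chain: attrib.exe hides the drop, the drop runs, and cmd.exe deletes the original by its 8.3 short name. The script below is an added example, not the sandbox's own signature logic, that re-derives the "Sets file to hidden", "Executes dropped EXE" and "Deletes itself" findings from process and file-write telemetry. Its input is constructed from the behavioral2 process list; the PIDs, the parent links and the FILE_WRITES shape are assumptions, since the report does not publish process IDs or tree structure.

```python
"""Re-derive three of this report's behavioral signatures from process and file-write telemetry.

Added example, not the sandbox's own signature code. Input is constructed from the
process lists in this report; PIDs and parent links are invented because the report
does not publish them.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b2b26a00029aa1306e0a472f22263550_NeikiAnalytics.exe"
DROPPED = r"C:\Windows\Debug\wkmhost.exe"   # zskhost.exe in the Windows 7 run

# Constructed from the behavioral2 process list; PIDs and parent links are assumed.
PROCS = [
    Proc(1000, 1, SAMPLE, f'"{SAMPLE}"'),
    Proc(1001, 1000, r"C:\Windows\SysWOW64\attrib.exe", f"attrib +a +s +h +r {DROPPED}"),
    Proc(1002, 1000, DROPPED, DROPPED),
    Proc(1003, 1000, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\B2B26A~1.EXE > nul'),
]
# "File created" events from the same run: (writer image, path written).
FILE_WRITES = [(SAMPLE, DROPPED)]


def short_name_matches(short: str, long_name: str) -> bool:
    """Heuristic 8.3 match, e.g. B2B26A~1.EXE against the long basename.

    Windows builds the default short name from the first six characters of the
    long stem (uppercased, spaces and dots removed) plus ~N and a three-character
    extension. Collision-resolved names can use a hash instead, so treat a match
    as strong evidence, not proof.
    """
    if short.lower() == long_name.lower():
        return True
    m = re.fullmatch(r"([^~.]{1,6})~\d+(?:\.([^.]*))?", short)
    if not m:
        return False
    s_stem, s_ext = m.group(1).upper(), (m.group(2) or "").upper()
    l_stem, l_ext = ntpath.splitext(long_name)
    l_stem = re.sub(r"[\s.]", "", l_stem).upper()[:6]
    l_ext = l_ext.lstrip(".").upper()[:3]
    return s_stem == l_stem and s_ext == l_ext


def analyze(procs, file_writes):
    """Return (signature, pid, path) findings in process-list order."""
    findings = []
    written = {path.lower() for _, path in file_writes}
    for p in procs:
        base = ntpath.basename(p.image).lower()
        if base == "attrib.exe":
            # attrib +h (here also +s +r) on a file under C:\Windows: hide the drop
            flags = {f.lower() for f in re.findall(r"\+([ashr])", p.cmdline, re.I)}
            target = p.cmdline.split()[-1]
            if "h" in flags and target.lower().startswith("c:\\windows\\"):
                findings.append(("sets_file_hidden", p.pid, target))
        elif base == "cmd.exe":
            # cmd /c del <8.3 name>: the deleted file is a running image -> self-delete
            m = re.search(r"\bdel\s+(\S+)", p.cmdline, re.I)
            if m:
                victim = ntpath.basename(m.group(1))
                for q in procs:
                    if short_name_matches(victim, ntpath.basename(q.image)):
                        findings.append(("deletes_itself", p.pid, q.image))
        if p.image.lower() in written:
            # image was written earlier in this run by another process
            findings.append(("executes_dropped_exe", p.pid, p.image))
    return findings


if __name__ == "__main__":
    for sig, pid, path in analyze(PROCS, FILE_WRITES):
        print(f"{sig:22} pid={pid} {path}")
```

The short-name check is what makes the self-delete detectable at all: the command line never names the original file, only B2B26A~1.EXE, so a rule that compares the del target against a process image by exact string would miss it. Swapping DROPPED for C:\Windows\Debug\zskhost.exe reproduces the Windows 7 run.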

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | wwdorL62c4.nnnn.eu.org | udp
US | 8.8.8.8:53 | Wcoz8pZdMl.nnnn.eu.org | udp
US | 8.8.8.8:53 | 6IVtm3l6z.nnnn.eu.org | udp
US | 8.8.8.8:53 | gzDMkWtpD.nnnn.eu.org | udp
US | 8.8.8.8:53 | GOXSE0VZv.nnnn.eu.org | udp
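Both Network tables (behavioral2 above and behavioral1 here) show the same shape: a fixed parent domain, nnnn.eu.org, queried with a different random-looking leftmost label each time, mixed in with the sandbox's own PTR lookups. The script below is an added example, not part of the sandbox report, that groups queries by parent domain and flags parents receiving several such labels. QUERIES is constructed from the two tables; the length, entropy and count thresholds are assumptions chosen to separate these labels from ordinary hostnames such as www.

```python
"""Group DNS queries by parent domain and flag parents that receive many random-looking
leftmost labels, the pattern both detonations in this report show for nnnn.eu.org.

Added example, not part of the sandbox report. QUERIES is constructed from the two
Network tables (reverse lookups included); the thresholds are assumptions.
"""
import math
from collections import defaultdict

QUERIES = [
    "136.32.126.40.in-addr.arpa",
    "www.bing.com",
    "wwdorL62c4.nnnn.eu.org",
    "77.190.18.2.in-addr.arpa",
    "129.61.62.23.in-addr.arpa",
    "Wcoz8pZdMl.nnnn.eu.org",
    "103.169.127.40.in-addr.arpa",
    "79.190.18.2.in-addr.arpa",
    "206.23.85.13.in-addr.arpa",
    "9femG7FYPp.nnnn.eu.org",
    "jLpxX5jgd3.nnnn.eu.org",
    "11.227.111.52.in-addr.arpa",
    "J1W9IZCHNl.nnnn.eu.org",
    "6IVtm3l6z.nnnn.eu.org",
    "gzDMkWtpD.nnnn.eu.org",
    "GOXSE0VZv.nnnn.eu.org",
]


def shannon_entropy(s: str) -> float:
    """Bits per character of the label (0 for a single repeated character)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for c in s:
        counts[c] += 1
    n = len(s)
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def looks_random(label: str, min_len: int = 8, min_entropy: float = 2.5) -> bool:
    """Keep the client's original case: DNS ignores it, but a generator that mixes
    upper and lower case leaks its character set through the query."""
    if len(label) < min_len:
        return False
    classes = sum((
        any(c.islower() for c in label),
        any(c.isupper() for c in label),
        any(c.isdigit() for c in label),
    ))
    return classes >= 2 and shannon_entropy(label) >= min_entropy


def is_reverse_lookup(name: str) -> bool:
    return name.lower().rstrip(".").endswith((".in-addr.arpa", ".ip6.arpa"))


def flag_random_subdomains(queries, min_labels: int = 3):
    """Map parent domain -> sorted random-looking leftmost labels seen under it,
    keeping only parents with at least min_labels such labels."""
    per_parent = defaultdict(set)
    for q in queries:
        if is_reverse_lookup(q):
            continue  # PTR lookups of the sandbox's own peers, not attacker infrastructure
        labels = q.strip(".").split(".")
        if len(labels) < 3 or not looks_random(labels[0]):
            continue
        per_parent[".".join(labels[1:])].add(labels[0])
    return {p: sorted(ls) for p, ls in per_parent.items() if len(ls) >= min_labels}


if __name__ == "__main__":
    for parent, labels in flag_random_subdomains(QUERIES).items():
        print(f"{parent}: {len(labels)} random-looking labels, e.g. {labels[0]}")
```

Grouping by parent is the point: the leftmost label changes from query to query, so the stable indicator to block or sinkhole is nnnn.eu.org, not any single hostname. Two labels, wwdorL62c4 and Wcoz8pZdMl, appear in both detonations, so the generator is not purely random per run; those two are the most durable hostnames on the page if you do need exact-match indicators.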

Files

C:\Windows\Debug\zskhost.exe

MD5: a19b178c9c39ed649b13fe223b76e483
SHA1: 23c7a05d64563af5e5e59d0d1f8f4662e8ac4be0
SHA256: 5b9a64f8fe4e239c383291297dbce0c8a889f31cb0b3f1559171da16a4f3c277
SHA512: ce0c2b2b85aea4e2f24195767a395142efbe0c57f418ae8139164735a105c863a8f505564e61c0c1d1ac80b4fb5f5d6c311cbc693e20adfc8e7324776b6441d6