Malware Analysis Report

2025-06-16 03:38

Sample ID: 240526-rl745ahc2x
Target: 080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe
SHA256: 4f780492c9a8a825f7c259aae31d0a9f00b435d7f87e297390c8386c63f32769
Tags: upx, bootkit, persistence
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 7/10

SHA256: 4f780492c9a8a825f7c259aae31d0a9f00b435d7f87e297390c8386c63f32769

Threat Level: Shows suspicious behavior

The file 080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe was found to show suspicious behavior.

Malicious Activity Summary

Tags: upx, bootkit, persistence

UPX packed file

Executes dropped EXE

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-26 14:17

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-26 14:17
Reported: 2024-05-26 14:20
Platform: win7-20240221-en
Max time kernel: 120s
Max time network: 126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WG8D80.tmp | N/A

UPX packed file

Tags: upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\WG8D80.tmp

C:\Users\Admin\AppData\Local\Temp\WG8D80.tmp

Network

N/A

Files

C:\Users\Admin\Favorites\Íâ¹Ò×÷·»¹Ù·½Õ¾ [www.zuowg.com].url

MD5 7c8c531ff6a158742da186b1fad6e00e
SHA1 98d4551e0d6ac034838a17437640f3335edfaa86
SHA256 00ddbc71282fdbf74b8a02cc75b2c3d66529fe7664c148cc0ca79576a883c501
SHA512 1788173da6e9cf7e5421c02854ca9122d0825927f33fc64bafb76377ee80c0e1a8112c36ee40b1cbce86e121f864777e8ddf9aecd282f3cc82b70e12cc904805

\Users\Admin\AppData\Local\Temp\WG8D80.tmp

MD5 e6b75a3573c1825d9827bf8720369010
SHA1 1fb308d81358ca8db5e6f7609b9caf697477b415
SHA256 8f55a211f420fcdae8ca894407f72e423997d054dbdab14c54568570a30daa03
SHA512 4713e374786be79088b276b322b2aa2e747bb1adc4fe7de6612a433c64a917b63d9cdd0de3cdcc786e2b7b11da421b6f73e60b9db7ceaba4cfe5d0d11528608c

memory/1284-29-0x0000000002AE0000-0x0000000002B03000-memory.dmp

memory/1284-34-0x0000000002AE0000-0x0000000002B03000-memory.dmp

memory/2528-36-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2528-38-0x0000000000400000-0x0000000000423000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-26 14:17
Reported: 2024-05-26 14:20
Platform: win10v2004-20240508-en
Max time kernel: 148s
Max time network: 156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe"

Signatures

Writes to the Master Boot Record (MBR)

Tags: bootkit, persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
CN | 103.21.140.207:5927 | N/A | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | kxsx.vicp.net | udp
CN | 47.111.82.157:5927 | kxsx.vicp.net | tcp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 52.111.229.43:443 | N/A | tcp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 137.71.105.51.in-addr.arpa | udp

Files

C:\Users\Admin\Favorites\Íâ¹Ò×÷·»¹Ù·½Õ¾ [www.zuowg.com].url

MD5 f9fc3e4f710ea6068eccca29ed784970
SHA1 eb6f961e7102e3aef227b204ff4dd9563f745812
SHA256 1c12badabe490d7c3d63bb0187965344ce0ed923eab707e446900a9b98913fcb
SHA512 b2d0db7a2c4b4d4e53a8daf2caff6a0ea826133038380e5dcf8c6493417f2884ecd61f047798189a3cff13cca3b9dbe99e5a501ce5de10488b2a337389b019ed

C:\Users\Admin\Favorites\Íâ¹Ò×÷·»×ÊÔ´Õ¾ [42724920.ys168.com].url

MD5 514d1b59ae8925c5edea3c446ce588dd
SHA1 60dd675b65c7ffaac6ca731dba265a6f316a6f75
SHA256 6bbfe9e113e075b646ae49400657b8bb20cbab06854b38bf007ac6e15cd7b773
SHA512 5bf3d0f1715b445852ad184907d2161967d51cb8fe9673330438d8705502bc63e263222c43839140c613a427b0b58b297e522b3953c2543453625e01b8017253

C:\Users\Admin\AppData\Local\Temp\e574934.tmp

MD5 4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1 e16506f662dc92023bf82def1d621497c8ab5890
SHA256 767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA512 9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

C:\Users\Admin\AppData\Local\Temp\e574954.tmp

MD5 5870ea0d6ba8dd6e2008466bdd00e0f4
SHA1 d41bf60d0dedff90e3cfc1b41b7e1a73df39a7d5
SHA256 5a7dac8c8b5d7cf1115246dfaf994e7f50e16a7eac1488642396f5e23fddfe0d
SHA512 0c620d5e7383adcf979feccc3b1bad584a5cec8b3d74d0ace8bb786f1f04ba87fa70d59d041dc3833977d44a75f2070181d4054c7c0b9c4ce2d66249b4b3c837

C:\Users\Admin\AppData\Local\Temp\e574955.tmp

MD5 f6b847a54cfb804a25b8842b45fd1d50
SHA1 bb22fef07ce1577c8a7fa057d8cf05502c013bfc
SHA256 5dd2f5a957946e0b6f63660ebd897851aad4795d4c847396c47ddbb647715583
SHA512 dd08a55f538e2a33e6a0c496dc97ae9045594cbbf62f7894ae8ded63f4dc0b2e89c5935269adfd1c19607b1d2474bddc49f6acb955e6dc53a55560663ca2137a