Malware Analysis Report

2025-08-10 21:37

Sample ID: 240529-jls17sfe3y
Target: 4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe
SHA256: c72f3f17d1d8dcd619bfdd3b67e834c91ba8a4d1cda1a4ef1cbda0763d153166
Tags: upx, persistence
Score: 7/10


Analysis Overview

Score: 7/10

SHA256: c72f3f17d1d8dcd619bfdd3b67e834c91ba8a4d1cda1a4ef1cbda0763d153166

Threat Level: Shows suspicious behavior

The file 4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe shows suspicious behavior.

Malicious Activity Summary

Tags: upx, persistence

Executes dropped EXE

UPX packed file

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory


Analysis: static1

Detonation Overview

Reported: 2024-05-29 07:45

Signatures

UPX packed file (upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-29 07:45
Reported: 2024-05-29 07:48
Platform: win7-20240419-en
Max time kernel: 17s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A
N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4B4D9F23293F2A5A0BE3A3E680977AC0_NEIKIANALYTICS.EXE | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A
N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A

UPX packed file (upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (9 detections, no indicator details recorded)

Adds Run key to start application (persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | C:\Users\Admin\AppData\Local\Temp\4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | C:\Users\Admin\AppData\Local\Temp\4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | C:\WINDOWS\MSWDM.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | C:\WINDOWS\MSWDM.EXE | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\WINDOWS\MSWDM.EXE | C:\Users\Admin\AppData\Local\Temp\4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\dev1B9C.tmp | C:\Users\Admin\AppData\Local\Temp\4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\dev1B9C.tmp | C:\WINDOWS\MSWDM.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1968 wrote to memory of 1144 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe | C:\WINDOWS\MSWDM.EXE
PID 1968 wrote to memory of 3056 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe | C:\WINDOWS\MSWDM.EXE
PID 3056 wrote to memory of 2664 (4 events) | N/A | C:\WINDOWS\MSWDM.EXE | C:\Users\Admin\AppData\Local\Temp\4B4D9F23293F2A5A0BE3A3E680977AC0_NEIKIANALYTICS.EXE
PID 3056 wrote to memory of 2504 (4 events) | N/A | C:\WINDOWS\MSWDM.EXE | C:\WINDOWS\MSWDM.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe"

C:\WINDOWS\MSWDM.EXE
  Command line: "C:\WINDOWS\MSWDM.EXE"

C:\WINDOWS\MSWDM.EXE
  Command line: -r!C:\Windows\dev1B9C.tmp!C:\Users\Admin\AppData\Local\Temp\4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe! !

C:\Users\Admin\AppData\Local\Temp\4B4D9F23293F2A5A0BE3A3E680977AC0_NEIKIANALYTICS.EXE

C:\WINDOWS\MSWDM.EXE
  Command line: -e!C:\Windows\dev1B9C.tmp!C:\Users\Admin\AppData\Local\Temp\4B4D9F23293F2A5A0BE3A3E680977AC0_NEIKIANALYTICS.EXE!

Network

Country | Destination | Domain | Proto
N/A | 10.127.255.255:78 | | udp
N/A | 10.255.255.255:78 | | udp
N/A | 10.127.0.255:78 | | udp

Files

memory/1968-11-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Windows\MSWDM.EXE

MD5 c63b4134b74602a3c45a65664b08d981
SHA1 395e802be36cc24865439eac672ddf85733aafaf
SHA256 2495dffa440d3090c798cb22a73a8beacb063221b2a894f7fbc62a4b6d5b4a58
SHA512 82894f5428ae58cfdbcf2c3ef9d08dfe533d91c67b290f875337196f731137c38ca855293caa6c9568ed510564a5fc71372f38d3edeae0a7036dd57265d122dd

memory/3056-22-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4B4D9F23293F2A5A0BE3A3E680977AC0_NEIKIANALYTICS.EXE

MD5 6503efe0a01c2d50c97be27f3cb10a43
SHA1 a0cb3708603a18f02352d01ec672020e5bad5073
SHA256 0cf9864ae3a8679ed503f954a453452c93fa44f99ca6f39bbc5860abde7fd35e
SHA512 ebdbc553ba4348676fd3f2ca12e48af53a229b449a36e653dbfca90efb34d21033e41d1157dcca28c2b1e5f91368c0839298992247cf7d2e8feca5feab8ecea4

memory/1144-23-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1968-0-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4B4D9F23293F2A5A0BE3A3E680977AC0_NEIKIANALYTICS.EXE

MD5 7773466d12176502f9cb8f5c0fc446db
SHA1 1294700f0cbf4e4e0e542aaa37bec665edf64a57
SHA256 aa0d09a1b1d0dca61ff07b37dbe49198e72c0aa168e46c61b542af33398b23a8
SHA512 e07628145ca10964983d8e3d99cf9533fa3ca4afb63c9cea05b23ac1998626fbf20114b12fe17d9c8a39fa526706d01e1ca3c005baa26fc7e5c4a3de8239e5c6

memory/3056-32-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2504-30-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1144-33-0x0000000000400000-0x0000000000429000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-29 07:45
Reported: 2024-05-29 07:48
Platform: win10v2004-20240508-en
Max time kernel: 21s
Max time network: 108s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A
N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4B4D9F23293F2A5A0BE3A3E680977AC0_NEIKIANALYTICS.EXE | N/A
N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A

UPX packed file (upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (8 detections, no indicator details recorded)

Adds Run key to start application (persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | C:\Users\Admin\AppData\Local\Temp\4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | C:\Users\Admin\AppData\Local\Temp\4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | C:\WINDOWS\MSWDM.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | C:\WINDOWS\MSWDM.EXE | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\WINDOWS\MSWDM.EXE | C:\Users\Admin\AppData\Local\Temp\4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\dev4CF7.tmp | C:\Users\Admin\AppData\Local\Temp\4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\dev4CF7.tmp | C:\WINDOWS\MSWDM.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A
N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe"

C:\WINDOWS\MSWDM.EXE
  Command line: "C:\WINDOWS\MSWDM.EXE"

C:\WINDOWS\MSWDM.EXE
  Command line: -r!C:\Windows\dev4CF7.tmp!C:\Users\Admin\AppData\Local\Temp\4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe! !

C:\Users\Admin\AppData\Local\Temp\4B4D9F23293F2A5A0BE3A3E680977AC0_NEIKIANALYTICS.EXE

C:\WINDOWS\MSWDM.EXE
  Command line: -e!C:\Windows\dev4CF7.tmp!C:\Users\Admin\AppData\Local\Temp\4B4D9F23293F2A5A0BE3A3E680977AC0_NEIKIANALYTICS.EXE!

Network

Country | Destination | Domain | Proto
N/A | 10.127.255.255:78 | | udp
N/A | 10.255.255.255:78 | | udp
US | 8.8.8.8:53 | 255.1.127.10.in-addr.arpa | udp
US | 8.8.8.8:53 | 255.255.255.10.in-addr.arpa | udp
N/A | 10.127.1.255:78 | | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
NL | 23.62.61.98:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 98.61.62.23.in-addr.arpa | udp
NL | 23.62.61.115:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 115.61.62.23.in-addr.arpa | udp
IE | 52.111.236.23:443 | | tcp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp

Files

memory/4204-0-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Windows\MSWDM.EXE

MD5 c63b4134b74602a3c45a65664b08d981
SHA1 395e802be36cc24865439eac672ddf85733aafaf
SHA256 2495dffa440d3090c798cb22a73a8beacb063221b2a894f7fbc62a4b6d5b4a58
SHA512 82894f5428ae58cfdbcf2c3ef9d08dfe533d91c67b290f875337196f731137c38ca855293caa6c9568ed510564a5fc71372f38d3edeae0a7036dd57265d122dd

memory/4204-9-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Windows\dev4CF7.tmp

MD5 6503efe0a01c2d50c97be27f3cb10a43
SHA1 a0cb3708603a18f02352d01ec672020e5bad5073
SHA256 0cf9864ae3a8679ed503f954a453452c93fa44f99ca6f39bbc5860abde7fd35e
SHA512 ebdbc553ba4348676fd3f2ca12e48af53a229b449a36e653dbfca90efb34d21033e41d1157dcca28c2b1e5f91368c0839298992247cf7d2e8feca5feab8ecea4

memory/3904-10-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe

MD5 9a76c8036cb6587af961e847403610a8
SHA1 cbd99501ab11df43371f75b6406f637d04c2b869
SHA256 83f22a876f1736a2a51f236e9d7e948477f0ab8bfe18ac305c55a1a452476fd7
SHA512 ea7c7bff73177f1248af5d9f1c97f61231221741c483a2c7900b918a1c0e4abdf6f73ce4b5f2448812bf11dea263e3e963002783cafd7d45089ada2658b9baa0

memory/2212-18-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3904-20-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2372-21-0x0000000000400000-0x0000000000429000-memory.dmp