Malware Analysis Report

2025-08-05 15:53

Sample ID 240529-kac2aagd9t
Target 4cba71691b8bc14345aa4dc0baced850_NeikiAnalytics.exe
SHA256 1614d4f29b90108fb81d661dbc8a23054e05916be3f1f10fb2cc92c28b8fa540
Tags
Score 7/10


Analysis Overview

Score 7/10

SHA256

1614d4f29b90108fb81d661dbc8a23054e05916be3f1f10fb2cc92c28b8fa540

Threat Level: Shows suspicious behavior

The file 4cba71691b8bc14345aa4dc0baced850_NeikiAnalytics.exe was found to show suspicious behavior.

Malicious Activity Summary

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Deletes itself

Uses the VBS compiler for execution

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-29 08:23

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-29 08:23

Reported

2024-05-29 08:26

Platform

win7-20240221-en

Max time kernel

117s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4cba71691b8bc14345aa4dc0baced850_NeikiAnalytics.exe"

Signatures

Deletes itself

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\tmp6EDA.tmp.exe
Target: N/A

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\tmp6EDA.tmp.exe
Target: N/A

Loads dropped DLL

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\4cba71691b8bc14345aa4dc0baced850_NeikiAnalytics.exe
Target: N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\4cba71691b8bc14345aa4dc0baced850_NeikiAnalytics.exe
Target: N/A

Suspicious use of WriteProcessMemory

Description: PID 3012 wrote to memory of 2992 (4 events)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\4cba71691b8bc14345aa4dc0baced850_NeikiAnalytics.exe
Target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Description: PID 2992 wrote to memory of 2684 (4 events)
Indicator: N/A
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Description: PID 3012 wrote to memory of 2412 (4 events)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\4cba71691b8bc14345aa4dc0baced850_NeikiAnalytics.exe
Target: C:\Users\Admin\AppData\Local\Temp\tmp6EDA.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4cba71691b8bc14345aa4dc0baced850_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\4cba71691b8bc14345aa4dc0baced850_NeikiAnalytics.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3s201bfx\3s201bfx.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES73AA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA1CA6AC478EC4A759128C269FC754843.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp6EDA.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp6EDA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4cba71691b8bc14345aa4dc0baced850_NeikiAnalytics.exe

Network

N/A

Files

memory/3012-0-0x0000000074C0E000-0x0000000074C0F000-memory.dmp

memory/3012-1-0x0000000000A40000-0x0000000000A4A000-memory.dmp

memory/3012-7-0x0000000074C00000-0x00000000752EE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3s201bfx\3s201bfx.cmdline

MD5 e0f883f60d4ea1f1a1d7188b10c6992b
SHA1 c944065a79ab2afa75860309c4e7fa361f68035d
SHA256 f35a61e45c1e8c4046058c027f11812fa4f5744662130a37d12e00f6475b95fe
SHA512 d4d0f1939da80fa60093c8e321a7a2fad7eb3ce32b963a5a7f17a3585d29dd51829b42d18caeb5de76667caa90eec54e33646244473c7b76a61b576351ee93cb

C:\Users\Admin\AppData\Local\Temp\3s201bfx\3s201bfx.0.vb

MD5 f5414a370d81bcc0889ec51b40e2a17d
SHA1 1a385d595e6e2145ad87f287e0432669f164e195
SHA256 212bfd7c0c709f459c74da37beef90503743ef310763da611cd91e463ba90144
SHA512 e6d4ec54e87a2361afb87fe5be1bc864bc6cddf827e6e3e009f93b21aa0c067cd2bfb4884572311d673f6be6867b84303f2eeecd69b34b23d51f4ec247d991a2

C:\Users\Admin\AppData\Local\Temp\RE.resources

MD5 fe7f8b2ad94f2dd05a2c947427a74ba9
SHA1 b19e8a90a803138b0b2c69b58ec3a24204ca1161
SHA256 8c4add7b83002205eca576055025b3b9644dc00d7003d5fd3402eacdaebcd758
SHA512 e56cb122cb2ffb065a505d74e181d866e1ea5586bf83455baa00fb0340c7d6be5d47abbd74eb6182ffb0e17b306ffcaf0c75d40268c7badf83e3e6c838fc0dc7

C:\Users\Admin\AppData\Local\Temp\vbcA1CA6AC478EC4A759128C269FC754843.TMP

MD5 d7fac24256c6bd5ddfb8744cc2dee209
SHA1 ecbc0aedffdf343d0730d11bd5825b253dee922b
SHA256 bcc0cd64ac303961da5a9608f45fbb4831e2c1065e2d81c2e699b32893a1cd27
SHA512 05215b4b4a254f3d2b819c511d2ef87ef97314ada724afcbd4a5ef72178ba0b3d3240fafa33a849b426343dc044568919df34589cfe0401da0db374b14e1e3ce

C:\Users\Admin\AppData\Local\Temp\RES73AA.tmp

MD5 366186ad91ed5426fb7cc0320a7f83c4
SHA1 81b58baf6cca46c0d6c83a1ff412c74e76ff4f20
SHA256 62f484784a41ad4f88fcc98c3014a9d56b5a3be456428eac70df0187882e279e
SHA512 7be53a6f2f5851c61066a1431237e6464e67c7e846a97b824fde5e2e3423c0065f33a99fdab9b9306bd9a570fd671a714fc3a4fa609c05f493f921ba5ad7f2b3

C:\Users\Admin\AppData\Local\Temp\tmp6EDA.tmp.exe

MD5 15e5bfe7442711f0347f912933fe88fa
SHA1 d8b02268418418b92113918e664ef6e5f0ce781f
SHA256 d6396b9a0f8a0e956609975d977e42283ea2f1cd69fda7bf581747aa9b846972
SHA512 7db44f3445f017b3ad10ab6f518cab42d70f2cec16cdc744bc1bc912c5a095f0da2ca838c1b66b383a8d1ea6a1f58213c7bfb7e8e3520250ed0654a8f006b4a6

memory/3012-24-0x0000000074C00000-0x00000000752EE000-memory.dmp

memory/2412-23-0x00000000009B0000-0x00000000009BA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-29 08:23

Reported

2024-05-29 08:26

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4cba71691b8bc14345aa4dc0baced850_NeikiAnalytics.exe"

Signatures

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\4cba71691b8bc14345aa4dc0baced850_NeikiAnalytics.exe
Target: N/A

Deletes itself

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\tmp9192.tmp.exe
Target: N/A

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\tmp9192.tmp.exe
Target: N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\4cba71691b8bc14345aa4dc0baced850_NeikiAnalytics.exe
Target: N/A

Suspicious use of WriteProcessMemory

Description: PID 60 wrote to memory of 3032 (3 events)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\4cba71691b8bc14345aa4dc0baced850_NeikiAnalytics.exe
Target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Description: PID 3032 wrote to memory of 4976 (3 events)
Indicator: N/A
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Description: PID 60 wrote to memory of 876 (3 events)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\4cba71691b8bc14345aa4dc0baced850_NeikiAnalytics.exe
Target: C:\Users\Admin\AppData\Local\Temp\tmp9192.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4cba71691b8bc14345aa4dc0baced850_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\4cba71691b8bc14345aa4dc0baced850_NeikiAnalytics.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y0uz5btg\y0uz5btg.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES93E3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc40C896F462E541AF88CF5CAAC13F31D1.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp9192.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp9192.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4cba71691b8bc14345aa4dc0baced850_NeikiAnalytics.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.91:443 www.bing.com tcp
US 8.8.8.8:53 91.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp

Files

memory/60-0-0x000000007481E000-0x000000007481F000-memory.dmp

memory/60-1-0x0000000000A50000-0x0000000000A5A000-memory.dmp

memory/60-2-0x0000000005430000-0x00000000054CC000-memory.dmp

memory/60-8-0x0000000074810000-0x0000000074FC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\y0uz5btg\y0uz5btg.cmdline

MD5 da580bc98c0c556618567d5c3246c564
SHA1 01b5834c60034497f215d0568a980f1d2ba06c9d
SHA256 17665eb9b47e04076f5d802ae7ff604aadcb4f6d83d20257d3674cce8390eba4
SHA512 5ff66e3b21933eabb85e7e14ce908cd2b0774a63db1a8e1f5609051fca9140302753cbb9274aa6e6e3bf76b9a7c8e60648aca41527635ad9867650d860aca8ba

C:\Users\Admin\AppData\Local\Temp\y0uz5btg\y0uz5btg.0.vb

MD5 0a0272f463e1edfa08a6cb20c2868c57
SHA1 0b6a78e086f65d05a59f203ffeae49b1f04eb870
SHA256 51b73e371321c2f70a871b54dd2e97be76cd7005427d9331cd9b43165c55a34f
SHA512 8520d68cdc5b54c913d45eb50a9d646837c435bdb4266b171f5b0bdc9a6da200d96522a01360532026cd00f8070b7d06d21a214d21ed698de73e27e6b4234ea4

C:\Users\Admin\AppData\Local\Temp\RE.resources

MD5 507b7a3423d21c48cf075fe17e385256
SHA1 2fd8e4f388b1f2afe559e9bbb080e52abd946ac5
SHA256 efeccdd0122c3fc4cda7874a20c78e70135f35c476e3531ef746b01a7e722935
SHA512 23cf74478e267d2f975f6586468dc1492e10b51190ad80cb5fe7d7ee0836d77ed3f3a0b363fcd6679f3c829defd6bb6ced0fabbabd9145d55ff9b669efce85fe

C:\Users\Admin\AppData\Local\Temp\vbc40C896F462E541AF88CF5CAAC13F31D1.TMP

MD5 1ad4d5540a1e5a64c58750df3e54aae8
SHA1 f0c3c45ce926c78b323f09b57cf6cacb41d3ea4d
SHA256 5d7d6ed50d2b73b8a554f887ab3985321f054dff7c8aecd147a9115baea8d098
SHA512 2b4477d537a9693937ecf78fe7e5aca41a541033ee87980bc0ae1c11b763fc04b3737d4546e81484994122e73d3c23964891ba915047249fc9a9670fd9840b36

C:\Users\Admin\AppData\Local\Temp\RES93E3.tmp

MD5 fa90ef308f770c5de6b4dc21286b2b42
SHA1 7f948fad6a74ba7e56e400ba7b8fc3d7f1e989a2
SHA256 f4afc189b6386b93645587fc29d868dcf046cc10caca6a31b88daff22348c1f0
SHA512 1af6ba24782cc42b004ddee99c82dbe9ab3d32ea24ed4ac4051d8bbb2e859e2339625065616d0e6734e4753c1415c7c6fa81e2344d0b95dda2a7733868299eed

C:\Users\Admin\AppData\Local\Temp\tmp9192.tmp.exe

MD5 04fce4dbc4f5dbbcdcb6b48a4dbb9e35
SHA1 8cdd58e2c29f96b9392928a9f6cdd36132deee67
SHA256 41145d035da0fee193d74d5920fead57bb4af13f4c24c2f27dce8086684f8ed7
SHA512 77a06855ef9418cd2dd1c51ed151a6891c8d3849d1331ca2c3f08e08915314fc39f5e37ee9090c5101e4172a7a11830fe5a78f139a28a509a319cc179adaac38

memory/60-24-0x0000000074810000-0x0000000074FC0000-memory.dmp

memory/876-25-0x0000000074810000-0x0000000074FC0000-memory.dmp

memory/876-26-0x0000000000FE0000-0x0000000000FEA000-memory.dmp

memory/876-27-0x0000000005EF0000-0x0000000006494000-memory.dmp

memory/876-28-0x00000000059E0000-0x0000000005A72000-memory.dmp

memory/876-30-0x0000000074810000-0x0000000074FC0000-memory.dmp