Malware Analysis Report

2025-08-10 21:24

Sample ID 240530-brgalaac58
Target 5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe
SHA256 be85695b3b872d21ed9f3964b33263e9c53638fab301614aac13cde64b7510ab
Tags
score
7/10

Analysis Overview

score
7/10

SHA256

be85695b3b872d21ed9f3964b33263e9c53638fab301614aac13cde64b7510ab

Threat Level: Shows suspicious behavior

The file 5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe was found to show suspicious behavior.

Malicious Activity Summary

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Deletes itself

Uses the VBS compiler for execution

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-30 01:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 01:22

Reported

2024-05-30 01:25

Platform

win7-20240508-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp1A45.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp1A45.tmp.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2972 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2972 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2972 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2972 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1744 wrote to memory of 2400 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1744 wrote to memory of 2400 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1744 wrote to memory of 2400 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1744 wrote to memory of 2400 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2972 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\tmp1A45.tmp.exe
PID 2972 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\tmp1A45.tmp.exe
PID 2972 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\tmp1A45.tmp.exe
PID 2972 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\tmp1A45.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sqsi2jmq\sqsi2jmq.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1C09.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1B6EA7FC1D47410197F8E8AFD2931E2C.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp1A45.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp1A45.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe

Network

N/A

Files

memory/2972-0-0x000000007443E000-0x000000007443F000-memory.dmp

memory/2972-1-0x00000000011C0000-0x00000000011CA000-memory.dmp

memory/2972-7-0x0000000074430000-0x0000000074B1E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sqsi2jmq\sqsi2jmq.cmdline

MD5 6784ab54b573c8a6a287b21cddbb58db
SHA1 4bc6715a0ab4fe2ab0e028c387f1787a83f98259
SHA256 37e678787a0c5bf30667f700f3af4b0e4ce319da09503130aa4f13e57f6ffda5
SHA512 631fbcfa1e89581d3c38c11db8dde30e4fe8014c4db9908ed5435b9c5afd261f2521dc048dec11c7e5b6f552d486a52e01cef10c1b9872ceef3664758ccda611

C:\Users\Admin\AppData\Local\Temp\sqsi2jmq\sqsi2jmq.0.vb

MD5 8bdf955aa9328da5f8ee11272e7887eb
SHA1 71b8d962763de28244f72d83ceb576405a2fc4c1
SHA256 c73568bce98bdf7c0076bd05f7e0d09497d482d3260ea862b49d2d29904d5971
SHA512 18aa11eff803e8df84ee08aeba70524d084e07f1276beee96125c20fe3e2127c8cfb5336e6f9ddb04426c39c0d72a984e7d377a32465828a0d9ee3eaa0e16d22

C:\Users\Admin\AppData\Local\Temp\RE.resources

MD5 a97063714b84737fc77f6fce4ad4d3f7
SHA1 583584fdc0f722e9fcc26fed46ba75bb0fea1a74
SHA256 34df7c97d889d94d665cff8f1c4cae29aa3f2b9c19aca980a6aa06ce8fe5e182
SHA512 00581e4726f11a14f3a403060de2572cc3a75b03dd62d1a249d104b918368300026fb42b0d2c4b217c2199209002d14ba58fa493973876bb21ee9a1eb4a6084e

C:\Users\Admin\AppData\Local\Temp\vbc1B6EA7FC1D47410197F8E8AFD2931E2C.TMP

MD5 7ba54c5eba3d935f8450c1dbcc67d434
SHA1 d41945b18d307c6b8622208eabc6ccad776ab13c
SHA256 d59712bbe4150495cc10c34a850994f4cecbd174f06a274acf8ffbbc4bf3789b
SHA512 1c11002105db08dc648db6f2b590aee753b48a8b4add3212e8d22a7f75f790d44f51f0f8a56799538e95ab5e82166f41213af5f443e1b384d221d23caa66dbc8

C:\Users\Admin\AppData\Local\Temp\RES1C09.tmp

MD5 b909d94d7a92f03b08de5e4e5ca9e593
SHA1 4d7bb4d28b47712a42bb30bedb89858d2ca46100
SHA256 23e4a9552a389d540e1f35a8a136ad8f399cadc6211c92b138dcb9d3fc8bfa70
SHA512 8ae4d96f55e2bd0f160898d2c66a2a34ebefe3f166c0947ed7719ae34732afbf046144a2b380d4a32d22ac3cc760751a800b55b246aebe6f1fde5795ea923aa8

C:\Users\Admin\AppData\Local\Temp\tmp1A45.tmp.exe

MD5 ef2d269c32fd1dd7d354f38fb00e9209
SHA1 d3e74b775d96a263ef4a10eb93cc3134e5b73a9b
SHA256 58ea275814f34df73dbb50d00acfa4d70d7979e7207ce8dbfb678846138363be
SHA512 42736feb85bd35c14910a065043bc57400a1a727fd823c0bb8d920a0a0395ae06c1e574d378b2b87ab5c19e197731cc41ffd5b079962d96ad1b98d4887fa53bd

memory/2732-23-0x0000000001270000-0x000000000127A000-memory.dmp

memory/2972-24-0x0000000074430000-0x0000000074B1E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-30 01:22

Reported

2024-05-30 01:25

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp373D.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp373D.tmp.exe N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3832 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3832 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3832 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4984 wrote to memory of 3372 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4984 wrote to memory of 3372 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4984 wrote to memory of 3372 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3832 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\tmp373D.tmp.exe
PID 3832 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\tmp373D.tmp.exe
PID 3832 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\tmp373D.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\df5xu4mq\df5xu4mq.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3894.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA6E5B6E5CFDE4D04829B178BC9209964.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp373D.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp373D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5e7d3090a4a4d29a3489992fdeba41b0_NeikiAnalytics.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/3832-0-0x0000000074E1E000-0x0000000074E1F000-memory.dmp

memory/3832-1-0x0000000000270000-0x000000000027A000-memory.dmp

memory/3832-2-0x0000000004C80000-0x0000000004D1C000-memory.dmp

memory/3832-8-0x0000000074E10000-0x00000000755C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\df5xu4mq\df5xu4mq.cmdline

MD5 6746de9010cff33a3b6471bc5196eac5
SHA1 cf56cfa7e7daf2db4b044ee4bd38ab55aeefa12b
SHA256 37c84438a5f578ca0dfd24ec8e31bc3c3d6a2eb4bd31adc90be9b695ef439a13
SHA512 1074e73e83a9e6d98bf5b07d40ae7ebf427654aa98988c4c490d8f86140dacce28b066e776453deb60c70580db239a681cfaf48012537d1ff25c0042bf31c410

C:\Users\Admin\AppData\Local\Temp\df5xu4mq\df5xu4mq.0.vb

MD5 27078adc3da0872741177fc825e6c4e2
SHA1 cc13e2ec1e440b360a1855768e601a71ae7a06d7
SHA256 7002e5e1555d2b3bcca3acbdc976ff445a757699e0d44c2d0f5efb5a9794cf1f
SHA512 7311e926c41ec6c69c3bd13d062b8f5bb8e63052cee9226ba13ffec6cce45928dd3fc6f31fd890b87b63149dae4b731722bcf0f973332ea858a623a9aa1700ba

C:\Users\Admin\AppData\Local\Temp\RES3894.tmp

MD5 ce8e2b166f03e1bc3547d6a509fb63f5
SHA1 65990d470f23113d2f39b5fa3dd9c2251666cea6
SHA256 4ee4dd944580900218002950184bdcce5a85fe7b7f409676358709eb78f24672
SHA512 9cf5497b03d934fb068f1ffffd624272de0f62fd36552cbc2a5ee69513402a05b1eb1176891076d7362a7fbcc7f969e4eac26e8b89008b62460029a1c4b7b225

C:\Users\Admin\AppData\Local\Temp\vbcA6E5B6E5CFDE4D04829B178BC9209964.TMP

MD5 cf2f28692faddd7765bb3ac3a27e6e4a
SHA1 b41200f76053f6b7a7874bfb90708177505a811c
SHA256 71f07e565c00ace2f1354e1eef1eba0dce4900f7e2f13a169d0cbf1b7af3878c
SHA512 880e55a63a6ffc73a8f701a51ccbcf99880d13192a0878e4df1635798df587a3b786afe56b69fa8bb73decbd5d96b67be33dd720dc07022ef12f0e53d6758c60

C:\Users\Admin\AppData\Local\Temp\RE.resources

MD5 279dfe372bf97b0f16f26c01b38df0ae
SHA1 3dcb28c0373847b008e52daadbf4fb595605aa32
SHA256 51753483b41ad909290855b0c693da6b5182a46371ba71c757e03b3719254e97
SHA512 08359c1af8e54944a15d225003195b1587211c930bfedcfb080aa4e96fb7f0f4752c21432ae6c37826c68fa67cfeb9d5a47a0627c364d1134ac7b39985d65a90

C:\Users\Admin\AppData\Local\Temp\tmp373D.tmp.exe

MD5 436273e53633901c67c2e8baf90a35e7
SHA1 063c3693ca0c39b6d850910c7388b8903de8f232
SHA256 2e5ce3eff5640e5d13abcccae896f819585b134dcbebecf3928e833fa4076adf
SHA512 349e2ed0eac2a6d262ff752ef4dce606b6dc7b09cfa722020c9fa59772d36025c4c6b05315f7abce91a5ae00ed6a927b5269793291d4ccba8e3861d653a26a28

memory/3832-24-0x0000000074E10000-0x00000000755C0000-memory.dmp

memory/964-25-0x0000000074E10000-0x00000000755C0000-memory.dmp

memory/964-26-0x0000000000650000-0x000000000065A000-memory.dmp

memory/964-27-0x0000000005530000-0x0000000005AD4000-memory.dmp

memory/964-28-0x0000000005020000-0x00000000050B2000-memory.dmp

memory/964-30-0x0000000074E10000-0x00000000755C0000-memory.dmp