Malware Analysis Report

2025-06-16 07:16

Sample ID 240531-2b2jpsge36
Target 823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe
SHA256 3dd195376379b17b924ac8393072772a017c0c16521717e9057aeaf1dc55ca14
Tags
persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

3dd195376379b17b924ac8393072772a017c0c16521717e9057aeaf1dc55ca14

Threat Level: Shows suspicious behavior

The file 823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe was found to show suspicious behavior.

Malicious Activity Summary

persistence

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-31 22:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 22:25

Reported

2024-05-31 22:27

Platform

win7-20240215-en

Max time kernel

20s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\WINDOWS\MSWDM.EXE N/A
N/A N/A C:\WINDOWS\MSWDM.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\823315A7EC0C3CE4F9EBF6B173685E60_NEIKIANALYTICS.EXE N/A
N/A N/A N/A N/A
N/A N/A C:\WINDOWS\MSWDM.EXE N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\WINDOWS\MSWDM.EXE N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" C:\Users\Admin\AppData\Local\Temp\823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" C:\Users\Admin\AppData\Local\Temp\823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" C:\WINDOWS\MSWDM.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" C:\WINDOWS\MSWDM.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\WINDOWS\MSWDM.EXE C:\Users\Admin\AppData\Local\Temp\823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\devB37.tmp C:\Users\Admin\AppData\Local\Temp\823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\WINDOWS\MSWDM.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2228 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe C:\WINDOWS\MSWDM.EXE
PID 2228 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe C:\WINDOWS\MSWDM.EXE
PID 2228 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe C:\WINDOWS\MSWDM.EXE
PID 2228 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe C:\WINDOWS\MSWDM.EXE
PID 2228 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe C:\WINDOWS\MSWDM.EXE
PID 2228 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe C:\WINDOWS\MSWDM.EXE
PID 2228 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe C:\WINDOWS\MSWDM.EXE
PID 2228 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe C:\WINDOWS\MSWDM.EXE
PID 1900 wrote to memory of 2608 N/A C:\WINDOWS\MSWDM.EXE C:\Users\Admin\AppData\Local\Temp\823315A7EC0C3CE4F9EBF6B173685E60_NEIKIANALYTICS.EXE
PID 1900 wrote to memory of 2608 N/A C:\WINDOWS\MSWDM.EXE C:\Users\Admin\AppData\Local\Temp\823315A7EC0C3CE4F9EBF6B173685E60_NEIKIANALYTICS.EXE
PID 1900 wrote to memory of 2608 N/A C:\WINDOWS\MSWDM.EXE C:\Users\Admin\AppData\Local\Temp\823315A7EC0C3CE4F9EBF6B173685E60_NEIKIANALYTICS.EXE
PID 1900 wrote to memory of 2608 N/A C:\WINDOWS\MSWDM.EXE C:\Users\Admin\AppData\Local\Temp\823315A7EC0C3CE4F9EBF6B173685E60_NEIKIANALYTICS.EXE
PID 1900 wrote to memory of 2732 N/A C:\WINDOWS\MSWDM.EXE C:\WINDOWS\MSWDM.EXE
PID 1900 wrote to memory of 2732 N/A C:\WINDOWS\MSWDM.EXE C:\WINDOWS\MSWDM.EXE
PID 1900 wrote to memory of 2732 N/A C:\WINDOWS\MSWDM.EXE C:\WINDOWS\MSWDM.EXE
PID 1900 wrote to memory of 2732 N/A C:\WINDOWS\MSWDM.EXE C:\WINDOWS\MSWDM.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe"

C:\WINDOWS\MSWDM.EXE

"C:\WINDOWS\MSWDM.EXE"

C:\WINDOWS\MSWDM.EXE

-r!C:\Windows\devB37.tmp!C:\Users\Admin\AppData\Local\Temp\823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe! !

C:\Users\Admin\AppData\Local\Temp\823315A7EC0C3CE4F9EBF6B173685E60_NEIKIANALYTICS.EXE

C:\WINDOWS\MSWDM.EXE

-e!C:\Windows\devB37.tmp!C:\Users\Admin\AppData\Local\Temp\823315A7EC0C3CE4F9EBF6B173685E60_NEIKIANALYTICS.EXE!

Network

Country Destination Domain Proto
N/A 10.127.255.255:78 udp
N/A 10.255.255.255:78 udp
N/A 10.127.0.255:78 udp

Files

memory/2228-0-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Windows\MSWDM.EXE

MD5 8f2d28e86da4e46fc37522f9015ebdbc
SHA1 8523897a7511249a248565fdbee289196f7b2866
SHA256 b9bcc3b92f2d29bdf6bbd7a1caf5ef4b1ad668f264f6d5019f9f05fad25ae240
SHA512 bb04eb0e480fbe02fde3cf17defb774c9d9b5bcaf23bed81fcdb1ddfe4f9bcce7d77093965fe1752e696632a2c0fde8fb7d9ad0e63271ee1e7beb1cf4ff510a8

memory/2228-12-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Windows\devB37.tmp

MD5 619f7135621b50fd1900ff24aade1524
SHA1 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA512 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

memory/1900-15-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2732-27-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1900-30-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2720-31-0x0000000000400000-0x000000000041B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-31 22:25

Reported

2024-05-31 22:27

Platform

win10v2004-20240508-en

Max time kernel

22s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\WINDOWS\MSWDM.EXE N/A
N/A N/A C:\WINDOWS\MSWDM.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\823315A7EC0C3CE4F9EBF6B173685E60_NEIKIANALYTICS.EXE N/A
N/A N/A C:\WINDOWS\MSWDM.EXE N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" C:\Users\Admin\AppData\Local\Temp\823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" C:\Users\Admin\AppData\Local\Temp\823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" C:\WINDOWS\MSWDM.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" C:\WINDOWS\MSWDM.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\WINDOWS\MSWDM.EXE C:\Users\Admin\AppData\Local\Temp\823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\dev4611.tmp C:\Users\Admin\AppData\Local\Temp\823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\dev4611.tmp C:\WINDOWS\MSWDM.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\WINDOWS\MSWDM.EXE N/A
N/A N/A C:\WINDOWS\MSWDM.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe"

C:\WINDOWS\MSWDM.EXE

"C:\WINDOWS\MSWDM.EXE"

C:\WINDOWS\MSWDM.EXE

-r!C:\Windows\dev4611.tmp!C:\Users\Admin\AppData\Local\Temp\823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe! !

C:\Users\Admin\AppData\Local\Temp\823315A7EC0C3CE4F9EBF6B173685E60_NEIKIANALYTICS.EXE

C:\WINDOWS\MSWDM.EXE

-e!C:\Windows\dev4611.tmp!C:\Users\Admin\AppData\Local\Temp\823315A7EC0C3CE4F9EBF6B173685E60_NEIKIANALYTICS.EXE!

Network

Country Destination Domain Proto
N/A 10.127.255.255:78 udp
N/A 10.255.255.255:78 udp
N/A 10.127.0.255:78 udp
US 8.8.8.8:53 255.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 255.255.255.10.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp

Files

memory/4116-0-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Windows\MSWDM.EXE

MD5 8f2d28e86da4e46fc37522f9015ebdbc
SHA1 8523897a7511249a248565fdbee289196f7b2866
SHA256 b9bcc3b92f2d29bdf6bbd7a1caf5ef4b1ad668f264f6d5019f9f05fad25ae240
SHA512 bb04eb0e480fbe02fde3cf17defb774c9d9b5bcaf23bed81fcdb1ddfe4f9bcce7d77093965fe1752e696632a2c0fde8fb7d9ad0e63271ee1e7beb1cf4ff510a8

C:\Windows\dev4611.tmp

MD5 619f7135621b50fd1900ff24aade1524
SHA1 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA512 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

memory/1656-10-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4116-9-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\823315A7EC0C3CE4F9EBF6B173685E60_NEIKIANALYTICS.EXE

MD5 150632f6084943205bd9f1e3edb2bf4d
SHA1 2531999c6b5e0f86492df09d1ac9deae2adcabfc
SHA256 ce266578e530304e3379580bcfb790cf39bc6ac6ef634986a335b9deb250da17
SHA512 59109755577d830253aee19cd74f93d386a1ae22e5ee8de21844f3eb31d3cd3f3672adcfb88cacee574ac798733908504c62f0b8341350281afae80a07d2d55c

memory/2208-20-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3480-23-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1656-24-0x0000000000400000-0x000000000041B000-memory.dmp