Malware Analysis Report

2025-03-14 23:48

Sample ID: 240603-f9w6zsdc8y
Target: 9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe
SHA256: caf086f6227ed51b8e0d2e378c3d30a846af378771181913390a980ba6ae9dc3
Tags: persistence
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 7/10

SHA256: caf086f6227ed51b8e0d2e378c3d30a846af378771181913390a980ba6ae9dc3

Threat Level: Shows suspicious behavior

The file 9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe was classified as: Shows suspicious behavior.

Malicious Activity Summary

persistence

Modifies system executable filetype association

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 05:34

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 05:34

Reported

2024-06-03 05:37

Platform

win7-20240215-en

Max time kernel

149s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Modifies system executable filetype association

Tag: persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
File created | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
File created | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1717392900" | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1717392900" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Windows\system\rundll32.exe | N/A
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.zigui.org | udp
HK | 103.251.237.123:80 | www.zigui.org | tcp

Files

memory/1844-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 1de1b08eb50e8ea6d15e35686ff9a730
SHA1 07d2c5a4bcf938b115e9a6a81575c79315fb7948
SHA256 7235ca38a864ced82cb9f621db511ac85f20ea65971fd797b0429d19f03c03d9
SHA512 e1a33fe6f8618ee0b11931553595fc76f9e57fa1364ebb302ac128dc1de7b97d57fe023ed6cd1c076791993d47797c305d6e3768b28b9536002a1ed0a637015b

\Windows\system\rundll32.exe

MD5 12e7b3ae2d53492e62af09beb1fb7e3c
SHA1 959873b17efc1cef25607e922d4fe9dc80d1752d
SHA256 1e17c97b3b15a24e14429ffd4717d1409a5c5e0eaf131d92ddade0ecfdbe03f9
SHA512 6568129e5b1d8f6250cadd59e5844acad9fe072e3f3b72a87edad3904788b40f1b5a232c9e7f762972f108b7f3b4713b4642ed8f470d4af16758c676523fcb81

memory/1844-12-0x00000000003E0000-0x00000000003F6000-memory.dmp

memory/2536-20-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/1844-19-0x00000000003E0000-0x00000000003F6000-memory.dmp

memory/1844-21-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/1844-22-0x00000000003E0000-0x00000000003E2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 05:34

Reported

2024-06-03 05:37

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Modifies system executable filetype association

Tag: persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
File created | C:\Windows\SysWOW64\¢«.exe | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\SysWOW64\notepad¢¬.exe | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
File created | C:\Windows\system\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1717392901" | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command | C:\Windows\system\rundll32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\MSipv | C:\Windows\system\rundll32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1717392901" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" | C:\Windows\system\rundll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command | C:\Windows\system\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Windows\system\rundll32.exe | N/A
N/A | N/A | C:\Windows\system\rundll32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9d4b46a2cd2214b20896bd6d87b95ac0_NeikiAnalytics.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | www.zigui.org | udp
HK | 103.251.237.123:80 | www.zigui.org | tcp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 195.201.50.20.in-addr.arpa | udp

Files

memory/5032-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 2e6cd90877286a5e9cf8e840494196fd
SHA1 62fec7145be81d384a831b8e071c26beb5e40ae0
SHA256 2db32db8b487e469faf1c8cac9bc920924c8f9fcf71bb5f60115011e834580d8
SHA512 759fb6f6367a2043a9f5f794b352737881e6cb16d59639db3acc011d4d15fc54b330cce678aba8af73786abb1a499337194a6699a760a71feb577e8f9ad7daf8

C:\Windows\System\rundll32.exe

MD5 8e536ff037c10c4ddadee4dce2531e60
SHA1 569817f3f9e19662bf732b944069fd80d0c632f9
SHA256 384ca07e1ffcdf5bd92924442f325c596767aa028793a34ebebc2275a2865c3d
SHA512 8832fab3646a0b4e5633f03c3604121b59dff9c5711f0a43da020a588fbeef58e33a59fe5e02c8652d4764042b53bac97e784bdddf884af9a973d6805afe7168

memory/3640-12-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/5032-14-0x0000000000400000-0x0000000000415A00-memory.dmp