Malware Analysis Report

2025-03-14 23:48

Sample ID: 240603-ftfjasce8w
Target: 9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe
SHA256: fa8afbb7ed8b62521d89341a6dc3001bad19811297da7f77ca7fc7f0703c2d05
Tags: persistence
Score: 7/10


Analysis Overview

Score: 7/10

SHA256: fa8afbb7ed8b62521d89341a6dc3001bad19811297da7f77ca7fc7f0703c2d05

Threat Level: Shows suspicious behavior

The file 9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe was classified as: Shows suspicious behavior.

Malicious Activity Summary

persistence

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-03 05:09

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-03 05:09
Reported: 2024-06-03 05:12
Platform: win7-20231129-en
Max time kernel: 19s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A
N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9C9BE88B4B2AE8EA58001B80B5E24610_NEIKIANALYTICS.EXE | N/A
N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

Tag: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | C:\Users\Admin\AppData\Local\Temp\9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | C:\Users\Admin\AppData\Local\Temp\9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | C:\WINDOWS\MSWDM.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | C:\WINDOWS\MSWDM.EXE | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\WINDOWS\MSWDM.EXE | C:\Users\Admin\AppData\Local\Temp\9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\dev18DE.tmp | C:\Users\Admin\AppData\Local\Temp\9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2212 wrote to memory of 2192 (4 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe | C:\WINDOWS\MSWDM.EXE
PID 2212 wrote to memory of 2520 (4 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe | C:\WINDOWS\MSWDM.EXE
PID 2520 wrote to memory of 3024 (4 identical events) | N/A | C:\WINDOWS\MSWDM.EXE | C:\Users\Admin\AppData\Local\Temp\9C9BE88B4B2AE8EA58001B80B5E24610_NEIKIANALYTICS.EXE
PID 2520 wrote to memory of 376 (4 identical events) | N/A | C:\WINDOWS\MSWDM.EXE | C:\WINDOWS\MSWDM.EXE

Processes

Process: C:\Users\Admin\AppData\Local\Temp\9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe"

Process: C:\WINDOWS\MSWDM.EXE
Command line: "C:\WINDOWS\MSWDM.EXE"

Process: C:\WINDOWS\MSWDM.EXE
Command line: -r!C:\Windows\dev18DE.tmp!C:\Users\Admin\AppData\Local\Temp\9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe! !

Process: C:\Users\Admin\AppData\Local\Temp\9C9BE88B4B2AE8EA58001B80B5E24610_NEIKIANALYTICS.EXE
Command line: (not recorded)

Process: C:\WINDOWS\MSWDM.EXE
Command line: -e!C:\Windows\dev18DE.tmp!C:\Users\Admin\AppData\Local\Temp\9C9BE88B4B2AE8EA58001B80B5E24610_NEIKIANALYTICS.EXE!

Network

Country | Destination | Domain | Proto
N/A | 10.127.255.255:78 | (none) | udp
N/A | 10.255.255.255:78 | (none) | udp
N/A | 10.127.0.255:78 | (none) | udp

Files

memory/2212-0-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2212-12-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Windows\MSWDM.EXE

MD5 c06d2bf4e02efc8301ffdee923381cfd
SHA1 5ceea66714bd6040a2a57baa7e9eccd2b64e994a
SHA256 3e7a32d9723e43ce05931b8b79f4fb8ec5eee0eafed7d4d7a635e9d5d4da5e87
SHA512 0f1eb53c4bf4246614141adcf351bec9778373e4f6cf9700dc5ad00cd29b767ee1c0eb8d81b174890ddbcea39155895b6cb99681c3d20573faebd315628f3cf6

C:\Users\Admin\AppData\Local\Temp\9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe

MD5 619f7135621b50fd1900ff24aade1524
SHA1 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA512 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

memory/2192-21-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2520-20-0x0000000000400000-0x000000000041B000-memory.dmp

memory/376-27-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2520-30-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2520-24-0x00000000002F0000-0x000000000030B000-memory.dmp

memory/2192-31-0x0000000000400000-0x000000000041B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-03 05:09
Reported: 2024-06-03 05:12
Platform: win10v2004-20240508-en
Max time kernel: 23s
Max time network: 130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A
N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9C9BE88B4B2AE8EA58001B80B5E24610_NEIKIANALYTICS.EXE | N/A
N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A

Adds Run key to start application

Tag: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | C:\Users\Admin\AppData\Local\Temp\9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | C:\Users\Admin\AppData\Local\Temp\9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | C:\WINDOWS\MSWDM.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | C:\WINDOWS\MSWDM.EXE | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\devECA2.tmp | C:\Users\Admin\AppData\Local\Temp\9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\devECA2.tmp | C:\WINDOWS\MSWDM.EXE | N/A
File created | C:\WINDOWS\MSWDM.EXE | C:\Users\Admin\AppData\Local\Temp\9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A
N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A

Processes

Process: C:\Users\Admin\AppData\Local\Temp\9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe"

Process: C:\WINDOWS\MSWDM.EXE
Command line: "C:\WINDOWS\MSWDM.EXE"

Process: C:\WINDOWS\MSWDM.EXE
Command line: -r!C:\Windows\devECA2.tmp!C:\Users\Admin\AppData\Local\Temp\9c9be88b4b2ae8ea58001b80b5e24610_NeikiAnalytics.exe! !

Process: C:\Users\Admin\AppData\Local\Temp\9C9BE88B4B2AE8EA58001B80B5E24610_NEIKIANALYTICS.EXE
Command line: (not recorded)

Process: C:\WINDOWS\MSWDM.EXE
Command line: -e!C:\Windows\devECA2.tmp!C:\Users\Admin\AppData\Local\Temp\9C9BE88B4B2AE8EA58001B80B5E24610_NEIKIANALYTICS.EXE!

Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3760,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=4032 /prefetch:8

Network

Country | Destination | Domain | Proto
N/A | 10.127.255.255:78 | (none) | udp
N/A | 10.255.255.255:78 | (none) | udp
N/A | 10.127.0.255:78 | (none) | udp
US | 8.8.8.8:53 | 255.0.127.10.in-addr.arpa | udp
US | 8.8.8.8:53 | 255.255.255.10.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 214.80.50.20.in-addr.arpa | udp

Files

memory/3284-0-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Windows\MSWDM.EXE

MD5 c06d2bf4e02efc8301ffdee923381cfd
SHA1 5ceea66714bd6040a2a57baa7e9eccd2b64e994a
SHA256 3e7a32d9723e43ce05931b8b79f4fb8ec5eee0eafed7d4d7a635e9d5d4da5e87
SHA512 0f1eb53c4bf4246614141adcf351bec9778373e4f6cf9700dc5ad00cd29b767ee1c0eb8d81b174890ddbcea39155895b6cb99681c3d20573faebd315628f3cf6

memory/3284-12-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4304-10-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Windows\devECA2.tmp

MD5 619f7135621b50fd1900ff24aade1524
SHA1 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA512 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

memory/2468-9-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9C9BE88B4B2AE8EA58001B80B5E24610_NEIKIANALYTICS.EXE

MD5 bbc3dacb3230d9571334ee50f695ed7c
SHA1 178ff54e399ee53f7281227dc3bc11a9a843b502
SHA256 8f5a9be3e51f165a5f1ac6413d58703e06997eb46e9560754f890eb96844ecd3
SHA512 e4e522c813c7aee70bcfa6c745b33149772a9e410ef96f811002dfb72d9979391c495788530f1302c418893d5b80291761673eed48670369a170c7b9b8a67483

memory/4304-24-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1108-21-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2468-25-0x0000000000400000-0x000000000041B000-memory.dmp