Malware Analysis Report

2025-03-14 23:47

Sample ID 240603-fxwdxsdh95
Target 9cb49f9bc534a016098cb107b295d1a0_NeikiAnalytics.exe
SHA256 78684c8e3d5b6b0742eceb772d81f81eb5c534cdfd0c7fae956f9abb7ef9a5f6
Tags: persistence
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 7/10

SHA256: 78684c8e3d5b6b0742eceb772d81f81eb5c534cdfd0c7fae956f9abb7ef9a5f6

Threat Level: Shows suspicious behavior

The file 9cb49f9bc534a016098cb107b295d1a0_NeikiAnalytics.exe was found to show suspicious behavior.

Malicious Activity Summary

persistence

Deletes itself

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 05:15

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 05:15

Reported

2024-06-03 05:18

Platform

win7-20240508-en

Max time kernel

149s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9cb49f9bc534a016098cb107b295d1a0_NeikiAnalytics.exe"

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\microsofthelp.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\microsofthelp.exe | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe" | C:\Users\Admin\AppData\Local\Temp\9cb49f9bc534a016098cb107b295d1a0_NeikiAnalytics.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\microsofthelp.exe | C:\Users\Admin\AppData\Local\Temp\9cb49f9bc534a016098cb107b295d1a0_NeikiAnalytics.exe | N/A
File created | C:\Windows\HidePlugin.dll | C:\Windows\microsofthelp.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9cb49f9bc534a016098cb107b295d1a0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9cb49f9bc534a016098cb107b295d1a0_NeikiAnalytics.exe"

C:\Windows\microsofthelp.exe

"C:\Windows\microsofthelp.exe"

Network

N/A

Files

memory/2184-0-0x0000000000400000-0x000000000040D000-memory.dmp

C:\Windows\microsofthelp.exe

MD5 03d2bd72c4349952ea8fe040f78e64dc
SHA1 81ded73c0bf89e2b7ba6acdfbcc6fb552a90691b
SHA256 2913a34005bc2269477f06d4f1c725ae7bd47c4c672b330f216668d985dc6c17
SHA512 1068c289339b8ccf665a8f0745addfe3d71358aba055026a1019b78aea4355f003c4fc59c38ed60ea17f135b94329c5e0c05ec524753391e2a83e4690b523d27

memory/1724-8-0x0000000000400000-0x000000000040D000-memory.dmp

memory/2184-6-0x0000000000400000-0x000000000040D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 05:15

Reported

2024-06-03 05:18

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9cb49f9bc534a016098cb107b295d1a0_NeikiAnalytics.exe"

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\microsofthelp.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\microsofthelp.exe | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe" | C:\Users\Admin\AppData\Local\Temp\9cb49f9bc534a016098cb107b295d1a0_NeikiAnalytics.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\microsofthelp.exe | C:\Users\Admin\AppData\Local\Temp\9cb49f9bc534a016098cb107b295d1a0_NeikiAnalytics.exe | N/A
File created | C:\Windows\HidePlugin.dll | C:\Windows\microsofthelp.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9cb49f9bc534a016098cb107b295d1a0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9cb49f9bc534a016098cb107b295d1a0_NeikiAnalytics.exe"

C:\Windows\microsofthelp.exe

"C:\Windows\microsofthelp.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp

Files

memory/4236-0-0x0000000000400000-0x000000000040D000-memory.dmp

C:\Windows\microsofthelp.exe

MD5 03d2bd72c4349952ea8fe040f78e64dc
SHA1 81ded73c0bf89e2b7ba6acdfbcc6fb552a90691b
SHA256 2913a34005bc2269477f06d4f1c725ae7bd47c4c672b330f216668d985dc6c17
SHA512 1068c289339b8ccf665a8f0745addfe3d71358aba055026a1019b78aea4355f003c4fc59c38ed60ea17f135b94329c5e0c05ec524753391e2a83e4690b523d27

memory/4236-5-0x0000000000400000-0x000000000040D000-memory.dmp

memory/3968-6-0x0000000000400000-0x000000000040D000-memory.dmp