Malware Analysis Report

2025-03-14 23:47

Sample ID 240603-fypb1aea39
Target 9cc059af09252ed2a7c8cfc7d1e5c990_NeikiAnalytics.exe
SHA256 66d7b8fb9b80db6290c427884cb409d95918a0bf64f3269420b17ad16fbce87e
Tags upx, persistence
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 7/10

SHA256 66d7b8fb9b80db6290c427884cb409d95918a0bf64f3269420b17ad16fbce87e

Threat Level: Shows suspicious behavior

The file 9cc059af09252ed2a7c8cfc7d1e5c990_NeikiAnalytics.exe was found to show suspicious behavior.

Malicious Activity Summary

Tags upx, persistence

UPX packed file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 05:17

Signatures

UPX packed file

Tag upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 05:17

Reported

2024-06-03 05:19

Platform

win7-20240508-en

Max time kernel

19s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9cc059af09252ed2a7c8cfc7d1e5c990_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A
N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9CC059AF09252ED2A7C8CFC7D1E5C990_NEIKIANALYTICS.EXE | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A
N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A
N/A | N/A | N/A | N/A

UPX packed file

Tag upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

Tag persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | C:\Users\Admin\AppData\Local\Temp\9cc059af09252ed2a7c8cfc7d1e5c990_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | C:\Users\Admin\AppData\Local\Temp\9cc059af09252ed2a7c8cfc7d1e5c990_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | C:\WINDOWS\MSWDM.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | C:\WINDOWS\MSWDM.EXE | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\WINDOWS\MSWDM.EXE | C:\Users\Admin\AppData\Local\Temp\9cc059af09252ed2a7c8cfc7d1e5c990_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\dev1842.tmp | C:\Users\Admin\AppData\Local\Temp\9cc059af09252ed2a7c8cfc7d1e5c990_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\dev1842.tmp | C:\WINDOWS\MSWDM.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1936 wrote to memory of 2092 | N/A | C:\Users\Admin\AppData\Local\Temp\9cc059af09252ed2a7c8cfc7d1e5c990_NeikiAnalytics.exe | C:\WINDOWS\MSWDM.EXE
PID 1936 wrote to memory of 2092 | N/A | C:\Users\Admin\AppData\Local\Temp\9cc059af09252ed2a7c8cfc7d1e5c990_NeikiAnalytics.exe | C:\WINDOWS\MSWDM.EXE
PID 1936 wrote to memory of 2092 | N/A | C:\Users\Admin\AppData\Local\Temp\9cc059af09252ed2a7c8cfc7d1e5c990_NeikiAnalytics.exe | C:\WINDOWS\MSWDM.EXE
PID 1936 wrote to memory of 2092 | N/A | C:\Users\Admin\AppData\Local\Temp\9cc059af09252ed2a7c8cfc7d1e5c990_NeikiAnalytics.exe | C:\WINDOWS\MSWDM.EXE
PID 1936 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\9cc059af09252ed2a7c8cfc7d1e5c990_NeikiAnalytics.exe | C:\WINDOWS\MSWDM.EXE
PID 1936 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\9cc059af09252ed2a7c8cfc7d1e5c990_NeikiAnalytics.exe | C:\WINDOWS\MSWDM.EXE
PID 1936 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\9cc059af09252ed2a7c8cfc7d1e5c990_NeikiAnalytics.exe | C:\WINDOWS\MSWDM.EXE
PID 1936 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\9cc059af09252ed2a7c8cfc7d1e5c990_NeikiAnalytics.exe | C:\WINDOWS\MSWDM.EXE
PID 3040 wrote to memory of 2756 | N/A | C:\WINDOWS\MSWDM.EXE | C:\Users\Admin\AppData\Local\Temp\9CC059AF09252ED2A7C8CFC7D1E5C990_NEIKIANALYTICS.EXE
PID 3040 wrote to memory of 2756 | N/A | C:\WINDOWS\MSWDM.EXE | C:\Users\Admin\AppData\Local\Temp\9CC059AF09252ED2A7C8CFC7D1E5C990_NEIKIANALYTICS.EXE
PID 3040 wrote to memory of 2756 | N/A | C:\WINDOWS\MSWDM.EXE | C:\Users\Admin\AppData\Local\Temp\9CC059AF09252ED2A7C8CFC7D1E5C990_NEIKIANALYTICS.EXE
PID 3040 wrote to memory of 2756 | N/A | C:\WINDOWS\MSWDM.EXE | C:\Users\Admin\AppData\Local\Temp\9CC059AF09252ED2A7C8CFC7D1E5C990_NEIKIANALYTICS.EXE
PID 3040 wrote to memory of 2768 | N/A | C:\WINDOWS\MSWDM.EXE | C:\WINDOWS\MSWDM.EXE
PID 3040 wrote to memory of 2768 | N/A | C:\WINDOWS\MSWDM.EXE | C:\WINDOWS\MSWDM.EXE
PID 3040 wrote to memory of 2768 | N/A | C:\WINDOWS\MSWDM.EXE | C:\WINDOWS\MSWDM.EXE
PID 3040 wrote to memory of 2768 | N/A | C:\WINDOWS\MSWDM.EXE | C:\WINDOWS\MSWDM.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\9cc059af09252ed2a7c8cfc7d1e5c990_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9cc059af09252ed2a7c8cfc7d1e5c990_NeikiAnalytics.exe"

C:\WINDOWS\MSWDM.EXE

"C:\WINDOWS\MSWDM.EXE"

C:\WINDOWS\MSWDM.EXE

-r!C:\Windows\dev1842.tmp!C:\Users\Admin\AppData\Local\Temp\9cc059af09252ed2a7c8cfc7d1e5c990_NeikiAnalytics.exe! !

C:\Users\Admin\AppData\Local\Temp\9CC059AF09252ED2A7C8CFC7D1E5C990_NEIKIANALYTICS.EXE

C:\WINDOWS\MSWDM.EXE

-e!C:\Windows\dev1842.tmp!C:\Users\Admin\AppData\Local\Temp\9CC059AF09252ED2A7C8CFC7D1E5C990_NEIKIANALYTICS.EXE!

Network

Country | Destination | Domain | Proto
N/A | 10.127.255.255:78 | | udp
N/A | 10.255.255.255:78 | | udp
N/A | 10.127.0.255:78 | | udp

Files

memory/1936-1-0x0000000000400000-0x0000000000418000-memory.dmp

C:\Windows\MSWDM.EXE

MD5 36b594ef79ea6d5f2ae23b4dbd940245
SHA1 7f016dde472df1dc3e0377d88c05475207bc44b3
SHA256 af3eb1fff772cba996abad554c8b9b73d92706b8f8a40cd7d07a170d41bed0d9
SHA512 d48a9b0d23d97afe6deb4a6f26174b1d812d0069bb5ec2496f6ec4d22ce070564f5e4d465394b63328bc8dc857a4462e6aea57bbde2c607d51c9e1d0addf673e

\Users\Admin\AppData\Local\Temp\9cc059af09252ed2a7c8cfc7d1e5c990_NeikiAnalytics.exe

MD5 04fb3ae7f05c8bc333125972ba907398
SHA1 df22612647e9404a515d48ebad490349685250de
SHA256 2fb898bacb587f2484c9c4aa6da2729079d93d1f923a017bb84beef87bf74fef
SHA512 94c164a0b884c939ece30f5038d07b756702998d46786f9f613fbea2eb30bed4bc19a409f347bb4cc565898473b18155d580b453683223beaf30ed4079c251b2

memory/2092-19-0x0000000000400000-0x0000000000418000-memory.dmp

memory/3040-18-0x0000000000400000-0x0000000000418000-memory.dmp

memory/1936-12-0x0000000000400000-0x0000000000418000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9CC059AF09252ED2A7C8CFC7D1E5C990_NEIKIANALYTICS.EXE

MD5 678ca650ce6f4849bd4a8317e07655fd
SHA1 c0a47ecd684c4b1e8d4709926d175345ca250c76
SHA256 99e55d1fc3fe376f762f5f23995307a81f4dbe750d4b4570da1f6fe06abf901a
SHA512 4807b6dccb0638a06306ff4b3549bafe4edef8576a5a5312a060cc7de35953a486e639f25ddcf31b216bde716991ae494de0b248f2ca217212c165a92c2dc612

memory/3040-36-0x0000000000400000-0x0000000000418000-memory.dmp

memory/2768-33-0x0000000000400000-0x0000000000418000-memory.dmp

memory/2092-37-0x0000000000400000-0x0000000000418000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 05:17

Reported

2024-06-03 05:19

Platform

win10v2004-20240226-en

Max time kernel

48s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9cc059af09252ed2a7c8cfc7d1e5c990_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A
N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9CC059AF09252ED2A7C8CFC7D1E5C990_NEIKIANALYTICS.EXE | N/A
N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A

UPX packed file

Tag upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

Tag persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | C:\WINDOWS\MSWDM.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | C:\WINDOWS\MSWDM.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | C:\Users\Admin\AppData\Local\Temp\9cc059af09252ed2a7c8cfc7d1e5c990_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | C:\Users\Admin\AppData\Local\Temp\9cc059af09252ed2a7c8cfc7d1e5c990_NeikiAnalytics.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\WINDOWS\MSWDM.EXE | C:\Users\Admin\AppData\Local\Temp\9cc059af09252ed2a7c8cfc7d1e5c990_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\dev162.tmp | C:\Users\Admin\AppData\Local\Temp\9cc059af09252ed2a7c8cfc7d1e5c990_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\dev162.tmp | C:\WINDOWS\MSWDM.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A
N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9cc059af09252ed2a7c8cfc7d1e5c990_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9cc059af09252ed2a7c8cfc7d1e5c990_NeikiAnalytics.exe"

C:\WINDOWS\MSWDM.EXE

"C:\WINDOWS\MSWDM.EXE"

C:\WINDOWS\MSWDM.EXE

-r!C:\Windows\dev162.tmp!C:\Users\Admin\AppData\Local\Temp\9cc059af09252ed2a7c8cfc7d1e5c990_NeikiAnalytics.exe! !

C:\Users\Admin\AppData\Local\Temp\9CC059AF09252ED2A7C8CFC7D1E5C990_NEIKIANALYTICS.EXE

C:\WINDOWS\MSWDM.EXE

-e!C:\Windows\dev162.tmp!C:\Users\Admin\AppData\Local\Temp\9CC059AF09252ED2A7C8CFC7D1E5C990_NEIKIANALYTICS.EXE!

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4036 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
N/A | 10.127.255.255:78 | | udp
N/A | 10.255.255.255:78 | | udp
N/A | 10.127.0.255:78 | | udp
US | 8.8.8.8:53 | 255.0.127.10.in-addr.arpa | udp
US | 8.8.8.8:53 | 255.255.255.10.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
GB | 96.16.110.114:80 | | tcp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
GB | 142.250.187.202:443 | | tcp
US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp
NL | 52.142.223.178:80 | | tcp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp

Files

memory/2132-0-0x0000000000400000-0x0000000000418000-memory.dmp

C:\Windows\MSWDM.EXE

MD5 36b594ef79ea6d5f2ae23b4dbd940245
SHA1 7f016dde472df1dc3e0377d88c05475207bc44b3
SHA256 af3eb1fff772cba996abad554c8b9b73d92706b8f8a40cd7d07a170d41bed0d9
SHA512 d48a9b0d23d97afe6deb4a6f26174b1d812d0069bb5ec2496f6ec4d22ce070564f5e4d465394b63328bc8dc857a4462e6aea57bbde2c607d51c9e1d0addf673e

memory/1032-7-0x0000000000400000-0x0000000000418000-memory.dmp

C:\Windows\dev162.tmp

MD5 04fb3ae7f05c8bc333125972ba907398
SHA1 df22612647e9404a515d48ebad490349685250de
SHA256 2fb898bacb587f2484c9c4aa6da2729079d93d1f923a017bb84beef87bf74fef
SHA512 94c164a0b884c939ece30f5038d07b756702998d46786f9f613fbea2eb30bed4bc19a409f347bb4cc565898473b18155d580b453683223beaf30ed4079c251b2

memory/2132-10-0x0000000000400000-0x0000000000418000-memory.dmp

memory/3624-17-0x0000000000400000-0x0000000000418000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9CC059AF09252ED2A7C8CFC7D1E5C990_NEIKIANALYTICS.EXE

MD5 4418728dcb9aa000a6bbbeda2ddebcba
SHA1 a76e262c9b0f8097839d58942c0f0a556c61d051
SHA256 ea05bb131d0d8c2fa4049002990ca40f451ef0c073fb94b56f28a2d73c1f8969
SHA512 9eeb3f67c3bb6a2bb0d9de7497fe6f53d4eaf49ea9b4a42c8c6ef60be8ba07386de3a5487d891aa50de95f1f10289d6f9adcf1bc9c9fabfd170329d1ba5ccdfa

memory/3624-20-0x0000000000400000-0x0000000000418000-memory.dmp

memory/1032-23-0x0000000000400000-0x0000000000418000-memory.dmp

memory/3792-24-0x0000000000400000-0x0000000000418000-memory.dmp