Malware Analysis Report

2025-03-14 23:46

Sample ID 240603-gdgbbsef62
Target 9d69d86336b4584759ff071877611100_NeikiAnalytics.exe
SHA256 fca144d99c83d6703c1d95ad9a677a6d1f52105d0082f28bd3a027b3c0b9865d
Tags: persistence
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256

fca144d99c83d6703c1d95ad9a677a6d1f52105d0082f28bd3a027b3c0b9865d

Threat Level: Shows suspicious behavior

The file 9d69d86336b4584759ff071877611100_NeikiAnalytics.exe was found to show suspicious behavior.

Malicious Activity Summary

persistence

Deletes itself

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 05:41

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 05:41

Reported

2024-06-03 05:43

Platform

win7-20240220-en

Max time kernel

149s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9d69d86336b4584759ff071877611100_NeikiAnalytics.exe"

Signatures

Deletes itself

Description: N/A
Indicator: N/A
Process: C:\Windows\microsofthelp.exe
Target: N/A

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Windows\microsofthelp.exe
Target: N/A

Adds Run key to start application (persistence)

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe"
Process: C:\Users\Admin\AppData\Local\Temp\9d69d86336b4584759ff071877611100_NeikiAnalytics.exe
Target: N/A

Drops file in Windows directory

Description: File created
Indicator: C:\Windows\microsofthelp.exe
Process: C:\Users\Admin\AppData\Local\Temp\9d69d86336b4584759ff071877611100_NeikiAnalytics.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9d69d86336b4584759ff071877611100_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9d69d86336b4584759ff071877611100_NeikiAnalytics.exe"

C:\Windows\microsofthelp.exe

"C:\Windows\microsofthelp.exe"

Network

N/A

Files

memory/2836-0-0x0000000000400000-0x0000000000403000-memory.dmp

C:\Windows\microsofthelp.exe

MD5 0ec63ebf4491fa69393f280536966160
SHA1 cb42011c6b69cc9c68cd67bb42d02295429af12f
SHA256 94370395cbbdc6ebd680b60aaccdb40e7a3e9042b21bfdb91a935adbbfbfb1d0
SHA512 ce840745241e3441d6d844598988b44b1ad29c8d985d49d96c19e11f1e98d2d88d95ac5622b5c54f4d22f87ad631fff614cc1d3a12b7df9b9b6b94816d71328c

memory/2836-7-0x00000000003A0000-0x00000000003A3000-memory.dmp

memory/2836-6-0x00000000003A0000-0x00000000003A3000-memory.dmp

memory/2504-9-0x0000000000400000-0x0000000000403000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 05:41

Reported

2024-06-03 05:43

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9d69d86336b4584759ff071877611100_NeikiAnalytics.exe"

Signatures

Deletes itself

Description: N/A
Indicator: N/A
Process: C:\Windows\microsofthelp.exe
Target: N/A

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Windows\microsofthelp.exe
Target: N/A

Adds Run key to start application (persistence)

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe"
Process: C:\Users\Admin\AppData\Local\Temp\9d69d86336b4584759ff071877611100_NeikiAnalytics.exe
Target: N/A

Drops file in Windows directory

Description: File created
Indicator: C:\Windows\microsofthelp.exe
Process: C:\Users\Admin\AppData\Local\Temp\9d69d86336b4584759ff071877611100_NeikiAnalytics.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9d69d86336b4584759ff071877611100_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9d69d86336b4584759ff071877611100_NeikiAnalytics.exe"

C:\Windows\microsofthelp.exe

"C:\Windows\microsofthelp.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2128 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8

Network

Country  Destination         Domain                         Proto
US       8.8.8.8:53          183.142.211.20.in-addr.arpa    udp
US       8.8.8.8:53          172.210.232.199.in-addr.arpa   udp
US       8.8.8.8:53          2.159.190.20.in-addr.arpa      udp
US       8.8.8.8:53          95.221.229.192.in-addr.arpa    udp
US       8.8.8.8:53          241.150.49.20.in-addr.arpa     udp
US       8.8.8.8:53          228.249.119.40.in-addr.arpa    udp
US       8.8.8.8:53          103.169.127.40.in-addr.arpa    udp
US       8.8.8.8:53          56.126.166.20.in-addr.arpa     udp
US       13.107.246.64:443                                  tcp
US       8.8.8.8:53          203.107.17.2.in-addr.arpa      udp
US       8.8.8.8:53          11.227.111.52.in-addr.arpa     udp
US       8.8.8.8:53          213.143.182.52.in-addr.arpa    udp

Files

memory/4752-0-0x0000000000400000-0x0000000000403000-memory.dmp

C:\Windows\microsofthelp.exe

MD5 0ec63ebf4491fa69393f280536966160
SHA1 cb42011c6b69cc9c68cd67bb42d02295429af12f
SHA256 94370395cbbdc6ebd680b60aaccdb40e7a3e9042b21bfdb91a935adbbfbfb1d0
SHA512 ce840745241e3441d6d844598988b44b1ad29c8d985d49d96c19e11f1e98d2d88d95ac5622b5c54f4d22f87ad631fff614cc1d3a12b7df9b9b6b94816d71328c

memory/4752-4-0x0000000000400000-0x0000000000403000-memory.dmp