Malware Analysis Report

2025-03-14 23:45

Sample ID 240603-gm37fsfa89
Target 9dd1c24b524f566c9899bf128d5bde50_NeikiAnalytics.exe
SHA256 b3266b445847ed5d3571cb5a99499df9622161d81aad9c0c739fdf093e2c436a
Tags: persistence
Score: 6/10


Analysis Overview

Score: 6/10

SHA256

b3266b445847ed5d3571cb5a99499df9622161d81aad9c0c739fdf093e2c436a

Threat Level: Shows suspicious behavior

The file 9dd1c24b524f566c9899bf128d5bde50_NeikiAnalytics.exe was found to show suspicious behavior.

Malicious Activity Summary

persistence

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of SetWindowsHookEx

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-06-03 05:56

Signatures

Unsigned PE

No indicator details are recorded for this signature (Description, Indicator, Process and Target are all N/A).

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 05:56

Reported

2024-06-03 05:58

Platform

win7-20240221-en

Max time kernel

131s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9dd1c24b524f566c9899bf128d5bde50_NeikiAnalytics.exe"

Signatures

Adds Run key to start application

persistence

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\工具.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9dd1c24b524f566c9899bf128d5bde50_NeikiAnalytics.exe"
Process: C:\Users\Admin\AppData\Local\Temp\9dd1c24b524f566c9899bf128d5bde50_NeikiAnalytics.exe
Target: N/A

The Run value name 工具.exe and the dropped file names 截屏 and 截图 are GBK-encoded Chinese (工具 = "tool", 截屏 = "screen capture", 截图 = "screenshot"); the sandbox rendered the raw bytes as ¹¤¾ß.exe, ½ØÆÁ and ½ØÍ¼.

Drops file in Windows directory

Process: C:\Users\Admin\AppData\Local\Temp\9dd1c24b524f566c9899bf128d5bde50_NeikiAnalytics.exe (Target: N/A for all rows)
File created: C:\Windows\System\截图
File opened for modification: C:\Windows\System\截屏
File opened for modification: C:\Windows\System\截图
File created: C:\Windows\System\截屏

Processes

C:\Users\Admin\AppData\Local\Temp\9dd1c24b524f566c9899bf128d5bde50_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9dd1c24b524f566c9899bf128d5bde50_NeikiAnalytics.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 smtp.QQ.com udp
HK 43.129.255.54:25 smtp.QQ.com tcp
HK 43.129.255.54:25 smtp.QQ.com tcp
HK 43.129.255.54:25 smtp.QQ.com tcp
HK 43.129.255.54:25 smtp.QQ.com tcp
HK 43.129.255.54:25 smtp.QQ.com tcp
HK 43.129.255.54:25 smtp.QQ.com tcp
HK 43.129.255.54:25 smtp.QQ.com tcp

Files

C:\Windows\system\截屏

MD5 d28ef4d1d066def6aecf0eaf3a201ca8
SHA1 720de6f226957770798896277f0e0bddeecd1659
SHA256 b92d29796b31ae84742ddcb6f630a5493d776452dd2e5b8558948f328593f8c7
SHA512 5248efbbd208dee121c7219b9ea7d97327ea9af8ddca646fddde4164184d34c3d82fba6584877cce7bef3e73edf107068bf4c7c6726a54e5494520e6611266aa

C:\Windows\system\截图

MD5 3db6d0732b83d0015646b90ca9a1cf82
SHA1 460eb3983d4939c06b5d8624e302caf211cd86ee
SHA256 e4f69a83df6dad5554d81f54826a1d3dee0d70b6f3b5198b330c759373539a28
SHA512 c917b0ca82d99589fd53f59bae0e8b769232cf116a0090acd9710f2bbd3a1131955654432f22afa08ef1d0fe02244eff81aae35c7c49eb3d93c5774a79e8cdec

C:\t23k.e

MD5 8a92b85e2e522334bc33a6bcafa0d50b
SHA1 e5dc1f1454a4c755503ccf2b37c279cdb8e8dbc5
SHA256 4557b5835b889db54607441e5f1adc1e7d6f42f9414de83a78c07488512c8ec7
SHA512 4fd2d8488e74d470ce6767feec0272d70523397456d9ac6302b67392fa8bf371786086aa6ffb53d7e356a1c11bcb72788e09ffa058cfaa96eedfb39206ec3f6c

C:\t23k.d

MD5 ab2719a4c20cc7a28eb6843dd735a0d7
SHA1 185a302ad82348f9bba3872dafa6c5c362465211
SHA256 ed3b5a57e0a01951d3350446756f0f27deb05677aa75edf3b4ad3e68fe57c74d
SHA512 d1dc082a4e219e87cb702147470af4d32d2a21e48686ce9d7fa49c9f4a08c296815243b5097d6f15444acf521bce0d534502a3b8cd887fa86c4c584633b6cc71

C:\t23k.c

MD5 c38b8999f30e38d08f8d3981c5c16592
SHA1 55ddd8181a77d917937fb40353a9726b5fde77ee
SHA256 a45b7746ce6dc3f92057f5a4c24a41e59cb6c2c8026fb2e88a7d42c04efb48d6
SHA512 d45f8278c8fcd362d46a18e3b35e8190c0cc058596f6005fb54fa1c8f995f22ab8ec027348a1317a27ceeccffc4e8e0b3857ee56af0b2c7e055bfae2bac9fa6a

C:\Windows\system\截图

MD5 6894e9e7e3952b0451e136265d613ea4
SHA1 2e564cfa29755b7b5b879c6e40fee93cb2fe9874
SHA256 a63ffbd1271ab77697c4f138614dd7e695c14a81879c4483c3f9c5de4bf3b78b
SHA512 4f0bd6ae604ad380f21e5d74b3081b94d8f45b4c9734b5c4f8ee74aa1d16785fc6c27fe5bfe13604532ce0945293b5441f02e036ff439c4655583e9ac2b3d23d

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 05:56

Reported

2024-06-03 05:58

Platform

win10v2004-20240226-en

Max time kernel

140s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9dd1c24b524f566c9899bf128d5bde50_NeikiAnalytics.exe"

Signatures

Adds Run key to start application

persistence

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\工具.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9dd1c24b524f566c9899bf128d5bde50_NeikiAnalytics.exe"
Process: C:\Users\Admin\AppData\Local\Temp\9dd1c24b524f566c9899bf128d5bde50_NeikiAnalytics.exe
Target: N/A

The Run value name 工具.exe is GBK-encoded Chinese, rendered by the sandbox as ¹¤¾ß.exe.

Drops file in Windows directory

Process: C:\Users\Admin\AppData\Local\Temp\9dd1c24b524f566c9899bf128d5bde50_NeikiAnalytics.exe (Target: N/A for all rows)
File created: C:\Windows\System\截屏
File created: C:\Windows\System\截图
File opened for modification: C:\Windows\System\截屏
File opened for modification: C:\Windows\System\截图

Processes

C:\Users\Admin\AppData\Local\Temp\9dd1c24b524f566c9899bf128d5bde50_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9dd1c24b524f566c9899bf128d5bde50_NeikiAnalytics.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4080 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 smtp.QQ.com udp
HK 43.129.255.54:25 smtp.QQ.com tcp
GB 96.16.110.114:80 - tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 13.107.253.64:443 - tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
HK 43.129.255.54:25 smtp.QQ.com tcp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
HK 43.129.255.54:25 smtp.QQ.com tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
HK 43.129.255.54:25 smtp.QQ.com tcp
NL 52.142.223.178:80 - tcp
HK 43.129.255.54:25 smtp.QQ.com tcp
HK 43.129.255.54:25 smtp.QQ.com tcp
HK 43.129.255.54:25 smtp.QQ.com tcp
US 8.8.8.8:53 41.173.79.40.in-addr.arpa udp

Files

C:\Windows\System\截屏

MD5 2d86e90c8077c7c810045f96fe8972e0
SHA1 d4dfe7859823ee4219450fba7c4d074b01d1e29b
SHA256 9b6ae565e235738cb64aec55a2b79af7b1b2d8933da3e2ce275182ce0332bee4
SHA512 a34a0b287a7bcfd77d79a614bf6ab6a41d69ff744a20147b447a11c2a692321262cf53f2681082b75112fd87844ee6034944cdb9c8d7ec38b68e0d062f9664f1

C:\Windows\System\截图

MD5 b65d2ba5e50d037a38543ef90633e2d0
SHA1 e23a73d98ae4b0b9ec6e63fbe97ac7efc227e235
SHA256 012f106a4d5cce1bcc58ac86641429a85ca43395660043deb349e1e0931ca263
SHA512 a6354752eb84ee786c57d6078845aa1f5bf59afc328614f7b568b83845a183c58077b369dc18087f4a4a654d68fd39a61855c7775ca7528b388b7ebbdadeea4a

C:\t4uo.e

MD5 cbc42ac6cfa38f069546db6ed4556698
SHA1 cdf072713888da589831fc2486d09dcdc23a76dd
SHA256 017f5a37c733d1311e1435177c76e71cb1c66634881f18d5156e992f59e8739d
SHA512 f3c0345a95801e30b43ad2124391400d68eefb28816148ae6a7bbf9dbcca40ddbfeb16c8c89d53d34015652b7992d74b4a4d8783b002c32e466af40802652dab

C:\t4uo.d

MD5 ba2e8dd3d9ad4add44e918ac69ee1c09
SHA1 d01ad0acb946071ce7b9b7bfc22adb4f031ce5d3
SHA256 7d9c085d259b1149d2e856a024a15122642e1b4a840dd8156a9689524b451326
SHA512 0c805bbffc991f2ab9a941cd387550bb2048521c990c658c3f0e41d473430737aa4d82c54d1e4e2747b233cb46da9e09a45335cf8654fef1cd21c0c9e6d9a51b

C:\t4uo.c

MD5 bd60be048650b193b5259cc9b9a46fe2
SHA1 5a7e7c63373249e016dfa44fdb0789ac8092f910
SHA256 97110deded06d332e1e892d8353387498a15c3769173470e56978bb106d60b0a
SHA512 d444638fca9fc8feabb6b5b963133e7e299a3c0620b672a0d8a4350bc79eb0f7d94666b17f334903a1ee4b72fabc627247c99715c08827e4cf91b0c86c6031b0