Malware Analysis Report

2025-03-14 23:45

Sample ID 240603-gmlmeadh6s
Target 9dcc62f90f83bc0be9dbde16e0d9ef90_NeikiAnalytics.exe
SHA256 94cba4ae9e7864cc785e801a921086197f71531a5daf91d2d81c2f5c7688bbd9
Tags: persistence
Score: 7/10

Analysis Overview

Score: 7/10

SHA256

94cba4ae9e7864cc785e801a921086197f71531a5daf91d2d81c2f5c7688bbd9

Threat Level: Shows suspicious behavior

The file 9dcc62f90f83bc0be9dbde16e0d9ef90_NeikiAnalytics.exe shows suspicious behavior.

Malicious Activity Summary

persistence

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 05:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 05:55

Reported

2024-06-03 05:57

Platform

win7-20240221-en

Max time kernel

19s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9dcc62f90f83bc0be9dbde16e0d9ef90_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\WINDOWS\MSWDM.EXE N/A
N/A N/A C:\WINDOWS\MSWDM.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9DCC62F90F83BC0BE9DBDE16E0D9EF90_NEIKIANALYTICS.EXE N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\WINDOWS\MSWDM.EXE N/A
N/A N/A C:\WINDOWS\MSWDM.EXE N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" C:\Users\Admin\AppData\Local\Temp\9dcc62f90f83bc0be9dbde16e0d9ef90_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" C:\Users\Admin\AppData\Local\Temp\9dcc62f90f83bc0be9dbde16e0d9ef90_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" C:\WINDOWS\MSWDM.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" C:\WINDOWS\MSWDM.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\WINDOWS\MSWDM.EXE C:\Users\Admin\AppData\Local\Temp\9dcc62f90f83bc0be9dbde16e0d9ef90_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\dev189F.tmp C:\Users\Admin\AppData\Local\Temp\9dcc62f90f83bc0be9dbde16e0d9ef90_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\WINDOWS\MSWDM.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9DCC62F90F83BC0BE9DBDE16E0D9EF90_NEIKIANALYTICS.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9DCC62F90F83BC0BE9DBDE16E0D9EF90_NEIKIANALYTICS.EXE N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\9DCC62F90F83BC0BE9DBDE16E0D9EF90_NEIKIANALYTICS.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1964 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\9dcc62f90f83bc0be9dbde16e0d9ef90_NeikiAnalytics.exe C:\WINDOWS\MSWDM.EXE
PID 1964 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\9dcc62f90f83bc0be9dbde16e0d9ef90_NeikiAnalytics.exe C:\WINDOWS\MSWDM.EXE
PID 1964 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\9dcc62f90f83bc0be9dbde16e0d9ef90_NeikiAnalytics.exe C:\WINDOWS\MSWDM.EXE
PID 1964 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\9dcc62f90f83bc0be9dbde16e0d9ef90_NeikiAnalytics.exe C:\WINDOWS\MSWDM.EXE
PID 1964 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\9dcc62f90f83bc0be9dbde16e0d9ef90_NeikiAnalytics.exe C:\WINDOWS\MSWDM.EXE
PID 1964 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\9dcc62f90f83bc0be9dbde16e0d9ef90_NeikiAnalytics.exe C:\WINDOWS\MSWDM.EXE
PID 1964 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\9dcc62f90f83bc0be9dbde16e0d9ef90_NeikiAnalytics.exe C:\WINDOWS\MSWDM.EXE
PID 1964 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\9dcc62f90f83bc0be9dbde16e0d9ef90_NeikiAnalytics.exe C:\WINDOWS\MSWDM.EXE
PID 2344 wrote to memory of 2264 N/A C:\WINDOWS\MSWDM.EXE C:\Users\Admin\AppData\Local\Temp\9DCC62F90F83BC0BE9DBDE16E0D9EF90_NEIKIANALYTICS.EXE
PID 2344 wrote to memory of 2264 N/A C:\WINDOWS\MSWDM.EXE C:\Users\Admin\AppData\Local\Temp\9DCC62F90F83BC0BE9DBDE16E0D9EF90_NEIKIANALYTICS.EXE
PID 2344 wrote to memory of 2264 N/A C:\WINDOWS\MSWDM.EXE C:\Users\Admin\AppData\Local\Temp\9DCC62F90F83BC0BE9DBDE16E0D9EF90_NEIKIANALYTICS.EXE
PID 2344 wrote to memory of 2264 N/A C:\WINDOWS\MSWDM.EXE C:\Users\Admin\AppData\Local\Temp\9DCC62F90F83BC0BE9DBDE16E0D9EF90_NEIKIANALYTICS.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\9dcc62f90f83bc0be9dbde16e0d9ef90_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9dcc62f90f83bc0be9dbde16e0d9ef90_NeikiAnalytics.exe"

C:\WINDOWS\MSWDM.EXE

"C:\WINDOWS\MSWDM.EXE"

C:\WINDOWS\MSWDM.EXE

-r!C:\Windows\dev189F.tmp!C:\Users\Admin\AppData\Local\Temp\9dcc62f90f83bc0be9dbde16e0d9ef90_NeikiAnalytics.exe! !

C:\Users\Admin\AppData\Local\Temp\9DCC62F90F83BC0BE9DBDE16E0D9EF90_NEIKIANALYTICS.EXE

Network

Country Destination Domain Proto
N/A 10.127.255.255:78 udp
N/A 10.255.255.255:78 udp
N/A 10.127.0.255:78 udp

Files

memory/1964-0-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Windows\MSWDM.EXE

MD5 d4f324176e864a4ba6c86ac00ec33851
SHA1 953a5de37833fae53d66912fa86d8adceb3dd74e
SHA256 3c69a2458dc6d1a1d1022efae1146c5541c661eb7e161124eabea1bf4fc8c43b
SHA512 703eec6157d0750d0684f091d14c229a640adc5266a9499a7e7d16963514198ca6ad495954495eac70b76f130a14461742e8149c4f43e7ddd43c9387b56ab399

\Users\Admin\AppData\Local\Temp\9dcc62f90f83bc0be9dbde16e0d9ef90_NeikiAnalytics.exe

MD5 c8f40f25f783a52262bdaedeb5555427
SHA1 e45e198607c8d7398745baa71780e3e7a2f6deca
SHA256 e81b44ee7381ae3b630488b6fb7e3d9ffbdd9ac3032181d4ccaaff3409b57316
SHA512 f5944743f54028eb1dd0f2d68468726b177d33185324da0da96cdd20768bab4ca2e507ae9157b2733fd6240c920b7e15a5f5b9f284ee09d0fd385fc895b97191

memory/1768-19-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2344-14-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1964-12-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2344-27-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1768-26-0x0000000000400000-0x000000000041B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 05:55

Reported

2024-06-03 05:57

Platform

win10v2004-20240426-en

Max time kernel

19s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9dcc62f90f83bc0be9dbde16e0d9ef90_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\WINDOWS\MSWDM.EXE N/A
N/A N/A C:\WINDOWS\MSWDM.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9DCC62F90F83BC0BE9DBDE16E0D9EF90_NEIKIANALYTICS.EXE N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" C:\Users\Admin\AppData\Local\Temp\9dcc62f90f83bc0be9dbde16e0d9ef90_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" C:\Users\Admin\AppData\Local\Temp\9dcc62f90f83bc0be9dbde16e0d9ef90_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" C:\WINDOWS\MSWDM.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" C:\WINDOWS\MSWDM.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\WINDOWS\MSWDM.EXE C:\Users\Admin\AppData\Local\Temp\9dcc62f90f83bc0be9dbde16e0d9ef90_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\dev5890.tmp C:\Users\Admin\AppData\Local\Temp\9dcc62f90f83bc0be9dbde16e0d9ef90_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\WINDOWS\MSWDM.EXE N/A
N/A N/A C:\WINDOWS\MSWDM.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9DCC62F90F83BC0BE9DBDE16E0D9EF90_NEIKIANALYTICS.EXE N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\9DCC62F90F83BC0BE9DBDE16E0D9EF90_NEIKIANALYTICS.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9dcc62f90f83bc0be9dbde16e0d9ef90_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9dcc62f90f83bc0be9dbde16e0d9ef90_NeikiAnalytics.exe"

C:\WINDOWS\MSWDM.EXE

"C:\WINDOWS\MSWDM.EXE"

C:\WINDOWS\MSWDM.EXE

-r!C:\Windows\dev5890.tmp!C:\Users\Admin\AppData\Local\Temp\9dcc62f90f83bc0be9dbde16e0d9ef90_NeikiAnalytics.exe! !

C:\Users\Admin\AppData\Local\Temp\9DCC62F90F83BC0BE9DBDE16E0D9EF90_NEIKIANALYTICS.EXE

Network

Country Destination Domain Proto
N/A 10.127.255.255:78 udp
N/A 10.255.255.255:78 udp
N/A 10.127.0.255:78 udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 255.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 255.255.255.10.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/2884-0-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Windows\MSWDM.EXE

MD5 d4f324176e864a4ba6c86ac00ec33851
SHA1 953a5de37833fae53d66912fa86d8adceb3dd74e
SHA256 3c69a2458dc6d1a1d1022efae1146c5541c661eb7e161124eabea1bf4fc8c43b
SHA512 703eec6157d0750d0684f091d14c229a640adc5266a9499a7e7d16963514198ca6ad495954495eac70b76f130a14461742e8149c4f43e7ddd43c9387b56ab399

memory/3544-10-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2884-9-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Windows\dev5890.tmp

MD5 c8f40f25f783a52262bdaedeb5555427
SHA1 e45e198607c8d7398745baa71780e3e7a2f6deca
SHA256 e81b44ee7381ae3b630488b6fb7e3d9ffbdd9ac3032181d4ccaaff3409b57316
SHA512 f5944743f54028eb1dd0f2d68468726b177d33185324da0da96cdd20768bab4ca2e507ae9157b2733fd6240c920b7e15a5f5b9f284ee09d0fd385fc895b97191

memory/3544-15-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2212-16-0x0000000000400000-0x000000000041B000-memory.dmp