Malware Analysis Report

2025-08-10 21:49

Sample ID 240606-zcrpsabf7s
Target 173a6a2c9541cf72653bafe0928c2000_NeikiAnalytics.exe
SHA256 69e08247421ab76a58969c63494783c861046ab39beeeede4c29bcb2be20a69c
Tags
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

69e08247421ab76a58969c63494783c861046ab39beeeede4c29bcb2be20a69c

Threat Level: Likely malicious

The file 173a6a2c9541cf72653bafe0928c2000_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary

Downloads MZ/PE file

Executes dropped EXE

Unsigned PE

Suspicious use of WriteProcessMemory

What the two detonations show: on the Windows 10 image (behavioral2) the sample starts a relay of eleven dropped executables under C:\Users\Admin\AppData\Local\Temp\. Each has a 15-digit numeric name whose tail reads as HHMMSSfff inside the 20:34 to 20:37 detonation window (...203452446 through ...203707055), and each is launched by its predecessor through cmd.exe /c with an incrementing six-hex-digit argument (000001 through 00000b), so every stage is a fresh unsigned binary with its own hash. During the same run the host resolves eleven distinct random-lettered subdomains of mrmpzjjhn3sgtq5w.pro through 8.8.8.8 and opens a TCP connection to each at 193.70.94.19:80, the same count as the dropped stages, consistent with the "Downloads MZ/PE file" verdict. The Windows 7 run (behavioral1) recorded no signatures, network traffic or dropped files, so the chain is only observed on Windows 10, and the per-stage hashes listed under Files are artefacts of one detonation rather than a stable indicator; the relay pattern and the domain/IP pair are the durable ones.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-06 20:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
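The "Unsigned PE" signature means the static scan found no Authenticode certificate table in the sample. The Python below is added here as a worked example and is not part of the sandbox's own tooling: it follows e_lfanew to the optional header, reads data directory entry 4 (the security directory, whose first field is a file offset rather than an RVA) and checks the WIN_CERTIFICATE header. Its inputs are constructed header-only PE images with an assumed minimal layout, not the sample itself.

```python
"""Check a PE image for an Authenticode certificate table (what 'Unsigned PE' means)."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # index of the certificate table data directory
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # wCertificateType for an Authenticode PKCS#7 blob


def security_directory(data: bytes):
    """Return (file_offset, size) of the certificate table, or None when absent."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (size_of_opt,) = struct.unpack_from("<H", data, coff + 16)   # SizeOfOptionalHeader
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:        # PE32: NumberOfRvaAndSizes at 92, directories at 96
        nrva_off, dirs_off = 92, 96
    elif magic == 0x20B:      # PE32+: NumberOfRvaAndSizes at 108, directories at 112
        nrva_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (nrva,) = struct.unpack_from("<I", data, opt + nrva_off)
    entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if nrva <= IMAGE_DIRECTORY_ENTRY_SECURITY or size_of_opt < entry + 8:
        return None
    off, size = struct.unpack_from("<II", data, opt + entry)
    return (off, size) if off and size else None


def has_authenticode_blob(data: bytes) -> bool:
    """True when the certificate table exists, fits inside the file, and is PKCS#7.

    This only proves a signature blob is attached; validity and trust need a real
    verifier (see the note after this block).
    """
    sd = security_directory(data)
    if sd is None:
        return False
    off, size = sd
    if size < 8 or off + size > len(data):
        return False
    length, _revision, cert_type = struct.unpack_from("<IHH", data, off)
    return length <= size and cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA


# --- constructed fixtures: header-only PE images, not real binaries ---------------
def build_minimal_pe(sec_off=0, sec_size=0, pe32plus=True) -> bytes:
    magic, dirs_off = (0x20B, 112) if pe32plus else (0x10B, 96)
    ndirs = 16
    opt = bytearray(dirs_off + 8 * ndirs)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dirs_off - 4, ndirs)                  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, sec_off, sec_size)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, len(opt), 0x22)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                           # e_lfanew
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def signed_fixture() -> bytes:
    """Minimal PE32+ with a WIN_CERTIFICATE header and a placeholder DER payload."""
    payload = b"\x30\x82\x00\x04\x00\x00\x00\x00"  # stand-in for PKCS#7 SignedData
    cert = struct.pack("<IHH", 8 + len(payload), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload
    header_len = 0x40 + 4 + 20 + (112 + 8 * 16)
    return build_minimal_pe(sec_off=header_len, sec_size=len(cert)) + cert


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe()
    print("certificate table:", security_directory(data), "authenticode blob:", has_authenticode_blob(data))
```

Presence of the table is not validity: the blob may be expired, revoked, untrusted or simply not cover the image hash, so confirm with a real verifier such as Get-AuthenticodeSignature in PowerShell or signtool verify /pa. The converse is cheap and useful: a file with no certificate table at all, as here, fails any allow-signed-only execution policy before any chain of trust is consulted.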

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 20:34

Reported

2024-06-06 20:37

Platform

win7-20240419-en

Max time kernel

131s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\173a6a2c9541cf72653bafe0928c2000_NeikiAnalytics.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\173a6a2c9541cf72653bafe0928c2000_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\173a6a2c9541cf72653bafe0928c2000_NeikiAnalytics.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-06 20:34

Reported

2024-06-06 20:37

Platform

win10v2004-20240226-en

Max time kernel

155s

Max time network

163s

Command Line

"C:\Users\Admin\AppData\Local\Temp\173a6a2c9541cf72653bafe0928c2000_NeikiAnalytics.exe"

Signatures

Downloads MZ/PE file

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4888 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\173a6a2c9541cf72653bafe0928c2000_NeikiAnalytics.exe C:\Windows\system32\cmd.exe
PID 4888 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\173a6a2c9541cf72653bafe0928c2000_NeikiAnalytics.exe C:\Windows\system32\cmd.exe
PID 4468 wrote to memory of 1688 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\242606203452446.exe
PID 4468 wrote to memory of 1688 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\242606203452446.exe
PID 1688 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\242606203452446.exe C:\Windows\system32\cmd.exe
PID 1688 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\242606203452446.exe C:\Windows\system32\cmd.exe
PID 2764 wrote to memory of 4520 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\242606203509165.exe
PID 2764 wrote to memory of 4520 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\242606203509165.exe
PID 4520 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\242606203509165.exe C:\Windows\system32\cmd.exe
PID 4520 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\242606203509165.exe C:\Windows\system32\cmd.exe
PID 3980 wrote to memory of 2724 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\242606203519930.exe
PID 3980 wrote to memory of 2724 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\242606203519930.exe
PID 2724 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\242606203519930.exe C:\Windows\system32\cmd.exe
PID 2724 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\242606203519930.exe C:\Windows\system32\cmd.exe
PID 4372 wrote to memory of 3580 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\242606203533524.exe
PID 4372 wrote to memory of 3580 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\242606203533524.exe
PID 3580 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\242606203533524.exe C:\Windows\system32\cmd.exe
PID 3580 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\242606203533524.exe C:\Windows\system32\cmd.exe
PID 4656 wrote to memory of 4308 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\242606203545289.exe
PID 4656 wrote to memory of 4308 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\242606203545289.exe
PID 4308 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\242606203545289.exe C:\Windows\system32\cmd.exe
PID 4308 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\242606203545289.exe C:\Windows\system32\cmd.exe
PID 3120 wrote to memory of 3444 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\242606203557430.exe
PID 3120 wrote to memory of 3444 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\242606203557430.exe
PID 3444 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\242606203557430.exe C:\Windows\system32\cmd.exe
PID 3444 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\242606203557430.exe C:\Windows\system32\cmd.exe
PID 872 wrote to memory of 1424 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\242606203616008.exe
PID 872 wrote to memory of 1424 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\242606203616008.exe
PID 1424 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\242606203616008.exe C:\Windows\system32\cmd.exe
PID 1424 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\242606203616008.exe C:\Windows\system32\cmd.exe
PID 912 wrote to memory of 1040 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\242606203629946.exe
PID 912 wrote to memory of 1040 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\242606203629946.exe
PID 1040 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\242606203629946.exe C:\Windows\system32\cmd.exe
PID 1040 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\242606203629946.exe C:\Windows\system32\cmd.exe
PID 4612 wrote to memory of 3792 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\242606203641227.exe
PID 4612 wrote to memory of 3792 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\242606203641227.exe
PID 3792 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\242606203641227.exe C:\Windows\system32\cmd.exe
PID 3792 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\242606203641227.exe C:\Windows\system32\cmd.exe
PID 1260 wrote to memory of 4016 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\242606203652258.exe
PID 1260 wrote to memory of 4016 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\242606203652258.exe
PID 4016 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\242606203652258.exe C:\Windows\system32\cmd.exe
PID 4016 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\242606203652258.exe C:\Windows\system32\cmd.exe
PID 2980 wrote to memory of 2120 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\242606203707055.exe
PID 2980 wrote to memory of 2120 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\242606203707055.exe

Processes

C:\Users\Admin\AppData\Local\Temp\173a6a2c9541cf72653bafe0928c2000_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\173a6a2c9541cf72653bafe0928c2000_NeikiAnalytics.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203452446.exe 000001

C:\Users\Admin\AppData\Local\Temp\242606203452446.exe

C:\Users\Admin\AppData\Local\Temp\242606203452446.exe 000001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203509165.exe 000002

C:\Users\Admin\AppData\Local\Temp\242606203509165.exe

C:\Users\Admin\AppData\Local\Temp\242606203509165.exe 000002

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3996 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8

(This Edge utility process appears in the process list, but no "wrote to memory" row above names it as a child of the sample or of any dropped stage; treat it as background activity of the Windows 10 image rather than behaviour of the sample.)

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203519930.exe 000003

C:\Users\Admin\AppData\Local\Temp\242606203519930.exe

C:\Users\Admin\AppData\Local\Temp\242606203519930.exe 000003

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203533524.exe 000004

C:\Users\Admin\AppData\Local\Temp\242606203533524.exe

C:\Users\Admin\AppData\Local\Temp\242606203533524.exe 000004

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203545289.exe 000005

C:\Users\Admin\AppData\Local\Temp\242606203545289.exe

C:\Users\Admin\AppData\Local\Temp\242606203545289.exe 000005

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203557430.exe 000006

C:\Users\Admin\AppData\Local\Temp\242606203557430.exe

C:\Users\Admin\AppData\Local\Temp\242606203557430.exe 000006

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203616008.exe 000007

C:\Users\Admin\AppData\Local\Temp\242606203616008.exe

C:\Users\Admin\AppData\Local\Temp\242606203616008.exe 000007

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203629946.exe 000008

C:\Users\Admin\AppData\Local\Temp\242606203629946.exe

C:\Users\Admin\AppData\Local\Temp\242606203629946.exe 000008

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203641227.exe 000009

C:\Users\Admin\AppData\Local\Temp\242606203641227.exe

C:\Users\Admin\AppData\Local\Temp\242606203641227.exe 000009

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203652258.exe 00000a

C:\Users\Admin\AppData\Local\Temp\242606203652258.exe

C:\Users\Admin\AppData\Local\Temp\242606203652258.exe 00000a

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203707055.exe 00000b

C:\Users\Admin\AppData\Local\Temp\242606203707055.exe

C:\Users\Admin\AppData\Local\Temp\242606203707055.exe 00000b
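Reading the "wrote to memory" rows together with the command lines above gives one relay: the sample runs cmd.exe /c <Temp>\<number>.exe 000001, that stage runs the next through cmd.exe with 000002, and so on through 00000b. The Python below is an added example, not sandbox output. It replays the page's PIDs and command lines as process-creation events (plus one hypothetical msedge.exe row with assumed PIDs as noise) and reconstructs the chain the way a detection job over Sysmon event 1 or equivalent process-creation logs would.

```python
"""Rebuild the cmd.exe /c relay chain from behavioral2 out of process-creation events."""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\173a6a2c9541cf72653bafe0928c2000_NeikiAnalytics.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
CMD = r"C:\Windows\system32\cmd.exe"

# Hop PIDs in order (sample, then alternating cmd.exe / dropped stage), taken
# from the "wrote to memory" rows of the report.
CHAIN_PIDS = [4888, 4468, 1688, 2764, 4520, 3980, 2724, 4372, 3580, 4656, 4308,
              3120, 3444, 872, 1424, 912, 1040, 4612, 3792, 1260, 4016, 2980, 2120]
DROPPED = ["242606203452446", "242606203509165", "242606203519930",
           "242606203533524", "242606203545289", "242606203557430",
           "242606203616008", "242606203629946", "242606203641227",
           "242606203652258", "242606203707055"]

# A stage command line: optional "cmd.exe /c " wrapper, a Temp executable with a
# purely numeric name, and a six-hex-digit argument.
STAGE_RE = re.compile(
    r"^(?P<via_cmd>" + re.escape(CMD + " /c ") + r")?"
    r"(?P<path>" + re.escape(TEMP + "\\") + r"(?P<name>\d+)\.exe) (?P<counter>[0-9a-f]{6})$",
    re.IGNORECASE,
)


def report_events():
    """Expand the report's process tree into (pid, ppid, command line) rows."""
    events = [(CHAIN_PIDS[0], 0, f'"{SAMPLE}"')]
    for i, name in enumerate(DROPPED):
        stage = f"{TEMP}\\{name}.exe {i + 1:06x}"
        cmd_pid, exe_pid = CHAIN_PIDS[1 + 2 * i], CHAIN_PIDS[2 + 2 * i]
        events.append((cmd_pid, CHAIN_PIDS[2 * i], f"{CMD} /c {stage}"))
        events.append((exe_pid, cmd_pid, stage))
    # Hypothetical noise row (PIDs assumed): the Edge utility process in the list
    # has no "wrote to memory" parent, so it must not be pulled into the chain.
    events.append((5000, 4000, r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility'))
    return events


def relay_chain(events, root_pid):
    """Walk single-child links down from root_pid and collect the dropped stages.

    Each hop is (pid, numeric name, counter). A cmd.exe /c wrapper is stepped
    through; any command line that does not fit the stage pattern, or any fork
    into several children, ends the walk.
    """
    children, cmdline = defaultdict(list), {}
    for pid, ppid, cl in events:
        children[ppid].append(pid)
        cmdline[pid] = cl
    hops, pid = [], root_pid
    while len(children[pid]) == 1:
        pid = children[pid][0]
        m = STAGE_RE.match(cmdline[pid])
        if not m:
            break
        if m.group("via_cmd"):
            continue                      # the real stage is this wrapper's child
        hops.append((pid, m.group("name"), int(m.group("counter"), 16)))
    return hops


def summarize(events, root_pid):
    """Chain depth, stage names and whether the hex counters run 1..n in order."""
    hops = relay_chain(events, root_pid)
    counters = [c for _, _, c in hops]
    return {
        "depth": len(hops),
        "stages": [n for _, n, _ in hops],
        "counters": counters,
        "sequential": counters == list(range(1, len(counters) + 1)),
    }


if __name__ == "__main__":
    print(summarize(report_events(), 4888))
```

The relay pattern itself (a Temp executable with a purely numeric name, launched by cmd.exe /c with a six-hex-digit argument, which in turn spawns another cmd.exe) is a tighter hunt than any of the file hashes, since every stage in this run carries a different hash.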

Network

Rows are DNS lookups sent to 8.8.8.8 (udp) and the connections that followed (tcp). The in-addr.arpa rows are reverse (PTR) lookups: 19.94.70.193.in-addr.arpa is the PTR name for 193.70.94.19, and the others name addresses that never appear as destinations here. Every tcp row goes to 193.70.94.19:80 under a different randomly-lettered subdomain of mrmpzjjhn3sgtq5w.pro.

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 hswl.ywkq.v5.mrmpzjjhn3sgtq5w.pro udp
PL 193.70.94.19:80 hswl.ywkq.v5.mrmpzjjhn3sgtq5w.pro tcp
US 8.8.8.8:53 19.94.70.193.in-addr.arpa udp
US 8.8.8.8:53 cesf.fqqw.v5.mrmpzjjhn3sgtq5w.pro udp
PL 193.70.94.19:80 cesf.fqqw.v5.mrmpzjjhn3sgtq5w.pro tcp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 lyvv.vtgl.v5.mrmpzjjhn3sgtq5w.pro udp
PL 193.70.94.19:80 lyvv.vtgl.v5.mrmpzjjhn3sgtq5w.pro tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 njwx.tsar.v5.mrmpzjjhn3sgtq5w.pro udp
PL 193.70.94.19:80 njwx.tsar.v5.mrmpzjjhn3sgtq5w.pro tcp
US 8.8.8.8:53 rqvg.ycge.v5.mrmpzjjhn3sgtq5w.pro udp
PL 193.70.94.19:80 rqvg.ycge.v5.mrmpzjjhn3sgtq5w.pro tcp
US 8.8.8.8:53 147.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 pjbm.tegk.v5.mrmpzjjhn3sgtq5w.pro udp
PL 193.70.94.19:80 pjbm.tegk.v5.mrmpzjjhn3sgtq5w.pro tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 jhrg.ctvz.v5.mrmpzjjhn3sgtq5w.pro udp
PL 193.70.94.19:80 jhrg.ctvz.v5.mrmpzjjhn3sgtq5w.pro tcp
US 8.8.8.8:53 lixn.mesk.v5.mrmpzjjhn3sgtq5w.pro udp
PL 193.70.94.19:80 lixn.mesk.v5.mrmpzjjhn3sgtq5w.pro tcp
US 8.8.8.8:53 ubwj.veow.v5.mrmpzjjhn3sgtq5w.pro udp
PL 193.70.94.19:80 ubwj.veow.v5.mrmpzjjhn3sgtq5w.pro tcp
US 8.8.8.8:53 hamj.dxpu.v5.mrmpzjjhn3sgtq5w.pro udp
PL 193.70.94.19:80 hamj.dxpu.v5.mrmpzjjhn3sgtq5w.pro tcp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 srba.yzfu.v5.mrmpzjjhn3sgtq5w.pro udp
PL 193.70.94.19:80 srba.yzfu.v5.mrmpzjjhn3sgtq5w.pro tcp
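Eleven distinct four-letter-label subdomains of one domain, all resolved through 8.8.8.8 and all connected at the same IP and port, is the shape a DNS-log detection can key on without knowing the domain in advance. The Python below is an added example, not part of the sandbox report: it parses a subset of the rows above (embedded inline, plus one constructed www.example.com lookup for contrast), groups hostnames by registered domain and flags a domain when many distinct hosts share one rigid label shape and one destination. The four-letter label heuristic is tuned to this sample and is an assumption.

```python
"""Profile the DNS/HTTP rows from behavioral2 for throwaway-subdomain download traffic."""
import re
from collections import defaultdict

# Subset of the Network table rows, plus one constructed benign lookup (www.example.com).
# Columns: Country Destination Domain Proto.
NETWORK_ROWS = """
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 hswl.ywkq.v5.mrmpzjjhn3sgtq5w.pro udp
PL 193.70.94.19:80 hswl.ywkq.v5.mrmpzjjhn3sgtq5w.pro tcp
US 8.8.8.8:53 19.94.70.193.in-addr.arpa udp
US 8.8.8.8:53 cesf.fqqw.v5.mrmpzjjhn3sgtq5w.pro udp
PL 193.70.94.19:80 cesf.fqqw.v5.mrmpzjjhn3sgtq5w.pro tcp
US 8.8.8.8:53 lyvv.vtgl.v5.mrmpzjjhn3sgtq5w.pro udp
PL 193.70.94.19:80 lyvv.vtgl.v5.mrmpzjjhn3sgtq5w.pro tcp
US 8.8.8.8:53 njwx.tsar.v5.mrmpzjjhn3sgtq5w.pro udp
PL 193.70.94.19:80 njwx.tsar.v5.mrmpzjjhn3sgtq5w.pro tcp
US 8.8.8.8:53 rqvg.ycge.v5.mrmpzjjhn3sgtq5w.pro udp
PL 193.70.94.19:80 rqvg.ycge.v5.mrmpzjjhn3sgtq5w.pro tcp
US 8.8.8.8:53 srba.yzfu.v5.mrmpzjjhn3sgtq5w.pro udp
PL 193.70.94.19:80 srba.yzfu.v5.mrmpzjjhn3sgtq5w.pro tcp
US 8.8.8.8:53 www.example.com udp
"""

ROW_RE = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<dst>[\d.]+):(?P<port>\d+) (?P<host>\S+) (?P<proto>tcp|udp)$")
RANDOM_LABEL = re.compile(r"^[a-z]{4}$")   # assumption: this sample's throwaway labels


def parse_rows(text):
    """Parse 'CC ip:port host proto' rows; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({**m.groupdict(), "port": int(m.group("port"))})
    return rows


def registered_domain(host):
    """Last two labels. Adequate for .pro here; use the Public Suffix List in production."""
    return ".".join(host.split(".")[-2:])


def profile(rows, min_hosts=5):
    """Per registered domain: distinct hostnames, TCP destinations and a suspicion flag.

    The flag is set when at least min_hosts distinct hosts share a single label-length
    shape, carry mostly random-looking labels, and all connect to one ip:port.
    """
    agg = defaultdict(lambda: {"hosts": set(), "dests": set(), "shapes": set(), "random": 0})
    for r in rows:
        host = r["host"]
        if host.endswith(".in-addr.arpa"):
            continue   # PTR lookups: a query about an address, not a connection to it
        a = agg[registered_domain(host)]
        if host not in a["hosts"]:
            a["hosts"].add(host)
            labels = host.split(".")[:-2]
            a["shapes"].add(tuple(len(l) for l in labels))
            a["random"] += sum(1 for l in labels if RANDOM_LABEL.match(l))
        if r["proto"] == "tcp":
            a["dests"].add(f"{r['dst']}:{r['port']}")
    findings = {}
    for dom, a in agg.items():
        n = len(a["hosts"])
        findings[dom] = {
            "distinct_hosts": n,
            "dests": sorted(a["dests"]),
            "suspicious": (n >= min_hosts and len(a["shapes"]) == 1
                           and len(a["dests"]) == 1 and a["random"] >= 2 * n),
        }
    return findings


def iocs(findings):
    """Block list: each flagged registered domain and every TCP endpoint it used."""
    out = set()
    for dom, f in findings.items():
        if f["suspicious"]:
            out.add(dom)
            out.update(f["dests"])
    return sorted(out)


if __name__ == "__main__":
    f = profile(parse_rows(NETWORK_ROWS))
    for dom, info in f.items():
        print(dom, info)
    print("IOCs:", iocs(f))
```

Blocking the registered domain and the IP:port pair is the durable response; individual hostnames were used once each and are unlikely to recur.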

Files

C:\Users\Admin\AppData\Local\Temp\242606203452446.exe

MD5 5cc3c38bc39e074585094ae51d42ae8a
SHA1 2d4d6f82a6af720dfd20662467c84baca9e39fc9
SHA256 1d109b9ff455f169a2c34792000023d0f5af1ee7c5da2ffc4f6d07fd83bf4ea1
SHA512 76b6ac6ca9de4cd5085affac2342f1e6d930098143c20d451a47f3cdf02366a81b3b6e92d91e049b552b0c3a4766c965d9ca62367f0cd61a9da79f42f45b8359

C:\Users\Admin\AppData\Local\Temp\242606203509165.exe

MD5 150c6b2b1120d3a52e450e8c2778b158
SHA1 af5c9cdd0f585ace8755c049b37cb9060aa9aa57
SHA256 450b9c768bed28fed87aba49b6d2d355ae758e17af61901adb4a47c5c2549254
SHA512 7c31fec64018348932f10f4eabfd73149cfe97ebb1883f7404862ce8c18f4d2da82e509e7ece2186697acc185d463eea9e41d707295b443eec32eba06e556efd

C:\Users\Admin\AppData\Local\Temp\242606203519930.exe

MD5 59dbc86fbf1b220a5449403947e16397
SHA1 8cdbd1feefb0ccff759139bb225cff73a0be0c69
SHA256 30582a36a49b196f8f6007fa71901d183f7f968d561c7fc3ca88f0e3904fafc7
SHA512 95b2ccf9c311e2ca3e37caa3a86673e63e74c68bfac90e4261da57227fc8eb36745fd459013a8cb4dfe7b998c06fd4116f53776506f6a99ff0bfdd53516e0d58

C:\Users\Admin\AppData\Local\Temp\242606203533524.exe

MD5 2085802bf8d0b85df86c2386271a6ed5
SHA1 a216407e260c069e27bb182dd6caa5801efe490c
SHA256 bf83e79568a8d34289c796858c0cd2bcca838f7f71e841a6862deeb258ff4ef5
SHA512 7a46c05670bf814a020607f3ee55c36f445905b6c59e2a5ff726d0ba746fa0e7c8747200ad999ce764f49e6d130a0cbd53b235ae66816a95df1b0a0c08d7e4a6

C:\Users\Admin\AppData\Local\Temp\242606203545289.exe

MD5 cb964412424d7d0befac1b370f31f417
SHA1 a2c62671871b1b01843bf09d25d41acfcd2ed380
SHA256 798b31b735e1d09d4f6940f5a22c20842d3d57225b7f5dff9575b144299995fe
SHA512 f18d597dad944c79f9dd73d7bb18ecc3b476776e6b36b573601fb759c46630fce208e40994f5301d6b4837c63bdfb4ffd4ccf615d3cb05aeb2052719532e652c

C:\Users\Admin\AppData\Local\Temp\242606203557430.exe

MD5 14b02fbc4c564c342df2d358a3453569
SHA1 5b36d8a983dcacfe3f24bf8c9a03fbd4a70401a0
SHA256 442ec87b0e8299aa94d5e455a816652d87a880dde2944057ff69d755b1dc504a
SHA512 482c236b5b61bd44e8517480f994aea764bb2f12e53254d496798b61649865ea2acee8349315795478e9987de1a5674aaafd38c73ef1ecd37f3f347a9dff7390

C:\Users\Admin\AppData\Local\Temp\242606203616008.exe

MD5 8eb1b22528d943b8b08abeedb5be6633
SHA1 16d2a92e3746e6c73a148d01ebf24c34b3333234
SHA256 3d0475f6cc6e4ee292c484b60c00bd85be3ba338f75b929645a9d6920308bf0c
SHA512 3173a93ba527798d95cba94b092697cde2285702c3df595377460bd7bfd043e8de30fcb7b0b33cb9ac42e0d233d78b7d220172be502d4c14e26f5d47a2f8b09e

C:\Users\Admin\AppData\Local\Temp\242606203629946.exe

MD5 82fc37db6e9728be89f708ca837a508f
SHA1 8a23fa9c53fe616ea07695f229d396495743a981
SHA256 9eb3b49151cb039d4897132ac7e15f203653acad5f06bb2c7c9dffac19a80daa
SHA512 24e6ea1399f8898a7190e8669e745eb451ea2ef3ee40d93dd26c961b764f0dbf3466f14bbf5ad4874a6f254220cee3847da8a1b7a0105e31ecdba03ef84bc635

C:\Users\Admin\AppData\Local\Temp\242606203641227.exe

MD5 feecb3de0c5a07e4dda59a150000d48a
SHA1 c0d2d3c4437d8057a10e8e52868abc3ba66da39e
SHA256 9b7a49494bd2cb6207ef9310600745358223e237aaff2f1990aa9b21cb40d1c6
SHA512 b10f31648e336a351a3cb0801e34f81bd015e778fb263a71fbdfd7de73563d69f24d31806b3e323a70c6eebe6935e9783da6943cd02dd18cf26d9571ff8b9c3b

C:\Users\Admin\AppData\Local\Temp\242606203652258.exe

MD5 699734ad4c389af02bdd7c1208116a69
SHA1 798f228b03b2628891e33b7d28665ef583289b95
SHA256 eb635420accdcca2c95262e60fcb98b3d3e57de8e551151e293abf9d9164cd4d
SHA512 34914e3dbed739c31c4016eaa8d78be0da0c3ecb0bfd937b2172b8f0f635256fda1d424a5cb23ab5d253c7aa86204b9f04b64b091e5f2be8437767a434eff9ab

C:\Users\Admin\AppData\Local\Temp\242606203707055.exe

MD5 8dbb1498cb0cd7eadbcf0665fd246a5c
SHA1 42c7491035fd1af1aec68cc0326cfacd31e26113
SHA256 0df236f0527684758b44745f0361d94beadcf2d56c353ca65979d2a1c2436c37
SHA512 744e68f4a91db84751244352fbb7ea42c6cb5b0ccb35703470a78039f99bed6802197dd110f3812116f6b38b5ea428b871315a9f45f9ca33dba5cf1004aea321