Malware Analysis Report

2025-08-10 21:49

Sample ID 240606-zddvbabf8s
Target 37117d2d5f95c210b3ffb9c16cc93ce0_NeikiAnalytics.exe
SHA256 61acb95b77f53ad74c16ea0bcb40a1e2e0605198901ac798e8bb905a09138353
Tags
score
8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
8/10

SHA256

61acb95b77f53ad74c16ea0bcb40a1e2e0605198901ac798e8bb905a09138353

Threat Level: Likely malicious

The file 37117d2d5f95c210b3ffb9c16cc93ce0_NeikiAnalytics.exe was found to be: Likely malicious.

Malicious Activity Summary


Downloads MZ/PE file

Executes dropped EXE

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-06 20:35

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 20:35

Reported

2024-06-06 20:38

Platform

win7-20240419-en

Max time kernel

132s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\37117d2d5f95c210b3ffb9c16cc93ce0_NeikiAnalytics.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\37117d2d5f95c210b3ffb9c16cc93ce0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\37117d2d5f95c210b3ffb9c16cc93ce0_NeikiAnalytics.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-06 20:35

Reported

2024-06-06 20:38

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\37117d2d5f95c210b3ffb9c16cc93ce0_NeikiAnalytics.exe"

Signatures

Downloads MZ/PE file

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4996 wrote to memory of 4672 | N/A | C:\Users\Admin\AppData\Local\Temp\37117d2d5f95c210b3ffb9c16cc93ce0_NeikiAnalytics.exe | C:\Windows\system32\cmd.exe
PID 4996 wrote to memory of 4672 | N/A | C:\Users\Admin\AppData\Local\Temp\37117d2d5f95c210b3ffb9c16cc93ce0_NeikiAnalytics.exe | C:\Windows\system32\cmd.exe
PID 4672 wrote to memory of 2568 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\240606203549332.exe
PID 4672 wrote to memory of 2568 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\240606203549332.exe
PID 2568 wrote to memory of 1428 | N/A | C:\Users\Admin\AppData\Local\Temp\240606203549332.exe | C:\Windows\system32\cmd.exe
PID 2568 wrote to memory of 1428 | N/A | C:\Users\Admin\AppData\Local\Temp\240606203549332.exe | C:\Windows\system32\cmd.exe
PID 1428 wrote to memory of 3504 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\242606203603050.exe
PID 1428 wrote to memory of 3504 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\242606203603050.exe
PID 3504 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\242606203603050.exe | C:\Windows\system32\cmd.exe
PID 3504 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\242606203603050.exe | C:\Windows\system32\cmd.exe
PID 2920 wrote to memory of 4060 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\242606203616300.exe
PID 2920 wrote to memory of 4060 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\242606203616300.exe
PID 4060 wrote to memory of 1464 | N/A | C:\Users\Admin\AppData\Local\Temp\242606203616300.exe | C:\Windows\system32\cmd.exe
PID 4060 wrote to memory of 1464 | N/A | C:\Users\Admin\AppData\Local\Temp\242606203616300.exe | C:\Windows\system32\cmd.exe
PID 1464 wrote to memory of 2264 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\242606203628253.exe
PID 1464 wrote to memory of 2264 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\242606203628253.exe
PID 2264 wrote to memory of 3340 | N/A | C:\Users\Admin\AppData\Local\Temp\242606203628253.exe | C:\Windows\system32\cmd.exe
PID 2264 wrote to memory of 3340 | N/A | C:\Users\Admin\AppData\Local\Temp\242606203628253.exe | C:\Windows\system32\cmd.exe
PID 3340 wrote to memory of 1060 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\242606203639503.exe
PID 3340 wrote to memory of 1060 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\242606203639503.exe
PID 1060 wrote to memory of 3224 | N/A | C:\Users\Admin\AppData\Local\Temp\242606203639503.exe | C:\Windows\system32\cmd.exe
PID 1060 wrote to memory of 3224 | N/A | C:\Users\Admin\AppData\Local\Temp\242606203639503.exe | C:\Windows\system32\cmd.exe
PID 3224 wrote to memory of 3084 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\242606203654003.exe
PID 3224 wrote to memory of 3084 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\242606203654003.exe
PID 3084 wrote to memory of 2960 | N/A | C:\Users\Admin\AppData\Local\Temp\242606203654003.exe | C:\Windows\system32\cmd.exe
PID 3084 wrote to memory of 2960 | N/A | C:\Users\Admin\AppData\Local\Temp\242606203654003.exe | C:\Windows\system32\cmd.exe
PID 2960 wrote to memory of 1584 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\242606203706019.exe
PID 2960 wrote to memory of 1584 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\242606203706019.exe
PID 1584 wrote to memory of 3748 | N/A | C:\Users\Admin\AppData\Local\Temp\242606203706019.exe | C:\Windows\system32\cmd.exe
PID 1584 wrote to memory of 3748 | N/A | C:\Users\Admin\AppData\Local\Temp\242606203706019.exe | C:\Windows\system32\cmd.exe
PID 3748 wrote to memory of 4644 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\242606203716785.exe
PID 3748 wrote to memory of 4644 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\242606203716785.exe
PID 4644 wrote to memory of 3972 | N/A | C:\Users\Admin\AppData\Local\Temp\242606203716785.exe | C:\Windows\system32\cmd.exe
PID 4644 wrote to memory of 3972 | N/A | C:\Users\Admin\AppData\Local\Temp\242606203716785.exe | C:\Windows\system32\cmd.exe
PID 3972 wrote to memory of 1424 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\242606203726253.exe
PID 3972 wrote to memory of 1424 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\242606203726253.exe
PID 1424 wrote to memory of 5092 | N/A | C:\Users\Admin\AppData\Local\Temp\242606203726253.exe | C:\Windows\system32\cmd.exe
PID 1424 wrote to memory of 5092 | N/A | C:\Users\Admin\AppData\Local\Temp\242606203726253.exe | C:\Windows\system32\cmd.exe
PID 5092 wrote to memory of 3288 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\242606203738175.exe
PID 5092 wrote to memory of 3288 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\242606203738175.exe
PID 3288 wrote to memory of 3596 | N/A | C:\Users\Admin\AppData\Local\Temp\242606203738175.exe | C:\Windows\system32\cmd.exe
PID 3288 wrote to memory of 3596 | N/A | C:\Users\Admin\AppData\Local\Temp\242606203738175.exe | C:\Windows\system32\cmd.exe
PID 3596 wrote to memory of 3768 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\242606203749738.exe
PID 3596 wrote to memory of 3768 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\242606203749738.exe
PID 3768 wrote to memory of 3952 | N/A | C:\Users\Admin\AppData\Local\Temp\242606203749738.exe | C:\Windows\system32\cmd.exe
PID 3768 wrote to memory of 3952 | N/A | C:\Users\Admin\AppData\Local\Temp\242606203749738.exe | C:\Windows\system32\cmd.exe
PID 3952 wrote to memory of 4232 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\242606203800050.exe
PID 3952 wrote to memory of 4232 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\242606203800050.exe

Processes

C:\Users\Admin\AppData\Local\Temp\37117d2d5f95c210b3ffb9c16cc93ce0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\37117d2d5f95c210b3ffb9c16cc93ce0_NeikiAnalytics.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\240606203549332.exe 000001

C:\Users\Admin\AppData\Local\Temp\240606203549332.exe

C:\Users\Admin\AppData\Local\Temp\240606203549332.exe 000001

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203603050.exe 000002

C:\Users\Admin\AppData\Local\Temp\242606203603050.exe

C:\Users\Admin\AppData\Local\Temp\242606203603050.exe 000002

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203616300.exe 000003

C:\Users\Admin\AppData\Local\Temp\242606203616300.exe

C:\Users\Admin\AppData\Local\Temp\242606203616300.exe 000003

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203628253.exe 000004

C:\Users\Admin\AppData\Local\Temp\242606203628253.exe

C:\Users\Admin\AppData\Local\Temp\242606203628253.exe 000004

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203639503.exe 000005

C:\Users\Admin\AppData\Local\Temp\242606203639503.exe

C:\Users\Admin\AppData\Local\Temp\242606203639503.exe 000005

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203654003.exe 000006

C:\Users\Admin\AppData\Local\Temp\242606203654003.exe

C:\Users\Admin\AppData\Local\Temp\242606203654003.exe 000006

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203706019.exe 000007

C:\Users\Admin\AppData\Local\Temp\242606203706019.exe

C:\Users\Admin\AppData\Local\Temp\242606203706019.exe 000007

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203716785.exe 000008

C:\Users\Admin\AppData\Local\Temp\242606203716785.exe

C:\Users\Admin\AppData\Local\Temp\242606203716785.exe 000008

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203726253.exe 000009

C:\Users\Admin\AppData\Local\Temp\242606203726253.exe

C:\Users\Admin\AppData\Local\Temp\242606203726253.exe 000009

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203738175.exe 00000a

C:\Users\Admin\AppData\Local\Temp\242606203738175.exe

C:\Users\Admin\AppData\Local\Temp\242606203738175.exe 00000a

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203749738.exe 00000b

C:\Users\Admin\AppData\Local\Temp\242606203749738.exe

C:\Users\Admin\AppData\Local\Temp\242606203749738.exe 00000b

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203800050.exe 00000c

C:\Users\Admin\AppData\Local\Temp\242606203800050.exe

C:\Users\Admin\AppData\Local\Temp\242606203800050.exe 00000c

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 147.211.222.173.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | icbl.zisi.v5.mrmpzjjhn3sgtq5w.pro | udp
PL | 193.70.94.19:80 | icbl.zisi.v5.mrmpzjjhn3sgtq5w.pro | tcp
US | 8.8.8.8:53 | 19.94.70.193.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | eazs.iyrw.v5.mrmpzjjhn3sgtq5w.pro | udp
PL | 193.70.94.19:80 | eazs.iyrw.v5.mrmpzjjhn3sgtq5w.pro | tcp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | xqrg.jxof.v5.mrmpzjjhn3sgtq5w.pro | udp
PL | 193.70.94.19:80 | xqrg.jxof.v5.mrmpzjjhn3sgtq5w.pro | tcp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tdqv.tdkc.v5.mrmpzjjhn3sgtq5w.pro | udp
PL | 193.70.94.19:80 | tdqv.tdkc.v5.mrmpzjjhn3sgtq5w.pro | tcp
US | 8.8.8.8:53 | easo.wgcj.v5.mrmpzjjhn3sgtq5w.pro | udp
PL | 193.70.94.19:80 | easo.wgcj.v5.mrmpzjjhn3sgtq5w.pro | tcp
US | 8.8.8.8:53 | 129.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | ikly.fcax.v5.mrmpzjjhn3sgtq5w.pro | udp
PL | 193.70.94.19:80 | ikly.fcax.v5.mrmpzjjhn3sgtq5w.pro | tcp
US | 8.8.8.8:53 | xvgj.lvin.v5.mrmpzjjhn3sgtq5w.pro | udp
PL | 193.70.94.19:80 | xvgj.lvin.v5.mrmpzjjhn3sgtq5w.pro | tcp
US | 8.8.8.8:53 | mven.cypg.v5.mrmpzjjhn3sgtq5w.pro | udp
PL | 193.70.94.19:80 | mven.cypg.v5.mrmpzjjhn3sgtq5w.pro | tcp
US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | reew.qymi.v5.mrmpzjjhn3sgtq5w.pro | udp
PL | 193.70.94.19:80 | reew.qymi.v5.mrmpzjjhn3sgtq5w.pro | tcp
US | 8.8.8.8:53 | mfmm.qynz.v5.mrmpzjjhn3sgtq5w.pro | udp
PL | 193.70.94.19:80 | mfmm.qynz.v5.mrmpzjjhn3sgtq5w.pro | tcp
US | 8.8.8.8:53 | ygag.qyyk.v5.mrmpzjjhn3sgtq5w.pro | udp
PL | 193.70.94.19:80 | ygag.qyyk.v5.mrmpzjjhn3sgtq5w.pro | tcp
US | 8.8.8.8:53 | chtk.cwgt.v5.mrmpzjjhn3sgtq5w.pro | udp
PL | 193.70.94.19:80 | chtk.cwgt.v5.mrmpzjjhn3sgtq5w.pro | tcp
US | 8.8.8.8:53 | sbtk.pqsh.v5.mrmpzjjhn3sgtq5w.pro | udp
PL | 193.70.94.19:80 | sbtk.pqsh.v5.mrmpzjjhn3sgtq5w.pro | tcp
US | 8.8.8.8:53 | 3.17.178.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\240606203549332.exe

MD5 d0d6880502bbead351a87173675f31cf
SHA1 f02291544d27320015f247b83e4552f331b691ba
SHA256 ce29edcd61c8a701005bb11947708e5a99600e134ffb3e38ea8a2311217e71b5
SHA512 92f09ee8fa5e367f3fbf5a50ca3ac4f527c1de3993649b721302eb305ca431b79cf4713c3e55105bd6bbcde1a03094db7c70c1d85f4ba1eb4bcb5f9d0b97cd0f

C:\Users\Admin\AppData\Local\Temp\242606203603050.exe

MD5 0a3a66d8ef2c9c35b3519e3d549004e5
SHA1 da2321bfbbae463b87d3627bc181645a1ff1b387
SHA256 d40b7ed908b8e8cab67f252619a419451b803429af67701cd320327f6ca46671
SHA512 e01b008db00c136e265f4a08fb2440bef58242ea701a72370d7db4df8e3b4548480d851e31cfb4a6f0c3886d4576a9734e4d80cca4d77442b48e0c9dbd8571e6

C:\Users\Admin\AppData\Local\Temp\242606203616300.exe

MD5 6505c4bc05054c493fac20f93a3f0f52
SHA1 cd9de89f77cb12b3b2a8488601b07ee18b15ca0d
SHA256 df42bdd50be84a6bc8973b606742cdf0a09fb86f24ea7e04c82f10b26b547b29
SHA512 e482ddcbbd187761d31750605ad184f92438601aea30c35e0fabed01a68b40bc710b18a50e999a15ab33355ff214b47b99b893635742c175b9f30b5a908d6381

C:\Users\Admin\AppData\Local\Temp\242606203628253.exe

MD5 2549561906a641061306e78b63d2d983
SHA1 c26bc557d91f4fd6fdce46e93f2ba7003c0dc3d5
SHA256 a3103bd409ae6e3c0180f582777753f6d05b91577316e546141bda02cb50faff
SHA512 edf56bf4c9cab93d20dfeae518b39f7a7ae107b61179fc74581758a3bfea4f209e81ad572ef53dd8c656b894109f33637a24719ceb9b1e6265e1ac20f7f8efa6

C:\Users\Admin\AppData\Local\Temp\242606203639503.exe

MD5 1ace3fc93e32cb03229794e61d87d957
SHA1 444084812f62b2f19dea44ff780f3bd4303752b7
SHA256 14499598d5b6db4d58b11a9a374cf421961986a8f510cc6a667df02dee266edb
SHA512 5482483ce8500e85d24c221be665916a7fb890da528c8ab76a80902f48db10bfe4a45503006840675da4a653da726cc5e148f5838effcc75a3a305a4de2ebfd0

C:\Users\Admin\AppData\Local\Temp\242606203654003.exe

MD5 caa9f6b2ff2839a4fc7c6f320138497e
SHA1 64770bd53e3919fa028f813ed010277ddc4b4aa2
SHA256 4ae6c3a6eecdb53f5eb27f1d3ee0c9d4d62124139201a406cb4938ae3551e2ad
SHA512 2068ee449b9f29a8e64448eccd4393fa681785992387e03080b8ab2edc5fddf93a410cc9d518c7a4a26bece729eaf851b40fe9f0f75d11e06c829e1bee783283

C:\Users\Admin\AppData\Local\Temp\242606203706019.exe

MD5 6d5371a8b8c8c91e8d9ca5c67aa79a60
SHA1 91cfa80d93877823c919a76075d4127c787fb7de
SHA256 5f17e4c05642a6aacb1ae4b1525c3997113985406e675511e436be890b295891
SHA512 9488c5c90b783ce3b73ddb90a8c267bfce0723e2c6aadb31c10a7e4f41c5f9c899ca71343b16daf50162cb75fc5593df41d1efaf75899b63761385285f9a0562

C:\Users\Admin\AppData\Local\Temp\242606203716785.exe

MD5 a6c44b70a42fb11b35c7b0dca7a29be0
SHA1 9a3cddd4978dbbb5ffa2447c38c7eeae11fbfc53
SHA256 988896b27b47f9293676e309eb65ee0f7db4b9b2805a07e56d47e62b79b41866
SHA512 2d195dba9e9a9b51a23f58f28f943e6f5ad710a9d3c6802f298cc893127c3b501954e0b2a2a6ec42a23c4fb36debc421a804f39b8835e63245829d059eb18dae

C:\Users\Admin\AppData\Local\Temp\242606203726253.exe

MD5 74253133447a54e69353cbe68733de08
SHA1 c496e144f0b8e01c503a4b9e06fbeafa32078213
SHA256 737aeebfda2e705abf51345eba946ca697d317e410b0ef5480f3c0f82698ebd9
SHA512 cfc090a542400c2a0b049737c52047871ff220a2bce8ccd9555e358b5d9bbad480942ce1405aef2f71814c5b4864257de7c6f72f0adf26c54601c9b7e6fa3999

C:\Users\Admin\AppData\Local\Temp\242606203738175.exe

MD5 63dc5e07b42a45c4b808d10fc861eafd
SHA1 18d43937cb1d7621daebb3fcb720f951414d91ce
SHA256 25d3d6f9c1f99dc8be1aa222e7778ba31ec9f3cffda327523c7fcbd13811ab3c
SHA512 296cd0297b18ce99ce515cfb54d4f8e76b7a6f6960862c9942ac4c2462731e799a7a04915f3a942e7178cb36f7af4d6b4cbb18a476729080b6282a0e74ae7092

C:\Users\Admin\AppData\Local\Temp\242606203749738.exe

MD5 67ccad3da4d68c6bab572dd287c4582f
SHA1 026414056b7b209f46c7a16c294323fcb9182370
SHA256 e4f7ead7fd7023db96d8d37001da1036a77cbfa61bbafa781ef5599259bfa07f
SHA512 df1028c1439de83c33ec22ee759c979bd4a8995be97e3113c1012929ebc85f5b99ee2769628f18c1429659dd3785d3d62b50620601644bd462487d4d58884e57

C:\Users\Admin\AppData\Local\Temp\242606203800050.exe

MD5 a89408d2e107392f85b87988dd7f40d5
SHA1 9e937c9906eeb7e1e889e1a4bee2942efa5dd8cb
SHA256 4748e8829507e99bfe75a9854e4ee459cd5a857aff3e1473b3313692bae0d18d
SHA512 02a23f1f002976d8614dfadf01228114ff049c7885efb3e0a68e827f2006e73aca20efccd5a7f46c5becac88969030bc74f033a3d2836fbe9138fe6ed8baba3b