Malware Analysis Report

2025-08-10 21:49

Sample ID 240606-zdfznsbf8w
Target 96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe
SHA256 0f7f9480172c6da790f19d065cab92249b91bec5b101622879bb0facdc9fceda
Tags
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

0f7f9480172c6da790f19d065cab92249b91bec5b101622879bb0facdc9fceda

Threat Level: Shows suspicious behavior

The file 96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe was found to show suspicious behavior.

Malicious Activity Summary


Executes dropped EXE

Uses the VBS compiler for execution

Deletes itself

Loads dropped DLL

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-06 20:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 20:35

Reported

2024-06-06 20:38

Platform

win7-20240419-en

Max time kernel

118s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp19C9.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp19C9.tmp.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3028 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3028 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3028 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3028 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2812 wrote to memory of 2664 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2812 wrote to memory of 2664 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2812 wrote to memory of 2664 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2812 wrote to memory of 2664 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3028 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\tmp19C9.tmp.exe
PID 3028 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\tmp19C9.tmp.exe
PID 3028 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\tmp19C9.tmp.exe
PID 3028 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\tmp19C9.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tciv1ktg\tciv1ktg.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B5D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7141BAF496924431919328C38547CEDF.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp19C9.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp19C9.tmp.exe" C:\Users\Admin\AppData\Local\Temp\96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe

Network

N/A

Files

memory/3028-0-0x0000000073F9E000-0x0000000073F9F000-memory.dmp

memory/3028-1-0x0000000001230000-0x000000000123A000-memory.dmp

memory/3028-7-0x0000000073F90000-0x000000007467E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tciv1ktg\tciv1ktg.cmdline

MD5 728712e04c961cda3e49d3c08d6c7d9a
SHA1 668093e2df9ef830b7803653f2cabeda07de3cb3
SHA256 76ea6cb21ddf0b6ce8e985170f95fd6fb932fc2abd773793bfa3cb7c611aead0
SHA512 a071edc5cef693ea2bc99d68047a992deecf60d57049269c5a77a4544888082ec05f736aa7c7ec222afe1612b9a65fc5dae69eea3b2f6dadae7083af5f55d822

C:\Users\Admin\AppData\Local\Temp\tciv1ktg\tciv1ktg.0.vb

MD5 bbf2720d5823d8dc4dc3827422a3ed1a
SHA1 e33937437dd521e66857bd35c9f23a3120718a9c
SHA256 e49441288b84392b0c23ed81dc98af050297763673f887c2a978bf970f8c991c
SHA512 416a405e2bb90d4cd0a4f8a154dbc6163d14997a54710453515126d4d32033d6a6c12afbf7c0cf41f03d2fe0f238e9066735ba9cd895ba89db3ada22b0d833ea

C:\Users\Admin\AppData\Local\Temp\RE.resources

MD5 6d558f3fc85a41c2079c819ce28efb8d
SHA1 e4ae283500c17f4094848c7d1a4b8df8b67d0188
SHA256 c07dd490d8e14b0f2d99580dee0ff50048807fd061d8912c721c4087e2decff5
SHA512 d5da9384f15d9be0de74b36ee0537aac3fa62b81d87439e890d05b6258778369d8f00de06a198ca1dd837f2c2aed816ab02a212b94197db34c9f0e15809ee9df

C:\Users\Admin\AppData\Local\Temp\vbc7141BAF496924431919328C38547CEDF.TMP

MD5 b78b2d324216b0b3fa4bc9694bd4c958
SHA1 7cb531df5925b23cd8d2334b86e9bb9fcecb35f5
SHA256 93225621ac3704c63bce3e6b7dd4b32f6f596083b724b6960deba0a55ad361fd
SHA512 afc3082ff9e8a240fd35cacdea4fcf5140890daa7b2c08b5522935c25851b81edc6102a56ff9633810aa27cf27506b95a98ac6031d80686aca0ef6a3c0eeaee1

C:\Users\Admin\AppData\Local\Temp\RES1B5D.tmp

MD5 dc6ed6594d0befb7d1e7260d36f6059f
SHA1 3785c1f867e9fa164c99ee3f32c9fee8a36c49c9
SHA256 aa36f922cbef69863c368faca315e5cf7b56aa6c510d0dd8a9aea84a2c42309a
SHA512 7919e91d5bf97c9ada87018455f95e081ca4be509505394fad2c99445df48e75572f73eb28aa63473c7a42e5f25cebcdf3996585052558aa5c436c6ecab50b73

C:\Users\Admin\AppData\Local\Temp\tmp19C9.tmp.exe

MD5 cd38fea6032ecfc04b7e03e68dd733d8
SHA1 6078dc36846c31e1e68708544ef18f03ce0f679c
SHA256 f30986951c1203cf43b2743a1f373798ab48bdc0f51e9a11e1a558c5703ae4c4
SHA512 1cbe41b8305a9263e5343089850b2fcf193b942b27e7911d25ac60fb41f6e49175519bfe79d936efc4f7b3073da6644422b296e0225ae2b9eba9cc5150771a87

memory/2604-23-0x00000000003F0000-0x00000000003FA000-memory.dmp

memory/3028-24-0x0000000073F90000-0x000000007467E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-06 20:35

Reported

2024-06-06 20:38

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp4DE2.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp4DE2.tmp.exe N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 568 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 568 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 568 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 932 wrote to memory of 1752 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 932 wrote to memory of 1752 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 932 wrote to memory of 1752 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 568 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\tmp4DE2.tmp.exe
PID 568 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\tmp4DE2.tmp.exe
PID 568 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\tmp4DE2.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\05n3rjai\05n3rjai.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F78.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2A5D3DB2937D4A19960E9D7CECE8571.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp4DE2.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp4DE2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe
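Both detonations show the same chain: the sample (a .NET binary, judging by the mscorlib-range memory maps and the v4.0.30319 tooling) writes a VB.NET source file and a response file to Temp, runs vbc.exe (the Visual Basic .NET command-line compiler, not a VBScript engine) with /noconfig @*.cmdline, which in turn runs cvtres.exe to build the resource section, and then launches the freshly compiled tmp*.tmp.exe with the sample's own path as its only argument, which is the process the "Deletes itself" signature attributes the deletion to. Because the payload is compiled on the victim, the dropped executable's hash differs between the two runs (SHA256 f30986... on win7 versus da91e9... on win10), so the dropped-file hashes are not reusable indicators; the process chain is. The following detection rules are an added example, not part of this report or of the sandbox's own signatures. They run over constructed process-creation events that mirror the behavioral2 tree above (PIDs 568, 932, 1752 and 2652 with the command lines listed in this report); the root's parent PID 4000, the control event from a hypothetical build tool under Program Files, and the "user-writable directory" definition are assumptions.

```python
"""Detect the compile-after-delivery and self-delete chain from process-creation events.

Added example; not part of the sandbox report. Assumptions: ppid 4000 for the root
process (hypothetical), one hypothetical benign build-tool event as a control, and
the USER_WRITABLE definition below.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # command line as logged


# Constructed events mirroring the behavioral2 process tree in this report.
EVENTS = [
    ProcEvent(568, 4000,  # ppid 4000 is a hypothetical launcher (not in the report)
              r"C:\Users\Admin\AppData\Local\Temp\96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe"'),
    ProcEvent(932, 568,
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\05n3rjai\05n3rjai.cmdline"'),
    ProcEvent(1752, 932,
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
              r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F78.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2A5D3DB2937D4A19960E9D7CECE8571.TMP"'),
    ProcEvent(2652, 568,
              r"C:\Users\Admin\AppData\Local\Temp\tmp4DE2.tmp.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\tmp4DE2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\96ebdd4a73ae3b37ce3d048681a48f60_NeikiAnalytics.exe'),
    # Hypothetical benign control: a build tool under Program Files driving the same
    # compiler with the same response-file arguments. This must NOT fire.
    ProcEvent(9001, 9000,
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\source\app\obj\app.cmdline"'),
    ProcEvent(9000, 4000,
              r"C:\Program Files\Build\MSBuild.exe",
              r'"C:\Program Files\Build\MSBuild.exe" app.vbproj'),
]

COMPILERS = {"vbc.exe", "csc.exe"}  # .NET Framework VB.NET and C# command-line compilers
# Assumption: directories a low-privilege dropper can write to.
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\(Users|ProgramData)\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def split_args(cmdline: str) -> list[str]:
    """Minimal Windows command-line tokenizer: quoted strings or whitespace-separated tokens."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def detect(events):
    """Return (technique, pid, message) tuples for the two behaviours in this report."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        name = basename(e.image)
        args = split_args(e.cmdline)[1:]
        # Rule 1 (T1027.004, Compile After Delivery): a .NET compiler fed a response file
        # by a parent that lives in a user-writable directory. The "/noconfig @x.cmdline"
        # shape alone is also what legitimate System.CodeDom callers produce, so the
        # parent's location carries the signal, not the compiler arguments.
        if (name in COMPILERS
                and USER_WRITABLE.match(parent.image)
                and any(a.startswith("@") and a.strip('@"').lower().endswith(".cmdline")
                        for a in args)):
            findings.append(("T1027.004", e.pid,
                             f"{basename(parent.image)} (pid {parent.pid}) compiled code at runtime via {name}"))
        # Rule 2 (T1070.004, File Deletion): a binary in a user-writable directory launched
        # by another such binary with the parent's own path as an argument, the usual
        # "wait for the parent to exit, then delete it" helper.
        if (USER_WRITABLE.match(e.image)
                and USER_WRITABLE.match(parent.image)
                and any(a.lower() == parent.image.lower() for a in args)):
            findings.append(("T1070.004", e.pid,
                             f"{name} received the path of its parent {basename(parent.image)} (pid {parent.pid}) as an argument"))
    return findings


if __name__ == "__main__":
    for technique, pid, msg in detect(EVENTS):
        print(f"[{technique}] pid {pid}: {msg}")
```

Run stand-alone it reports the vbc.exe launch (pid 932) and the tmp4DE2.tmp.exe launch (pid 2652) and stays silent on the build-tool control. Keying rule 1 on the parent's location rather than on the compiler arguments matters in production: PowerShell's Add-Type and other CodeDOM users spawn csc.exe/vbc.exe with exactly this argument shape, and alerting on every one of them is not sustainable.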

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
BE 2.17.107.122:443 www.bing.com tcp
US 8.8.8.8:53 122.107.17.2.in-addr.arpa udp
NL 52.142.223.178:80 N/A tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 34.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 147.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp
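The win7 run produced no network activity at all, and most of the win10 rows are reverse-DNS (in-addr.arpa) queries to 8.8.8.8 plus Bing traffic that Windows 10 generates on its own; nothing here looks like command-and-control. The one row worth a second look is the TCP connection to 52.142.223.178:80 with no resolved hostname. The script below, an added example rather than part of this report, parses the Network table as printed (the row without a Domain column included), separates PTR lookups from forward DNS queries and from connections, folds repeated rows into counts, correlates PTR lookups with connected addresses, and lists what an analyst still has to review. The background-hostname suffix list is an assumption for this sandbox image, not something the report states.

```python
"""Triage the flattened Network table of a sandbox report.

Added example; not part of the report. Separates reverse-DNS chatter from real
connections and flags rows that need an analyst's eye. BACKGROUND_SUFFIXES is an
assumption about the sandbox image's own traffic.
"""
import re
from collections import Counter

# Constructed copy of the behavioral2 Network rows in this report, including the
# row that has no Domain column.
NETWORK_ROWS = """
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
BE 2.17.107.122:443 www.bing.com tcp
US 8.8.8.8:53 122.107.17.2.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 34.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 147.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp
"""

# Country, ip:port, optional domain, protocol. The domain group is optional so a
# direct-IP connection row with no Domain column still parses.
ROW = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+(?:(?P<name>\S+)\s+)?(?P<proto>tcp|udp)$"
)

# Assumption: hostname suffixes treated as Windows background traffic on this image.
BACKGROUND_SUFFIXES = ("bing.com", "bing.net")


def ptr_to_ip(name: str) -> str:
    """'240.221.184.93.in-addr.arpa' -> '93.184.221.240'."""
    return ".".join(reversed(name[: -len(".in-addr.arpa")].split(".")))


def triage(text: str) -> dict:
    ptr_targets, dns_queries, conns = set(), set(), Counter()
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        r = m.groupdict()
        if r["proto"] == "udp" and r["port"] == "53":
            if r["name"] and r["name"].endswith(".in-addr.arpa"):
                ptr_targets.add(ptr_to_ip(r["name"]))      # reverse lookup: record the address
            elif r["name"]:
                dns_queries.add(r["name"])                  # forward lookup
        else:
            conns[(r["ip"], int(r["port"]), r["name"] or "")] += 1
    review = []
    for (ip, port, name), n in conns.items():
        if not name:
            review.append(f"{ip}:{port} x{n}: connection with no resolved hostname")
        elif not name.endswith(BACKGROUND_SUFFIXES):
            review.append(f"{ip}:{port} ({name}) x{n}: not on background list")
    # PTR lookups for addresses that were also connected to tie the two views together.
    correlated = sorted({ip for (ip, _, _) in conns if ip in ptr_targets})
    return {
        "ptr_targets": sorted(ptr_targets),
        "dns_queries": sorted(dns_queries),
        "connections": dict(conns),
        "correlated": correlated,
        "review": review,
    }


if __name__ == "__main__":
    result = triage(NETWORK_ROWS)
    print(f"{len(result['ptr_targets'])} reverse lookups, "
          f"{len(result['connections'])} distinct connections")
    for item in result["review"]:
        print("REVIEW:", item)
```

On this report's rows the output is twelve reverse lookups, three distinct connections, and a single review item for 52.142.223.178:80. The reverse lookups for 2.17.107.122 and 204.79.197.200 match the two Bing endpoints the machine connected to, which is the sandbox resolving peers after the fact rather than sample activity; the ten other PTR targets have no matching connection in the table and are not attributable to the sample from this report alone.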

Files

memory/568-0-0x000000007484E000-0x000000007484F000-memory.dmp

memory/568-1-0x0000000000BB0000-0x0000000000BBA000-memory.dmp

memory/568-2-0x0000000005520000-0x00000000055BC000-memory.dmp

memory/568-8-0x0000000074840000-0x0000000074FF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\05n3rjai\05n3rjai.cmdline

MD5 74dad794e05f01dc5a40a01da18c180b
SHA1 b09e470b6ace2e96fb46df2fd3518367b3470b91
SHA256 0f3ee0493025a1b29546902bbf882734666cd518a63dd408cfc40da1d9096352
SHA512 0f554728fa762411d011fa4aa815a34b1db35b9c570ce08cda031f9c45e566869a0c50dd8639c49345af22380c24dc14ea410e4028c05467646fa6a4672ed37b

C:\Users\Admin\AppData\Local\Temp\05n3rjai\05n3rjai.0.vb

MD5 021fe420534bbf97e3d780bf9f9f6ab5
SHA1 a9be3d88e95e23e220e62b7bb82dd9839ee3f143
SHA256 ad488028d85d772587054b26f5a0f6ce4d8adf56ab0e194b6b979685e2c8cb53
SHA512 ccd5b06c5fe99c9e91737797f6bc528ef45964936c3b27f683f47c3d8a7c23ca3d14c4d6f565d8691b78505eb2ec42bf75381dc9ec6827a2119fb809e112c862

C:\Users\Admin\AppData\Local\Temp\RE.resources

MD5 12f93dbf0ba2262acdf828655ae77d94
SHA1 0ae33357bb626d0d8bd016b00a94053b70e108cf
SHA256 871f96772ed2dfb47c814144cb4f9a4308ea17ecfc4e7ad179fbe4f26015fe7e
SHA512 5a08cce813af88a2c36ecc8dd85b0a7adcaa3991d7f021b2ac244fe7b0232c4dbe0f58cda5d6160607e8eba387351609b63ca5cb6a2a04bb41f150ace9bc9359

C:\Users\Admin\AppData\Local\Temp\vbc2A5D3DB2937D4A19960E9D7CECE8571.TMP

MD5 7ca3abf5e1669f6273fbe5ad027b0131
SHA1 5cf5e7dcad9c73536776f05331519f1af6d3653e
SHA256 79d40d63870b09f409db5125ee2c646bcecf168a6400dee4a6b7e58649da94c5
SHA512 b99ef3d94dd83b45846cfeaf2000edbfb448aedc904651cd62e93c5f863e656c8609c96e8c550d17f184e26ab6f2aed7788e40c9353e38ded496842b5b8950c9

C:\Users\Admin\AppData\Local\Temp\RES4F78.tmp

MD5 6e809b13fe8adebb135cd1e9329ffe8a
SHA1 89425c9c129a79bc08f6c9d5ed600ebdfa2e8ada
SHA256 767ca06c8d672aa79d724a1e6671d2fb824e410dc00ca4c4e049d85ee8844f08
SHA512 0f377bf10f4db4095d7f24261195de203436d6ecf3dd69879022157a33c8149847802ebf343614e9e04faae3b83bf9019ebe612c26fb62330304dc96cc3a6d3e

C:\Users\Admin\AppData\Local\Temp\tmp4DE2.tmp.exe

MD5 bb63640629a4f6d323c3fcd7fe8b4ddf
SHA1 1fc543140b4c949630b262d4a7d52ddd36248190
SHA256 da91e9d1305ceb0f0a805c9649d7aedcfb0bed22ed03319509ce899a95719fbf
SHA512 04feb7d005b71a264e79d087503f8376a09e18af5d44aec372ef1ae2a7b8ab86f2078df64914ba20aae9f5c406eab4d985412f6187a5a0f35e54d86aa51c7c70

memory/568-24-0x0000000074840000-0x0000000074FF0000-memory.dmp

memory/2652-26-0x0000000074840000-0x0000000074FF0000-memory.dmp

memory/2652-25-0x00000000005F0000-0x00000000005FA000-memory.dmp

memory/2652-27-0x0000000005490000-0x0000000005A34000-memory.dmp

memory/2652-28-0x0000000004F80000-0x0000000005012000-memory.dmp

memory/2652-30-0x0000000074840000-0x0000000074FF0000-memory.dmp