Malware Analysis Report

2025-08-10 12:15

Sample ID 240607-nyqh3agf52
Target 54e3722e65bff1800fa6d58f8bea7560_NeikiAnalytics.exe
SHA256 a69b8c96db4b68c72e103978877238ef9aacb368376c3543b7cf9cedc8e76fae
Tags: upx
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256: a69b8c96db4b68c72e103978877238ef9aacb368376c3543b7cf9cedc8e76fae

Threat Level: Shows suspicious behavior

The file 54e3722e65bff1800fa6d58f8bea7560_NeikiAnalytics.exe was classified as: Shows suspicious behavior.

Malicious Activity Summary

upx

Loads dropped DLL

UPX packed file

Deletes itself

Executes dropped EXE

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-07 11:48

Signatures

UPX packed file

Tags: upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-07 11:48
Reported: 2024-06-07 12:05
Platform: win7-20240508-en
Max time kernel: 149s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\54e3722e65bff1800fa6d58f8bea7560_NeikiAnalytics.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Sysceamxfzrp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Sysceamxfzrp.exe N/A

UPX packed file

Tags: upx
Description Indicator Process Target
N/A N/A N/A N/A
(5 identical rows)

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Sysceamxfzrp.exe N/A
(64 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\54e3722e65bff1800fa6d58f8bea7560_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\54e3722e65bff1800fa6d58f8bea7560_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\Sysceamxfzrp.exe

"C:\Users\Admin\AppData\Local\Temp\Sysceamxfzrp.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 i3.tietuku.com udp

Files

memory/2176-0-0x0000000000400000-0x000000000046D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cpath.ini

MD5 f3c13a8491eacec21cb6e4e08275fc79
SHA1 f15617afa3611aa196fef7a11542038c8ed1f3d0
SHA256 3c55c82473198408f935a198c41592eb96be93e37c60919f42cf12b80cb0d1ec
SHA512 c5d3db45e8cc13559af69105a24acad9517769873c54aeb35c91516bb58a3ed9582fb9eebc92400a022d0956627cd44e2829920e1cb2c08f30c1bc4988c9d434

memory/2176-17-0x0000000003FE0000-0x000000000404D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Sysceamxfzrp.exe

MD5 4b7769ca5e4b980f5a3875f41c92a8c4
SHA1 7a562cc5e154edf5beec64b50c983a74f75ae213
SHA256 75796cc86050750cf40c3bf633c96a87285585aad44f04107a1e64af3acdb54a
SHA512 907b6ca9142d608c90b6ac4d688047d6f032f5bbd5de3d01f56bc8e2fd86b5e50228dfa4061c4cde446d739aa2b452e35674b062f5af8cb70151143f771d9682

memory/3012-19-0x0000000000400000-0x000000000046D000-memory.dmp

memory/2176-18-0x0000000003FE0000-0x000000000404D000-memory.dmp

memory/2176-22-0x0000000000400000-0x000000000046D000-memory.dmp

memory/3012-23-0x0000000000400000-0x000000000046D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-07 11:48
Reported: 2024-06-07 12:05
Platform: win10v2004-20240508-en
Max time kernel: 149s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\54e3722e65bff1800fa6d58f8bea7560_NeikiAnalytics.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\54e3722e65bff1800fa6d58f8bea7560_NeikiAnalytics.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Sysceamgiqom.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Sysceamgiqom.exe N/A

UPX packed file

Tags: upx
Description Indicator Process Target
N/A N/A N/A N/A
(4 identical rows)

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\54e3722e65bff1800fa6d58f8bea7560_NeikiAnalytics.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Sysceamgiqom.exe N/A
(64 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\54e3722e65bff1800fa6d58f8bea7560_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\54e3722e65bff1800fa6d58f8bea7560_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\Sysceamgiqom.exe

"C:\Users\Admin\AppData\Local\Temp\Sysceamgiqom.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 216.107.17.2.in-addr.arpa udp
NL 23.62.61.154:443 www.bing.com tcp
US 8.8.8.8:53 154.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 i3.tietuku.com udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/4268-0-0x0000000000400000-0x000000000046D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Sysceamgiqom.exe

MD5 48bec37ebcd4a2178e5f12c6aa61acfd
SHA1 bd138e62c285b9eac1e81253240fc70049ed84e1
SHA256 cc98784d9bbc919ddd5b3fb9f60448cd3cb1efd8217a2b63e040cc3fe8a00f30
SHA512 8a4c6b09dbbd0415e47e78efc2f3e05f700bb700129af481a72b422cb79ddd1614bec64d05df999da8dce0306e50d3c1f08e5f50cf8dbb0cbff417c777d60186

C:\Users\Admin\AppData\Local\Temp\cpath.ini

MD5 f3c13a8491eacec21cb6e4e08275fc79
SHA1 f15617afa3611aa196fef7a11542038c8ed1f3d0
SHA256 3c55c82473198408f935a198c41592eb96be93e37c60919f42cf12b80cb0d1ec
SHA512 c5d3db45e8cc13559af69105a24acad9517769873c54aeb35c91516bb58a3ed9582fb9eebc92400a022d0956627cd44e2829920e1cb2c08f30c1bc4988c9d434

memory/4268-41-0x0000000000400000-0x000000000046D000-memory.dmp

memory/4068-42-0x0000000000400000-0x000000000046D000-memory.dmp