Malware Analysis Report

2025-08-10 21:49

Sample ID: 240608-h1wj7sba82
Target: 977d436f6b994ebd49a3a195c47ed9c0_NeikiAnalytics.exe
SHA256: 5a0e0ffda4d8ddeed62772838878b03af6064e78635fb4ec6f440ec4818dbc1d
Tags: persistence, upx
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256: 5a0e0ffda4d8ddeed62772838878b03af6064e78635fb4ec6f440ec4818dbc1d

Threat Level: Shows suspicious behavior

The file 977d436f6b994ebd49a3a195c47ed9c0_NeikiAnalytics.exe was found to show suspicious behavior.

Malicious Activity Summary

Tags: persistence, upx

Drops startup file

UPX packed file

Checks computer location settings

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-08 07:12

Signatures

UPX packed file (tag: upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-08 07:12
Reported: 2024-06-08 07:15
Platform: win10v2004-20240508-en
Max time kernel: 150s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\977d436f6b994ebd49a3a195c47ed9c0_NeikiAnalytics.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\977d436f6b994ebd49a3a195c47ed9c0_NeikiAnalytics.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk | C:\Users\Admin\AppData\Local\Temp\977d436f6b994ebd49a3a195c47ed9c0_NeikiAnalytics.exe | N/A

UPX packed file (tag: upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A   (9 identical rows; no details recorded)

Adds Run key to start application (tag: persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe" | C:\Users\Admin\AppData\Local\Temp\977d436f6b994ebd49a3a195c47ed9c0_NeikiAnalytics.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\977d436f6b994ebd49a3a195c47ed9c0_NeikiAnalytics.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\977d436f6b994ebd49a3a195c47ed9c0_NeikiAnalytics.exe | N/A   (16 identical rows)

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\977d436f6b994ebd49a3a195c47ed9c0_NeikiAnalytics.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\977d436f6b994ebd49a3a195c47ed9c0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\977d436f6b994ebd49a3a195c47ed9c0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
CN | 123.249.45.239:9900 | | tcp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
CN | 123.249.45.239:9900 | | tcp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
CN | 123.249.45.239:9900 | | tcp
US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp
CN | 123.249.45.239:9900 | | tcp
CN | 123.249.45.239:9900 | | tcp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
CN | 123.249.45.239:9900 | | tcp
CN | 123.249.45.239:9900 | | tcp
CN | 123.249.45.239:9900 | | tcp

Files

memory/3952-0-0x0000000000400000-0x000000000054E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

MD5 a3a80cb62fc315de1924f165c1c95721
SHA1 214f2f997b96adf2d832d04c004100442898502c
SHA256 c5779c61b7bec592d5601c42cdd9952b2ea57c4c1ba4eda9758bcc52243fde50
SHA512 bebac64d89e118cf24f1ebf401642820f4d63149af23e099119e495cdc1ed2b5b3fb9408e67ae8e6e98978007938683a2202c741c1ce4a1c5d403354f592b723

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

MD5 074f0f20b1af231ab4562985077c682f
SHA1 647e5d0ff032c7aaf1fd5dbb20537f5831cc4b18
SHA256 be7abb4d820f9c15accf03c551469e0e088a851f9bb4770aba961713cb7d4454
SHA512 a48d7e9154fb82f628d58d6ea440c2628cf33b47cd8e63848ce5af6bdfade53c23b9cc9d789499331e101db722860269529a3a6cb06f97d86b0e68869b62f60b

memory/3952-14-0x0000000000400000-0x000000000054E000-memory.dmp

memory/3952-17-0x0000000000400000-0x000000000054E000-memory.dmp

memory/3952-20-0x0000000000400000-0x000000000054E000-memory.dmp

memory/3952-24-0x0000000000400000-0x000000000054E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

MD5 0a09f354748324840a98a09a15172fb8
SHA1 41dc1d5cb5f99590ea7b83516be4ca616707932a
SHA256 31a81ee87f0c6987d56d48ccac000d92e2a4efdb6b2f84787e9ef420d9f91c7d
SHA512 f21a7c0f5f13285b5faa1fdaca04d15460d9b436eda4bb98a761bdb02b802f00c1c5727d84c97565891d317cd2dbc92ac370ecb8c248082a83a51558cd63bda8

memory/3952-27-0x0000000000400000-0x000000000054E000-memory.dmp

memory/3952-30-0x0000000000400000-0x000000000054E000-memory.dmp

memory/3952-33-0x0000000000400000-0x000000000054E000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-08 07:12
Reported: 2024-06-08 07:15
Platform: win7-20240508-en
Max time kernel: 150s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\977d436f6b994ebd49a3a195c47ed9c0_NeikiAnalytics.exe"

Signatures

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk | C:\Users\Admin\AppData\Local\Temp\977d436f6b994ebd49a3a195c47ed9c0_NeikiAnalytics.exe | N/A

UPX packed file (tag: upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A   (9 identical rows; no details recorded)

Adds Run key to start application (tag: persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe" | C:\Users\Admin\AppData\Local\Temp\977d436f6b994ebd49a3a195c47ed9c0_NeikiAnalytics.exe | N/A

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\977d436f6b994ebd49a3a195c47ed9c0_NeikiAnalytics.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\977d436f6b994ebd49a3a195c47ed9c0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\977d436f6b994ebd49a3a195c47ed9c0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"

Network

Country | Destination | Domain | Proto
CN | 123.249.45.239:9900 | | tcp   (8 identical rows)

Files

memory/2368-0-0x0000000000400000-0x000000000054E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

MD5 d0bdcafbec62b21f02b2da1861fde3d0
SHA1 76db0e03d3ee996335ee9708c41a8d8b1b58d649
SHA256 4d273a9b64cc53928a08b4edc2d3359be2746761c3d72941f78a716774dc6c81
SHA512 2f979ee5ad1812f25d2f5eff51da0295cf2053a05d042c35c86b1c73e6758358256129909a494ea05b4c8a25ba4d5c0447dd34bc55be95973b466bea46da0fa7

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

MD5 de6eebab6b36f9ae12b5b01429bb54aa
SHA1 d688b459ede876ae63c50ab26ef6204101c590fd
SHA256 4599607c660eee2c763fdef2950961c6bd6fe014f71f7ce88d69cb50e2cf2c0a
SHA512 0c2bb364ca266929ca3ffc325d1a51b8e0441c4bdab8550a838dfa5852805f8355223d0980bb23fdf700077cf018416eca0d5ef269cb4cdfe031e873535b7a9b

memory/2368-14-0x0000000000400000-0x000000000054E000-memory.dmp

memory/2368-17-0x0000000000400000-0x000000000054E000-memory.dmp

memory/2368-20-0x0000000000400000-0x000000000054E000-memory.dmp

memory/2368-24-0x0000000000400000-0x000000000054E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

MD5 0a09f354748324840a98a09a15172fb8
SHA1 41dc1d5cb5f99590ea7b83516be4ca616707932a
SHA256 31a81ee87f0c6987d56d48ccac000d92e2a4efdb6b2f84787e9ef420d9f91c7d
SHA512 f21a7c0f5f13285b5faa1fdaca04d15460d9b436eda4bb98a761bdb02b802f00c1c5727d84c97565891d317cd2dbc92ac370ecb8c248082a83a51558cd63bda8

memory/2368-27-0x0000000000400000-0x000000000054E000-memory.dmp

memory/2368-30-0x0000000000400000-0x000000000054E000-memory.dmp

memory/2368-33-0x0000000000400000-0x000000000054E000-memory.dmp