Malware Analysis Report

2025-04-14 02:55

Sample ID: 240613-d9ln5stajh
Target: 5ba1a12a7cbea83dbf762ff77df30d10_NeikiAnalytics.exe
SHA256: 76257cf198f03b92111dd8ca6024f96a95e67ac4359c479bf0adf30312513ba3
Tags: (none listed)
Score: 1/10


Analysis Overview

Score: 1/10

SHA256: 76257cf198f03b92111dd8ca6024f96a95e67ac4359c479bf0adf30312513ba3

Threat Level: No (potentially) malicious behavior was detected

The file 5ba1a12a7cbea83dbf762ff77df30d10_NeikiAnalytics.exe was found to exhibit no (potentially) malicious behavior.

Malicious Activity Summary

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 03:42

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 03:42

Reported

2024-06-13 03:45

Platform

win7-20240611-en

Max time kernel

119s

Max time network

120s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5ba1a12a7cbea83dbf762ff77df30d10_NeikiAnalytics.dll

Signatures

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9BC7E141-912D-11D3-B1AD-0080C84E9C15} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{9BC7E140-912D-11D3-B1AD-0080C84E9C15} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{9BC7E140-912D-11D3-B1AD-0080C84E9C15}\FriendlyName = "Cyberlink Dump Filter" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{9BC7E140-912D-11D3-B1AD-0080C84E9C15}\CLSID = "{9BC7E140-912D-11D3-B1AD-0080C84E9C15}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9BC7E140-912D-11D3-B1AD-0080C84E9C15} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9BC7E140-912D-11D3-B1AD-0080C84E9C15}\ = "Cyberlink Dump Filter" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9BC7E140-912D-11D3-B1AD-0080C84E9C15}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5ba1a12a7cbea83dbf762ff77df30d10_NeikiAnalytics.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9BC7E141-912D-11D3-B1AD-0080C84E9C15}\ = "CyberLink Dump Filter Property" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9BC7E141-912D-11D3-B1AD-0080C84E9C15}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5ba1a12a7cbea83dbf762ff77df30d10_NeikiAnalytics.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9BC7E141-912D-11D3-B1AD-0080C84E9C15}\InprocServer32\ThreadingModel = "Both" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9BC7E140-912D-11D3-B1AD-0080C84E9C15}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9BC7E140-912D-11D3-B1AD-0080C84E9C15}\InprocServer32\ThreadingModel = "Both" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9BC7E141-912D-11D3-B1AD-0080C84E9C15}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{9BC7E140-912D-11D3-B1AD-0080C84E9C15}\FilterData = 020000000000200001000000000000003070693302000000000000000100000000000000000000003074793300000000380000003800000000000000000000000000000000000000 | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2632 wrote to memory of 2208 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2632 wrote to memory of 2208 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2632 wrote to memory of 2208 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2632 wrote to memory of 2208 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2632 wrote to memory of 2208 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2632 wrote to memory of 2208 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2632 wrote to memory of 2208 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5ba1a12a7cbea83dbf762ff77df30d10_NeikiAnalytics.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\5ba1a12a7cbea83dbf762ff77df30d10_NeikiAnalytics.dll

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 03:42

Reported

2024-06-13 03:45

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5ba1a12a7cbea83dbf762ff77df30d10_NeikiAnalytics.dll

Signatures

Modifies registry class

Description | Indicator | Process | Target
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{9BC7E140-912D-11D3-B1AD-0080C84E9C15}\FilterData = 020000000000200001000000000000003070693302000000000000000100000000000000000000003074793300000000380000003800000000000000000000000000000000000000 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9BC7E140-912D-11D3-B1AD-0080C84E9C15}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5ba1a12a7cbea83dbf762ff77df30d10_NeikiAnalytics.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9BC7E141-912D-11D3-B1AD-0080C84E9C15}\ = "CyberLink Dump Filter Property" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{9BC7E140-912D-11D3-B1AD-0080C84E9C15} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{9BC7E140-912D-11D3-B1AD-0080C84E9C15}\FriendlyName = "Cyberlink Dump Filter" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{9BC7E140-912D-11D3-B1AD-0080C84E9C15}\CLSID = "{9BC7E140-912D-11D3-B1AD-0080C84E9C15}" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9BC7E140-912D-11D3-B1AD-0080C84E9C15} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9BC7E140-912D-11D3-B1AD-0080C84E9C15}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9BC7E140-912D-11D3-B1AD-0080C84E9C15}\InprocServer32\ThreadingModel = "Both" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9BC7E141-912D-11D3-B1AD-0080C84E9C15}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9BC7E140-912D-11D3-B1AD-0080C84E9C15}\ = "Cyberlink Dump Filter" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9BC7E141-912D-11D3-B1AD-0080C84E9C15} | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9BC7E141-912D-11D3-B1AD-0080C84E9C15}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5ba1a12a7cbea83dbf762ff77df30d10_NeikiAnalytics.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9BC7E141-912D-11D3-B1AD-0080C84E9C15}\InprocServer32\ThreadingModel = "Both" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 916 wrote to memory of 1564 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 916 wrote to memory of 1564 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 916 wrote to memory of 1564 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5ba1a12a7cbea83dbf762ff77df30d10_NeikiAnalytics.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\5ba1a12a7cbea83dbf762ff77df30d10_NeikiAnalytics.dll

Network

Files

N/A