Analysis Overview
SHA256
6097d17d5ede804d2ff1440582ba9e90344e5d9add0ade81688988569b87fa25
Threat Level: Known bad
The file 7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
Deletes itself
VMProtect packed file
Suspicious use of SetThreadContext
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-11 04:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-11 04:27
Reported
2024-05-11 04:30
Platform
win7-20240508-en
Max time kernel
119s
Max time network
139s
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2164 created 1232 | N/A | C:\Users\Admin\AppData\Local\Temp\7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe | C:\Windows\Explorer.EXE |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2164 set thread context of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe | C:\Windows\System32\svchost.exe |
| PID 2396 set thread context of 2636 | N/A | C:\Windows\System32\svchost.exe | C:\Windows\SysWOW64\cleanmgr.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\mac.txt | C:\Windows\SysWOW64\cleanmgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\cleanmgr.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe" |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetwork -p |
| C:\Windows\SysWOW64\cleanmgr.exe | C:\Windows\SysWOW64\cleanmgr.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.845400.online | udp |
| US | 8.8.8.8:53 | gitee.com | udp |
| HK | 182.255.33.134:443 | gitee.com | tcp |
| US | 8.8.8.8:53 | ocsp.trust-provider.cn | udp |
| CN | 117.27.246.96:80 | ocsp.trust-provider.cn | tcp |
| HK | 182.255.33.134:443 | gitee.com | tcp |
| HK | 182.255.33.134:443 | gitee.com | tcp |
| CN | 183.201.243.154:80 | ocsp.trust-provider.cn | tcp |
| N/A | 255.255.255.255:23779 | N/A | udp |
| N/A | 255.255.255.255:0 | N/A | udp |
| N/A | 255.255.255.255:0 | N/A | udp |
| CN | 36.248.38.100:80 | ocsp.trust-provider.cn | tcp |
| CN | 112.50.95.96:80 | ocsp.trust-provider.cn | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab5218.tmp
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\Tar523A.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-11 04:27
Reported
2024-05-11 04:30
Platform
win10v2004-20240426-en
Max time kernel
135s
Max time network
130s
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2956 created 3508 | N/A | C:\Users\Admin\AppData\Local\Temp\7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe | C:\Windows\Explorer.EXE |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2956 set thread context of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe | C:\Windows\System32\svchost.exe |
| PID 2988 set thread context of 4716 | N/A | C:\Windows\System32\svchost.exe | C:\Windows\SysWOW64\ComputerDefaults.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\mac.txt | C:\Windows\SysWOW64\ComputerDefaults.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\ComputerDefaults.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\7ce21e23096f7be6e7d68f316759d800_NeikiAnalytics.exe" |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetwork -p |
| C:\Windows\SysWOW64\ComputerDefaults.exe | C:\Windows\SysWOW64\ComputerDefaults.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.845400.online | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 2.17.107.98:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| BE | 2.17.107.98:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 98.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.845400.online | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.845400.online | udp |
| US | 8.8.8.8:53 | api.845400.online | udp |
| US | 8.8.8.8:53 | gitee.com | udp |
| HK | 182.255.33.134:443 | gitee.com | tcp |
| US | 8.8.8.8:53 | 134.33.255.182.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ocsp.trust-provider.cn | udp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| CN | 112.50.95.96:80 | ocsp.trust-provider.cn | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.845400.online | udp |
| HK | 182.255.33.134:443 | gitee.com | tcp |
| CN | 117.27.246.96:80 | ocsp.trust-provider.cn | tcp |
| US | 8.8.8.8:53 | api.845400.online | udp |
| HK | 182.255.33.134:443 | gitee.com | tcp |
| US | 8.8.8.8:53 | api.845400.online | udp |
| N/A | 255.255.255.255:23779 | N/A | udp |
| N/A | 255.255.255.255:0 | N/A | udp |
| N/A | 255.255.255.255:0 | N/A | udp |
| CN | 183.201.243.154:80 | ocsp.trust-provider.cn | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.845400.online | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| CN | 36.248.38.100:80 | ocsp.trust-provider.cn | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files