Analysis Overview
SHA256
1a7b18e4e336abe72f64a9a232b0b79e6b13a71e77eb7266885447b7da0e0695
Threat Level: Likely malicious
The file b2b26a00029aa1306e0a472f22263550_NeikiAnalytics was found to be: Likely malicious.
Malicious Activity Summary
Sets file to hidden
Checks computer location settings
Executes dropped EXE
Deletes itself
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Views/modifies file attributes
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-05-13 10:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-13 10:30
Reported
2024-05-13 10:33
Platform
win10v2004-20240508-en
Max time kernel
141s
Max time network
123s
Signatures
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b2b26a00029aa1306e0a472f22263550_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Debug\wkmhost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Debug\wkmhost.exe | C:\Users\Admin\AppData\Local\Temp\b2b26a00029aa1306e0a472f22263550_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\Debug\wkmhost.exe | C:\Users\Admin\AppData\Local\Temp\b2b26a00029aa1306e0a472f22263550_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\Debug\wkmhost.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b2b26a00029aa1306e0a472f22263550_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3836 wrote to memory of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\b2b26a00029aa1306e0a472f22263550_NeikiAnalytics.exe | C:\Windows\SysWOW64\attrib.exe |
| PID 3836 wrote to memory of 3380 | N/A | C:\Users\Admin\AppData\Local\Temp\b2b26a00029aa1306e0a472f22263550_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe |
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\b2b26a00029aa1306e0a472f22263550_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b2b26a00029aa1306e0a472f22263550_NeikiAnalytics.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +a +s +h +r C:\Windows\Debug\wkmhost.exe
C:\Windows\Debug\wkmhost.exe
C:\Windows\Debug\wkmhost.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\B2B26A~1.EXE > nul
Network
Files
C:\Windows\debug\wkmhost.exe
| MD5 | b6b831c86307d99fade6a989e89a1421 |
| SHA1 | fc6d79c43fb04e91752c92f3596b71c483242005 |
| SHA256 | a5eace26fe58bebdd961a4217f9abbf890025f7891b66483738bd0e99c182195 |
| SHA512 | 635e15c4cbf5abbfa88477dd916a7c7e791251cb7d09242015825f98b8cd812d9cb00390cfdadc445e2c1eeb931f95d8d35835ddbb9d292021e38036117e8a4e |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-13 10:30
Reported
2024-05-13 10:33
Platform
win7-20240221-en
Max time kernel
141s
Max time network
123s
Signatures
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Debug\zskhost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Debug\zskhost.exe | C:\Users\Admin\AppData\Local\Temp\b2b26a00029aa1306e0a472f22263550_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\Debug\zskhost.exe | C:\Users\Admin\AppData\Local\Temp\b2b26a00029aa1306e0a472f22263550_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\Debug\zskhost.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b2b26a00029aa1306e0a472f22263550_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\b2b26a00029aa1306e0a472f22263550_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b2b26a00029aa1306e0a472f22263550_NeikiAnalytics.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +a +s +h +r C:\Windows\Debug\zskhost.exe
C:\Windows\Debug\zskhost.exe
C:\Windows\Debug\zskhost.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\B2B26A~1.EXE > nul
Network
Files
C:\Windows\Debug\zskhost.exe
| MD5 | a19b178c9c39ed649b13fe223b76e483 |
| SHA1 | 23c7a05d64563af5e5e59d0d1f8f4662e8ac4be0 |
| SHA256 | 5b9a64f8fe4e239c383291297dbce0c8a889f31cb0b3f1559171da16a4f3c277 |
| SHA512 | ce0c2b2b85aea4e2f24195767a395142efbe0c57f418ae8139164735a105c863a8f505564e61c0c1d1ac80b4fb5f5d6c311cbc693e20adfc8e7324776b6441d6 |