Analysis Overview
SHA256
e314bbd9f2ab114b8184a6d7dfd1b0256af86ac6c47bfc958e088df0f76677f8
Threat Level: Shows suspicious behavior
The file a9684e4a138c1ce74372fc719043c220_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-26 10:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-26 10:41
Reported
2024-05-26 10:44
Platform
win7-20240508-en
Max time kernel
120s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a9684e4a138c1ce74372fc719043c220_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a9684e4a138c1ce74372fc719043c220_NeikiAnalytics.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c [email protected]
C:\Users\Admin\AppData\Local\Temp\[email protected]
Network
Files
\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | a8bfedbf435b165d80ff5fdfde1df9de |
| SHA1 | fa0777769e69c6576dde6823ba5881888f239be5 |
| SHA256 | a11ccbe8ca58b88eb3a727763c63858fea7cfa0bf3c69bf5262f672417600096 |
| SHA512 | 751916b87c7efb038d557e2688b0e33d498517bdb27fd5a7ded34cfb60605cc115df3cf66379fc9446597c783a023cc53fc2d321ddf9460612945ece1540f83b |
memory/2088-7-0x0000000000400000-0x000000000041B000-memory.dmp
memory/848-8-0x0000000000400000-0x000000000041B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-26 10:41
Reported
2024-05-26 10:44
Platform
win10v2004-20240226-en
Max time kernel
143s
Max time network
152s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4664 wrote to memory of 4672 | N/A | C:\Users\Admin\AppData\Local\Temp\a9684e4a138c1ce74372fc719043c220_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4664 wrote to memory of 4672 | N/A | C:\Users\Admin\AppData\Local\Temp\a9684e4a138c1ce74372fc719043c220_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4664 wrote to memory of 4672 | N/A | C:\Users\Admin\AppData\Local\Temp\a9684e4a138c1ce74372fc719043c220_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4672 wrote to memory of 4192 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\[email protected] |
| PID 4672 wrote to memory of 4192 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\[email protected] |
| PID 4672 wrote to memory of 4192 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\[email protected] |
Processes
C:\Users\Admin\AppData\Local\Temp\a9684e4a138c1ce74372fc719043c220_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a9684e4a138c1ce74372fc719043c220_NeikiAnalytics.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c [email protected]
C:\Users\Admin\AppData\Local\Temp\[email protected]
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4232 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 142.250.180.10:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | 10.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.32.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | a8bfedbf435b165d80ff5fdfde1df9de |
| SHA1 | fa0777769e69c6576dde6823ba5881888f239be5 |
| SHA256 | a11ccbe8ca58b88eb3a727763c63858fea7cfa0bf3c69bf5262f672417600096 |
| SHA512 | 751916b87c7efb038d557e2688b0e33d498517bdb27fd5a7ded34cfb60605cc115df3cf66379fc9446597c783a023cc53fc2d321ddf9460612945ece1540f83b |
memory/4192-5-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4664-6-0x0000000000400000-0x000000000041B000-memory.dmp