Analysis Overview
SHA256
4f780492c9a8a825f7c259aae31d0a9f00b435d7f87e297390c8386c63f32769
Threat Level: Shows suspicious behavior
The file 080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
UPX packed file
Executes dropped EXE
Loads dropped DLL
Writes to the Master Boot Record (MBR)
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-26 14:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-26 14:17
Reported
2024-05-26 14:20
Platform
win7-20240221-en
Max time kernel
120s
Max time network
126s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WG8D80.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1284 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\WG8D80.tmp |
| PID 1284 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\WG8D80.tmp |
| PID 1284 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\WG8D80.tmp |
| PID 1284 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\WG8D80.tmp |
Processes
C:\Users\Admin\AppData\Local\Temp\080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\WG8D80.tmp
C:\Users\Admin\AppData\Local\Temp\WG8D80.tmp
Network
Files
C:\Users\Admin\Favorites\Íâ¹Ò×÷·»¹Ù·½Õ¾ [www.zuowg.com].url
| MD5 | 7c8c531ff6a158742da186b1fad6e00e |
| SHA1 | 98d4551e0d6ac034838a17437640f3335edfaa86 |
| SHA256 | 00ddbc71282fdbf74b8a02cc75b2c3d66529fe7664c148cc0ca79576a883c501 |
| SHA512 | 1788173da6e9cf7e5421c02854ca9122d0825927f33fc64bafb76377ee80c0e1a8112c36ee40b1cbce86e121f864777e8ddf9aecd282f3cc82b70e12cc904805 |
\Users\Admin\AppData\Local\Temp\WG8D80.tmp
| MD5 | e6b75a3573c1825d9827bf8720369010 |
| SHA1 | 1fb308d81358ca8db5e6f7609b9caf697477b415 |
| SHA256 | 8f55a211f420fcdae8ca894407f72e423997d054dbdab14c54568570a30daa03 |
| SHA512 | 4713e374786be79088b276b322b2aa2e747bb1adc4fe7de6612a433c64a917b63d9cdd0de3cdcc786e2b7b11da421b6f73e60b9db7ceaba4cfe5d0d11528608c |
memory/1284-29-0x0000000002AE0000-0x0000000002B03000-memory.dmp
memory/1284-34-0x0000000002AE0000-0x0000000002B03000-memory.dmp
memory/2528-36-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2528-38-0x0000000000400000-0x0000000000423000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-26 14:17
Reported
2024-05-26 14:20
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
156s
Command Line
Signatures
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| CN | 103.21.140.207:5927 | tcp | |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | kxsx.vicp.net | udp |
| CN | 47.111.82.157:5927 | kxsx.vicp.net | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 52.111.229.43:443 | tcp | |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.71.105.51.in-addr.arpa | udp |
Files
C:\Users\Admin\Favorites\Íâ¹Ò×÷·»¹Ù·½Õ¾ [www.zuowg.com].url
| MD5 | f9fc3e4f710ea6068eccca29ed784970 |
| SHA1 | eb6f961e7102e3aef227b204ff4dd9563f745812 |
| SHA256 | 1c12badabe490d7c3d63bb0187965344ce0ed923eab707e446900a9b98913fcb |
| SHA512 | b2d0db7a2c4b4d4e53a8daf2caff6a0ea826133038380e5dcf8c6493417f2884ecd61f047798189a3cff13cca3b9dbe99e5a501ce5de10488b2a337389b019ed |
C:\Users\Admin\Favorites\Íâ¹Ò×÷·»×ÊÔ´Õ¾ [42724920.ys168.com].url
| MD5 | 514d1b59ae8925c5edea3c446ce588dd |
| SHA1 | 60dd675b65c7ffaac6ca731dba265a6f316a6f75 |
| SHA256 | 6bbfe9e113e075b646ae49400657b8bb20cbab06854b38bf007ac6e15cd7b773 |
| SHA512 | 5bf3d0f1715b445852ad184907d2161967d51cb8fe9673330438d8705502bc63e263222c43839140c613a427b0b58b297e522b3953c2543453625e01b8017253 |
C:\Users\Admin\AppData\Local\Temp\e574934.tmp
| MD5 | 4f3387277ccbd6d1f21ac5c07fe4ca68 |
| SHA1 | e16506f662dc92023bf82def1d621497c8ab5890 |
| SHA256 | 767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac |
| SHA512 | 9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219 |
C:\Users\Admin\AppData\Local\Temp\e574954.tmp
| MD5 | 5870ea0d6ba8dd6e2008466bdd00e0f4 |
| SHA1 | d41bf60d0dedff90e3cfc1b41b7e1a73df39a7d5 |
| SHA256 | 5a7dac8c8b5d7cf1115246dfaf994e7f50e16a7eac1488642396f5e23fddfe0d |
| SHA512 | 0c620d5e7383adcf979feccc3b1bad584a5cec8b3d74d0ace8bb786f1f04ba87fa70d59d041dc3833977d44a75f2070181d4054c7c0b9c4ce2d66249b4b3c837 |
C:\Users\Admin\AppData\Local\Temp\e574955.tmp
| MD5 | f6b847a54cfb804a25b8842b45fd1d50 |
| SHA1 | bb22fef07ce1577c8a7fa057d8cf05502c013bfc |
| SHA256 | 5dd2f5a957946e0b6f63660ebd897851aad4795d4c847396c47ddbb647715583 |
| SHA512 | dd08a55f538e2a33e6a0c496dc97ae9045594cbbf62f7894ae8ded63f4dc0b2e89c5935269adfd1c19607b1d2474bddc49f6acb955e6dc53a55560663ca2137a |