Analysis Overview
SHA256
3c621489d42f95481cd99461ba5d9d88eb6767f3fbdd0481001aaa81bd4ce196
Threat Level: Shows suspicious behavior
The file 58b672f36e71251b2192f2e19baec830_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
UPX packed file
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Deletes itself
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-27 11:39
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-27 11:39
Reported
2024-05-27 11:41
Platform
win7-20240508-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\Update\wuauclt.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\58b672f36e71251b2192f2e19baec830_NeikiAnalytics.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\wuauclt.exe\" /run" | C:\Users\Admin\AppData\Local\Temp\58b672f36e71251b2192f2e19baec830_NeikiAnalytics.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\58b672f36e71251b2192f2e19baec830_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\58b672f36e71251b2192f2e19baec830_NeikiAnalytics.exe" |
| C:\ProgramData\Update\wuauclt.exe | "C:\ProgramData\Update\wuauclt.exe" /run |
| C:\windows\SysWOW64\cmd.exe | "C:\windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\58b672f36e71251b2192f2e19baec830_NeikiAnalytics.exe" >> NUL |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| CA | 158.69.115.115:443 | | tcp |
Files
memory/1688-0-0x00000000000E0000-0x0000000000108000-memory.dmp
\ProgramData\Update\wuauclt.exe
| Hash | Value |
| --- | --- |
| MD5 | 3e83afc4c793c0e7284cae4d2cecb15c |
| SHA1 | a4195af9d36fee4457ebf13902fc0496713ff632 |
| SHA256 | 88521442944a61003028ff638fb4ba395ef7017e863beb12fd70b0ee19ee2168 |
| SHA512 | e1570446e36dbe48f0ff3b4815817988e2646c629f305a28de352a0505478b2bc32527610a1d3a58edbf06f1b8b9874a379ccb3c2d24f321703b2ef2cc9261b9 |
memory/1688-6-0x0000000000080000-0x00000000000A8000-memory.dmp
memory/2852-7-0x00000000012C0000-0x00000000012E8000-memory.dmp
memory/1688-8-0x00000000000E0000-0x0000000000108000-memory.dmp
memory/1688-9-0x0000000000080000-0x00000000000A8000-memory.dmp
memory/2852-10-0x00000000012C0000-0x00000000012E8000-memory.dmp
memory/1688-11-0x00000000000E0000-0x0000000000108000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-27 11:39
Reported
2024-05-27 11:41
Platform
win10v2004-20240426-en
Max time kernel
147s
Max time network
96s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\58b672f36e71251b2192f2e19baec830_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\Update\wuauclt.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\wuauclt.exe\" /run" | C:\Users\Admin\AppData\Local\Temp\58b672f36e71251b2192f2e19baec830_NeikiAnalytics.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4760 wrote to memory of 4140 | N/A | C:\Users\Admin\AppData\Local\Temp\58b672f36e71251b2192f2e19baec830_NeikiAnalytics.exe | C:\ProgramData\Update\wuauclt.exe |
| PID 4760 wrote to memory of 4140 | N/A | C:\Users\Admin\AppData\Local\Temp\58b672f36e71251b2192f2e19baec830_NeikiAnalytics.exe | C:\ProgramData\Update\wuauclt.exe |
| PID 4760 wrote to memory of 4140 | N/A | C:\Users\Admin\AppData\Local\Temp\58b672f36e71251b2192f2e19baec830_NeikiAnalytics.exe | C:\ProgramData\Update\wuauclt.exe |
| PID 4760 wrote to memory of 752 | N/A | C:\Users\Admin\AppData\Local\Temp\58b672f36e71251b2192f2e19baec830_NeikiAnalytics.exe | C:\windows\SysWOW64\cmd.exe |
| PID 4760 wrote to memory of 752 | N/A | C:\Users\Admin\AppData\Local\Temp\58b672f36e71251b2192f2e19baec830_NeikiAnalytics.exe | C:\windows\SysWOW64\cmd.exe |
| PID 4760 wrote to memory of 752 | N/A | C:\Users\Admin\AppData\Local\Temp\58b672f36e71251b2192f2e19baec830_NeikiAnalytics.exe | C:\windows\SysWOW64\cmd.exe |
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\58b672f36e71251b2192f2e19baec830_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\58b672f36e71251b2192f2e19baec830_NeikiAnalytics.exe" |
| C:\ProgramData\Update\wuauclt.exe | "C:\ProgramData\Update\wuauclt.exe" /run |
| C:\windows\SysWOW64\cmd.exe | "C:\windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\58b672f36e71251b2192f2e19baec830_NeikiAnalytics.exe" >> NUL |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| CA | 158.69.115.115:443 | | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
memory/4760-0-0x0000000000A30000-0x0000000000A58000-memory.dmp
C:\ProgramData\Update\wuauclt.exe
| Hash | Value |
| --- | --- |
| MD5 | 1c1e8bb0e454079e1e4679975d4c6964 |
| SHA1 | 184838517d5feff5975cbaeb1ab1c1d53c1301d7 |
| SHA256 | 0961e8b6b392f2af1a7205388d536d091139d4bd9a1b79659d6eb1dd67ca72b4 |
| SHA512 | e8f1ba10c598266da9ed5b4450691881fd6f8cb906009b113d01faaca8d3e287c77e4d879fe6dea6dc0071a7f16a8250e2906f305428156da9a41d59ecac045d |
memory/4140-5-0x0000000000910000-0x0000000000938000-memory.dmp
memory/4760-6-0x0000000000A30000-0x0000000000A58000-memory.dmp
memory/4140-7-0x0000000000910000-0x0000000000938000-memory.dmp
memory/4760-8-0x0000000000A30000-0x0000000000A58000-memory.dmp