Analysis Overview
SHA256
0b40b8fb59834f4cf3a5a3a21b3cfbc1154edbd61164f99ff07c2a39433771d9
Threat Level: Known bad
The file c63b49da763fd0470e4ab20c99307850_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-27 12:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-27 12:11
Reported
2024-05-27 12:14
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c63b49da763fd0470e4ab20c99307850_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\165ef51d\jusched.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files (x86)\165ef51d\jusched.exe | C:\Users\Admin\AppData\Local\Temp\c63b49da763fd0470e4ab20c99307850_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files (x86)\165ef51d\165ef51d | C:\Users\Admin\AppData\Local\Temp\c63b49da763fd0470e4ab20c99307850_NeikiAnalytics.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3856 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\c63b49da763fd0470e4ab20c99307850_NeikiAnalytics.exe | C:\Program Files (x86)\165ef51d\jusched.exe |
| PID 3856 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\c63b49da763fd0470e4ab20c99307850_NeikiAnalytics.exe | C:\Program Files (x86)\165ef51d\jusched.exe |
| PID 3856 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\c63b49da763fd0470e4ab20c99307850_NeikiAnalytics.exe | C:\Program Files (x86)\165ef51d\jusched.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\c63b49da763fd0470e4ab20c99307850_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c63b49da763fd0470e4ab20c99307850_NeikiAnalytics.exe"
C:\Program Files (x86)\165ef51d\jusched.exe
"C:\Program Files (x86)\165ef51d\jusched.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.160:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | elegan_786444.el.funpic.org | udp |
| US | 8.8.8.8:53 | griptoloji.host-ed.net | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ftp.tripod.com | udp |
| US | 209.202.252.54:21 | ftp.tripod.com | tcp |
| US | 8.8.8.8:53 | 54.252.202.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | elegan_786444.el.funpic.org | udp |
| US | 8.8.8.8:53 | griptoloji.host-ed.net | udp |
| US | 209.202.252.54:21 | ftp.tripod.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
Files
memory/3856-0-0x0000000000400000-0x0000000000421000-memory.dmp
C:\Program Files (x86)\165ef51d\jusched.exe
| MD5 | ff139e0b4ce49ca2b801b3922b24af1c |
| SHA1 | c420f25c25ccd9c59eff28e5815528363707f8e0 |
| SHA256 | 27c0beb666b837c7e27503084e490095c9fec115214f6902bf5c283f8c4efbcb |
| SHA512 | b345b29702f69b16779a327909f8600535868fe4ce848c221e6e7e94c534bbacd8790b43b479c66e96663fa67c1947ec32e8d81af6de22cb1cda940d51c332e1 |
memory/3856-9-0x0000000000400000-0x0000000000421000-memory.dmp
memory/2748-11-0x0000000000400000-0x0000000000421000-memory.dmp
C:\Program Files (x86)\165ef51d\165ef51d
| MD5 | f253efe302d32ab264a76e0ce65be769 |
| SHA1 | 768685ca582abd0af2fbb57ca37752aa98c9372b |
| SHA256 | 49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd |
| SHA512 | 1990d20b462406bbadb22ba43f1ed9d0db6b250881d4ac89ad8cf6e43ca92b2fd31c3a15be1e6e149e42fdb46e58122c15bc7869a82c9490656c80df69fa77c4 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-27 12:11
Reported
2024-05-27 12:14
Platform
win7-20240508-en
Max time kernel
149s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\18739b51\jusched.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c63b49da763fd0470e4ab20c99307850_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c63b49da763fd0470e4ab20c99307850_NeikiAnalytics.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files (x86)\18739b51\jusched.exe | C:\Users\Admin\AppData\Local\Temp\c63b49da763fd0470e4ab20c99307850_NeikiAnalytics.exe | N/A |
| File created | C:\Program Files (x86)\18739b51\18739b51 | C:\Users\Admin\AppData\Local\Temp\c63b49da763fd0470e4ab20c99307850_NeikiAnalytics.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2416 wrote to memory of 2080 | N/A | C:\Users\Admin\AppData\Local\Temp\c63b49da763fd0470e4ab20c99307850_NeikiAnalytics.exe | C:\Program Files (x86)\18739b51\jusched.exe |
| PID 2416 wrote to memory of 2080 | N/A | C:\Users\Admin\AppData\Local\Temp\c63b49da763fd0470e4ab20c99307850_NeikiAnalytics.exe | C:\Program Files (x86)\18739b51\jusched.exe |
| PID 2416 wrote to memory of 2080 | N/A | C:\Users\Admin\AppData\Local\Temp\c63b49da763fd0470e4ab20c99307850_NeikiAnalytics.exe | C:\Program Files (x86)\18739b51\jusched.exe |
| PID 2416 wrote to memory of 2080 | N/A | C:\Users\Admin\AppData\Local\Temp\c63b49da763fd0470e4ab20c99307850_NeikiAnalytics.exe | C:\Program Files (x86)\18739b51\jusched.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\c63b49da763fd0470e4ab20c99307850_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c63b49da763fd0470e4ab20c99307850_NeikiAnalytics.exe"
C:\Program Files (x86)\18739b51\jusched.exe
"C:\Program Files (x86)\18739b51\jusched.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | elegan_786444.el.funpic.org | udp |
| US | 8.8.8.8:53 | griptoloji.host-ed.net | udp |
| US | 8.8.8.8:53 | ftp.tripod.com | udp |
| US | 209.202.252.54:21 | ftp.tripod.com | tcp |
| US | 209.202.252.54:21 | ftp.tripod.com | tcp |
Files
memory/2416-0-0x0000000000400000-0x0000000000421000-memory.dmp
\Program Files (x86)\18739b51\jusched.exe
| MD5 | 6dbbc9d087581a566e416fa95d92a46c |
| SHA1 | b074e55c5410353d3afd65f55323d9688c0edee9 |
| SHA256 | cc6ae326cac6e1df7011e7db60e4d9a2cf2d23544453e874295976159be405cc |
| SHA512 | 4f833581c05cd20de18f9b6d44ca209d38eaf6154fa57a1c5e49c0d8b516aa6855a51ff41856e51aa678d3d5a20218362090a491a3c94ac92fad20dc2803ec43 |
memory/2416-6-0x0000000000390000-0x00000000003B1000-memory.dmp
memory/2416-10-0x0000000000390000-0x00000000003B1000-memory.dmp
memory/2416-13-0x0000000000400000-0x0000000000421000-memory.dmp
C:\Program Files (x86)\18739b51\18739b51
| MD5 | f253efe302d32ab264a76e0ce65be769 |
| SHA1 | 768685ca582abd0af2fbb57ca37752aa98c9372b |
| SHA256 | 49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd |
| SHA512 | 1990d20b462406bbadb22ba43f1ed9d0db6b250881d4ac89ad8cf6e43ca92b2fd31c3a15be1e6e149e42fdb46e58122c15bc7869a82c9490656c80df69fa77c4 |