Analysis Overview
SHA256
874146c65825150d843ef1bf43795c21a29e489a497c03ddcad24d4f2510fcf5
Threat Level: Shows suspicious behavior
The file 4f4829ec2a13137c4129debdaf8d1bc0_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-29 09:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-29 09:31
Reported
2024-05-29 09:34
Platform
win7-20240508-en
Max time kernel
148s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\uykes.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4f4829ec2a13137c4129debdaf8d1bc0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4f4829ec2a13137c4129debdaf8d1bc0_NeikiAnalytics.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\uykes.exe" | C:\ProgramData\uykes.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1700 wrote to memory of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\4f4829ec2a13137c4129debdaf8d1bc0_NeikiAnalytics.exe | C:\ProgramData\uykes.exe |
| PID 1700 wrote to memory of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\4f4829ec2a13137c4129debdaf8d1bc0_NeikiAnalytics.exe | C:\ProgramData\uykes.exe |
| PID 1700 wrote to memory of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\4f4829ec2a13137c4129debdaf8d1bc0_NeikiAnalytics.exe | C:\ProgramData\uykes.exe |
| PID 1700 wrote to memory of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\4f4829ec2a13137c4129debdaf8d1bc0_NeikiAnalytics.exe | C:\ProgramData\uykes.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\4f4829ec2a13137c4129debdaf8d1bc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4f4829ec2a13137c4129debdaf8d1bc0_NeikiAnalytics.exe"
C:\ProgramData\uykes.exe
"C:\ProgramData\uykes.exe"
Network
Files
memory/1700-0-0x0000000000400000-0x0000000000474000-memory.dmp
memory/1700-1-0x0000000000400000-0x0000000000474000-memory.dmp
\ProgramData\uykes.exe
| MD5 | 78e6bfeac4dd51e653d1ef0af2807c75 |
| SHA1 | b61bad66adedb8d15d5368bc3aa7d226228f3687 |
| SHA256 | d072a1575367d3eaa219f17bc469faf8d40926b135bceaa1f43b3a15a2b8b34b |
| SHA512 | 90ae7e7e3a41f7ea8fca5b6a879211320eccee838e6e037935684c3c5e739f89639dbda5f8c9c2f241b76b3ac0e36bf4908dec298fa238615c57e6feefe354fc |
C:\ProgramData\Saaaalamm\Mira.h
| MD5 | cb4c442a26bb46671c638c794bf535af |
| SHA1 | 8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf |
| SHA256 | f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25 |
| SHA512 | 074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3 |
C:\Documents and Settings .exe
| MD5 | a608c447e38b17a72506e71f8add97ce |
| SHA1 | e4ef8cbe0c34b420d7fb4fcc97efa1a7deec8921 |
| SHA256 | 296c5b24fb2ffbc60ecbf881150caaeb02d665880dec83fd36901aca028a0c09 |
| SHA512 | 700c823c0013eb78538a69fb5d8363615f1256e27163bf40b24ac5f20f652c08e852c0ddd51b39cf081162a749eabee34f5fa89fe558d4613ca5b29a83d56363 |
memory/1700-14-0x0000000000400000-0x0000000000474000-memory.dmp
memory/1828-133-0x0000000000400000-0x0000000000448000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-29 09:31
Reported
2024-05-29 09:34
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
103s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\tufsta.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\tufsta.exe" | C:\ProgramData\tufsta.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 216 wrote to memory of 4520 | N/A | C:\Users\Admin\AppData\Local\Temp\4f4829ec2a13137c4129debdaf8d1bc0_NeikiAnalytics.exe | C:\ProgramData\tufsta.exe |
| PID 216 wrote to memory of 4520 | N/A | C:\Users\Admin\AppData\Local\Temp\4f4829ec2a13137c4129debdaf8d1bc0_NeikiAnalytics.exe | C:\ProgramData\tufsta.exe |
| PID 216 wrote to memory of 4520 | N/A | C:\Users\Admin\AppData\Local\Temp\4f4829ec2a13137c4129debdaf8d1bc0_NeikiAnalytics.exe | C:\ProgramData\tufsta.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\4f4829ec2a13137c4129debdaf8d1bc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4f4829ec2a13137c4129debdaf8d1bc0_NeikiAnalytics.exe"
C:\ProgramData\tufsta.exe
"C:\ProgramData\tufsta.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 23.62.61.90:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/216-0-0x0000000000400000-0x0000000000474000-memory.dmp
memory/216-1-0x0000000000400000-0x0000000000474000-memory.dmp
C:\ProgramData\tufsta.exe
| MD5 | 78e6bfeac4dd51e653d1ef0af2807c75 |
| SHA1 | b61bad66adedb8d15d5368bc3aa7d226228f3687 |
| SHA256 | d072a1575367d3eaa219f17bc469faf8d40926b135bceaa1f43b3a15a2b8b34b |
| SHA512 | 90ae7e7e3a41f7ea8fca5b6a879211320eccee838e6e037935684c3c5e739f89639dbda5f8c9c2f241b76b3ac0e36bf4908dec298fa238615c57e6feefe354fc |
memory/216-8-0x0000000000400000-0x0000000000474000-memory.dmp
C:\ProgramData\Saaaalamm\Mira.h
| MD5 | cb4c442a26bb46671c638c794bf535af |
| SHA1 | 8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf |
| SHA256 | f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25 |
| SHA512 | 074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3 |
C:\Documents and Settings .exe
| MD5 | 695562a4e693b185b0d6c5cb45a5631b |
| SHA1 | 501d9a513ea6f55d90c2fe5e432f838ec18155ea |
| SHA256 | 60750d2a54f9ec0b6904be52e2fbcaade425ee66c3bfe605716cb8a48e5ba312 |
| SHA512 | 898fa421493e6c7c0e09624be47608a2596b8626f60e5af88444c147bc07f95477eb0436be25ffa5e3444c1fe149dfc0dea104a2daf6a68d66d3c74c53cfee54 |
memory/4520-130-0x0000000000400000-0x0000000000448000-memory.dmp