Analysis Overview
SHA256
59bc4e65a020ac9c2aa796197011e5d2e66480a270346cb8f37fed09b357ce15
Threat Level: Shows suspicious behavior
The file e1e68eaf707b6522fcbec1a74a4de7d0_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Deletes itself
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Suspicious behavior: RenamesItself
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-30 14:15
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 14:15
Reported
2024-05-30 14:18
Platform
win7-20240508-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e1e68eaf707b6522fcbec1a74a4de7d0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e1e68eaf707b6522fcbec1a74a4de7d0_NeikiAnalytics.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e1e68eaf707b6522fcbec1a74a4de7d0_NeikiAnalytics.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e1e68eaf707b6522fcbec1a74a4de7d0_NeikiAnalytics.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e1e68eaf707b6522fcbec1a74a4de7d0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e1e68eaf707b6522fcbec1a74a4de7d0_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3016 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\e1e68eaf707b6522fcbec1a74a4de7d0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\e1e68eaf707b6522fcbec1a74a4de7d0_NeikiAnalytics.exe |
| PID 3016 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\e1e68eaf707b6522fcbec1a74a4de7d0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\e1e68eaf707b6522fcbec1a74a4de7d0_NeikiAnalytics.exe |
| PID 3016 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\e1e68eaf707b6522fcbec1a74a4de7d0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\e1e68eaf707b6522fcbec1a74a4de7d0_NeikiAnalytics.exe |
| PID 3016 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\e1e68eaf707b6522fcbec1a74a4de7d0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\e1e68eaf707b6522fcbec1a74a4de7d0_NeikiAnalytics.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e1e68eaf707b6522fcbec1a74a4de7d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e1e68eaf707b6522fcbec1a74a4de7d0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\e1e68eaf707b6522fcbec1a74a4de7d0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\e1e68eaf707b6522fcbec1a74a4de7d0_NeikiAnalytics.exe
Network
Files
memory/3016-0-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3016-1-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\e1e68eaf707b6522fcbec1a74a4de7d0_NeikiAnalytics.exe
| Hash | Value |
| --- | --- |
| MD5 | 4bf87fb939a03a58d1363a3ca8eb1a48 |
| SHA1 | 10e41bd64620529deb19b570f58efc6005382c79 |
| SHA256 | f273b1296c6ba4ec89beeb2c95d8624645a6e41fba4adf56138cec1393eb3f6d |
| SHA512 | 6da4a9136249830337d6f391596e37956a861905afad4369ef9ee840f772d3711a4e436fca06dcf472b015a029e3536bfdead82b6b2b6db3b19186870fa50f8f |
memory/3016-14-0x0000000000400000-0x000000000041B000-memory.dmp
memory/3016-15-0x0000000000190000-0x00000000001BF000-memory.dmp
memory/2992-17-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3016-9-0x0000000000140000-0x000000000016F000-memory.dmp
memory/2992-29-0x00000000001A0000-0x00000000001BB000-memory.dmp
memory/2992-28-0x0000000000140000-0x000000000016F000-memory.dmp
memory/2992-23-0x0000000000400000-0x000000000040E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-30 14:15
Reported
2024-05-30 14:18
Platform
win10v2004-20240508-en
Max time kernel
133s
Max time network
102s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e1e68eaf707b6522fcbec1a74a4de7d0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e1e68eaf707b6522fcbec1a74a4de7d0_NeikiAnalytics.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e1e68eaf707b6522fcbec1a74a4de7d0_NeikiAnalytics.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e1e68eaf707b6522fcbec1a74a4de7d0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e1e68eaf707b6522fcbec1a74a4de7d0_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2740 wrote to memory of 228 | N/A | C:\Users\Admin\AppData\Local\Temp\e1e68eaf707b6522fcbec1a74a4de7d0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\e1e68eaf707b6522fcbec1a74a4de7d0_NeikiAnalytics.exe |
| PID 2740 wrote to memory of 228 | N/A | C:\Users\Admin\AppData\Local\Temp\e1e68eaf707b6522fcbec1a74a4de7d0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\e1e68eaf707b6522fcbec1a74a4de7d0_NeikiAnalytics.exe |
| PID 2740 wrote to memory of 228 | N/A | C:\Users\Admin\AppData\Local\Temp\e1e68eaf707b6522fcbec1a74a4de7d0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\e1e68eaf707b6522fcbec1a74a4de7d0_NeikiAnalytics.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e1e68eaf707b6522fcbec1a74a4de7d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e1e68eaf707b6522fcbec1a74a4de7d0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\e1e68eaf707b6522fcbec1a74a4de7d0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\e1e68eaf707b6522fcbec1a74a4de7d0_NeikiAnalytics.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 2.17.107.98:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.107.17.2.in-addr.arpa | udp |
| BE | 2.17.107.98:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/2740-0-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2740-1-0x00000000000F0000-0x000000000011F000-memory.dmp
memory/2740-2-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2740-13-0x0000000000400000-0x000000000041B000-memory.dmp
memory/228-14-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\e1e68eaf707b6522fcbec1a74a4de7d0_NeikiAnalytics.exe
| Hash | Value |
| --- | --- |
| MD5 | b10a28c44a9c25782d6f2f8eda215af0 |
| SHA1 | eed3bb4811aa457a94c306f8154b9085ecb8cd2d |
| SHA256 | 0d59b49d427d731830a839d6ae8ccb37b63ffcdf9712aa156f12312f6e73847f |
| SHA512 | a6d99fd132a568e6180713288c765196195caa14ce3735d22abaa56629e1bee6910c1d11aa0adc83b024548a579cb42ae83e72403b270e86244fd67d224679fb |
memory/228-20-0x0000000001430000-0x000000000145F000-memory.dmp
memory/228-21-0x0000000000400000-0x000000000040E000-memory.dmp
memory/228-26-0x00000000014F0000-0x000000000150B000-memory.dmp