Analysis Overview
SHA256
7a5abeae5309ceb0c7c8b730103ef2a7432a9951c46586a75df7cfcbdea2d49f
Threat Level: Known bad
The file 8d8855e0cea34014cda2fd1c1d363ac0_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-01 04:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 04:29
Reported
2024-06-01 04:32
Platform
win7-20240419-en
Max time kernel
150s
Max time network
120s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\janed.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\janed.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8d8855e0cea34014cda2fd1c1d363ac0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8d8855e0cea34014cda2fd1c1d363ac0_NeikiAnalytics.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\janed = "C:\\Users\\Admin\\janed.exe" | C:\Users\Admin\janed.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8d8855e0cea34014cda2fd1c1d363ac0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\janed.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8d8855e0cea34014cda2fd1c1d363ac0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8d8855e0cea34014cda2fd1c1d363ac0_NeikiAnalytics.exe"
C:\Users\Admin\janed.exe
"C:\Users\Admin\janed.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | ns4.theimageparlour.net | udp |
| US | 206.189.185.75:8000 | ns4.theimageparlour.net | tcp |
Files
\Users\Admin\janed.exe
| MD5 | 8ca42edac06e1fa4947637ade7b9fd10 |
| SHA1 | 598649d3e3a9aceb4215b824ab151faf284b00c1 |
| SHA256 | 229f61d750fabcce66d42c3bb8f134769203b53f5957499a49b2b3d615dc5fcb |
| SHA512 | f399055aab31e2ec2e19b268562b22d19edf90859249546e689c2e3dac895d3bed556d022bf9f6b977f46856539fa656c9b1806bb7b58df834f05fe09196971e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 04:29
Reported
2024-06-01 04:32
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
135s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\siuon.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8d8855e0cea34014cda2fd1c1d363ac0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\siuon.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\siuon = "C:\\Users\\Admin\\siuon.exe" | C:\Users\Admin\siuon.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8d8855e0cea34014cda2fd1c1d363ac0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\siuon.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8d8855e0cea34014cda2fd1c1d363ac0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8d8855e0cea34014cda2fd1c1d363ac0_NeikiAnalytics.exe"
C:\Users\Admin\siuon.exe
"C:\Users\Admin\siuon.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4200,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=4240 /prefetch:8
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | ns1.theimageparlour.net | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\siuon.exe
| MD5 | a8ec367e5dc83a51ae724203fff96697 |
| SHA1 | dfaf52c4ceab0706d2d6f8c0c541431c896a9af5 |
| SHA256 | f5dd2dd5b60be85d9897bd53cd00ce8ab883ee47bf2daa7e7e45c179da7489b8 |
| SHA512 | 2fd155abcda5862e34e367c9dfdd955372621708985691ca03fa624f51cf43de39c193d929ae48c76185cd556f51cd1a2d99e1485e313dcc1fb144f916311bd0 |