Analysis Overview
SHA256
70163b0aae029948428e5a76e5aadbfd6a9abea33278ed076c512b79cdebb184
Threat Level: Shows suspicious behavior
The file 9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 05:10
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 05:10
Reported
2024-06-03 05:12
Platform
win7-20240221-en
Max time kernel
19s
Max time network
119s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A |
| N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9C9D97287EE25FC3DA5623ED1C031320_NEIKIANALYTICS.EXE | N/A |
| N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | C:\Users\Admin\AppData\Local\Temp\9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | C:\WINDOWS\MSWDM.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | C:\WINDOWS\MSWDM.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | C:\Users\Admin\AppData\Local\Temp\9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\dev21D3.tmp | C:\Users\Admin\AppData\Local\Temp\9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\dev21D3.tmp | C:\WINDOWS\MSWDM.EXE | N/A |
| File created | C:\WINDOWS\MSWDM.EXE | C:\Users\Admin\AppData\Local\Temp\9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe"
C:\WINDOWS\MSWDM.EXE
"C:\WINDOWS\MSWDM.EXE"
C:\WINDOWS\MSWDM.EXE
-r!C:\Windows\dev21D3.tmp!C:\Users\Admin\AppData\Local\Temp\9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe! !
C:\Users\Admin\AppData\Local\Temp\9C9D97287EE25FC3DA5623ED1C031320_NEIKIANALYTICS.EXE
C:\WINDOWS\MSWDM.EXE
-e!C:\Windows\dev21D3.tmp!C:\Users\Admin\AppData\Local\Temp\9C9D97287EE25FC3DA5623ED1C031320_NEIKIANALYTICS.EXE!
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 10.127.255.255:78 | | udp |
| N/A | 10.255.255.255:78 | | udp |
| N/A | 10.127.0.255:78 | | udp |
Files
memory/2924-0-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2924-3-0x0000000000250000-0x000000000026B000-memory.dmp
C:\Windows\MSWDM.EXE
| MD5 | 1e3f1a37d6507bf20172df8e2b7c1cfa |
| SHA1 | dadccd6e193266ef67bdd26755ddf6b4fca5c972 |
| SHA256 | 358b67a4e4e2e85088727bb92e5d60fefba25e66db1e39f563067b1d102d684d |
| SHA512 | dab264a506fa195bb5dd91622ba7a79a0f4564e2b34a16a2367ce352d3a4b254934c3c932aea1751ad85ff3618aadd8dc4708d29a058f65764460662befb319f |
C:\Windows\dev21D3.tmp
| MD5 | 977e405c109268909fd24a94cc23d4f0 |
| SHA1 | af5d032c2b6caa2164cf298e95b09060665c4188 |
| SHA256 | cd24c61fe7dc3896c6c928c92a2adc58fab0a3ff61ef7ddcac1ba794182ab12f |
| SHA512 | 12b4b59c1a8e65e72aa07ee4b6b6cd9fdedead01d5ce8e30f16ca26b5d733655e23a71c1d273a950a5b1a6cce810b696612de4a1148ac5f468ddf05d4549eed5 |
memory/2924-14-0x0000000000400000-0x000000000041B000-memory.dmp
memory/3008-17-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2704-16-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2704-32-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9C9D97287EE25FC3DA5623ED1C031320_NEIKIANALYTICS.EXE
| MD5 | c3ad8f41711821f463ccac4ac773e23b |
| SHA1 | a6b15a9378979a68efb06c46677c2b8e3c8bd9cf |
| SHA256 | 153fb3735dd4884df55c97b168ad02b61bebc7e7c8b2dfcbbbc6b08ebda1ec76 |
| SHA512 | f075253f1ed890ba0b8542d147c8395be42b9e10ccc3ff7fddb10abc21158a0e65dffd4fef965c4ce86baeefa49f33b188f5dd22a9589f5bcd2107331c11b056 |
memory/2760-29-0x0000000000400000-0x000000000041B000-memory.dmp
memory/3008-33-0x0000000000400000-0x000000000041B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 05:10
Reported
2024-06-03 05:12
Platform
win10v2004-20240508-en
Max time kernel
22s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A |
| N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9C9D97287EE25FC3DA5623ED1C031320_NEIKIANALYTICS.EXE | N/A |
| N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | C:\Users\Admin\AppData\Local\Temp\9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | C:\Users\Admin\AppData\Local\Temp\9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | C:\WINDOWS\MSWDM.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | C:\WINDOWS\MSWDM.EXE | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\WINDOWS\MSWDM.EXE | C:\Users\Admin\AppData\Local\Temp\9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\dev5052.tmp | C:\Users\Admin\AppData\Local\Temp\9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\dev5052.tmp | C:\WINDOWS\MSWDM.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A |
| N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe"
C:\WINDOWS\MSWDM.EXE
"C:\WINDOWS\MSWDM.EXE"
C:\WINDOWS\MSWDM.EXE
-r!C:\Windows\dev5052.tmp!C:\Users\Admin\AppData\Local\Temp\9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe! !
C:\Users\Admin\AppData\Local\Temp\9C9D97287EE25FC3DA5623ED1C031320_NEIKIANALYTICS.EXE
C:\WINDOWS\MSWDM.EXE
-e!C:\Windows\dev5052.tmp!C:\Users\Admin\AppData\Local\Temp\9C9D97287EE25FC3DA5623ED1C031320_NEIKIANALYTICS.EXE!
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 10.127.255.255:78 | | udp |
| N/A | 10.255.255.255:78 | | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| N/A | 10.127.0.255:78 | | udp |
| US | 8.8.8.8:53 | 255.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 255.255.255.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
Files
memory/3960-0-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Windows\MSWDM.EXE
| MD5 | 1e3f1a37d6507bf20172df8e2b7c1cfa |
| SHA1 | dadccd6e193266ef67bdd26755ddf6b4fca5c972 |
| SHA256 | 358b67a4e4e2e85088727bb92e5d60fefba25e66db1e39f563067b1d102d684d |
| SHA512 | dab264a506fa195bb5dd91622ba7a79a0f4564e2b34a16a2367ce352d3a4b254934c3c932aea1751ad85ff3618aadd8dc4708d29a058f65764460662befb319f |
memory/4220-13-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe
| MD5 | 977e405c109268909fd24a94cc23d4f0 |
| SHA1 | af5d032c2b6caa2164cf298e95b09060665c4188 |
| SHA256 | cd24c61fe7dc3896c6c928c92a2adc58fab0a3ff61ef7ddcac1ba794182ab12f |
| SHA512 | 12b4b59c1a8e65e72aa07ee4b6b6cd9fdedead01d5ce8e30f16ca26b5d733655e23a71c1d273a950a5b1a6cce810b696612de4a1148ac5f468ddf05d4549eed5 |
memory/2024-12-0x0000000000400000-0x000000000041B000-memory.dmp
memory/3960-7-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9c9d97287ee25fc3da5623ed1c031320_NeikiAnalytics.exe
| MD5 | c3ad8f41711821f463ccac4ac773e23b |
| SHA1 | a6b15a9378979a68efb06c46677c2b8e3c8bd9cf |
| SHA256 | 153fb3735dd4884df55c97b168ad02b61bebc7e7c8b2dfcbbbc6b08ebda1ec76 |
| SHA512 | f075253f1ed890ba0b8542d147c8395be42b9e10ccc3ff7fddb10abc21158a0e65dffd4fef965c4ce86baeefa49f33b188f5dd22a9589f5bcd2107331c11b056 |
memory/2024-24-0x0000000000400000-0x000000000041B000-memory.dmp
memory/3508-20-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4220-25-0x0000000000400000-0x000000000041B000-memory.dmp