Analysis Overview
SHA256
66d7b8fb9b80db6290c427884cb409d95918a0bf64f3269420b17ad16fbce87e
Threat Level: Shows suspicious behavior
Verdict for the file 9cc059af09252ed2a7c8cfc7d1e5c990_NeikiAnalytics.exe: shows suspicious behavior.
Malicious Activity Summary
UPX packed file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 05:17
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 05:17
Reported
2024-06-03 05:19
Platform
win7-20240508-en
Max time kernel
19s
Max time network
123s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A |
| N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9CC059AF09252ED2A7C8CFC7D1E5C990_NEIKIANALYTICS.EXE | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A |
| N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | C:\Users\Admin\AppData\Local\Temp\9cc059af09252ed2a7c8cfc7d1e5c990_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | C:\Users\Admin\AppData\Local\Temp\9cc059af09252ed2a7c8cfc7d1e5c990_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | C:\WINDOWS\MSWDM.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | C:\WINDOWS\MSWDM.EXE | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\WINDOWS\MSWDM.EXE | C:\Users\Admin\AppData\Local\Temp\9cc059af09252ed2a7c8cfc7d1e5c990_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\dev1842.tmp | C:\Users\Admin\AppData\Local\Temp\9cc059af09252ed2a7c8cfc7d1e5c990_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\dev1842.tmp | C:\WINDOWS\MSWDM.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\9cc059af09252ed2a7c8cfc7d1e5c990_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\9cc059af09252ed2a7c8cfc7d1e5c990_NeikiAnalytics.exe" |
| C:\WINDOWS\MSWDM.EXE | "C:\WINDOWS\MSWDM.EXE" |
| C:\WINDOWS\MSWDM.EXE | -r!C:\Windows\dev1842.tmp!C:\Users\Admin\AppData\Local\Temp\9cc059af09252ed2a7c8cfc7d1e5c990_NeikiAnalytics.exe! ! |
| C:\Users\Admin\AppData\Local\Temp\9CC059AF09252ED2A7C8CFC7D1E5C990_NEIKIANALYTICS.EXE | |
| C:\WINDOWS\MSWDM.EXE | -e!C:\Windows\dev1842.tmp!C:\Users\Admin\AppData\Local\Temp\9CC059AF09252ED2A7C8CFC7D1E5C990_NEIKIANALYTICS.EXE! |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 10.127.255.255:78 | | udp |
| N/A | 10.255.255.255:78 | | udp |
| N/A | 10.127.0.255:78 | | udp |
Files
memory/1936-1-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Windows\MSWDM.EXE
| MD5 | 36b594ef79ea6d5f2ae23b4dbd940245 |
| SHA1 | 7f016dde472df1dc3e0377d88c05475207bc44b3 |
| SHA256 | af3eb1fff772cba996abad554c8b9b73d92706b8f8a40cd7d07a170d41bed0d9 |
| SHA512 | d48a9b0d23d97afe6deb4a6f26174b1d812d0069bb5ec2496f6ec4d22ce070564f5e4d465394b63328bc8dc857a4462e6aea57bbde2c607d51c9e1d0addf673e |
\Users\Admin\AppData\Local\Temp\9cc059af09252ed2a7c8cfc7d1e5c990_NeikiAnalytics.exe
| MD5 | 04fb3ae7f05c8bc333125972ba907398 |
| SHA1 | df22612647e9404a515d48ebad490349685250de |
| SHA256 | 2fb898bacb587f2484c9c4aa6da2729079d93d1f923a017bb84beef87bf74fef |
| SHA512 | 94c164a0b884c939ece30f5038d07b756702998d46786f9f613fbea2eb30bed4bc19a409f347bb4cc565898473b18155d580b453683223beaf30ed4079c251b2 |
memory/2092-19-0x0000000000400000-0x0000000000418000-memory.dmp
memory/3040-18-0x0000000000400000-0x0000000000418000-memory.dmp
memory/1936-12-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9CC059AF09252ED2A7C8CFC7D1E5C990_NEIKIANALYTICS.EXE
| MD5 | 678ca650ce6f4849bd4a8317e07655fd |
| SHA1 | c0a47ecd684c4b1e8d4709926d175345ca250c76 |
| SHA256 | 99e55d1fc3fe376f762f5f23995307a81f4dbe750d4b4570da1f6fe06abf901a |
| SHA512 | 4807b6dccb0638a06306ff4b3549bafe4edef8576a5a5312a060cc7de35953a486e639f25ddcf31b216bde716991ae494de0b248f2ca217212c165a92c2dc612 |
memory/3040-36-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2768-33-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2092-37-0x0000000000400000-0x0000000000418000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 05:17
Reported
2024-06-03 05:19
Platform
win10v2004-20240226-en
Max time kernel
48s
Max time network
152s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A |
| N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9CC059AF09252ED2A7C8CFC7D1E5C990_NEIKIANALYTICS.EXE | N/A |
| N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | C:\WINDOWS\MSWDM.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | C:\WINDOWS\MSWDM.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | C:\Users\Admin\AppData\Local\Temp\9cc059af09252ed2a7c8cfc7d1e5c990_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | C:\Users\Admin\AppData\Local\Temp\9cc059af09252ed2a7c8cfc7d1e5c990_NeikiAnalytics.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\WINDOWS\MSWDM.EXE | C:\Users\Admin\AppData\Local\Temp\9cc059af09252ed2a7c8cfc7d1e5c990_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\dev162.tmp | C:\Users\Admin\AppData\Local\Temp\9cc059af09252ed2a7c8cfc7d1e5c990_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\dev162.tmp | C:\WINDOWS\MSWDM.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A |
| N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\9cc059af09252ed2a7c8cfc7d1e5c990_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\9cc059af09252ed2a7c8cfc7d1e5c990_NeikiAnalytics.exe" |
| C:\WINDOWS\MSWDM.EXE | "C:\WINDOWS\MSWDM.EXE" |
| C:\WINDOWS\MSWDM.EXE | -r!C:\Windows\dev162.tmp!C:\Users\Admin\AppData\Local\Temp\9cc059af09252ed2a7c8cfc7d1e5c990_NeikiAnalytics.exe! ! |
| C:\Users\Admin\AppData\Local\Temp\9CC059AF09252ED2A7C8CFC7D1E5C990_NEIKIANALYTICS.EXE | |
| C:\WINDOWS\MSWDM.EXE | -e!C:\Windows\dev162.tmp!C:\Users\Admin\AppData\Local\Temp\9CC059AF09252ED2A7C8CFC7D1E5C990_NEIKIANALYTICS.EXE! |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4036 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8 |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 10.127.255.255:78 | | udp |
| N/A | 10.255.255.255:78 | | udp |
| N/A | 10.127.0.255:78 | | udp |
| US | 8.8.8.8:53 | 255.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 255.255.255.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| GB | 142.250.187.202:443 | | tcp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp |
Files
memory/2132-0-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Windows\MSWDM.EXE
| MD5 | 36b594ef79ea6d5f2ae23b4dbd940245 |
| SHA1 | 7f016dde472df1dc3e0377d88c05475207bc44b3 |
| SHA256 | af3eb1fff772cba996abad554c8b9b73d92706b8f8a40cd7d07a170d41bed0d9 |
| SHA512 | d48a9b0d23d97afe6deb4a6f26174b1d812d0069bb5ec2496f6ec4d22ce070564f5e4d465394b63328bc8dc857a4462e6aea57bbde2c607d51c9e1d0addf673e |
memory/1032-7-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Windows\dev162.tmp
| MD5 | 04fb3ae7f05c8bc333125972ba907398 |
| SHA1 | df22612647e9404a515d48ebad490349685250de |
| SHA256 | 2fb898bacb587f2484c9c4aa6da2729079d93d1f923a017bb84beef87bf74fef |
| SHA512 | 94c164a0b884c939ece30f5038d07b756702998d46786f9f613fbea2eb30bed4bc19a409f347bb4cc565898473b18155d580b453683223beaf30ed4079c251b2 |
memory/2132-10-0x0000000000400000-0x0000000000418000-memory.dmp
memory/3624-17-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9CC059AF09252ED2A7C8CFC7D1E5C990_NEIKIANALYTICS.EXE
| MD5 | 4418728dcb9aa000a6bbbeda2ddebcba |
| SHA1 | a76e262c9b0f8097839d58942c0f0a556c61d051 |
| SHA256 | ea05bb131d0d8c2fa4049002990ca40f451ef0c073fb94b56f28a2d73c1f8969 |
| SHA512 | 9eeb3f67c3bb6a2bb0d9de7497fe6f53d4eaf49ea9b4a42c8c6ef60be8ba07386de3a5487d891aa50de95f1f10289d6f9adcf1bc9c9fabfd170329d1ba5ccdfa |
memory/3624-20-0x0000000000400000-0x0000000000418000-memory.dmp
memory/1032-23-0x0000000000400000-0x0000000000418000-memory.dmp
memory/3792-24-0x0000000000400000-0x0000000000418000-memory.dmp