Analysis Overview
SHA256
d68796d07542a1557857fc528f63754241225db49d1197c5a5bf32ff649525e2
Threat Level: Shows suspicious behavior
The file 9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Adds Run key to start application
Drops file in System32 directory
Unsigned PE
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 05:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 05:36
Reported
2024-06-03 05:38
Platform
win7-20240220-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\GGAAAG_LOADER = "C:\\Windows\\system32\\GAAG.exe" | C:\Users\Admin\AppData\Local\Temp\9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FifefoxUpdater = "C:\\Windows\\system32\\FifefoxUpdater.scr" | C:\Users\Admin\AppData\Local\Temp\9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinSevenUpdater = "C:\\Windows\\system32\\AVSCANNER.EXE" | C:\Users\Admin\AppData\Local\Temp\9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\AVSCANNER.EXE | C:\Users\Admin\AppData\Local\Temp\9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe | N/A |
| File created | C:\Windows\SysWOW64\GAAG.exe | C:\Users\Admin\AppData\Local\Temp\9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\GAAG.exe | C:\Users\Admin\AppData\Local\Temp\9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe | N/A |
| File created | C:\Windows\SysWOW64\FifefoxUpdater.scr | C:\Users\Admin\AppData\Local\Temp\9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\FifefoxUpdater.scr | C:\Users\Admin\AppData\Local\Temp\9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe | N/A |
| File created | C:\Windows\SysWOW64\AVSCANNER.EXE | C:\Users\Admin\AppData\Local\Temp\9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe"
Network
Files
memory/2292-0-0x0000000000400000-0x000000000044C000-memory.dmp
C:\Windows\SysWOW64\AVSCANNER.EXE
| MD5 | 892caf6af305b40b051ed82ed28dccb6 |
| SHA1 | d9179d5accea45fd1bb58fec0e90e4a1be220f7b |
| SHA256 | 88af08bb6aa15e598b4108f3e73629215dbf353c90dd5e7ecb6b87a0768c88ce |
| SHA512 | 2310cae0cecf7b83c286e68465c5c9bc5ba9908b6db4c94d87a83499eed01497a9158a8d80c5ef67e4bd96e40ceaf6c57646a6a68702dc47f476ab5cbb1c0d10 |
memory/2292-7-0x0000000000400000-0x000000000044C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 05:36
Reported
2024-06-03 05:38
Platform
win10v2004-20240508-en
Max time kernel
130s
Max time network
151s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FifefoxUpdater = "C:\\Windows\\system32\\FifefoxUpdater.scr" | C:\Users\Admin\AppData\Local\Temp\9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinSevenUpdater = "C:\\Windows\\system32\\AVSCANNER.EXE" | C:\Users\Admin\AppData\Local\Temp\9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GGAAAG_LOADER = "C:\\Windows\\system32\\GAAG.exe" | C:\Users\Admin\AppData\Local\Temp\9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\GAAG.exe | C:\Users\Admin\AppData\Local\Temp\9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe | N/A |
| File created | C:\Windows\SysWOW64\FifefoxUpdater.scr | C:\Users\Admin\AppData\Local\Temp\9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\FifefoxUpdater.scr | C:\Users\Admin\AppData\Local\Temp\9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe | N/A |
| File created | C:\Windows\SysWOW64\AVSCANNER.EXE | C:\Users\Admin\AppData\Local\Temp\9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\AVSCANNER.EXE | C:\Users\Admin\AppData\Local\Temp\9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe | N/A |
| File created | C:\Windows\SysWOW64\GAAG.exe | C:\Users\Admin\AppData\Local\Temp\9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9d528d9f73ad3a71dea5530bf9f5bac0_NeikiAnalytics.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
Files
memory/1908-0-0x0000000000400000-0x000000000044C000-memory.dmp
C:\Windows\SysWOW64\AVSCANNER.EXE
| MD5 | 13920c618f161ebb63df9d145b8dedda |
| SHA1 | 61c38853ef0fed4bf50464a8f185748f8de8c24d |
| SHA256 | b4cb47e89d4bbf70efdc7864e0fa2ac73955dd13fc992e9a5282049fa37a50b2 |
| SHA512 | 54a5ad8f2538bc7bb1168e1bb075a8d7db8091beee1786876a8da79c533c6c36dcbc4b7c8b6952904a95eca6ecc2cfb99894eaad239ea2bf9b70536e7114ce26 |
memory/1908-7-0x0000000000400000-0x000000000044C000-memory.dmp