Analysis Overview
SHA256
12d002845d95604d1b26caa65de20bc799daf239bdd3a796c187b752cab7d010
Threat Level: Shows suspicious behavior
The file a431df978d27bb4b627bcfb412b25c70_NeikiAnalytics.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-03 12:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 12:57
Reported
2024-06-03 12:59
Platform
win7-20240508-en
Max time kernel
120s
Max time network
125s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a431df978d27bb4b627bcfb412b25c70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a431df978d27bb4b627bcfb412b25c70_NeikiAnalytics.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c [email protected]
C:\Users\Admin\AppData\Local\Temp\[email protected]
Network
Files
\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 65b4652c2300b626d6ff1561ba52ec89 |
| SHA1 | 2262dee1193f657401b01b99ee8c29d94daebe64 |
| SHA256 | 6ba01faae5505f7baf5e6e1e8acc5ab7da2cb1644050c6009954fae7b819b9a4 |
| SHA512 | 2f0682e9c32d0e3d125ecffe2a73e54a5e0106205f21f41c8d043ada7ce251f5450b075e1e0f0a4381b64e4452c64a389716f15aa1eeeae23325eb0e8695ee05 |
memory/1452-8-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2064-7-0x0000000000400000-0x000000000041B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 12:57
Reported
2024-06-03 12:59
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2744 wrote to memory of 232 | N/A | C:\Users\Admin\AppData\Local\Temp\a431df978d27bb4b627bcfb412b25c70_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2744 wrote to memory of 232 | N/A | C:\Users\Admin\AppData\Local\Temp\a431df978d27bb4b627bcfb412b25c70_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2744 wrote to memory of 232 | N/A | C:\Users\Admin\AppData\Local\Temp\a431df978d27bb4b627bcfb412b25c70_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 232 wrote to memory of 2652 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\[email protected] |
| PID 232 wrote to memory of 2652 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\[email protected] |
| PID 232 wrote to memory of 2652 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\[email protected] |
Processes
C:\Users\Admin\AppData\Local\Temp\a431df978d27bb4b627bcfb412b25c70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a431df978d27bb4b627bcfb412b25c70_NeikiAnalytics.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c [email protected]
C:\Users\Admin\AppData\Local\Temp\[email protected]
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.73.50.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 65b4652c2300b626d6ff1561ba52ec89 |
| SHA1 | 2262dee1193f657401b01b99ee8c29d94daebe64 |
| SHA256 | 6ba01faae5505f7baf5e6e1e8acc5ab7da2cb1644050c6009954fae7b819b9a4 |
| SHA512 | 2f0682e9c32d0e3d125ecffe2a73e54a5e0106205f21f41c8d043ada7ce251f5450b075e1e0f0a4381b64e4452c64a389716f15aa1eeeae23325eb0e8695ee05 |
memory/2652-5-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2744-6-0x0000000000400000-0x000000000041B000-memory.dmp