Analysis Overview
SHA256
f425c0e4f5fc046e276dfb8bae7b7e471652764168f070607496eed884e37952
Threat Level: Shows suspicious behavior
The file a43d5c91b70baf3666a86c91ff0673a0_NeikiAnalytics.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 12:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 12:58
Reported
2024-06-03 13:01
Platform
win7-20240508-en
Max time kernel
132s
Max time network
132s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\codecupdater.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a43d5c91b70baf3666a86c91ff0673a0_NeikiAnalytics.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a43d5c91b70baf3666a86c91ff0673a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a43d5c91b70baf3666a86c91ff0673a0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\codecupdater.exe
"C:\Users\Admin\AppData\Local\Temp\codecupdater.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | pakmailbarrie.com | udp |
| CA | 65.39.133.140:80 | pakmailbarrie.com | tcp |
| CA | 65.39.133.140:80 | pakmailbarrie.com | tcp |
| US | 8.8.8.8:53 | amy-escort.com | udp |
| US | 104.21.93.8:80 | amy-escort.com | tcp |
| US | 104.21.93.8:443 | amy-escort.com | tcp |
| US | 8.8.8.8:53 | www.amy-escort.com | udp |
| US | 188.114.96.2:80 | www.amy-escort.com | tcp |
| US | 188.114.96.2:443 | www.amy-escort.com | tcp |
| CA | 65.39.133.140:80 | pakmailbarrie.com | tcp |
| CA | 65.39.133.140:80 | pakmailbarrie.com | tcp |
| US | 188.114.96.2:443 | www.amy-escort.com | tcp |
| CA | 65.39.133.140:80 | pakmailbarrie.com | tcp |
| CA | 65.39.133.140:80 | pakmailbarrie.com | tcp |
Files
memory/2424-1-0x0000000000401000-0x0000000000402000-memory.dmp
\Users\Admin\AppData\Local\Temp\codecupdater.exe
| Hash | Value |
| --- | --- |
| MD5 | f51db72f9bdab50ce46872171934662e |
| SHA1 | 6efbb51326cdb3e23424f823e6757d24f7aa39e0 |
| SHA256 | dba8adc1854432c0176f009c002c1ceb998671368335beed6a4f7d3b580da336 |
| SHA512 | 0350c1e68b519e85577607b21fc59a20e9a8daeb755aa9bbccbf8af6b6f3bd4dfdf96b66fc5c2265709219d0d388c27ee97547a9277076780e7b78c5d0d33c01 |
memory/2936-8-0x0000000000400000-0x0000000000407000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MNCIS1YI\pdf[1].htm
| Hash | Value |
| --- | --- |
| MD5 | 0104c301c5e02bd6148b8703d19b3a73 |
| SHA1 | 7436e0b4b1f8c222c38069890b75fa2baf9ca620 |
| SHA256 | 446a6087825fa73eadb045e5a2e9e2adf7df241b571228187728191d961dda1f |
| SHA512 | 84427b656a6234a651a6d8285c103645b861a18a6c5af4abb5cb4f3beb5a4f0df4a74603a0896c7608790fbb886dc40508e92d5709f44dca05dd46c8316d15bf |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 12:58
Reported
2024-06-03 13:01
Platform
win10v2004-20240508-en
Max time kernel
131s
Max time network
133s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a43d5c91b70baf3666a86c91ff0673a0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\codecupdater.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3012 wrote to memory of 3596 | N/A | C:\Users\Admin\AppData\Local\Temp\a43d5c91b70baf3666a86c91ff0673a0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\codecupdater.exe |
| PID 3012 wrote to memory of 3596 | N/A | C:\Users\Admin\AppData\Local\Temp\a43d5c91b70baf3666a86c91ff0673a0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\codecupdater.exe |
| PID 3012 wrote to memory of 3596 | N/A | C:\Users\Admin\AppData\Local\Temp\a43d5c91b70baf3666a86c91ff0673a0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\codecupdater.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a43d5c91b70baf3666a86c91ff0673a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a43d5c91b70baf3666a86c91ff0673a0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\codecupdater.exe
"C:\Users\Admin\AppData\Local\Temp\codecupdater.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pakmailbarrie.com | udp |
| CA | 65.39.133.140:80 | pakmailbarrie.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.99:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| CA | 65.39.133.140:80 | pakmailbarrie.com | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | amy-escort.com | udp |
| US | 104.21.93.8:80 | amy-escort.com | tcp |
| US | 104.21.93.8:443 | amy-escort.com | tcp |
| US | 8.8.8.8:53 | www.amy-escort.com | udp |
| US | 104.21.93.8:80 | www.amy-escort.com | tcp |
| US | 8.8.8.8:53 | 8.93.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.169.217.172.in-addr.arpa | udp |
| US | 104.21.93.8:443 | www.amy-escort.com | tcp |
| CA | 65.39.133.140:80 | pakmailbarrie.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| CA | 65.39.133.140:80 | pakmailbarrie.com | tcp |
| US | 104.21.93.8:443 | www.amy-escort.com | tcp |
| CA | 65.39.133.140:80 | pakmailbarrie.com | tcp |
| US | 8.8.8.8:53 | 152.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| CA | 65.39.133.140:80 | pakmailbarrie.com | tcp |
Files
memory/3012-1-0x0000000000401000-0x0000000000402000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\codecupdater.exe
| Hash | Value |
| --- | --- |
| MD5 | f51db72f9bdab50ce46872171934662e |
| SHA1 | 6efbb51326cdb3e23424f823e6757d24f7aa39e0 |
| SHA256 | dba8adc1854432c0176f009c002c1ceb998671368335beed6a4f7d3b580da336 |
| SHA512 | 0350c1e68b519e85577607b21fc59a20e9a8daeb755aa9bbccbf8af6b6f3bd4dfdf96b66fc5c2265709219d0d388c27ee97547a9277076780e7b78c5d0d33c01 |
memory/3596-9-0x0000000000400000-0x0000000000407000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DKWDYRX8\pdf[1].htm
| Hash | Value |
| --- | --- |
| MD5 | 0104c301c5e02bd6148b8703d19b3a73 |
| SHA1 | 7436e0b4b1f8c222c38069890b75fa2baf9ca620 |
| SHA256 | 446a6087825fa73eadb045e5a2e9e2adf7df241b571228187728191d961dda1f |
| SHA512 | 84427b656a6234a651a6d8285c103645b861a18a6c5af4abb5cb4f3beb5a4f0df4a74603a0896c7608790fbb886dc40508e92d5709f44dca05dd46c8316d15bf |