Analysis Overview
SHA256
d74df87f2e60774c97fbbbcab14dcdc8d61211713df37774b181d38577c192db
Threat Level: Shows suspicious behavior
The file a46ae228af8238162084801f03b0e100_NeikiAnalytics.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-03 13:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 13:07
Reported
2024-06-03 13:09
Platform
win7-20240221-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a46ae228af8238162084801f03b0e100_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a46ae228af8238162084801f03b0e100_NeikiAnalytics.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c [email protected]
C:\Users\Admin\AppData\Local\Temp\[email protected]
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 15225.exe
Network
Files
\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 9b4e1d6de11dd4672b0723a9bb3ef9b6 |
| SHA1 | 4e628da29bb213a60f106de5bebbd0e9f3c26b32 |
| SHA256 | eaa48aa237febe36f8f0bb998a6f61ca4b79660176ebbdb33d3b815df062756d |
| SHA512 | 428ca9f3c4839cffb29b65abeb71e257bc4d2c5f4fe7d8e22e167393c0da2938b7f75a5ba0dbccc522eb218f9c33f6a8b3c2bbee1981825e5863cfc7e9ac04d4 |
memory/2344-10-0x0000000000400000-0x0000000000419000-memory.dmp
memory/2196-11-0x0000000000400000-0x0000000000419000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 13:07
Reported
2024-06-03 13:10
Platform
win10v2004-20240226-en
Max time kernel
143s
Max time network
157s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\[email protected] | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a46ae228af8238162084801f03b0e100_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a46ae228af8238162084801f03b0e100_NeikiAnalytics.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c [email protected]
C:\Users\Admin\AppData\Local\Temp\[email protected]
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 15225.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2220 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.107.17.2.in-addr.arpa | udp |
| GB | 96.16.110.114:80 | tcp | |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| GB | 142.250.187.202:443 | tcp | |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 9b4e1d6de11dd4672b0723a9bb3ef9b6 |
| SHA1 | 4e628da29bb213a60f106de5bebbd0e9f3c26b32 |
| SHA256 | eaa48aa237febe36f8f0bb998a6f61ca4b79660176ebbdb33d3b815df062756d |
| SHA512 | 428ca9f3c4839cffb29b65abeb71e257bc4d2c5f4fe7d8e22e167393c0da2938b7f75a5ba0dbccc522eb218f9c33f6a8b3c2bbee1981825e5863cfc7e9ac04d4 |
memory/3932-6-0x0000000000400000-0x0000000000419000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\15225.exe
| MD5 | 7b621943a35e7f39cf89f50cc48d7b94 |
| SHA1 | 2858a28cf60f38025fffcd0ba2ecfec8511c197d |
| SHA256 | bef04c2f89dc115ce2763558933dba1767bf30cda6856d335ae68955923f9991 |
| SHA512 | 4169e664ad4e7e6891a05ceed78465e0ec44879b37fc0de97c014945e10c161f6bfb040efc24edc136e69bb115b2a1327b04cefb58141f712da856129872e8f1 |
memory/2688-8-0x0000000000400000-0x0000000000419000-memory.dmp
memory/3932-9-0x0000000000400000-0x0000000000419000-memory.dmp