Analysis Overview
SHA256
9e17b33c6818148a9d5e47f00b13c757c957d1fe808e6486f73bebcadf9a6cf1
Threat Level: Shows suspicious behavior
The file a4da2be393d3d21a7b899a14a1697ae0_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-06-03 13:24
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 13:24
Reported
2024-06-03 13:26
Platform
win7-20240508-en
Max time kernel
150s
Max time network
121s
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4da2be393d3d21a7b899a14a1697ae0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4da2be393d3d21a7b899a14a1697ae0_NeikiAnalytics.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4da2be393d3d21a7b899a14a1697ae0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a4da2be393d3d21a7b899a14a1697ae0_NeikiAnalytics.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\a4da2be393d3d21a7b899a14a1697ae0_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\a4da2be393d3d21a7b899a14a1697ae0_NeikiAnalytics.exe" |
| C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe | "C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -Path "C:\Users\Admin\AppData\Local\Microsoft\local.cs"; [LocalServ]::Listen() |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7-dhqf_f.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1DAF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1DAE.tmp" |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 127.0.0.1:1488 | | tcp |
| US | 8.8.8.8:53 | dns2.soprodns.ru | udp |
Files
\Users\Admin\AppData\Local\Microsoft\audiohd.exe
| MD5 | fa86327b169ea79ce1a656ef9e1938af |
| SHA1 | 619921ea991f857cbad0770bc70faa4016182dd6 |
| SHA256 | 8aa9ffb22b8124f479aa8968ea1f381bc0284b6f09b82a251e76d9df1c88bf28 |
| SHA512 | 2af2ad02123a3690b99bf5afb571a67df7d460d69ab02ecc1c6e57924db8b9d5313cf5cfae39244f87b1570f216295ce229e30671badb774aa5cfdda706b9caf |
C:\Users\Admin\AppData\Local\Microsoft\local.cs
| MD5 | ff169c4274b91df68a1a0548b9186b29 |
| SHA1 | e2a406a1a49c5825d4f4279e82d1ca369433b244 |
| SHA256 | 6da3e26b268e4a6c21e192c8b9a1b89aef6880bad673b79e6a889d29641ac2cc |
| SHA512 | 8785d91046722c0e8278fb95404ae284c3cf5e96060d06a7dc2209866b96618978e41844759da30fec7bdcef677fada61d3db498adbe989eaa87fbf84fc3366b |
\??\c:\Users\Admin\AppData\Local\Temp\7-dhqf_f.cmdline
| MD5 | 1a18d6d5c310d5d80ddbc36ad090f347 |
| SHA1 | 7a097036e62a7bb3e998f6e6f51b9fbacebb893f |
| SHA256 | d6434b4672ddee53e038f365927044a8f23655f2be6007105045eb2f7d362868 |
| SHA512 | a6e56e4fe8378558e194b5b6aacf6cb480e158a5d2075611e82b8f3b916b057233296f40b446e1db818c9a90146a08be9b9cec5dcc927c70f028ee9b82d6f067 |
C:\Users\Admin\AppData\Local\Temp\RES1DAF.tmp
| MD5 | 720c9f915d2d90f074bed04c81de3da5 |
| SHA1 | b57da42ef026cfe051af50dfcb06ed4aade3d620 |
| SHA256 | a391e0831866f8642360734fc05e281f1192689b4e02859c20ba0dd37a74c79a |
| SHA512 | c697dc8b5b5ca79ac222bb80cf6b9be282afdd32ed5fef6d41ab3e220b6ddc265802767cbb32c3a0c3df5c222354c8c9073d9edba33de07f8bb67357764198f9 |
\??\c:\Users\Admin\AppData\Local\Temp\CSC1DAE.tmp
| MD5 | 68d2c25cf6caf3766ce062601c41705f |
| SHA1 | 6fdd95565a3bef277fb1f375cb3d2b88b269f0aa |
| SHA256 | 336e71053f99c90d1636fee4ac650946eeac96e55e390382ccd167f473b562e0 |
| SHA512 | b2d044b2853e3fe3c6ec1daa786bccb43dd9f7b8cac16cf06582931b29f7b114be2464780395b485e6d536da1ed48bba1078fd0f5f8614bf44f37d3df503ec64 |
C:\Users\Admin\AppData\Local\Temp\7-dhqf_f.dll
| MD5 | d3de2070a680cf7a04d8ce49be437cfd |
| SHA1 | c108c2eb9229632a70fb2b1f96f1be896183d4cd |
| SHA256 | c5e61063452ae2d2a8801887e0d7fbb10a1a09e4a0d9cecc8dbf841984eb8776 |
| SHA512 | 9c8eabd964d360d2de61020d1299850feeeffe3732ccda3ef3fdb216d314781ba44818d4e5f29f9962788d0d4c356372e12416f9303bfde9f766e8ef58a9a65a |
C:\Users\Admin\AppData\Local\Temp\7-dhqf_f.pdb
| MD5 | 9130224ea33d87d7bb95c8d5a0b0d455 |
| SHA1 | 073a6ea575557f99770c43086bab38403c48a1bd |
| SHA256 | 84b7737b6f4ecab5acbb385e7b6816773e1a1c79474b698d35dbd7ff48b2eb85 |
| SHA512 | a221ea944b0e6af877c93b05f64855f3a384cba9ca0c4f765c36f710f288dfed33917e2e41b9881e7ecd74b574ee5d905fc9222c6c6aac4763babc6ef3b006ce |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 13:24
Reported
2024-06-03 13:26
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
148s
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a4da2be393d3d21a7b899a14a1697ae0_NeikiAnalytics.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4da2be393d3d21a7b899a14a1697ae0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a4da2be393d3d21a7b899a14a1697ae0_NeikiAnalytics.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\a4da2be393d3d21a7b899a14a1697ae0_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\a4da2be393d3d21a7b899a14a1697ae0_NeikiAnalytics.exe" |
| C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe | "C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -Path "C:\Users\Admin\AppData\Local\Microsoft\local.cs"; [LocalServ]::Listen() |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sntaonvt\sntaonvt.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8CCF.tmp" "c:\Users\Admin\AppData\Local\Temp\sntaonvt\CSC7F1F8639741D4D0FA84096C5A3F9E10.TMP" |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| N/A | 127.0.0.1:1488 | | tcp |
| US | 8.8.8.8:53 | dns2.soprodns.ru | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 52.111.227.14:443 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe
| MD5 | 7b905ce066688405593b594b6a5022b3 |
| SHA1 | cedc09ffb6b4d796040f8286c4a2e8b3128d5694 |
| SHA256 | 51ab1be8a8d2833d77027e1753f6e4f6b39e77770395ab11fc2f6154b9be643f |
| SHA512 | cc6f6538e739131403132322cbfedae765c9321b8f1b1abe102e3c2ac0c563b9c864eb02fd0e8b8a63ccbd9dec1bc025605b548bf9a39d8828fbfc9dc644705c |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p2heh205.2af.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\local.cs
| MD5 | ff169c4274b91df68a1a0548b9186b29 |
| SHA1 | e2a406a1a49c5825d4f4279e82d1ca369433b244 |
| SHA256 | 6da3e26b268e4a6c21e192c8b9a1b89aef6880bad673b79e6a889d29641ac2cc |
| SHA512 | 8785d91046722c0e8278fb95404ae284c3cf5e96060d06a7dc2209866b96618978e41844759da30fec7bdcef677fada61d3db498adbe989eaa87fbf84fc3366b |
\??\c:\Users\Admin\AppData\Local\Temp\sntaonvt\sntaonvt.cmdline
| MD5 | aa92d065d3ff2299fbeb4d41cf47c91e |
| SHA1 | f9c5bbdbfb3bb3af3f0b7a27b515860f23df536d |
| SHA256 | e163778bb61035ef817a52d66cf7c2689b61d6a2eff0fc808ecb23093ec86404 |
| SHA512 | 04f5df24a27fee72691bb1811f57f981f6bd27bec22cddfa38b83d8b7358b8d3fb8ee9fbdfed78a96f01186ecc5e0869691d827c63ee532b3b033d24bb9a209d |
\??\c:\Users\Admin\AppData\Local\Temp\sntaonvt\CSC7F1F8639741D4D0FA84096C5A3F9E10.TMP
| MD5 | af6e4b0918cfced2620cce421d60b84c |
| SHA1 | 702dcab8695799b2fbaf85a86a5e115d03aa49c5 |
| SHA256 | a0a4154e0dc2b3891a709128aca03013d79cd552b46a1defb4b12f8ec0068c98 |
| SHA512 | fc02b9531a1e54319a561d1d4990092914df2255204bed8fbcd023367986db6cddfdba332c109e0df554648cdfffed37f9cc5299bf582278ffc89e50666d6701 |
C:\Users\Admin\AppData\Local\Temp\RES8CCF.tmp
| MD5 | 000c706cd29eb0ddbe7f1add0e856846 |
| SHA1 | 4bd0d692e087e763cddaf318dd71371b3abaccb6 |
| SHA256 | a85e87cdb84b64e1c64187f4b466107a32303a06a51268bce4a66a25779d31fc |
| SHA512 | 9cfa345f0de4c02cb0e5a1e768ef487b9472e0bacbe7ec1298ca8c7dab2d15b08dc0b228856593e983721a392abaf7218f2b86b2926f4bf1e7404efd10e7d581 |
C:\Users\Admin\AppData\Local\Temp\sntaonvt\sntaonvt.dll
| MD5 | c1bc22e68dcaf1f106e143f74f80486c |
| SHA1 | 52fe88f4738498145ee60511991b26e14977f70f |
| SHA256 | bad013e6e22ea1218d89d16fe949514cb1c1b17f8ef5d15d76e795da9ba3567d |
| SHA512 | 17778f142fd74454e987bb78805e36537aa3a3ef9ebbedf3caab9f3218539eae79394d45db71dc6721dd46bdd5e8808bc034d0b4959b5339b1fd7d769dc2d62a |