Analysis Overview
SHA256
4d39ce6b9300d9d25bfb6e359a608a759f1a1c7a03aa80d36ef07f919dd7e4fb
Threat Level: Shows suspicious behavior
The file a4fc2b9519492ecd7e73d901f2ef77e0_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Deletes itself
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-03 13:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 13:29
Reported
2024-06-03 13:31
Platform
win7-20240221-en
Max time kernel
118s
Max time network
118s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2424.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2424.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4fc2b9519492ecd7e73d901f2ef77e0_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2156 wrote to memory of 2184 | N/A | C:\Users\Admin\AppData\Local\Temp\a4fc2b9519492ecd7e73d901f2ef77e0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\2424.tmp |
| PID 2156 wrote to memory of 2184 | N/A | C:\Users\Admin\AppData\Local\Temp\a4fc2b9519492ecd7e73d901f2ef77e0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\2424.tmp |
| PID 2156 wrote to memory of 2184 | N/A | C:\Users\Admin\AppData\Local\Temp\a4fc2b9519492ecd7e73d901f2ef77e0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\2424.tmp |
| PID 2156 wrote to memory of 2184 | N/A | C:\Users\Admin\AppData\Local\Temp\a4fc2b9519492ecd7e73d901f2ef77e0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\2424.tmp |
Processes
C:\Users\Admin\AppData\Local\Temp\a4fc2b9519492ecd7e73d901f2ef77e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a4fc2b9519492ecd7e73d901f2ef77e0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\2424.tmp
"C:\Users\Admin\AppData\Local\Temp\2424.tmp"
Network
Files
\Users\Admin\AppData\Local\Temp\2424.tmp
| MD5 | 5941bbbfbb2ece3759dc91e32081a7b9 |
| SHA1 | 1326b79a8600838219042cabece423a4cf947013 |
| SHA256 | ddad778cc1a8e44caaaba15d0cacba53b7cf6285019b32b7d8927dd6c9e1d765 |
| SHA512 | 461123c4a00a229cffffd099aa253f28f0197488ce1944d0d115ac0f509664ddd3e5eb74d782b88e29dcc68a8b642e1419b96144248bd6a0fc743dd069f5295a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 13:29
Reported
2024-06-03 13:31
Platform
win10v2004-20240508-en
Max time kernel
133s
Max time network
126s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E6B6.tmp | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3688 wrote to memory of 3864 | N/A | C:\Users\Admin\AppData\Local\Temp\a4fc2b9519492ecd7e73d901f2ef77e0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\E6B6.tmp |
| PID 3688 wrote to memory of 3864 | N/A | C:\Users\Admin\AppData\Local\Temp\a4fc2b9519492ecd7e73d901f2ef77e0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\E6B6.tmp |
| PID 3688 wrote to memory of 3864 | N/A | C:\Users\Admin\AppData\Local\Temp\a4fc2b9519492ecd7e73d901f2ef77e0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\E6B6.tmp |
Processes
C:\Users\Admin\AppData\Local\Temp\a4fc2b9519492ecd7e73d901f2ef77e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a4fc2b9519492ecd7e73d901f2ef77e0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\E6B6.tmp
"C:\Users\Admin\AppData\Local\Temp\E6B6.tmp"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4336,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=3596 /prefetch:8
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\E6B6.tmp
| MD5 | e6df579659968cd682ec203047e3e3b7 |
| SHA1 | 0f62c4edf3aaec3a939eefb37c3c4a13346d311d |
| SHA256 | e5fa92914d0f8ac7aa06e58be38dc16ab3553c3d40e242c6961070902cd297d6 |
| SHA512 | d54066421c508c2143452cee2b9f4992c94b0d32fae3a73df6787bb6386cb6fe02c04e2b485c030cb61a2d9d419fb50761713835475a0867561b72536875ba79 |