Analysis Overview
SHA256: 423348233dd82d76beba2aaa00887c732818b6de5463f1beb94e4de57f8631b8
Threat Level: Likely malicious
The file 0a3d8cab28c88ed9884e2c86d5ed5170_NeikiAnalytics.exe was found to be: Likely malicious.
Malicious Activity Summary
Downloads MZ/PE file
Executes dropped EXE
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported: 2024-06-03 15:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-03 15:54
Reported: 2024-06-03 15:57
Platform: win7-20240508-en
Max time kernel: 128s
Max time network: 125s
Signatures
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\0a3d8cab28c88ed9884e2c86d5ed5170_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\0a3d8cab28c88ed9884e2c86d5ed5170_NeikiAnalytics.exe" |
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-03 15:54
Reported: 2024-06-03 15:57
Platform: win10v2004-20240508-en
Max time kernel: 149s
Max time network: 150s
Signatures
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\240603155449328.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\242603155453656.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\242603155504047.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\242603155514641.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\242603155536375.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\242603155546469.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\242603155557078.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\242603155607313.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\242603155618781.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\242603155629360.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\242603155642594.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\242603155653094.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\242603155703016.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\0a3d8cab28c88ed9884e2c86d5ed5170_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\0a3d8cab28c88ed9884e2c86d5ed5170_NeikiAnalytics.exe" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\240603155449328.exe 000001 |
| C:\Users\Admin\AppData\Local\Temp\240603155449328.exe | C:\Users\Admin\AppData\Local\Temp\240603155449328.exe 000001 |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242603155453656.exe 000002 |
| C:\Users\Admin\AppData\Local\Temp\242603155453656.exe | C:\Users\Admin\AppData\Local\Temp\242603155453656.exe 000002 |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242603155504047.exe 000003 |
| C:\Users\Admin\AppData\Local\Temp\242603155504047.exe | C:\Users\Admin\AppData\Local\Temp\242603155504047.exe 000003 |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242603155514641.exe 000004 |
| C:\Users\Admin\AppData\Local\Temp\242603155514641.exe | C:\Users\Admin\AppData\Local\Temp\242603155514641.exe 000004 |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242603155525516.exe 000005 |
| C:\Users\Admin\AppData\Local\Temp\242603155525516.exe | C:\Users\Admin\AppData\Local\Temp\242603155525516.exe 000005 |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242603155536375.exe 000006 |
| C:\Users\Admin\AppData\Local\Temp\242603155536375.exe | C:\Users\Admin\AppData\Local\Temp\242603155536375.exe 000006 |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242603155546469.exe 000007 |
| C:\Users\Admin\AppData\Local\Temp\242603155546469.exe | C:\Users\Admin\AppData\Local\Temp\242603155546469.exe 000007 |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242603155557078.exe 000008 |
| C:\Users\Admin\AppData\Local\Temp\242603155557078.exe | C:\Users\Admin\AppData\Local\Temp\242603155557078.exe 000008 |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242603155607313.exe 000009 |
| C:\Users\Admin\AppData\Local\Temp\242603155607313.exe | C:\Users\Admin\AppData\Local\Temp\242603155607313.exe 000009 |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242603155618781.exe 00000a |
| C:\Users\Admin\AppData\Local\Temp\242603155618781.exe | C:\Users\Admin\AppData\Local\Temp\242603155618781.exe 00000a |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242603155629360.exe 00000b |
| C:\Users\Admin\AppData\Local\Temp\242603155629360.exe | C:\Users\Admin\AppData\Local\Temp\242603155629360.exe 00000b |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242603155642594.exe 00000c |
| C:\Users\Admin\AppData\Local\Temp\242603155642594.exe | C:\Users\Admin\AppData\Local\Temp\242603155642594.exe 00000c |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242603155653094.exe 00000d |
| C:\Users\Admin\AppData\Local\Temp\242603155653094.exe | C:\Users\Admin\AppData\Local\Temp\242603155653094.exe 00000d |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242603155703016.exe 00000e |
| C:\Users\Admin\AppData\Local\Temp\242603155703016.exe | C:\Users\Admin\AppData\Local\Temp\242603155703016.exe 00000e |
Network
Files
C:\Users\Admin\AppData\Local\Temp\240603155449328.exe
C:\Users\Admin\AppData\Local\Temp\242603155453656.exe
C:\Users\Admin\AppData\Local\Temp\242603155504047.exe
C:\Users\Admin\AppData\Local\Temp\242603155514641.exe
C:\Users\Admin\AppData\Local\Temp\242603155536375.exe
C:\Users\Admin\AppData\Local\Temp\242603155546469.exe
C:\Users\Admin\AppData\Local\Temp\242603155557078.exe
C:\Users\Admin\AppData\Local\Temp\242603155607313.exe
C:\Users\Admin\AppData\Local\Temp\242603155618781.exe
C:\Users\Admin\AppData\Local\Temp\242603155629360.exe
C:\Users\Admin\AppData\Local\Temp\242603155642594.exe
C:\Users\Admin\AppData\Local\Temp\242603155653094.exe
C:\Users\Admin\AppData\Local\Temp\242603155703016.exe