Analysis Overview
SHA256
d9a80ccf03a5c2a2cfc478cce22fcfb876757f909536f1711b9bcfcdb41baf35
Threat Level: Shows suspicious behavior
The file 14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-04 00:03
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-04 00:03
Reported
2024-06-04 00:06
Platform
win7-20240221-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ZPubSAGgeY56Vl7.exe | N/A |
| N/A | N/A | C:\Windows\svhost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Users\Admin\AppData\Local\Temp\14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Windows\svhost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\svhost.exe | C:\Users\Admin\AppData\Local\Temp\14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe | N/A |
| File created | C:\Windows\svhost.exe | C:\Windows\svhost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\svhost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\ZPubSAGgeY56Vl7.exe
C:\Users\Admin\AppData\Local\Temp\ZPubSAGgeY56Vl7.exe
C:\Windows\svhost.exe
"C:\Windows\svhost.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | app.csvhost.info | udp |
Files
\Users\Admin\AppData\Local\Temp\ZPubSAGgeY56Vl7.exe
| Hash | Value |
| --- | --- |
| MD5 | e97c622b03fb2a2598bf019fbbe29f2c |
| SHA1 | 32698bd1d3a0ff6cf441770d1b2b816285068d19 |
| SHA256 | 5c1af46c7300e87a73dacf6cf41ce397e3f05df6bd9c7e227b4ac59f85769160 |
| SHA512 | db70c62fb35a8e5b005f13b57c1ebbf6c465f6ff0524422294c43e27fb4aa79379dc1e300ad11dc2354405c43b192ae06b91c0f525a1f2617e4d14673651a87d |
C:\Windows\svhost.exe
| Hash | Value |
| --- | --- |
| MD5 | 76fd02b48297edb28940bdfa3fa1c48a |
| SHA1 | bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce |
| SHA256 | 07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c |
| SHA512 | 28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0 |
C:\Users\Admin\AppData\Local\Temp\ZPubSAGgeY56Vl7.exe
| Hash | Value |
| --- | --- |
| MD5 | 43adfd9e2cb64bfaaa1f7dde6b2d8db4 |
| SHA1 | 64755e47beb78d60d62b2ce43133fd67d106fa69 |
| SHA256 | cfa38938cef31e9a3b72a854cfbe940f479479bbf836eebdde13d8931d9a2c73 |
| SHA512 | ed1ab3c86a93272d78a4c791c3616f41f1cfd60407e4382f26768180136139d6dcfa00dab45d270acb5c0d8578ed2f027a9d504a9503609f5a5c94475d02a4ca |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-04 00:03
Reported
2024-06-04 00:06
Platform
win10v2004-20240508-en
Max time kernel
93s
Max time network
95s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vW28ZG7vkoMd7Ec.exe | N/A |
| N/A | N/A | C:\Windows\svhost.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Users\Admin\AppData\Local\Temp\14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" | C:\Windows\svhost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\svhost.exe | C:\Users\Admin\AppData\Local\Temp\14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe | N/A |
| File created | C:\Windows\svhost.exe | C:\Windows\svhost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\svhost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 5076 wrote to memory of 3880 | N/A | C:\Users\Admin\AppData\Local\Temp\14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\vW28ZG7vkoMd7Ec.exe |
| PID 5076 wrote to memory of 3880 | N/A | C:\Users\Admin\AppData\Local\Temp\14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\vW28ZG7vkoMd7Ec.exe |
| PID 5076 wrote to memory of 3880 | N/A | C:\Users\Admin\AppData\Local\Temp\14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\vW28ZG7vkoMd7Ec.exe |
| PID 5076 wrote to memory of 388 | N/A | C:\Users\Admin\AppData\Local\Temp\14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe | C:\Windows\svhost.exe |
| PID 5076 wrote to memory of 388 | N/A | C:\Users\Admin\AppData\Local\Temp\14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe | C:\Windows\svhost.exe |
| PID 5076 wrote to memory of 388 | N/A | C:\Users\Admin\AppData\Local\Temp\14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe | C:\Windows\svhost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\14f4fc883efa6024842e67cc83459960_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\vW28ZG7vkoMd7Ec.exe
C:\Users\Admin\AppData\Local\Temp\vW28ZG7vkoMd7Ec.exe
C:\Windows\svhost.exe
"C:\Windows\svhost.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | app.csvhost.info | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Windows\svhost.exe
| Hash | Value |
| --- | --- |
| MD5 | 76fd02b48297edb28940bdfa3fa1c48a |
| SHA1 | bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce |
| SHA256 | 07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c |
| SHA512 | 28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0 |
C:\Users\Admin\AppData\Local\Temp\vW28ZG7vkoMd7Ec.exe
| Hash | Value |
| --- | --- |
| MD5 | e97c622b03fb2a2598bf019fbbe29f2c |
| SHA1 | 32698bd1d3a0ff6cf441770d1b2b816285068d19 |
| SHA256 | 5c1af46c7300e87a73dacf6cf41ce397e3f05df6bd9c7e227b4ac59f85769160 |
| SHA512 | db70c62fb35a8e5b005f13b57c1ebbf6c465f6ff0524422294c43e27fb4aa79379dc1e300ad11dc2354405c43b192ae06b91c0f525a1f2617e4d14673651a87d |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| Hash | Value |
| --- | --- |
| MD5 | b248c7a7a9ffc2b4353db49aac4c391e |
| SHA1 | 322f9e0e3111eaa9b85b041d45d4cd4cab75172b |
| SHA256 | ffe03f51696ce1793242ec5b305a64e3e81d529688bdbb853e0d1d2246dcb572 |
| SHA512 | 82abf36513e5e469f5655998f7cd4013006191a602fefcb022db30633918005a8e2a914102033cfb7421cca5db13462fb93136879e0ce77fe71438ddcd1ab744 |