Analysis Overview
SHA256
46baa6f42912382af55e1ba6ed01a54acb191b5279fcd7e7f852c4d7b29ea9f2
Threat Level: Likely malicious
The file b2e0914878ccdb317a3cc77b692e2980_NeikiAnalytics.exe was found to be: Likely malicious.
Malicious Activity Summary
Blocklisted process makes network request
Executes dropped EXE
Loads dropped DLL
Deletes itself
Reads user/profile data of web browsers
Adds Run key to start application
Writes to the Master Boot Record (MBR)
Enumerates connected drives
Unsigned PE
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Runs ping.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-04 18:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-04 18:02
Reported
2024-06-04 18:05
Platform
win7-20240215-en
Max time kernel
144s
Max time network
144s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\qhehi.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\qhehi.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\dbedvdx\\ugqig.dll\",init" | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\v: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\z: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\h: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\l: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\n: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\o: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\q: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\u: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\x: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\b: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\g: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\m: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\p: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\t: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\r: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\s: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\w: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\a: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\e: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\i: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\j: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\k: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\y: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b2e0914878ccdb317a3cc77b692e2980_NeikiAnalytics.exe | N/A |
| N/A | N/A | \??\c:\qhehi.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b2e0914878ccdb317a3cc77b692e2980_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b2e0914878ccdb317a3cc77b692e2980_NeikiAnalytics.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 -n 2&c:\qhehi.exe "C:\Users\Admin\AppData\Local\Temp\b2e0914878ccdb317a3cc77b692e2980_NeikiAnalytics.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 2
\??\c:\qhehi.exe
c:\qhehi.exe "C:\Users\Admin\AppData\Local\Temp\b2e0914878ccdb317a3cc77b692e2980_NeikiAnalytics.exe"
\??\c:\windows\SysWOW64\rundll32.exe
c:\windows\system32\rundll32.exe "c:\dbedvdx\ugqig.dll",init c:\qhehi.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 107.163.241.232:12354 | tcp | |
| US | 107.163.241.232:12354 | tcp | |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 107.163.241.232:12354 | tcp | |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 107.163.241.232:12354 | tcp | |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
Files
memory/2972-0-0x0000000000400000-0x0000000000425000-memory.dmp
memory/2972-1-0x00000000002E0000-0x00000000002E1000-memory.dmp
memory/2972-3-0x0000000000400000-0x0000000000425000-memory.dmp
\??\c:\qhehi.exe
| MD5 | 92006b3f249c13df606af0c3d15b8235 |
| SHA1 | 128fefce7ba171b8fe9fe16a527a1eae42d01027 |
| SHA256 | 3ddafceffccde170fa09d2744c013ba9b5f5e0d1216142fa44b26c9b43d74a9a |
| SHA512 | e72f28eb5e61144c8202cacc0e4d648f046ce5966130ae701991b07a90cc9ca078f1a8345dd12ccb0fe238a42122eb8c6dfcafd1d284e44e0cbf241e3393158c |
memory/2496-7-0x0000000000180000-0x00000000001A5000-memory.dmp
memory/2496-6-0x0000000000180000-0x00000000001A5000-memory.dmp
memory/2600-8-0x0000000000260000-0x0000000000261000-memory.dmp
memory/2600-10-0x0000000000400000-0x0000000000425000-memory.dmp
\??\c:\dbedvdx\ugqig.dll
| MD5 | 36e3fb5964d663272cf1169e1e1ca478 |
| SHA1 | 58115e08b49505bcbbb5c88a28a86222ba18d5d4 |
| SHA256 | c7c41689de030df0f78f471422fa2a6383b36e77c94e7f6f124a96feb3e27ed7 |
| SHA512 | daff53b11aa400437a06287707a334a09661c1ef7d0fd8beaf1a874c79c16fe45bd1188343d0623e839d3ead5ea2dd90896e37ccf3b252c7220c74989a9ba442 |
memory/2556-16-0x0000000010000000-0x000000001002E000-memory.dmp
memory/2556-17-0x0000000010000000-0x000000001002E000-memory.dmp
memory/2556-18-0x0000000010000000-0x000000001002E000-memory.dmp
memory/2556-19-0x0000000010021000-0x0000000010022000-memory.dmp
memory/2556-20-0x0000000010000000-0x000000001002E000-memory.dmp
memory/2556-21-0x0000000010000000-0x000000001002E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-04 18:02
Reported
2024-06-04 18:05
Platform
win10v2004-20240426-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\shtttiepb.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\shtttiepb.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\ohdxr\\xjoiq.dll\",init" | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\a: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\g: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\o: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\r: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\x: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\z: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\h: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\i: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\q: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\v: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\w: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\b: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\e: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\k: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\n: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\p: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\t: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\j: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\l: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\m: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\s: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\u: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\y: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b2e0914878ccdb317a3cc77b692e2980_NeikiAnalytics.exe | N/A |
| N/A | N/A | \??\c:\shtttiepb.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b2e0914878ccdb317a3cc77b692e2980_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b2e0914878ccdb317a3cc77b692e2980_NeikiAnalytics.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 -n 2&c:\shtttiepb.exe "C:\Users\Admin\AppData\Local\Temp\b2e0914878ccdb317a3cc77b692e2980_NeikiAnalytics.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 2
\??\c:\shtttiepb.exe
c:\shtttiepb.exe "C:\Users\Admin\AppData\Local\Temp\b2e0914878ccdb317a3cc77b692e2980_NeikiAnalytics.exe"
\??\c:\windows\SysWOW64\rundll32.exe
c:\windows\system32\rundll32.exe "c:\ohdxr\xjoiq.dll",init c:\shtttiepb.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 107.163.241.232:12354 | tcp | |
| US | 107.163.241.232:12354 | tcp | |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 107.163.241.232:12354 | tcp | |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | 114.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 52.111.227.11:443 | tcp | |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
Files
memory/2988-0-0x0000000000400000-0x0000000000425000-memory.dmp
memory/2988-1-0x00000000009F0000-0x00000000009F1000-memory.dmp
memory/2988-3-0x0000000000400000-0x0000000000425000-memory.dmp
C:\shtttiepb.exe
| MD5 | b8a83adca9bd6feb67aaa5bc681bbcbb |
| SHA1 | 8850db35058a34bdacf26b59e6b788610aee7824 |
| SHA256 | ce26ffd61dd52dc9ed9f8de4e307387babec59f6f274ad47cd3f380a208b9005 |
| SHA512 | f0e59b8bc27934153e6e076619e3a858118180818f3157c1ac5c2bfcbbde997f0caff9c52c5eec027c8a13a8aacd08991cc554cc08734f4243390c236ecce06f |
memory/3868-7-0x0000000000930000-0x0000000000931000-memory.dmp
memory/3868-9-0x0000000000400000-0x0000000000425000-memory.dmp
\??\c:\ohdxr\xjoiq.dll
| MD5 | 36e3fb5964d663272cf1169e1e1ca478 |
| SHA1 | 58115e08b49505bcbbb5c88a28a86222ba18d5d4 |
| SHA256 | c7c41689de030df0f78f471422fa2a6383b36e77c94e7f6f124a96feb3e27ed7 |
| SHA512 | daff53b11aa400437a06287707a334a09661c1ef7d0fd8beaf1a874c79c16fe45bd1188343d0623e839d3ead5ea2dd90896e37ccf3b252c7220c74989a9ba442 |
memory/2664-12-0x0000000010000000-0x000000001002E000-memory.dmp
memory/2664-14-0x0000000001130000-0x0000000001131000-memory.dmp
memory/2664-13-0x0000000010000000-0x000000001002E000-memory.dmp
memory/2664-15-0x0000000010000000-0x000000001002E000-memory.dmp
memory/2664-16-0x0000000001130000-0x0000000001131000-memory.dmp