Analysis Overview
SHA256
4652ad8a55ece39c31572dba4cd06dd32a120cf1707322076e4908aac852e653
Threat Level: Shows suspicious behavior
The file a598c90eebe70028f52eb33aeeb83ba0_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-06 20:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-06 20:36
Reported
2024-06-06 20:39
Platform
win10v2004-20240508-en
Max time kernel
94s
Max time network
96s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\a598c90eebe70028f52eb33aeeb83ba0_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1012 wrote to memory of 4760 | N/A | C:\Users\Admin\AppData\Local\Temp\a598c90eebe70028f52eb33aeeb83ba0_NeikiAnalytics.exe | C:\Windows\SYSTEM32\cmd.exe |
| PID 1012 wrote to memory of 4760 | N/A | C:\Users\Admin\AppData\Local\Temp\a598c90eebe70028f52eb33aeeb83ba0_NeikiAnalytics.exe | C:\Windows\SYSTEM32\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a598c90eebe70028f52eb33aeeb83ba0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a598c90eebe70028f52eb33aeeb83ba0_NeikiAnalytics.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd /c "GTA.bat"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GTA.bat
| Hash | Value |
|---|---|
| MD5 | df4661aeff8046fdd5b3d37f3f5cd870 |
| SHA1 | 281d79c197c2a07b230a97591a9a3af6416abff7 |
| SHA256 | 0adf868af56f894ac8c7ee4a1543128a7a5f1076c4d825f1e56cb44d2ac151cf |
| SHA512 | cd29e1b902fa8a360b013b8bd2ea899ef08564480e090e1b1a2455850f386289b1eb8bb4cb939c569c23fc482587d0603d7e5c158999a4eca4fd29e01071bd37 |