Analysis Overview
SHA256
6cb8b68ee6a31233c2bba4bac31cfb382caa4ab65fc83b70a2b84a89e48a62a2
Threat Level: Shows suspicious behavior
The file 049264b4bf5eb0b7ea8fe9c113be6d90_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Writes to the Master Boot Record (MBR)
Loads dropped DLL
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-08 23:05
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 23:03
Reported
2024-06-08 23:08
Platform
win7-20240221-en
Max time kernel
120s
Max time network
125s
Command Line
Signatures
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\049264b4bf5eb0b7ea8fe9c113be6d90_NeikiAnalytics.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\049264b4bf5eb0b7ea8fe9c113be6d90_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\049264b4bf5eb0b7ea8fe9c113be6d90_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\049264b4bf5eb0b7ea8fe9c113be6d90_NeikiAnalytics.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\049264b4bf5eb0b7ea8fe9c113be6d90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\049264b4bf5eb0b7ea8fe9c113be6d90_NeikiAnalytics.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | master.etl.desktop.qq.com | udp |
| US | 8.8.8.8:53 | c.gj.qq.com | udp |
| CN | 157.255.4.39:443 | master.etl.desktop.qq.com | tcp |
| US | 8.8.8.8:53 | c.gj.qq.com | udp |
| HK | 43.135.106.184:80 | c.gj.qq.com | tcp |
| HK | 43.135.106.184:80 | c.gj.qq.com | tcp |
| US | 8.8.8.8:53 | oth.eve.mdt.qq.com | udp |
| US | 8.8.8.8:53 | oth.eve.mdt.qq.com | udp |
| US | 8.8.8.8:53 | oth.eve.mdt.qq.com | udp |
| US | 8.8.8.8:53 | oth.eve.mdt.qq.com | udp |
| SG | 101.33.47.206:8081 | oth.eve.mdt.qq.com | tcp |
| SG | 101.33.47.206:8081 | oth.eve.mdt.qq.com | tcp |
| SG | 101.33.47.68:8081 | oth.eve.mdt.qq.com | tcp |
| SG | 101.33.47.206:8081 | oth.eve.mdt.qq.com | tcp |
| CN | 157.255.4.39:443 | master.etl.desktop.qq.com | tcp |
| CN | 157.255.4.39:443 | master.etl.desktop.qq.com | tcp |
| CN | 157.255.4.39:443 | master.etl.desktop.qq.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\TencentDownload\~f767eff\QQPCDownload.dll
| MD5 | 9d44d2a1e8c988979a2f7d77a4f038fa |
| SHA1 | d91d84512e7ce2957f2b4e6fc2d97d04ba7f1557 |
| SHA256 | fd1af002dd83bb74d244414df2bd90553050486671410aec2a9dea729114aa2f |
| SHA512 | 4d14b1099e5104ee9b853b2201c08fef8fff16953e530b19c18df73e0fb2bb8f018b10c1070c37420f63156fb9b203bbce3f90d1f4c2fee7a9f7a2a7fc33d657 |
memory/2656-6-0x00000000008B0000-0x00000000008B1000-memory.dmp
\Users\Admin\AppData\Local\Temp\TencentDownload\~f767eff\beacon_sdk.dll
| MD5 | 573ec741ba9393c06292c329ca78e50c |
| SHA1 | 8f7956a1f2a40af28f0f470b82a90042bdfd836c |
| SHA256 | 0118930d91b51e6e4dfea02c4b81c152cbb848e227c02a1dcdc0909b167fdad0 |
| SHA512 | 741574fecb16a6581c1a8d5fb412752915dc02a0f8b8a485a8fdf0d71005851c5fa6710fba242234a5a9ef250d3d85aff24af7492a16922351ec783d5b9d19cd |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 23:03
Reported
2024-06-08 23:08
Platform
win10v2004-20240426-en
Max time kernel
147s
Max time network
152s
Command Line
Signatures
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\049264b4bf5eb0b7ea8fe9c113be6d90_NeikiAnalytics.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\049264b4bf5eb0b7ea8fe9c113be6d90_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\049264b4bf5eb0b7ea8fe9c113be6d90_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\049264b4bf5eb0b7ea8fe9c113be6d90_NeikiAnalytics.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\049264b4bf5eb0b7ea8fe9c113be6d90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\049264b4bf5eb0b7ea8fe9c113be6d90_NeikiAnalytics.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | master.etl.desktop.qq.com | udp |
| US | 8.8.8.8:53 | c.gj.qq.com | udp |
| CN | 157.255.4.39:443 | master.etl.desktop.qq.com | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| HK | 43.135.106.117:80 | c.gj.qq.com | tcp |
| HK | 43.135.106.117:80 | c.gj.qq.com | tcp |
| US | 8.8.8.8:53 | oth.eve.mdt.qq.com | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 117.106.135.43.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| SG | 101.33.47.206:8081 | oth.eve.mdt.qq.com | tcp |
| SG | 101.33.47.206:8081 | oth.eve.mdt.qq.com | tcp |
| SG | 101.33.47.206:8081 | oth.eve.mdt.qq.com | tcp |
| SG | 101.33.47.206:8081 | oth.eve.mdt.qq.com | tcp |
| US | 8.8.8.8:53 | 206.47.33.101.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| CN | 157.255.4.39:443 | master.etl.desktop.qq.com | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| CN | 157.255.4.39:443 | master.etl.desktop.qq.com | tcp |
| CN | 157.255.4.39:443 | master.etl.desktop.qq.com | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\TencentDownload\~e572710\QQPCDownload.dll
| MD5 | 9d44d2a1e8c988979a2f7d77a4f038fa |
| SHA1 | d91d84512e7ce2957f2b4e6fc2d97d04ba7f1557 |
| SHA256 | fd1af002dd83bb74d244414df2bd90553050486671410aec2a9dea729114aa2f |
| SHA512 | 4d14b1099e5104ee9b853b2201c08fef8fff16953e530b19c18df73e0fb2bb8f018b10c1070c37420f63156fb9b203bbce3f90d1f4c2fee7a9f7a2a7fc33d657 |
C:\ProgramData\Tencent\DeskUpdate\Guid.db
| MD5 | 8ecaf420539b9f96aff88d42f55cb445 |
| SHA1 | 2bae46284ec361705dbb05a1c1dc2d08a697284a |
| SHA256 | 4996eebd89eb68d514669a0b0b2f7e5c6c168844d71477c1b220dafce86beb35 |
| SHA512 | 695ca720bf64a6a90465b0c0d70db75e09b6e67d31b9492cff9e24fa0dc2a7381e50d9d2740ac7a3ac38398bf1103b5d94bb457c15ab64d22c5e108ad09639b5 |
C:\ProgramData\Tencent\DeskUpdate\GuidInfo.db
| MD5 | a143c7b6b8bebc7046677be1a7270aa6 |
| SHA1 | 72399aafa1eb19734268fcd9909e801d2c8644d4 |
| SHA256 | 764f954ce734095be720ebdd6cbf6f2d2c8469491214063bfd457605d0a14623 |
| SHA512 | c5e646b58d58c14c4eb70def72acf35febd7ebe5ddef19bf2e63357fb4d98eb7f4204d517c7413ec7591e5434683a4ce54f4c8d13144eee0f6795817fc9c992c |
C:\ProgramData\Tencent\DeskUpdate\GuidList.db
| MD5 | 61ea8a586825c954d1cc835fc0aac762 |
| SHA1 | ce648f55e869b9883fb98160a83f750c0504817c |
| SHA256 | 8b4fa3d767e1109f0e9ece1b31f7ede46e38725233f1301e219e93c603668d96 |
| SHA512 | 0c3754b3257c97f3fa3bf4956308698cb3e1926c5403f1aaf9dfc02a081f651920dc4ac7a073c00f3d85ce90f0e9b382454364084dcd867e98c609ea1abfe043 |
C:\Users\Admin\AppData\Roaming\Tencent\DeskUpdate\GlobalMgr.db
| MD5 | 62f0545df12c80cf7fce69d7b787b329 |
| SHA1 | 24e28042829e0fbdf9aad7d20d1c4b330757c3d9 |
| SHA256 | 99ea6f1c593ee0e2bb00027e9e4030d6ba3f435e3eaaa4971e7293a441329aa6 |
| SHA512 | 8fb411ad151642dfa30f42122bc47cb8368966a7be36c817d945b0a12b9eec34c1e1364aa2b27640efc00d47ef78e3a9d95c4e2cfcd71686c0b8377a79bac258 |
C:\Users\Admin\AppData\Local\Temp\TencentDownload\~e572710\beacon_sdk.dll
| MD5 | 573ec741ba9393c06292c329ca78e50c |
| SHA1 | 8f7956a1f2a40af28f0f470b82a90042bdfd836c |
| SHA256 | 0118930d91b51e6e4dfea02c4b81c152cbb848e227c02a1dcdc0909b167fdad0 |
| SHA512 | 741574fecb16a6581c1a8d5fb412752915dc02a0f8b8a485a8fdf0d71005851c5fa6710fba242234a5a9ef250d3d85aff24af7492a16922351ec783d5b9d19cd |