Analysis Overview
SHA256
03bcec36de566b396586d8354a73181ca584c2ac701e8a846ca2f08e741c54f2
Threat Level: Shows suspicious behavior
The file 1630281bf6150a3debbfc4aecf53c530_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-09 07:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-09 07:34
Reported
2024-06-09 07:37
Platform
win7-20240221-en
Max time kernel
123s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\system32.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Users\\Admin\\system32.exe" | C:\Users\Admin\system32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1630281bf6150a3debbfc4aecf53c530_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\system32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2000 wrote to memory of 2912 | N/A | C:\Users\Admin\AppData\Local\Temp\1630281bf6150a3debbfc4aecf53c530_NeikiAnalytics.exe | C:\Users\Admin\system32.exe |
| PID 2000 wrote to memory of 2912 | N/A | C:\Users\Admin\AppData\Local\Temp\1630281bf6150a3debbfc4aecf53c530_NeikiAnalytics.exe | C:\Users\Admin\system32.exe |
| PID 2000 wrote to memory of 2912 | N/A | C:\Users\Admin\AppData\Local\Temp\1630281bf6150a3debbfc4aecf53c530_NeikiAnalytics.exe | C:\Users\Admin\system32.exe |
| PID 2000 wrote to memory of 2912 | N/A | C:\Users\Admin\AppData\Local\Temp\1630281bf6150a3debbfc4aecf53c530_NeikiAnalytics.exe | C:\Users\Admin\system32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1630281bf6150a3debbfc4aecf53c530_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1630281bf6150a3debbfc4aecf53c530_NeikiAnalytics.exe"
C:\Users\Admin\system32.exe
C:\Users\Admin\system32.exe
Network
Files
C:\Users\Admin\System32.exe
| MD5 | df5d11e3d45b004232d4bacd4f113e6b |
| SHA1 | bcb448e159b110351ee4142778ff82cc43296c42 |
| SHA256 | f6f59d0628483ba08b042ac843c35f5cb99b50cb59f2aa1a670d3ea2fe5480be |
| SHA512 | 049599a57b7f3808fbe3a572f73fd7bfe01f8f3e9b8345fc90115dd9f239612f1684b05c29d038820fc16bbd4c87c2053930d611ff9b4a290c578aec4bdbfac7 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-09 07:34
Reported
2024-06-09 07:37
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
95s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\system32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Users\\Admin\\system32.exe" | C:\Users\Admin\system32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1630281bf6150a3debbfc4aecf53c530_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\system32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3720 wrote to memory of 3604 | N/A | C:\Users\Admin\AppData\Local\Temp\1630281bf6150a3debbfc4aecf53c530_NeikiAnalytics.exe | C:\Users\Admin\system32.exe |
| PID 3720 wrote to memory of 3604 | N/A | C:\Users\Admin\AppData\Local\Temp\1630281bf6150a3debbfc4aecf53c530_NeikiAnalytics.exe | C:\Users\Admin\system32.exe |
| PID 3720 wrote to memory of 3604 | N/A | C:\Users\Admin\AppData\Local\Temp\1630281bf6150a3debbfc4aecf53c530_NeikiAnalytics.exe | C:\Users\Admin\system32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1630281bf6150a3debbfc4aecf53c530_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1630281bf6150a3debbfc4aecf53c530_NeikiAnalytics.exe"
C:\Users\Admin\system32.exe
C:\Users\Admin\system32.exe
Network
Files
C:\Users\Admin\System32.exe
| MD5 | df5d11e3d45b004232d4bacd4f113e6b |
| SHA1 | bcb448e159b110351ee4142778ff82cc43296c42 |
| SHA256 | f6f59d0628483ba08b042ac843c35f5cb99b50cb59f2aa1a670d3ea2fe5480be |
| SHA512 | 049599a57b7f3808fbe3a572f73fd7bfe01f8f3e9b8345fc90115dd9f239612f1684b05c29d038820fc16bbd4c87c2053930d611ff9b4a290c578aec4bdbfac7 |