Analysis Overview
SHA256
ced9edf5d1460713da985851fda632026b375613dbdd86ce8b7801aad1cd9a68
Threat Level: Likely benign
The file 4b1f6fd5faa0974455b510320a810840_NeikiAnalytics.exe was found to be: Likely benign.
Malicious Activity Summary
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-12 22:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 22:59
Reported
2024-06-12 23:02
Platform
win7-20231129-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4b1f6fd5faa0974455b510320a810840_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4b1f6fd5faa0974455b510320a810840_NeikiAnalytics.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uasca055\uasca055.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3727.tmp" "c:\Users\Admin\AppData\Local\Temp\uasca055\CSC1F10B95CE9D486191A6538F6F8FC844.TMP"
Network
Files
memory/3040-0-0x0000000000510000-0x0000000000511000-memory.dmp
memory/3040-9-0x0000000000510000-0x0000000000511000-memory.dmp
memory/3040-10-0x000007FEF5E93000-0x000007FEF5E94000-memory.dmp
memory/3040-11-0x0000000001E60000-0x0000000001E78000-memory.dmp
memory/3040-12-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp
memory/3040-13-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp
memory/3040-16-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\uasca055\uasca055.cmdline
| MD5 | a6c83b063491ece96b73ba047c67a9cb |
| SHA1 | 62ce085852541a78ba2991ca3d16a08a55ca6d83 |
| SHA256 | 954ecbad86521034d325154b064e20a93a7738a1d2fdf7f051330fe217a002dc |
| SHA512 | 8e742e33701a21dfd1fc4cd45a364e53b4324ca4ee38271b77d9ed588ede1edf502f93af8270030c284d2f515df8555581d0244320aba970666f54bfa221b158 |
\??\c:\Users\Admin\AppData\Local\Temp\uasca055\uasca055.0.cs
| MD5 | f420ebb3150f0764331a33377a7451b8 |
| SHA1 | 8ed9b9d610e8ab76aea82a3830ad31059517630b |
| SHA256 | dfb6ab38744b3a4e17cf7fa75b3126e88cbeabc907008f3921ff41c523a99a27 |
| SHA512 | b92767736261cb7c10f58576c44e62cd0d105e90e139b376d52ccb5cb7ca189205a1f7d7a5fec5d739f8763eded8b5c55b9057217fe9a55b1e151dc700760cbd |
\??\c:\Users\Admin\AppData\Local\Temp\uasca055\CSC1F10B95CE9D486191A6538F6F8FC844.TMP
| MD5 | d1043d97a80d98173643de6203ade524 |
| SHA1 | 6af50e6779ce3bbae3a7ccb67b1db17bd834a131 |
| SHA256 | 24ea9d8fc3a7321436684ba67901c16decf1b1a0268c7687caab64333691495d |
| SHA512 | 9bdcbe2f8a78770f7b98ac165d9c37bf560e79498a284f40a5024d6fb84a6a230ade20e3a1410dcc7c8d5d02fe5d405859b45b1e7d2e6f35f1e3bc794c35237b |
C:\Users\Admin\AppData\Local\Temp\RES3727.tmp
| MD5 | f9d7c20d6c449e6641fbe66c45f3adb6 |
| SHA1 | e518c51d9d995a96d980990b0df2b90c25194add |
| SHA256 | 8feab974c0c9d33b39c038c815295b6a8b4cab98442d02606d3edb2df3086c5a |
| SHA512 | 82317197dee22475375e5afb701e1920f761a0ee23f445f598cb8a68024fad21c2ec17e9da01d9fddb4f9354348f9c18bd6cf3d1e026fd651990b1798103195b |
C:\Users\Admin\AppData\Local\Temp\uasca055\uasca055.dll
| MD5 | e9665614ef18d4ba6f99c6cb900d0dd6 |
| SHA1 | d1cbb326fbd0af06d3a99391783a45eb19c5f301 |
| SHA256 | c004a091054ee3c66b98c349b2fb45cb3a0b1d726373a2bf15b40cdc00128237 |
| SHA512 | 5212fdb0b2cd86636cfea9ac18107971b639b967a9f9c43d5219c980f34245b8e16f79420dabe0d24240caa55eac4651285239efc6cb048de1ff0630b318be99 |
memory/3040-27-0x0000000001EA0000-0x0000000001EA8000-memory.dmp
memory/3040-29-0x000000013FB50000-0x000000013FBA2000-memory.dmp
memory/3040-30-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 22:59
Reported
2024-06-12 23:02
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
51s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2784 wrote to memory of 5012 | N/A | C:\Users\Admin\AppData\Local\Temp\4b1f6fd5faa0974455b510320a810840_NeikiAnalytics.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
| PID 2784 wrote to memory of 5012 | N/A | C:\Users\Admin\AppData\Local\Temp\4b1f6fd5faa0974455b510320a810840_NeikiAnalytics.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
| PID 5012 wrote to memory of 3948 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe |
| PID 5012 wrote to memory of 3948 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\4b1f6fd5faa0974455b510320a810840_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4b1f6fd5faa0974455b510320a810840_NeikiAnalytics.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v12mf4ds\v12mf4ds.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6D50.tmp" "c:\Users\Admin\AppData\Local\Temp\v12mf4ds\CSCD0EFA62DD9C4D0D886BACA2CDFC58B3.TMP"
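Added triage example (not part of the sandbox report and not code from the analyzed sample): the process tree above is the System.CodeDom / CSharpCodeProvider runtime-compilation chain (parent -> csc.exe with a .cmdline response file in a random %TEMP% subfolder -> cvtres.exe), and the two WriteProcessMemory hits are each a parent writing into a child it just created. The script below rebuilds the behavioral2 tree from the report's PIDs and command lines and runs two checks over it: flag csc.exe launched by a non-development parent from a user-writable location, and classify every WriteProcessMemory event as either the ordinary process-creation write (target is the writer's direct child) or a cross-process write worth escalating. Parent PIDs are inferred from the "PID X wrote to memory of Y" rows; the root parent PID 1000, the DEV_PARENTS allowlist and the rule names are assumptions.

```python
"""Triage checks over a sandbox process tree (constructed example)."""
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


# Constructed from the behavioral2 Processes list. ppid values are inferred
# from the WriteProcessMemory rows; 1000 for the root parent is made up.
PROCS = [
    Proc(2784, 1000,
         r"C:\Users\Admin\AppData\Local\Temp\4b1f6fd5faa0974455b510320a810840_NeikiAnalytics.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\4b1f6fd5faa0974455b510320a810840_NeikiAnalytics.exe"'),
    Proc(5012, 2784,
         r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
         r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths '
         r'@"C:\Users\Admin\AppData\Local\Temp\v12mf4ds\v12mf4ds.cmdline"'),
    Proc(3948, 5012,
         r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
         r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '
         r'"/OUT:C:\Users\Admin\AppData\Local\Temp\RES6D50.tmp" '
         r'"c:\Users\Admin\AppData\Local\Temp\v12mf4ds\CSCD0EFA62DD9C4D0D886BACA2CDFC58B3.TMP"'),
]

# (writer pid, target pid) pairs, copied from the report's signature table.
WRITES = [(2784, 5012), (2784, 5012), (5012, 3948), (5012, 3948)]

# Parents for which spawning csc.exe is expected (assumed allowlist).
DEV_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe",
               "powershell.exe", "pwsh.exe", "vbc.exe"}
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
RESP_FILE = re.compile(r'@"?([^"\s]+\.cmdline)"?', re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_csc(procs):
    """Flag csc.exe whose parent is not a dev tool, lives in %TEMP% and
    compiles a response file that also lives in %TEMP%."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        if basename(p.image) != "csc.exe":
            continue
        parent = by_pid.get(p.ppid)
        m = RESP_FILE.search(p.cmdline)
        resp = m.group(1) if m else ""
        if (parent and basename(parent.image) not in DEV_PARENTS
                and USER_WRITABLE.match(parent.image) and USER_WRITABLE.match(resp)):
            findings.append(Finding(
                p.pid, "csc_from_temp",
                f"parent {parent.pid} {basename(parent.image)} compiled {resp}"))
    return findings


def classify_writes(procs, writes):
    """Label each WriteProcessMemory event: a write into the writer's own
    direct child is the process-creation handshake; anything else is a
    cross-process write (injection-style) and should be escalated."""
    by_pid = {p.pid: p for p in procs}
    out = []
    for writer, target in dict.fromkeys(writes):  # dedupe, keep order
        t = by_pid.get(target)
        kind = "child_creation" if t and t.ppid == writer else "cross_process"
        out.append((writer, target, kind))
    return out


if __name__ == "__main__":
    for f in check_csc(PROCS):
        print(f"[{f.rule}] pid {f.pid}: {f.detail}")
    for writer, target, kind in classify_writes(PROCS, WRITES):
        print(f"write {writer} -> {target}: {kind}")
```

On the report above, both write events classify as child_creation, which is why they do not move the verdict away from "Likely benign" on their own. The csc_from_temp finding is the one worth a second look: runtime compilation from a Temp-resident executable is exactly what CSharpCodeProvider does for legitimate .NET applications, but it is also a common loader technique, so the compiled .cs source listed under Files (v12mf4ds.0.cs) is the artifact to read before closing the case.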
Network
Files
memory/2784-0-0x0000015DEC570000-0x0000015DEC571000-memory.dmp
memory/2784-9-0x0000015DEC570000-0x0000015DEC571000-memory.dmp
memory/2784-10-0x00007FF8CD270000-0x00007FF8CD465000-memory.dmp
memory/2784-11-0x00007FF8AEAA3000-0x00007FF8AEAA5000-memory.dmp
memory/2784-12-0x0000015DEC620000-0x0000015DEC638000-memory.dmp
memory/2784-16-0x00007FF8AEAA0000-0x00007FF8AF561000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\v12mf4ds\v12mf4ds.cmdline
| MD5 | 19f3b9108d63cc872ef8191e18d3cded |
| SHA1 | 7e238c4b85e11e489c769067d21319892d6d322a |
| SHA256 | 418bf89922c3b1d11016238d7e0fd2aa0cef375406600f3c6e030f9a1c53dfd4 |
| SHA512 | 64f09ba53dff16f0ef4e22c4e7328a1cfcc6ba1e42841b9a8ad862ea03f9e9d312d796cad19a06ad1f5df2ea168e585681c0f67cccad58153e4be291e63147cd |
\??\c:\Users\Admin\AppData\Local\Temp\v12mf4ds\v12mf4ds.0.cs
| MD5 | f420ebb3150f0764331a33377a7451b8 |
| SHA1 | 8ed9b9d610e8ab76aea82a3830ad31059517630b |
| SHA256 | dfb6ab38744b3a4e17cf7fa75b3126e88cbeabc907008f3921ff41c523a99a27 |
| SHA512 | b92767736261cb7c10f58576c44e62cd0d105e90e139b376d52ccb5cb7ca189205a1f7d7a5fec5d739f8763eded8b5c55b9057217fe9a55b1e151dc700760cbd |
memory/2784-19-0x00007FF8AEAA0000-0x00007FF8AF561000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\v12mf4ds\CSCD0EFA62DD9C4D0D886BACA2CDFC58B3.TMP
| MD5 | 9e28a032d283bdeee003c18550728ddd |
| SHA1 | a756b9c58359023dce22b6686ea1fdd00e76e9a2 |
| SHA256 | 4985262c6c84c52d0bec4c5043e135385a4285b52c7bb80b171940e56cb00d05 |
| SHA512 | 621d3845ac6c4740bdb70e1054b001f42503eb4a67ebefc640640a5cfbdadba265dedd300845c9d3375befa8ca7ed3cdf706f1d686dd4ce9b3e9d235e4eb6bd3 |
C:\Users\Admin\AppData\Local\Temp\RES6D50.tmp
| MD5 | d52fbb9acb342655e061a3bbab5dba6f |
| SHA1 | b5540a1cc37bd63d08bba304d5e4f5d376e4116c |
| SHA256 | e351d159afbd4c2dc23dc73ac98d7e79c25385e60d0061aa1d50333243b516bf |
| SHA512 | 468dabbea0ea3eb3b3a61512b8709feb59a37b75982dd65a999a6d5358e176c8b0899aa3f339f813b83af08da4f1b06bdd35851136bb2d4ed4bd2a771d2c19ba |
C:\Users\Admin\AppData\Local\Temp\v12mf4ds\v12mf4ds.dll
| MD5 | c7a933f3c5cc3a6043e09c1bcf11aed5 |
| SHA1 | c3c8750612e5e90ffc24b6bb94da088f1a4dcdae |
| SHA256 | a0915a90535a0b1f82fd7943d5498d667b3caffe381f8aca32c3e6528b4686b2 |
| SHA512 | 6c018e93185a9464b1b1fa7a4289e5a25d3602c02d4201196f1793e614efad1bcafd5a7222cedc1d7400c4de026d0ad26fdd6914805367b2b8120ddce91b67ce |
memory/2784-27-0x0000015DEC660000-0x0000015DEC668000-memory.dmp
memory/2784-30-0x00007FF7A8530000-0x00007FF7A8582000-memory.dmp
memory/2784-31-0x00007FF8AEAA0000-0x00007FF8AF561000-memory.dmp