Analysis Overview
SHA256
d5b8ff1e2ad6a280c4d0d3fbc90aa16115fa69cac2688f1e7260d1f2dfbb7392
Threat Level: Shows suspicious behavior
The file 53276cf69675538d958c1d9794692240_NeikiAnalytics.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 01:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 01:19
Reported
2024-06-13 01:22
Platform
win7-20240611-en
Max time kernel
120s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gewos.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\53276cf69675538d958c1d9794692240_NeikiAnalytics.exe | N/A |
Enumerates physical storage devices
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\53276cf69675538d958c1d9794692240_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gewos.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2088 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\53276cf69675538d958c1d9794692240_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\gewos.exe |
| PID 2088 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\53276cf69675538d958c1d9794692240_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\gewos.exe |
| PID 2088 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\53276cf69675538d958c1d9794692240_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\gewos.exe |
| PID 2088 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\53276cf69675538d958c1d9794692240_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\gewos.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\53276cf69675538d958c1d9794692240_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\53276cf69675538d958c1d9794692240_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\gewos.exe
"C:\Users\Admin\AppData\Local\Temp\gewos.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | nasap.net | udp |
| US | 35.212.119.5:443 | nasap.net | tcp |
Files
memory/2088-8-0x00000000003F0000-0x00000000003F6000-memory.dmp
memory/2088-1-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2088-0-0x00000000003F0000-0x00000000003F6000-memory.dmp
\Users\Admin\AppData\Local\Temp\gewos.exe
| MD5 | deb8ba6e0b6141ad68cb88b9cf51bb9b |
| SHA1 | 55bc60603da67940ee0888adcef1f2e04439cd4c |
| SHA256 | a4135e56aa1177c2dcb14dc1b47d6d017ac6c4ff2c252bc46159dbb42f1078cc |
| SHA512 | bf6a11bf3a931bcd5c5defaf3d5a6efbbe2fa430dc3924c20126abc0627588c8beb3c252f9ef8865447e341eeaad0171c17df0861d4335622bc31279f9537f74 |
memory/2992-23-0x0000000000290000-0x0000000000296000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 01:19
Reported
2024-06-13 01:22
Platform
win10v2004-20240611-en
Max time kernel
91s
Max time network
95s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\gewos.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\53276cf69675538d958c1d9794692240_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gewos.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3684 wrote to memory of 1096 | N/A | C:\Users\Admin\AppData\Local\Temp\53276cf69675538d958c1d9794692240_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\gewos.exe |
| PID 3684 wrote to memory of 1096 | N/A | C:\Users\Admin\AppData\Local\Temp\53276cf69675538d958c1d9794692240_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\gewos.exe |
| PID 3684 wrote to memory of 1096 | N/A | C:\Users\Admin\AppData\Local\Temp\53276cf69675538d958c1d9794692240_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\gewos.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\53276cf69675538d958c1d9794692240_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\53276cf69675538d958c1d9794692240_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\gewos.exe
"C:\Users\Admin\AppData\Local\Temp\gewos.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | nasap.net | udp |
| US | 35.212.119.5:443 | nasap.net | tcp |
| US | 8.8.8.8:53 | 5.119.212.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.20.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
Files
memory/3684-0-0x0000000002EA0000-0x0000000002EA6000-memory.dmp
memory/3684-1-0x0000000000400000-0x0000000000406000-memory.dmp
memory/3684-8-0x0000000002EA0000-0x0000000002EA6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gewos.exe
| MD5 | deb8ba6e0b6141ad68cb88b9cf51bb9b |
| SHA1 | 55bc60603da67940ee0888adcef1f2e04439cd4c |
| SHA256 | a4135e56aa1177c2dcb14dc1b47d6d017ac6c4ff2c252bc46159dbb42f1078cc |
| SHA512 | bf6a11bf3a931bcd5c5defaf3d5a6efbbe2fa430dc3924c20126abc0627588c8beb3c252f9ef8865447e341eeaad0171c17df0861d4335622bc31279f9537f74 |
memory/1096-25-0x0000000002120000-0x0000000002126000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gewosik.exe
| MD5 | ed6c1748047b655738b4e8db542eab8c |
| SHA1 | ea6807dcbc8ab73bba372e24c47caefe416d0037 |
| SHA256 | 277b5e83e98c7790dec1d2b1f33c20237497bed5ee0e1ef77862c81009129cb5 |
| SHA512 | 8b2c7352f4c282ef02e9c8e9f3d2f385ee4ee47271b447459b7e14c2230f2ffdccc1c6d2d4282303b30bcf93971b85468f5b25c46c1bc0d7b33ae05337b37b6e |