Analysis Overview
SHA256
277ef8b52e95b83a202c915a0916dea2be54b4cf7640b0d381a90ef965afccb4
Threat Level: Shows suspicious behavior
The file 5f017ae69bbcdedee207959194d84880_NeikiAnalytics.exe was classified as: Shows suspicious behavior (dropper that stages a .tmp copy from %TEMP%, writes into that child process, and is then deleted; no network activity was attributed to its processes).
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Deletes itself
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-13 04:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 04:36
Reported
2024-06-13 04:39
Platform
win7-20240611-en
Max time kernel
118s
Max time network
124s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5310.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5310.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5f017ae69bbcdedee207959194d84880_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5f017ae69bbcdedee207959194d84880_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2416 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\5f017ae69bbcdedee207959194d84880_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\5310.tmp |
| PID 2416 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\5f017ae69bbcdedee207959194d84880_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\5310.tmp |
| PID 2416 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\5f017ae69bbcdedee207959194d84880_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\5310.tmp |
| PID 2416 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\5f017ae69bbcdedee207959194d84880_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\5310.tmp |
Processes
C:\Users\Admin\AppData\Local\Temp\5f017ae69bbcdedee207959194d84880_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5f017ae69bbcdedee207959194d84880_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\5310.tmp
"C:\Users\Admin\AppData\Local\Temp\5310.tmp" --splashC:\Users\Admin\AppData\Local\Temp\5f017ae69bbcdedee207959194d84880_NeikiAnalytics.exe 63E0B7B8506C7EDE85A0D4499F4BB7D34F5A2CBF658F8630F8F3E3F1D662B59D2B356C9A9ADF756DD9F6E8A77D8F26BDAB18E12E7EFC43D6342E1FB6CAE6B5E2
Network
Files
memory/2416-0-0x0000000000400000-0x0000000000849000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5310.tmp
| MD5 | 1f090fd343d5951764c1a101d773e861 |
| SHA1 | 3db829130df5106117f2a0027471f5cb2f2c0b39 |
| SHA256 | c8b9d31d924b7f08badf45926b1c12399053fa69c04b9407fb2f3869464e7384 |
| SHA512 | d911d4406252b27360ec78bc0a0f30f977b0178640d4aca9e70d19f630530c5c35e24c974cbbab521d3296d1cc02cd8870a76a6fda7cc0b91c165cb37e09f8c6 |
memory/2944-9-0x0000000000400000-0x0000000000849000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 04:36
Reported
2024-06-13 04:39
Platform
win10v2004-20240611-en
Max time kernel
93s
Max time network
95s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3345.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3345.tmp | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1496 wrote to memory of 5016 | N/A | C:\Users\Admin\AppData\Local\Temp\5f017ae69bbcdedee207959194d84880_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\3345.tmp |
| PID 1496 wrote to memory of 5016 | N/A | C:\Users\Admin\AppData\Local\Temp\5f017ae69bbcdedee207959194d84880_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\3345.tmp |
| PID 1496 wrote to memory of 5016 | N/A | C:\Users\Admin\AppData\Local\Temp\5f017ae69bbcdedee207959194d84880_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\3345.tmp |
Processes
C:\Users\Admin\AppData\Local\Temp\5f017ae69bbcdedee207959194d84880_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5f017ae69bbcdedee207959194d84880_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\3345.tmp
"C:\Users\Admin\AppData\Local\Temp\3345.tmp" --splashC:\Users\Admin\AppData\Local\Temp\5f017ae69bbcdedee207959194d84880_NeikiAnalytics.exe CEF271D866C22E03A62DEF8AD71E06AF4406E39E08B2143CB8B158ABA5F9EF57B66D3D41D3B7A9501A6B95A2C8A9CC1D4ECB816334856217FAF9D8E72247E34F
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.184:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 184.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/1496-0-0x0000000000400000-0x0000000000849000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3345.tmp
| MD5 | 5b81135c884b39d1834302d92c85baab |
| SHA1 | 9af5675ecc049761c27cfbb333ad98893cab6529 |
| SHA256 | 5c0b7c8e586f1f974b2fe1b8ef0d15af1a18bfa85b9e96c79d8f6ee9b3e4971f |
| SHA512 | 0e1e296c6e126bfe8b4187af6f695e5e9607118bc7f9fcb2beeb27b49888f6150bc9f5f3a7c3891f245229b3c7074d3684a960a93d7b63b402da86ffa0d72377 |
memory/5016-5-0x0000000000400000-0x0000000000849000-memory.dmp
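Both detonations record the same chain: the sample runs from %TEMP%, drops a .tmp into the same directory, launches it with "--splash" followed by the dropper's own path and a 128-hex-character blob, the parent writes into the child (PID 2416 into 2944 on win7, PID 1496 into 5016 on win10), and the child is the process credited with "Deletes itself". Parent and child also map an identical 0x400000-0x849000 image range. The behavioral2 network table (DNS to 8.8.8.8, TLS to bing.com hosts) carries no process attribution, so a detection should key on the process chain rather than on those endpoints. The script below is an added example, not code from the sandbox or from the sample: it scores Sysmon-style process-create, WriteProcessMemory and file-delete records for exactly this chain. The event schema, the helper names and the sample events are constructed; the paths, PIDs, command lines and blobs are copied from the two reports, and the deleted path is assumed to be the dropper's image, which the report does not state.

```python
"""Detection for the %TEMP% dropper -> .tmp --splash chain seen in both detonations.

Added example. Event schema, helpers and sample telemetry are constructed for
illustration; paths, PIDs and command lines are taken from the report.
"""
import re
from dataclasses import dataclass

# %TEMP% of a user profile: every artifact in the report lives here.
TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)

# "<stage>.tmp" --splash<dropper>.exe <hex blob>. The \s* after --splash accepts
# both the report's rendering (no space) and a space-separated form.
SPLASH_RE = re.compile(
    r'^"?(?P<image>[^"]+?\.tmp)"?\s+--splash\s*(?P<orig>[a-z]:\\\S+?\.exe)\s+(?P<blob>[0-9a-f]{32,})\s*$',
    re.I,
)


@dataclass
class Event:
    kind: str                 # "process_create" | "write_process_memory" | "file_delete"
    pid: int
    image: str
    parent_pid: int = 0
    parent_image: str = ""
    cmdline: str = ""
    target_pid: int = 0       # write_process_memory: destination process
    target_file: str = ""     # file_delete: path removed


def in_temp(path: str) -> bool:
    return bool(TEMP_RE.match(path))


def parse_splash(cmdline: str):
    """Return {'image', 'orig', 'blob'} for a --splash command line, else None."""
    m = SPLASH_RE.match(cmdline)
    return m.groupdict() if m else None


def detect(events):
    """Flag each .tmp child started from %TEMP% by a %TEMP% parent whose own path
    is passed back on the child's command line (score 2). Add one point if the
    parent wrote into the child and one if the child deleted the parent's image.
    Returns one alert dict per matching child."""
    creates, writes, deletes = {}, set(), set()
    for e in events:
        if e.kind == "process_create":
            creates[e.pid] = e
        elif e.kind == "write_process_memory":
            writes.add((e.pid, e.target_pid))
        elif e.kind == "file_delete":
            deletes.add((e.pid, e.target_file.lower()))

    alerts = []
    for child in creates.values():
        if not (child.image.lower().endswith(".tmp")
                and in_temp(child.image) and in_temp(child.parent_image)):
            continue
        parsed = parse_splash(child.cmdline)
        if parsed is None or parsed["orig"].lower() != child.parent_image.lower():
            continue
        wrote = (child.parent_pid, child.pid) in writes
        deleted = (child.pid, child.parent_image.lower()) in deletes
        alerts.append({
            "dropper_pid": child.parent_pid,
            "stage_pid": child.pid,
            "stage_image": child.image,
            "wrote_to_child": wrote,
            "deleted_dropper": deleted,
            "blob_len": len(parsed["blob"]),
            "score": 2 + int(wrote) + int(deleted),
        })
    return alerts


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\5f017ae69bbcdedee207959194d84880_NeikiAnalytics.exe"
STAGE1 = r"C:\Users\Admin\AppData\Local\Temp\5310.tmp"
STAGE2 = r"C:\Users\Admin\AppData\Local\Temp\3345.tmp"
BLOB1 = "63E0B7B8506C7EDE85A0D4499F4BB7D34F5A2CBF658F8630F8F3E3F1D662B59D2B356C9A9ADF756DD9F6E8A77D8F26BDAB18E12E7EFC43D6342E1FB6CAE6B5E2"
BLOB2 = "CEF271D866C22E03A62DEF8AD71E06AF4406E39E08B2143CB8B158ABA5F9EF57B66D3D41D3B7A9501A6B95A2C8A9CC1D4ECB816334856217FAF9D8E72247E34F"

# Constructed telemetry for the two runs (win7: 2416 -> 2944, win10: 1496 -> 5016)
# plus one benign launch that must not fire. explorer.exe as launcher with PID
# 1234 and the deleted path being the dropper are assumptions, not report data.
SAMPLE_EVENTS = [
    Event("process_create", 2416, DROPPER, 1234, r"C:\Windows\explorer.exe", f'"{DROPPER}"'),
    Event("process_create", 2944, STAGE1, 2416, DROPPER, f'"{STAGE1}" --splash{DROPPER} {BLOB1}'),
    Event("write_process_memory", 2416, DROPPER, target_pid=2944),
    Event("file_delete", 2944, STAGE1, target_file=DROPPER),
    Event("process_create", 1496, DROPPER, 1234, r"C:\Windows\explorer.exe", f'"{DROPPER}"'),
    Event("process_create", 5016, STAGE2, 1496, DROPPER, f'"{STAGE2}" --splash {DROPPER} {BLOB2}'),
    Event("write_process_memory", 1496, DROPPER, target_pid=5016),
    Event("file_delete", 5016, STAGE2, target_file=DROPPER),
    Event("process_create", 7000, r"C:\Windows\System32\notepad.exe", 1234, r"C:\Windows\explorer.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The rule deliberately requires the parent's path to appear on the child's command line: a .tmp executed from %TEMP% on its own is common in installers, while an executable that hands its own path to a freshly dropped stage, then writes into that stage's memory and gets deleted, is the specific pattern these two detonations share.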