Analysis Overview
SHA256
ad90736eea120efefa04cb406bd4ec115cd82fa3df4069754db280d7d7714e87
Threat Level: Likely benign
The file 60b7aa4ea638f374b44cc2676ad447a0_NeikiAnalytics.exe was found to be: Likely benign.
Malicious Activity Summary
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-13 05:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 05:07
Reported
2024-06-13 05:09
Platform
win7-20240419-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\60b7aa4ea638f374b44cc2676ad447a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\60b7aa4ea638f374b44cc2676ad447a0_NeikiAnalytics.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lmf4xdhj\lmf4xdhj.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES362D.tmp" "c:\Users\Admin\AppData\Local\Temp\lmf4xdhj\CSC7246D83EFB04449293A5591839A692.TMP"
Network
Files
memory/2844-0-0x0000000000300000-0x0000000000301000-memory.dmp
memory/2844-9-0x0000000000300000-0x0000000000301000-memory.dmp
memory/2844-10-0x000007FEF5343000-0x000007FEF5344000-memory.dmp
memory/2844-11-0x0000000001EE0000-0x0000000001EFA000-memory.dmp
memory/2844-12-0x000007FEF5340000-0x000007FEF5D2C000-memory.dmp
memory/2844-13-0x000007FEF5340000-0x000007FEF5D2C000-memory.dmp
memory/2844-16-0x000007FEF5340000-0x000007FEF5D2C000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\lmf4xdhj\lmf4xdhj.cmdline
| MD5 | 49e55b24a9ec01b6184ee586134b59e7 |
| SHA1 | b216465f491ec25694bb988094397fdfe065ec7a |
| SHA256 | 2ef8381d29dc5570b834711d6c426b90e92b3390f94b77a700b8d7bc1727c0db |
| SHA512 | 813c3a49722e9b4522617fff7268825fdb5605a0396e0927eeafad4909b26b5a0b79e8bca322fb2ea2245329fca1ef14dd04412bf7c6473c2054180e1a5033e5 |
\??\c:\Users\Admin\AppData\Local\Temp\lmf4xdhj\lmf4xdhj.0.cs
| MD5 | f420ebb3150f0764331a33377a7451b8 |
| SHA1 | 8ed9b9d610e8ab76aea82a3830ad31059517630b |
| SHA256 | dfb6ab38744b3a4e17cf7fa75b3126e88cbeabc907008f3921ff41c523a99a27 |
| SHA512 | b92767736261cb7c10f58576c44e62cd0d105e90e139b376d52ccb5cb7ca189205a1f7d7a5fec5d739f8763eded8b5c55b9057217fe9a55b1e151dc700760cbd |
\??\c:\Users\Admin\AppData\Local\Temp\lmf4xdhj\CSC7246D83EFB04449293A5591839A692.TMP
| MD5 | a4a09bcd01de34331b1ba7d079e3bfc9 |
| SHA1 | a9cc4b4dec111d5c0b9471ee25bb8b7adc825b0d |
| SHA256 | fdddfa95f89a2b6cc75e84d0842849a46a9782ab8e56ab7992b6b5f2d28151a2 |
| SHA512 | defb2556b0cdeff9915581f1ae0cedd719b0b70c79fbc81b2b0dba76c6d4a7825bee5cf2586775825bc99ea05e8d2ac9e649c909696e6f1fbcbc3205369269f4 |
C:\Users\Admin\AppData\Local\Temp\RES362D.tmp
| MD5 | 166767e26e73aecb2f3433bd3107d1c3 |
| SHA1 | e9c5e275ba6b6b43c00dbcde8b20d94aa9d7ac5c |
| SHA256 | ad6c77a461ec6bf78b23444c7b592a38f29c0e83d0fb8d713e85f5bfca8a6f55 |
| SHA512 | a549be3a6aca24955d4b71829a4e83efad72d7580db7495b93a3d75419a158d9e4e9943eab18deab31dad5238fd6b24261deaf0fff341bbb7f4dd397beba4222 |
C:\Users\Admin\AppData\Local\Temp\lmf4xdhj\lmf4xdhj.dll
| MD5 | 6a4a1e65b4f7677261a2ac919c083e3c |
| SHA1 | cf6fa0cbb250b3dbecc51b3949daa7cda408985a |
| SHA256 | 8e1a15fde0a411775eee6f8245fb08097cd4a2aa88a44534b39d0840c544af50 |
| SHA512 | 07d1d82b16fbaf436a296190b5d1b4ced9e3473d9736e2011dcd7fdd3a11d725a550f0390fb156c5b23708140971b924c8af42f2aa69517111bdaeda8ba9b80d |
memory/2844-27-0x0000000001F20000-0x0000000001F28000-memory.dmp
memory/2844-29-0x000000013FFC0000-0x0000000140019000-memory.dmp
memory/2844-30-0x000007FEF5340000-0x000007FEF5D2C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 05:07
Reported
2024-06-13 05:09
Platform
win10v2004-20240611-en
Max time kernel
93s
Max time network
95s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3880 wrote to memory of 3184 | N/A | C:\Users\Admin\AppData\Local\Temp\60b7aa4ea638f374b44cc2676ad447a0_NeikiAnalytics.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
| PID 3880 wrote to memory of 3184 | N/A | C:\Users\Admin\AppData\Local\Temp\60b7aa4ea638f374b44cc2676ad447a0_NeikiAnalytics.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
| PID 3184 wrote to memory of 4596 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe |
| PID 3184 wrote to memory of 4596 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\60b7aa4ea638f374b44cc2676ad447a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\60b7aa4ea638f374b44cc2676ad447a0_NeikiAnalytics.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\h1nmufib\h1nmufib.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES55FF.tmp" "c:\Users\Admin\AppData\Local\Temp\h1nmufib\CSCAD75CB55BBBB45DB945D976598DD419F.TMP"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
Files
memory/3880-0-0x0000020DE9F70000-0x0000020DE9F71000-memory.dmp
memory/3880-9-0x0000020DE9F70000-0x0000020DE9F71000-memory.dmp
memory/3880-10-0x00007FFEFCBB0000-0x00007FFEFCDA5000-memory.dmp
memory/3880-11-0x00007FFEDE553000-0x00007FFEDE555000-memory.dmp
memory/3880-12-0x0000020DEA090000-0x0000020DEA0AA000-memory.dmp
memory/3880-16-0x00007FFEDE550000-0x00007FFEDF011000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\h1nmufib\h1nmufib.0.cs
| MD5 | f420ebb3150f0764331a33377a7451b8 |
| SHA1 | 8ed9b9d610e8ab76aea82a3830ad31059517630b |
| SHA256 | dfb6ab38744b3a4e17cf7fa75b3126e88cbeabc907008f3921ff41c523a99a27 |
| SHA512 | b92767736261cb7c10f58576c44e62cd0d105e90e139b376d52ccb5cb7ca189205a1f7d7a5fec5d739f8763eded8b5c55b9057217fe9a55b1e151dc700760cbd |
memory/3880-18-0x00007FFEDE550000-0x00007FFEDF011000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\h1nmufib\h1nmufib.cmdline
| MD5 | 595f41431e15d03d04ec94b621a9fda1 |
| SHA1 | 083b8aff98f97bee80f25b7cc1b4f1e4a187e4ed |
| SHA256 | 86a3d0ff1b1405f8f230882967e26fd1dca5e0082cb2ac45096557cc4a61bedb |
| SHA512 | 208996b825cbfb8deaa9ce9a8b36987ddccfd67b079140729f7bae03aa13902a82865db84e5af9563ea1ef73ead2f2ecad8fb28ed8dcb8f8916ab859ed2e124b |
\??\c:\Users\Admin\AppData\Local\Temp\h1nmufib\CSCAD75CB55BBBB45DB945D976598DD419F.TMP
| MD5 | 713f9aeb21ccb3e99bb3381c4540d6ee |
| SHA1 | d8a83b391abbec4d4941338eabe1f3aea55928f5 |
| SHA256 | a9befb7094c94120609c4e7ff43c63547784f1e68b13ac934a216b125a6cc699 |
| SHA512 | 513e4c266a12f819c317bb0a8980b8f7a60c7964aaabedbc8697a59d1145047376000e020ecb8c94ff9ebf46b06ba5be1de9322c93e757c2907f8419829a6882 |
C:\Users\Admin\AppData\Local\Temp\RES55FF.tmp
| MD5 | b8727c8ca738a3e497206cf008a0a8cb |
| SHA1 | 7ec48abe37e1cb425275aabf1a371c0473d2b9f3 |
| SHA256 | b62870250bfd5f49424be86c074247fe345fb8ccd2f0fced3af9a2e9cc1de51e |
| SHA512 | 9e2be4e1e95818b6d57c1091b18f367eda6cd9a1a151d1e4fe5f7aa4c3a59acb7395b3769461b71861148d43d6b306081a36564226dd515aba0a01ef0b53b7b1 |
C:\Users\Admin\AppData\Local\Temp\h1nmufib\h1nmufib.dll
| MD5 | c7c172df867782e9b7fbbd166d2b66a5 |
| SHA1 | 743696987e1e3d9ecfb974588ed38bcecb7d7594 |
| SHA256 | 68bf013a088b340bf79cfd07d928140ac7dc6a6619d6c6b0c8eb114daf3fe376 |
| SHA512 | b8f0e220bbd5da23593bbb9b643371cec2c3a93199a7707ccda059c0af7abd149833beb6d80002f651397770a51a84eddc4301d0ba219927f9384f8509b774e6 |
memory/3880-27-0x0000020DEA0D0000-0x0000020DEA0D8000-memory.dmp
memory/3880-30-0x00007FF66E7E0000-0x00007FF66E839000-memory.dmp
memory/3880-31-0x00007FFEDE550000-0x00007FFEDF011000-memory.dmp