Analysis Overview
SHA256
c4cdd3457cc1a6f6e5e0ddc044e4971cb69bae89402ec223e0ab360495172e0a
Threat Level: Likely benign
The file 65d959f73b322eb6ba81e5c5474add10_NeikiAnalytics.exe was found to be: Likely benign.
Malicious Activity Summary
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-13 06:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 06:33
Reported
2024-06-13 06:35
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
151s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3708 wrote to memory of 4016 | N/A | C:\Users\Admin\AppData\Local\Temp\65d959f73b322eb6ba81e5c5474add10_NeikiAnalytics.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
| PID 3708 wrote to memory of 4016 | N/A | C:\Users\Admin\AppData\Local\Temp\65d959f73b322eb6ba81e5c5474add10_NeikiAnalytics.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe |
| PID 4016 wrote to memory of 3632 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe |
| PID 4016 wrote to memory of 3632 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\65d959f73b322eb6ba81e5c5474add10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\65d959f73b322eb6ba81e5c5474add10_NeikiAnalytics.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xlnpdu3v\xlnpdu3v.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1A98.tmp" "c:\Users\Admin\AppData\Local\Temp\xlnpdu3v\CSC5EEC71288F864AC2B6CF5B901A6CA69.TMP"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1412 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| GB | 172.217.169.74:443 | | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.173.189.20.in-addr.arpa | udp |
Files
memory/3708-0-0x00000216C8760000-0x00000216C8761000-memory.dmp
memory/3708-9-0x00000216C8760000-0x00000216C8761000-memory.dmp
memory/3708-10-0x00007FF84DBB0000-0x00007FF84DDA5000-memory.dmp
memory/3708-11-0x00007FF82DA73000-0x00007FF82DA75000-memory.dmp
memory/3708-12-0x00000216CA330000-0x00000216CA35A000-memory.dmp
memory/3708-13-0x00007FF82DA70000-0x00007FF82E531000-memory.dmp
memory/3708-14-0x00007FF82DA70000-0x00007FF82E531000-memory.dmp
memory/3708-17-0x00007FF82DA70000-0x00007FF82E531000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\xlnpdu3v\xlnpdu3v.cmdline
| Hash | Value |
| --- | --- |
| MD5 | e39cfe761794a9b4f96eff66738dd976 |
| SHA1 | 7318c5d78beccbf8db51e387c421d2cfd5c062b8 |
| SHA256 | d9ea9089d2e3a9009c2faffa0188616b05db770fd56332f2beca0a6a45abcc44 |
| SHA512 | fc9683d8db3a296975bec73c37f9a58b6d4edbe1acc355d484894abc52eb91541f81a5c0e4592cbd77621e52cd667de5690fddea97ebfff6c1b8d1d5e0db6a7f |
\??\c:\Users\Admin\AppData\Local\Temp\xlnpdu3v\xlnpdu3v.0.cs
| Hash | Value |
| --- | --- |
| MD5 | f420ebb3150f0764331a33377a7451b8 |
| SHA1 | 8ed9b9d610e8ab76aea82a3830ad31059517630b |
| SHA256 | dfb6ab38744b3a4e17cf7fa75b3126e88cbeabc907008f3921ff41c523a99a27 |
| SHA512 | b92767736261cb7c10f58576c44e62cd0d105e90e139b376d52ccb5cb7ca189205a1f7d7a5fec5d739f8763eded8b5c55b9057217fe9a55b1e151dc700760cbd |
\??\c:\Users\Admin\AppData\Local\Temp\xlnpdu3v\CSC5EEC71288F864AC2B6CF5B901A6CA69.TMP
| Hash | Value |
| --- | --- |
| MD5 | 676d4e89d67840e800354e3ff8d13ddf |
| SHA1 | 33f2c0bae9f6b89690c3444ab7df03d2a22aebb3 |
| SHA256 | 16619901c1d3511b43cec2be6c83957157f5c56a470d18ed2b7a84af5d25f5b9 |
| SHA512 | ab512aee78ea2eb68533f77d79272338b3eed31963dcf898af050cbb983bd56f14893f60740f3025c23266d4fec50d0053096bf325b150748d8856521d46c723 |
C:\Users\Admin\AppData\Local\Temp\RES1A98.tmp
| Hash | Value |
| --- | --- |
| MD5 | 449ad3187bf49ac091240870257315b4 |
| SHA1 | 10986d59245796fa3c059229a03e7549c756fcab |
| SHA256 | e84d11e720c96c747cf4b5412e949a7af933d3ebea63e89599a3cd31d9f73349 |
| SHA512 | 630a63c83c01a8f80f42f6a5f1dd86a86c3e60cb1f4d9d9de633b4510f44c13c8e11733d8c4071299f812bb01555df7b7f1bec8b18db1fbdea97fbc9625f3b89 |
memory/3708-26-0x00007FF678400000-0x00007FF67846E000-memory.dmp
memory/3708-29-0x00000216CA2E0000-0x00000216CA2E8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xlnpdu3v\xlnpdu3v.dll
| Hash | Value |
| --- | --- |
| MD5 | 02a1c3c8229345412d4b8267be87f8ce |
| SHA1 | 506eaf3b9c96c6ffa98cabc0ef1ec481b2473852 |
| SHA256 | 0209958012b19956084ef5aa1a82226c3d7f07bee5d9a2ddd4a3c1a331cd0923 |
| SHA512 | 63fb0f6f5565833afd353ab6ba54da3a8c5ea5ed65e44a988f7b944efd5d2f8e53600587f67675af57785d4309d10d50a6ba941f18e92661be0c972261f8fe62 |
memory/3708-32-0x00007FF678400000-0x00007FF67846E000-memory.dmp
memory/3708-33-0x00007FF82DA70000-0x00007FF82E531000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 06:33
Reported
2024-06-13 06:35
Platform
win7-20240508-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\65d959f73b322eb6ba81e5c5474add10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\65d959f73b322eb6ba81e5c5474add10_NeikiAnalytics.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\30fyqlan\30fyqlan.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES47CA.tmp" "c:\Users\Admin\AppData\Local\Temp\30fyqlan\CSC2A85F629F97344EF92AEDE8F54287AEF.TMP"
Network
Files
memory/2952-0-0x0000000000100000-0x0000000000101000-memory.dmp
memory/2952-9-0x0000000000100000-0x0000000000101000-memory.dmp
memory/2952-10-0x000007FEF5053000-0x000007FEF5054000-memory.dmp
memory/2952-11-0x0000000001E80000-0x0000000001EAA000-memory.dmp
memory/2952-12-0x000007FEF5050000-0x000007FEF5A3C000-memory.dmp
memory/2952-13-0x000007FEF5050000-0x000007FEF5A3C000-memory.dmp
memory/2952-17-0x000007FEF5050000-0x000007FEF5A3C000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\30fyqlan\30fyqlan.cmdline
| Hash | Value |
| --- | --- |
| MD5 | 1472a3806517b93b182b6b21291ab393 |
| SHA1 | 4417aebfc0e02cc76514275501d219a1d9b128ce |
| SHA256 | 2e4fda4a699e2573a9bca7e4799d17dd638777cade9691765c65f1c5568b1817 |
| SHA512 | 82ddd4c59d47f5f4009382e2bf3d2e5bb42ad2be464e72ad9d912da69fcdb4012352f6dc1c8e53c4c916855ed491a2f4428373da961177f0516e990d46d83169 |
\??\c:\Users\Admin\AppData\Local\Temp\30fyqlan\30fyqlan.0.cs
| Hash | Value |
| --- | --- |
| MD5 | f420ebb3150f0764331a33377a7451b8 |
| SHA1 | 8ed9b9d610e8ab76aea82a3830ad31059517630b |
| SHA256 | dfb6ab38744b3a4e17cf7fa75b3126e88cbeabc907008f3921ff41c523a99a27 |
| SHA512 | b92767736261cb7c10f58576c44e62cd0d105e90e139b376d52ccb5cb7ca189205a1f7d7a5fec5d739f8763eded8b5c55b9057217fe9a55b1e151dc700760cbd |
\??\c:\Users\Admin\AppData\Local\Temp\30fyqlan\CSC2A85F629F97344EF92AEDE8F54287AEF.TMP
| Hash | Value |
| --- | --- |
| MD5 | 0c4a48baf0a977f2edcb00530476afcc |
| SHA1 | 2bdab88df9245d673f69179dd2daf1368cc0cc81 |
| SHA256 | 57bd64a7b32e3c6227d9cfeac91305a85e79820af86b8eef0c52ad9645d5f4bf |
| SHA512 | 99ee83197d97727847126c022dd626fdec28cab6ba14eb970eb7ac2ed833b6d725e2c09cba126a674b00b988f3f3bdc9177c8b28b816ee1a427b2d3ace601c2c |
C:\Users\Admin\AppData\Local\Temp\RES47CA.tmp
| Hash | Value |
| --- | --- |
| MD5 | 01fa66185aac8e6b405c308c85d1d83c |
| SHA1 | 03ab607241c60c25855bfe972a22e433cdc02705 |
| SHA256 | efe05dcf0ad3064da979b08ed016891cbe6e1cbb6a88a5e22c3742d0f311fb07 |
| SHA512 | 12453c747a6627c5fd305a2a8134e941387104aff9f3cfe54537c4593db775625a1a311ceee0408944b8f3da8f1caae611d9df7387965d3e88fcdba71aa4236a |
memory/2952-27-0x00000000003A0000-0x00000000003A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\30fyqlan\30fyqlan.dll
| Hash | Value |
| --- | --- |
| MD5 | c684213ab190af3e3c449d20dda9ce58 |
| SHA1 | 500aa254ccf3997da33b285f899827a691a2d21f |
| SHA256 | a79a0d2dfbbffdf7a51b9cfc969dae2fbc183b38bc50ff5baa2958af8823ef5c |
| SHA512 | f0c89885965d0c612e1156e17af479bda2d75e2a24b98e7aa3bc1ed14a8fa38018723a656cee680fb7a11f3f2245d41650ed08ef3739c4837ae6f22f075510b7 |
memory/2952-29-0x000000013F030000-0x000000013F09E000-memory.dmp
memory/2952-30-0x000007FEF5050000-0x000007FEF5A3C000-memory.dmp