Analysis Overview
SHA256
c8468234c23f6e2a7985cdb3dfda34a3f0a357f762e3e54d369f19d94fb5d7e2
Threat Level: Shows suspicious behavior
The file 69bd2376715fb9458a80e7e527832b00_NeikiAnalytics.exe was classified as: shows suspicious behavior.
Malicious Activity Summary
Adds Run key to start application
Unsigned PE
Runs .reg file with regedit
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 07:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 07:38
Reported
2024-06-13 07:41
Platform
win7-20240508-en
Max time kernel
121s
Max time network
126s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\TrkWks = "C:\\Users\\Admin\\AppData\\Local\\TrkWks.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\69bd2376715fb9458a80e7e527832b00_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\69bd2376715fb9458a80e7e527832b00_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\69bd2376715fb9458a80e7e527832b00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\69bd2376715fb9458a80e7e527832b00_NeikiAnalytics.exe"
C:\Windows\SysWOW64\regedit.exe
regedit.exe /s C:\Users\Admin\AppData\Local\Temp\~dfds3.reg
Network
Files
memory/2980-0-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2980-1-0x0000000000020000-0x0000000000029000-memory.dmp
memory/2980-2-0x0000000000020000-0x0000000000029000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\~dfds3.reg
| MD5 | 815dc60dafb80c98b73d7e2677e354c0 |
| SHA1 | 4719d47bddca660bc7ea913f66567bb6f963e73d |
| SHA256 | eae9854927aa4f85a269d29ecc0c48ff074d46ebb3d02899a859c0468c4e959a |
| SHA512 | e72fa7b3fe4c0188db7f5721ce56a6ba66ce7d2f0f0de6ecbe3b21d87267f0d2b3988ce97d2ffac897a9984e950ac33648abbd6e2949a74158a254794333e5e7 |
memory/2980-13-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\TrkWks.exe
| MD5 | 49abb714dd72f6dee2e102a7de9e2011 |
| SHA1 | 23fd610b88bd5347fb5033f5cf2ae6e0cd836408 |
| SHA256 | 66ec041bf7e59850aa93fd7f350da2cb4e02a6aa03066d619cc5860ff6b47412 |
| SHA512 | f89f47f5c71f546a73538df967b7949ba5289b2eddcfdc0737fecbb74dcefd27b1f54a21c71688765661c0a1fab72f521b5a1f3170aed040d2f80d31dc084073 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 07:38
Reported
2024-06-13 07:41
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
154s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinHttp = "C:\\Users\\Admin\\AppData\\Local\\WinHttp.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\69bd2376715fb9458a80e7e527832b00_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\69bd2376715fb9458a80e7e527832b00_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1004 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\69bd2376715fb9458a80e7e527832b00_NeikiAnalytics.exe | C:\Windows\SysWOW64\regedit.exe |
| PID 1004 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\69bd2376715fb9458a80e7e527832b00_NeikiAnalytics.exe | C:\Windows\SysWOW64\regedit.exe |
| PID 1004 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\69bd2376715fb9458a80e7e527832b00_NeikiAnalytics.exe | C:\Windows\SysWOW64\regedit.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\69bd2376715fb9458a80e7e527832b00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\69bd2376715fb9458a80e7e527832b00_NeikiAnalytics.exe"
C:\Windows\SysWOW64\regedit.exe
regedit.exe /s C:\Users\Admin\AppData\Local\Temp\~dfds3.reg
Network
Files
memory/1004-0-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\~dfds3.reg
| MD5 | f44153ef26be29552cf320325ad8b72e |
| SHA1 | 74ac72ba2ff0f871e59b11c95ad707372662370c |
| SHA256 | 767009fb8726500a4bc54b2ee744cc3ada64fdf16a44e22ff9dfe7652e2a439f |
| SHA512 | 1d42a4dba1d8d0df9f8fedfba384ffdbcff3103c8ba360f255b5d7e8a46128f40521e4d16cf6de04365b3b6ffad8bc681cf7042d92867ab3d912601a3d5e6e65 |
C:\Users\Admin\AppData\Local\WinHttp.exe
| MD5 | 04dc0697bd8b651005aaae52ded921e4 |
| SHA1 | baa0902ba21b7e01f75f1e7eb59308cc537d65b8 |
| SHA256 | 3595f5be0db294b499cc348212765a02df40fd02e463344f5e8bbdb2ad58abdd |
| SHA512 | 6b3d002f12fdbcb6b73d16ff2bab9f19c800668c944702c4d86e55da93194ea0e0e9ea3ba0b1401cf3e03d3832bf74825233e1d40bf108ad08aed13aea6d8755 |
memory/1004-10-0x0000000000400000-0x0000000000409000-memory.dmp
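Both detonations agree on the mechanism: the sample copies itself into %LOCALAPPDATA% under a name that looks like a Windows component (TrkWks.exe on the Windows 7 run, WinHttp.exe on the Windows 10 run), drops %TEMP%\~dfds3.reg, and imports it with regedit.exe /s, so the Run value is written by a Microsoft binary rather than by the dropper itself. The Python below is an added example, not sandbox output and not code from the sample's author. It parses a .reg file for Run/RunOnce values whose target sits in a user-writable directory, compares the targets' SHA256 against the dropped-file hashes from the Files sections of behavioral1 and behavioral2, and flags regedit /s launches that import from, or are spawned by, a user-writable path. The .reg text and the process records are constructed to mirror what the report logged (the real ~dfds3.reg content is not on the page); the record layout, the benign control entries and the parent PIDs are assumptions.

```python
"""Hunting helpers for the persistence chain in this report (added example).
The .reg text and process records are constructed; the real ~dfds3.reg was not published."""
import hashlib
import re
from dataclasses import dataclass

# SHA256 of the dropped copies, taken from the report's Files sections.
KNOWN_DROPPED_SHA256 = {
    "66ec041bf7e59850aa93fd7f350da2cb4e02a6aa03066d619cc5860ff6b47412",  # TrkWks.exe (win7 run)
    "3595f5be0db294b499cc348212765a02df40fd02e463344f5e8bbdb2ad58abdd",  # WinHttp.exe (win10 run)
}

# Constructed .reg content: the minimal import that yields the Run value the sandbox
# recorded, plus a benign HKLM entry as a control. Not the actual ~dfds3.reg.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"TrkWks"="C:\\Users\\Admin\\AppData\\Local\\TrkWks.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\Windows Defender\\MSASCuiL.exe"
"""

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')
# Locations an unprivileged user can write to; an autorun pointing here deserves a look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


@dataclass
class RunEntry:
    key: str
    name: str
    target: str
    user_writable: bool


def parse_run_entries(reg_text):
    """Return the Run/RunOnce string values a .reg import would create."""
    entries, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if key and m and RUN_KEY_RE.search(key):
            target = m.group(2).replace("\\\\", "\\")  # .reg files double every backslash
            path = target.strip('"').lower()
            entries.append(RunEntry(key, m.group(1), target,
                                    any(d in path for d in USER_WRITABLE)))
    return entries


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_run_entries(entries, hasher=sha256_file):
    """Flag entries whose target lives in a user-writable dir or hashes to a known dropped file.
    `hasher` is injectable so the check can run on a host where the files are absent."""
    flagged = []
    for e in entries:
        try:
            known = hasher(e.target.strip('"')) in KNOWN_DROPPED_SHA256
        except OSError:
            known = False
        if e.user_writable or known:
            flagged.append((e.name, e.target, "known_ioc" if known else "user_writable_autorun"))
    return flagged


# Constructed process-creation records shaped after the report's Processes section (assumed ppids).
SAMPLE_PROCS = [
    {"pid": 1004, "ppid": 600,
     "image": r"C:\Users\Admin\AppData\Local\Temp\69bd2376715fb9458a80e7e527832b00_NeikiAnalytics.exe"},
    {"pid": 2580, "ppid": 1004, "image": r"C:\Windows\SysWOW64\regedit.exe",
     "cmd": r"regedit.exe /s C:\Users\Admin\AppData\Local\Temp\~dfds3.reg"},
    # Control: a silent import of a file from a system path, not spawned from a user dir.
    {"pid": 3300, "ppid": 800, "image": r"C:\Windows\regedit.exe",
     "cmd": r"regedit.exe /s C:\Windows\System32\GroupPolicy\proxy.reg"},
]


def silent_reg_imports(procs):
    """PIDs of regedit /s runs importing a .reg from a user-writable path, or whose parent
    image itself lives in one: the pattern both detonations showed."""
    by_pid = {p["pid"]: p for p in procs}
    hits = []
    for p in procs:
        cmd = p.get("cmd", "").lower()
        if not p["image"].lower().endswith("\\regedit.exe") or " /s " not in f" {cmd} ":
            continue
        parent = by_pid.get(p["ppid"], {}).get("image", "").lower()
        if any(d in cmd for d in USER_WRITABLE) or any(d in parent for d in USER_WRITABLE):
            hits.append(p["pid"])
    return hits
```

On a live host the same two checks map onto a .reg export of HKCU\...\Run (regedit /e) for parse_run_entries and onto Sysmon event 1 or 4688 records for silent_reg_imports; the user-writable-path heuristic is deliberately broad, so a known-good list for legitimate per-user autoruns is expected.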