Analysis Overview
SHA256
a57320c28a1c5939e2107e21d5ca1bbdbdd8c1f31fa558a7391d6df8d6483616
Threat Level: Shows suspicious behavior
The file 69d7298d99f47d92fb61d3190e0d58f0_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 07:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 07:40
Reported
2024-06-13 07:42
Platform
win7-20240611-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EXEA7C.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\69d7298d99f47d92fb61d3190e0d58f0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\69d7298d99f47d92fb61d3190e0d58f0_NeikiAnalytics.exe | N/A |
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EXEA7C.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EXEA7C.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\69d7298d99f47d92fb61d3190e0d58f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\69d7298d99f47d92fb61d3190e0d58f0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\EXEA7C.tmp
"C:\Users\Admin\AppData\Local\Temp\EXEA7C.tmp" "C:\Users\Admin\AppData\Local\Temp\OFMA7D.tmp" "C:\Users\Admin\AppData\Local\Temp\69d7298d99f47d92fb61d3190e0d58f0_NeikiAnalytics.exe"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
Network
Files
\Users\Admin\AppData\Local\Temp\EXEA7C.tmp
| MD5 | 34cabedafaf5ce498d245242ac48670e |
| SHA1 | 7a78f2a64618448f8118203f3c7225f6f84622d0 |
| SHA256 | 6dbefd357dc6ad020b5f4c7597312029094bdf9cc08bf2ae911bb2617ab28b39 |
| SHA512 | 6801b911e4272093129cea416d4e8334250f6d393b4d634d251c22922f5c1906516cf53e2958011e7cb3e2a3e86ba74ea2547bbbcaba210db375ac0a6152fe18 |
C:\Users\Admin\AppData\Local\Temp\OFMA7D.tmp
| MD5 | 082069362450094d1fec642739a254ad |
| SHA1 | adc27fe04047274393c10c721bbb4eab84b23bd5 |
| SHA256 | 2de063a397b4023aa91547554c34c10aa17aa7257e87797670a16c11fdffa8cf |
| SHA512 | 655dbd75945d69276d7bef40ff0a1b2a4a5958a31ef05fa9ddaed44743c813f1733c02aee91889e4b9d5c2456408c35d1cdfaf942cf974734b5226afaf6670f5 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 07:40
Reported
2024-06-13 07:42
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EXE4F87.tmp | N/A |
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EXE4F87.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EXE4F87.tmp | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4724 wrote to memory of 3952 | N/A | C:\Users\Admin\AppData\Local\Temp\69d7298d99f47d92fb61d3190e0d58f0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\EXE4F87.tmp |
| PID 4724 wrote to memory of 3952 | N/A | C:\Users\Admin\AppData\Local\Temp\69d7298d99f47d92fb61d3190e0d58f0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\EXE4F87.tmp |
| PID 4724 wrote to memory of 3952 | N/A | C:\Users\Admin\AppData\Local\Temp\69d7298d99f47d92fb61d3190e0d58f0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\EXE4F87.tmp |
| PID 3952 wrote to memory of 3308 | N/A | C:\Users\Admin\AppData\Local\Temp\EXE4F87.tmp | C:\Windows\splwow64.exe |
| PID 3952 wrote to memory of 3308 | N/A | C:\Users\Admin\AppData\Local\Temp\EXE4F87.tmp | C:\Windows\splwow64.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\69d7298d99f47d92fb61d3190e0d58f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\69d7298d99f47d92fb61d3190e0d58f0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\EXE4F87.tmp
"C:\Users\Admin\AppData\Local\Temp\EXE4F87.tmp" "C:\Users\Admin\AppData\Local\Temp\OFM4F88.tmp" "C:\Users\Admin\AppData\Local\Temp\69d7298d99f47d92fb61d3190e0d58f0_NeikiAnalytics.exe"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\EXE4F87.tmp
| MD5 | 34cabedafaf5ce498d245242ac48670e |
| SHA1 | 7a78f2a64618448f8118203f3c7225f6f84622d0 |
| SHA256 | 6dbefd357dc6ad020b5f4c7597312029094bdf9cc08bf2ae911bb2617ab28b39 |
| SHA512 | 6801b911e4272093129cea416d4e8334250f6d393b4d634d251c22922f5c1906516cf53e2958011e7cb3e2a3e86ba74ea2547bbbcaba210db375ac0a6152fe18 |
C:\Users\Admin\AppData\Local\Temp\OFM4F88.tmp
| MD5 | 082069362450094d1fec642739a254ad |
| SHA1 | adc27fe04047274393c10c721bbb4eab84b23bd5 |
| SHA256 | 2de063a397b4023aa91547554c34c10aa17aa7257e87797670a16c11fdffa8cf |
| SHA512 | 655dbd75945d69276d7bef40ff0a1b2a4a5958a31ef05fa9ddaed44743c813f1733c02aee91889e4b9d5c2456408c35d1cdfaf942cf974734b5226afaf6670f5 |
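The behavioral2 signature rows and process list above are enough to reconstruct what the sample did with its dropped file: the sample (PID 4724) wrote into the dropped EXE4F87.tmp (PID 3952), which was launched with the second dropped file and the original sample path as arguments, and that process in turn wrote into splwow64.exe (PID 3308), the host Windows starts for 32-bit programs that call the print spooler. Two caveats for triage: this sandbox's WriteProcessMemory signature commonly also fires on ordinary process creation (the parent populates the new child's memory), so the shape of the chain rather than the row count is the signal; and the Win7 and Win10 runs dropped byte-identical files under different random names, as the matching hashes in the two Files sections show. The script below is an added example and is not part of the sandbox report or its tooling. It parses rows transcribed from this page (constructed in the code, not fetched from any API), rebuilds the write chain, flags writes from non-Windows images into C:\Windows images, collapses the dropped files by SHA256, and pulls the Temp-directory arguments out of the dropped EXE's command line (assuming, as here, that every argument is quoted).

```python
"""Triage helper for a sandbox report: rebuild the cross-process write chain,
flag writes into Windows binaries, dedupe dropped files by hash, and read the
dropped EXE's arguments. Added example; input rows are transcribed from the
report on this page, not fetched from any sandbox API."""
import ntpath
import re
from collections import defaultdict
from typing import NamedTuple

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\69d7298d99f47d92fb61d3190e0d58f0_NeikiAnalytics.exe"
STAGE2 = r"C:\Users\Admin\AppData\Local\Temp\EXE4F87.tmp"
SPLWOW64 = r"C:\Windows\splwow64.exe"

# Constructed input: behavioral2 "Suspicious use of WriteProcessMemory" rows
# as (description, process, target).
WPM_ROWS = [
    ("PID 4724 wrote to memory of 3952", SAMPLE, STAGE2),
    ("PID 4724 wrote to memory of 3952", SAMPLE, STAGE2),
    ("PID 4724 wrote to memory of 3952", SAMPLE, STAGE2),
    ("PID 3952 wrote to memory of 3308", STAGE2, SPLWOW64),
    ("PID 3952 wrote to memory of 3308", STAGE2, SPLWOW64),
]

# Constructed input: (path, SHA256) of the dropped files from both runs.
DROPPED = [
    (r"\Users\Admin\AppData\Local\Temp\EXEA7C.tmp", "6dbefd357dc6ad020b5f4c7597312029094bdf9cc08bf2ae911bb2617ab28b39"),
    (r"C:\Users\Admin\AppData\Local\Temp\OFMA7D.tmp", "2de063a397b4023aa91547554c34c10aa17aa7257e87797670a16c11fdffa8cf"),
    (STAGE2, "6dbefd357dc6ad020b5f4c7597312029094bdf9cc08bf2ae911bb2617ab28b39"),
    (r"C:\Users\Admin\AppData\Local\Temp\OFM4F88.tmp", "2de063a397b4023aa91547554c34c10aa17aa7257e87797670a16c11fdffa8cf"),
]

# Constructed input: command line of the dropped EXE in behavioral2.
STAGE2_CMDLINE = (r'"C:\Users\Admin\AppData\Local\Temp\EXE4F87.tmp" '
                  r'"C:\Users\Admin\AppData\Local\Temp\OFM4F88.tmp" ' + f'"{SAMPLE}"')

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


class Write(NamedTuple):
    src_pid: int
    dst_pid: int
    src_image: str
    dst_image: str


def parse_writes(rows):
    """Map each distinct (src, dst) write edge to how many rows reported it."""
    counts = defaultdict(int)
    for desc, src, dst in rows:
        m = WPM_RE.fullmatch(desc)
        if m is None:
            raise ValueError(f"unexpected description: {desc!r}")
        counts[Write(int(m.group(1)), int(m.group(2)), src, dst)] += 1
    return dict(counts)


def write_chains(writes):
    """Walk write edges from root PIDs (never written into) and return every
    chain as a list of image basenames: sample -> dropped EXE -> host."""
    edges, images = defaultdict(set), {}
    for w in writes:
        edges[w.src_pid].add(w.dst_pid)
        images[w.src_pid], images[w.dst_pid] = w.src_image, w.dst_image
    targets = {w.dst_pid for w in writes}
    chains = []

    def walk(pid, path, seen):
        path = path + [pid]
        children = sorted(edges.get(pid, set()) - seen)  # 'seen' guards against cycles
        if not children:
            chains.append([ntpath.basename(images[p]) for p in path])
        for child in children:
            walk(child, path, seen | {pid})

    for root in sorted(p for p in edges if p not in targets):
        walk(root, [], set())
    return chains


def is_windows_binary(path):
    return path.lower().startswith("c:\\windows\\")


def flag_system_targets(writes):
    """Writes from a non-Windows image into a C:\\Windows image as (src, dst, rows)."""
    return [(ntpath.basename(w.src_image), ntpath.basename(w.dst_image), n)
            for w, n in writes.items()
            if is_windows_binary(w.dst_image) and not is_windows_binary(w.src_image)]


def dedupe_dropped(files):
    """Group dropped paths by SHA256 so one payload dropped under two random
    names (EXEA7C.tmp, EXE4F87.tmp) collapses to one indicator."""
    by_hash = defaultdict(list)
    for path, sha256 in files:
        by_hash[sha256.lower()].append(ntpath.basename(path))
    return {h: sorted(names) for h, names in by_hash.items()}


def temp_args(cmdline):
    """Basenames of quoted arguments (argv[0] excluded) that point into Temp."""
    args = re.findall(r'"([^"]*)"', cmdline)
    return [ntpath.basename(a) for a in args[1:] if "\\temp\\" in a.lower()]


if __name__ == "__main__":
    writes = parse_writes(WPM_ROWS)
    for chain in write_chains(writes):
        print(" -> ".join(chain))
    for src, dst, n in flag_system_targets(writes):
        print(f"{src} wrote into {dst} ({n} rows)")
    for sha256, names in dedupe_dropped(DROPPED).items():
        print(sha256, ", ".join(names))
    print("stage-2 args:", temp_args(STAGE2_CMDLINE))
```

The chain the script prints is the one to follow when deciding whether the write into splwow64.exe is a print-spooler side effect or something worth pulling memory for; the deduped hash list is what goes into a blocklist, since the random tmp names will differ on every host.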