Analysis Overview
SHA256
bf087b2c78b284f4ca9e95732fa2b881abb0714b1f983b31071ab59752cb18f3
Threat Level: Shows suspicious behavior
The file 6b62d708eb847e9881045eaf31e4aef0_NeikiAnalytics.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Deletes itself
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-13 08:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 08:04
Reported
2024-06-13 08:07
Platform
win7-20240221-en
Max time kernel
119s
Max time network
119s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\148A.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\148A.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6b62d708eb847e9881045eaf31e4aef0_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2148 wrote to memory of 820 | N/A | C:\Users\Admin\AppData\Local\Temp\6b62d708eb847e9881045eaf31e4aef0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\148A.tmp |
| PID 2148 wrote to memory of 820 | N/A | C:\Users\Admin\AppData\Local\Temp\6b62d708eb847e9881045eaf31e4aef0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\148A.tmp |
| PID 2148 wrote to memory of 820 | N/A | C:\Users\Admin\AppData\Local\Temp\6b62d708eb847e9881045eaf31e4aef0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\148A.tmp |
| PID 2148 wrote to memory of 820 | N/A | C:\Users\Admin\AppData\Local\Temp\6b62d708eb847e9881045eaf31e4aef0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\148A.tmp |
Processes
C:\Users\Admin\AppData\Local\Temp\6b62d708eb847e9881045eaf31e4aef0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6b62d708eb847e9881045eaf31e4aef0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\148A.tmp
"C:\Users\Admin\AppData\Local\Temp\148A.tmp"
Network
Files
\Users\Admin\AppData\Local\Temp\148A.tmp
| Hash | Value |
| --- | --- |
| MD5 | 2920a5f1aa2cd0ddaf5aeefa506e18ab |
| SHA1 | 9361f614dba093f2f897f7031c1fa90b77ab1836 |
| SHA256 | 6055238eb581b4eb3ae6679607e5bcbe5f7e994131bc10774b96658f441b5399 |
| SHA512 | 11dcdb05e75f2baa9945af650501a3631d4c7e110cd68aa246357afee9efc5bdbe7d3fbd1892c8a0df67b84414a58873a72c793754a23a3008d72c8eee58d6d5 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 08:04
Reported
2024-06-13 08:07
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EC73.tmp | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2272 wrote to memory of 3796 | N/A | C:\Users\Admin\AppData\Local\Temp\6b62d708eb847e9881045eaf31e4aef0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\EC73.tmp |
| PID 2272 wrote to memory of 3796 | N/A | C:\Users\Admin\AppData\Local\Temp\6b62d708eb847e9881045eaf31e4aef0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\EC73.tmp |
| PID 2272 wrote to memory of 3796 | N/A | C:\Users\Admin\AppData\Local\Temp\6b62d708eb847e9881045eaf31e4aef0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\EC73.tmp |
Processes
C:\Users\Admin\AppData\Local\Temp\6b62d708eb847e9881045eaf31e4aef0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6b62d708eb847e9881045eaf31e4aef0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\EC73.tmp
"C:\Users\Admin\AppData\Local\Temp\EC73.tmp"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4048,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=4376 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\EC73.tmp
| Hash | Value |
| --- | --- |
| MD5 | 0cfd3aa482ccc2a54c1e6f7e4293826a |
| SHA1 | 140fd4056efbe133fbcd39f989aaab816eec173e |
| SHA256 | b0a10793d4c845718c1ec2c561044d23a0a905ceac6d06dcab420ca95ce38661 |
| SHA512 | 16dc693867b0b1f6156949a01853d8ded47198c1522cadaa61bfa2961b08a08ba53fceac1ebc7df0fee425cae9bfd8622f2b4543ad8808e2d7d4ae608fa5e29d |