Analysis Overview
SHA256
e180262fa23508eb588a22bb9faf2dd2a3cf275cb12f2d402a2d9b9ce23c5455
Threat Level: Likely benign
The file 6d07ebb10f0c376fe83728c5e4903910_NeikiAnalytics.exe was found to be: Likely benign.
Malicious Activity Summary
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-13 08:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
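The static "Unsigned PE" signature above means the image carries no Authenticode certificate table. The following is an added example, not the sandbox's own check, of how that is read off the PE headers: it locates the security data directory (index 4, which holds a file offset rather than an RVA), validates the WIN_CERTIFICATE header at that offset, and rejects a directory that points past the end of the file. Because the analysed sample is not reproduced here, the block builds a constructed header-only PE32 image as its sample input; the `build_minimal_pe32` helper and its contents are an assumption for demonstration only.

```python
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # index of the certificate table directory
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode: PKCS#7 SignedData


def security_directory(pe: bytes):
    """Return (file_offset, size) of the certificate table, or None if absent.

    Unlike the other data directories this one stores a raw file offset, not
    an RVA, because the certificate table is never mapped into memory."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    (size_of_optional,) = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic == 0x10B:        # PE32
        count_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:      # PE32+
        count_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (n_dirs,) = struct.unpack_from("<I", pe, count_off)
    entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > opt + size_of_optional:
        return None
    off, size = struct.unpack_from("<II", pe, entry)
    return (off, size) if off and size else None


def has_authenticode_blob(pe: bytes) -> bool:
    """True if the image carries a WIN_CERTIFICATE of PKCS#7 signed-data type.

    Presence only: a blob that is present may still be expired, revoked or
    forged, so verify it cryptographically (signtool verify,
    Get-AuthenticodeSignature) before treating the file as signed."""
    loc = security_directory(pe)
    if loc is None:
        return False
    off, size = loc
    if size < 8 or off + size > len(pe):
        return False          # directory points outside the file: truncated or tampered
    length, revision, cert_type = struct.unpack_from("<IHH", pe, off)
    return (length <= size and revision == WIN_CERT_REVISION_2_0
            and cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA)


def build_minimal_pe32(cert_blob: bytes = b"") -> bytes:
    """Constructed header-only PE32 image used as sample input; not a real binary."""
    headers_len = 0x40 + 4 + 20 + 224   # DOS header + PE sig + COFF + PE32 optional header
    dirs = [(0, 0)] * 16
    win_cert = b""
    if cert_blob:
        win_cert = struct.pack("<IHH", 8 + len(cert_blob), WIN_CERT_REVISION_2_0,
                               WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_blob
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (headers_len, len(win_cert))
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)  # 16 directories
    opt += b"".join(struct.pack("<II", va, sz) for va, sz in dirs)
    image = dos + coff + opt
    assert len(image) == headers_len
    return image + win_cert


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_minimal_pe32()
    print("signature blob present" if has_authenticode_blob(data) else "Unsigned PE")
```

Run it with the path of a real PE to reproduce the signature, or without arguments to exercise the constructed image. The truncation check matters in practice: a file cut short after the headers keeps a security directory that points past EOF, and the honest answer there is "unsigned", not an exception.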
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 08:31
Reported
2024-06-13 08:33
Platform
win7-20231129-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\NDISAPI.log | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\NDISAPI.log | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2128 wrote to memory of 1916 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2128 wrote to memory of 1916 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2128 wrote to memory of 1916 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2128 wrote to memory of 1916 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2128 wrote to memory of 1916 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2128 wrote to memory of 1916 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2128 wrote to memory of 1916 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d07ebb10f0c376fe83728c5e4903910_NeikiAnalytics.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d07ebb10f0c376fe83728c5e4903910_NeikiAnalytics.dll,#1
Network
Files
C:\Windows\SysWOW64\NDISAPI.log
| MD5 | 2c12252f8d3ee2ef71a5758b2b9f98bf |
| SHA1 | c29c34d806abd22bca70d12217ff4f0b6fef08dc |
| SHA256 | 26fc45856effb8dc9aa8cfb7437aee3ce9031e4204abbfedbcb7c3d4316313a0 |
| SHA512 | aaa38fb1ca8d7bb635952bda2545eea10c567b3dd78ca48df60581528edfdaedf1cb152cbe3c93b2d75aad33f7e4595193b1af8ca4e55e96582f2de9d7bd31b7 |
C:\Windows\SysWOW64\NDISAPI.log
| MD5 | 7a8de150dcd4f88db258acffa70eb1fe |
| SHA1 | 5a19ae254c82d5afce99f9cde954959c12d35f63 |
| SHA256 | dfeb74c55b1929af991ed6c18dc516eb5338e626a757a0b643d69a51fab145cb |
| SHA512 | b75441009af5aa53e54fd574803d3c2a6a496a1e474d72c65188932e0c9ec25d451821c8c8abb7c3bf0fe28d81c28379b550a3099304c767602a1ae162bc1c48 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 08:31
Reported
2024-06-13 08:33
Platform
win10v2004-20240611-en
Max time kernel
93s
Max time network
95s
Command Line
Signatures
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\NDISAPI.log | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\NDISAPI.log | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3040 wrote to memory of 2668 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3040 wrote to memory of 2668 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3040 wrote to memory of 2668 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
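In both behavioral runs the writer is the 64-bit rundll32.exe in System32 and the target is the 32-bit copy in SysWOW64 that it launched with the identical command line (compare the two entries in each Processes list). That is the handoff rundll32 performs when it is given a 32-bit DLL, and a parent writing into a child it has just created is part of process creation rather than a write into an unrelated process. The following added example, not part of the report, collapses the repeated rows from both runs into per-pair counts and labels that pattern so an analyst can spend time on the rows that do not match it. The PIDs, image paths and command line are taken from the tables above; the explorer.exe row and PIDs 4000/4100 are constructed for contrast and do not appear in the report.

```python
import collections
import ntpath
from typing import Dict, List, NamedTuple, Tuple


class MemWrite(NamedTuple):
    src_pid: int
    dst_pid: int
    src_image: str
    dst_image: str


SYSTEM32 = r"c:\windows\system32"
SYSWOW64 = r"c:\windows\syswow64"


def _split(image: str) -> Tuple[str, str]:
    # ntpath applies Windows path rules on any host OS; normcase lowercases
    return ntpath.split(ntpath.normcase(image))


def is_wow64_rundll32_handoff(src_image: str, dst_image: str,
                              src_cmdline: str, dst_cmdline: str) -> bool:
    """64-bit rundll32 re-executing its SysWOW64 copy for a 32-bit DLL.

    All four conditions must hold: both images are rundll32.exe, the writer
    lives in System32, the target in SysWOW64, and the command lines are the
    same. A different command line or a different target image means the
    write needs a human look."""
    src_dir, src_name = _split(src_image)
    dst_dir, dst_name = _split(dst_image)
    return (src_name == dst_name == "rundll32.exe"
            and src_dir == SYSTEM32 and dst_dir == SYSWOW64
            and src_cmdline.split() == dst_cmdline.split())


def triage(events: List[MemWrite], cmdlines: Dict[int, str]) -> List[Tuple[int, int, int, str]]:
    """Collapse repeated (writer, target) pairs and label each one.

    cmdlines maps pid -> command line as recorded by the sandbox. Returns
    (src_pid, dst_pid, write_count, verdict) with verdict "expected" for the
    WoW64 handoff and "review" for anything else."""
    findings = []
    for ev, n in collections.Counter(events).items():
        handoff = is_wow64_rundll32_handoff(ev.src_image, ev.dst_image,
                                            cmdlines.get(ev.src_pid, ""),
                                            cmdlines.get(ev.dst_pid, ""))
        findings.append((ev.src_pid, ev.dst_pid, n, "expected" if handoff else "review"))
    return findings


# Inputs copied from the behavioral1 and behavioral2 tables above.
RUNDLL_CMD = (r"rundll32.exe C:\Users\Admin\AppData\Local\Temp"
              r"\6d07ebb10f0c376fe83728c5e4903910_NeikiAnalytics.dll,#1")
SYS64 = r"C:\Windows\system32\rundll32.exe"
WOW64 = r"C:\Windows\SysWOW64\rundll32.exe"
PAGE_EVENTS = ([MemWrite(2128, 1916, SYS64, WOW64)] * 7
               + [MemWrite(3040, 2668, SYS64, WOW64)] * 3)
# Constructed contrast row, not from the report: a rundll32 writing into explorer.exe.
INJECT_EVENT = MemWrite(4000, 4100, WOW64, r"C:\Windows\explorer.exe")
CMDLINES = {2128: RUNDLL_CMD, 1916: RUNDLL_CMD, 3040: RUNDLL_CMD, 2668: RUNDLL_CMD,
            4000: RUNDLL_CMD, 4100: r"C:\Windows\explorer.exe"}

if __name__ == "__main__":
    for src, dst, count, verdict in triage(PAGE_EVENTS + [INJECT_EVENT], CMDLINES):
        print(f"{src} -> {dst}: {count} write(s) [{verdict}]")
```

The command-line comparison is the part worth keeping strict: a SysWOW64 rundll32 child started with a different DLL or export than its parent is no longer the handoff the parent would perform on its own.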
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d07ebb10f0c376fe83728c5e4903910_NeikiAnalytics.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d07ebb10f0c376fe83728c5e4903910_NeikiAnalytics.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
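The Windows 7 run above recorded no network activity at all, and every row in this Windows 10 table is a Google DNS query, a Bing connection or a reverse (in-addr.arpa) lookup, which is consistent with operating-system background traffic rather than a beacon from the DLL. The added example below, not the report's own code, sorts such rows: it decodes each PTR query back to the forward address, reports which of those addresses also appear as connected destinations, and checks remaining domains against an allowlist of sandbox background hosts. The allowlist is a constructed assumption seeded from this table and should be replaced by one built from clean baseline runs; the 203.0.113.7 row is a constructed contrast case that is not in the report.

```python
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Set, Tuple


class NetRow(NamedTuple):
    country: str
    destination: str   # "ip:port" as printed in the table
    domain: str
    proto: str


# Constructed allowlist for this demonstration: hosts the sandbox's Windows 10
# image talks to on its own. Build yours from baseline runs, not from a guess.
BACKGROUND_DOMAINS = {"www.bing.com", "g.bing.com"}


def ptr_target(domain: str) -> Optional[str]:
    """Forward IPv4 address named by an in-addr.arpa PTR query, else None."""
    suffix = ".in-addr.arpa"
    if not domain.lower().endswith(suffix):
        return None
    octets = domain[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def classify(row: NetRow) -> Tuple[str, str]:
    """Label one row: reverse-lookup (with the forward IP), background, or review."""
    ip, _, port = row.destination.rpartition(":")
    target = ptr_target(row.domain)
    if target is not None:
        return ("reverse-lookup", target)
    if row.domain.lower() in BACKGROUND_DOMAINS:
        return ("background", row.domain)
    return ("review", f"{row.domain or ip}:{port}/{row.proto}")


def summarize(rows: List[NetRow]) -> Dict[str, Set[str]]:
    out: Dict[str, Set[str]] = {"reverse-lookup": set(), "background": set(), "review": set()}
    for r in rows:
        kind, detail = classify(r)
        out[kind].add(detail)
    return out


def correlate(rows: List[NetRow]) -> Set[str]:
    """PTR targets that also appear as a destination: the host resolved the
    name of an address it had just connected to."""
    dests = {r.destination.rpartition(":")[0] for r in rows}
    return {t for t in (ptr_target(r.domain) for r in rows) if t in dests}


# Rows copied from the behavioral2 Network table above.
PAGE_ROWS = [
    NetRow("US", "8.8.8.8:53", "g.bing.com", "udp"),
    NetRow("US", "204.79.197.237:443", "g.bing.com", "tcp"),
    NetRow("NL", "23.62.61.194:443", "www.bing.com", "tcp"),
    NetRow("US", "8.8.8.8:53", "68.32.126.40.in-addr.arpa", "udp"),
    NetRow("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    NetRow("US", "8.8.8.8:53", "172.210.232.199.in-addr.arpa", "udp"),
    NetRow("US", "8.8.8.8:53", "88.156.103.20.in-addr.arpa", "udp"),
    NetRow("US", "8.8.8.8:53", "194.61.62.23.in-addr.arpa", "udp"),
    NetRow("US", "8.8.8.8:53", "26.165.165.52.in-addr.arpa", "udp"),
    NetRow("US", "8.8.8.8:53", "198.187.3.20.in-addr.arpa", "udp"),
    NetRow("US", "8.8.8.8:53", "216.107.17.2.in-addr.arpa", "udp"),
    NetRow("US", "8.8.8.8:53", "29.243.111.52.in-addr.arpa", "udp"),
    NetRow("US", "8.8.8.8:53", "203.107.17.2.in-addr.arpa", "udp"),
]
# Constructed contrast row (TEST-NET-3 documentation range), not from the report.
CONSTRUCTED_ROW = NetRow("??", "203.0.113.7:4444", "", "tcp")

if __name__ == "__main__":
    for kind, items in summarize(PAGE_ROWS + [CONSTRUCTED_ROW]).items():
        print(kind, sorted(items))
    print("PTR targets also connected to:", sorted(correlate(PAGE_ROWS)))
```

Decoding the PTR names is what makes the reverse lookups readable: 194.61.62.23.in-addr.arpa is the name lookup for 23.62.61.194, the www.bing.com address connected to two rows earlier, so those queries document the OS naming its own connections rather than new destinations.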
Files
C:\Windows\SysWOW64\NDISAPI.log
| MD5 | 2b7a55a64720ba65080a73ab689868b8 |
| SHA1 | cd036df27a1f69c017c38349a14c9e51661ecef4 |
| SHA256 | 27f9cbbb9d481bd5a8d41a88682dcc26f14e6945ddd773ad75e9a3491c8b26c3 |
| SHA512 | b0bc1ab3c2b0e87a7fe66c26009be3c655375df7b1cd66cb9a9e8593c81bb9b1ac0b0a368a4f88fc39dac5def3e98557fff61035f4d0d65215d6943c6f3a7738 |