Analysis Overview
SHA256
76bc0ce0743246205e44fc6b36df5f4a5a50293c64ec54d0d7aa0b15d2774402
Threat Level: Shows suspicious behavior
The file 70595e150d6d58b19cb54fa1cd6c0de0_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Deletes itself
Program crash
Unsigned PE
Suspicious behavior: RenamesItself
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-13 09:24
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 09:24
Reported
2024-06-13 09:27
Platform
win7-20231129-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\70595e150d6d58b19cb54fa1cd6c0de0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\70595e150d6d58b19cb54fa1cd6c0de0_NeikiAnalytics.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\70595e150d6d58b19cb54fa1cd6c0de0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\70595e150d6d58b19cb54fa1cd6c0de0_NeikiAnalytics.exe |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\70595e150d6d58b19cb54fa1cd6c0de0_NeikiAnalytics.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\70595e150d6d58b19cb54fa1cd6c0de0_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\70595e150d6d58b19cb54fa1cd6c0de0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\70595e150d6d58b19cb54fa1cd6c0de0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\70595e150d6d58b19cb54fa1cd6c0de0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\70595e150d6d58b19cb54fa1cd6c0de0_NeikiAnalytics.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 144
Network
Files
memory/2264-0-0x0000000000400000-0x00000000004ED000-memory.dmp
\Users\Admin\AppData\Local\Temp\70595e150d6d58b19cb54fa1cd6c0de0_NeikiAnalytics.exe
| Hash | Value |
| --- | --- |
| MD5 | c9eae405ee67e981c9b4892506da4f79 |
| SHA1 | e4c8561100e828aed4626eb5d14c250135174485 |
| SHA256 | e7db1423b9b3231ffccd4af57517b508f5fb423e16cb18d6bda5fde6abe10657 |
| SHA512 | 1324eaee3d688625112c7167ffea890243bb28758a738cea5e4d9e45497748d444dede5fb5287e7c891bd0e97525b3d24bc2ebccdb72d7074ae2b4489956e741 |
memory/2264-7-0x0000000003030000-0x000000000311D000-memory.dmp
memory/1936-9-0x0000000000400000-0x00000000004ED000-memory.dmp
memory/2264-10-0x0000000000400000-0x00000000004ED000-memory.dmp
memory/1936-11-0x0000000002DA0000-0x0000000002E8D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 09:24
Reported
2024-06-13 09:27
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
154s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\70595e150d6d58b19cb54fa1cd6c0de0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\70595e150d6d58b19cb54fa1cd6c0de0_NeikiAnalytics.exe | N/A |
Program crash
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\70595e150d6d58b19cb54fa1cd6c0de0_NeikiAnalytics.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\70595e150d6d58b19cb54fa1cd6c0de0_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4384 wrote to memory of 4944 | N/A | C:\Users\Admin\AppData\Local\Temp\70595e150d6d58b19cb54fa1cd6c0de0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\70595e150d6d58b19cb54fa1cd6c0de0_NeikiAnalytics.exe |
| PID 4384 wrote to memory of 4944 | N/A | C:\Users\Admin\AppData\Local\Temp\70595e150d6d58b19cb54fa1cd6c0de0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\70595e150d6d58b19cb54fa1cd6c0de0_NeikiAnalytics.exe |
| PID 4384 wrote to memory of 4944 | N/A | C:\Users\Admin\AppData\Local\Temp\70595e150d6d58b19cb54fa1cd6c0de0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\70595e150d6d58b19cb54fa1cd6c0de0_NeikiAnalytics.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\70595e150d6d58b19cb54fa1cd6c0de0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\70595e150d6d58b19cb54fa1cd6c0de0_NeikiAnalytics.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4384 -ip 4384
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 344
C:\Users\Admin\AppData\Local\Temp\70595e150d6d58b19cb54fa1cd6c0de0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\70595e150d6d58b19cb54fa1cd6c0de0_NeikiAnalytics.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4944 -ip 4944
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 344
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4944 -ip 4944
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 404
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3212,i,14648456027158448592,4956305794400220180,262144 --variations-seed-version --mojo-platform-channel-handle=4360 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/4384-0-0x0000000000400000-0x00000000004ED000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\70595e150d6d58b19cb54fa1cd6c0de0_NeikiAnalytics.exe
| Hash | Value |
| --- | --- |
| MD5 | b072c500e1c4f387f512d4559221ed61 |
| SHA1 | fdf168ec49e62783d57ca04e86f46f273470c81d |
| SHA256 | 40086bbf368721bd9dac1daf1b10e72f1c477474a52a1e36b3e213b377f5e6b5 |
| SHA512 | 5fa3161d53eee21496475d5fbdf4d64a13ffec3931b68957dbf8abb0826e3447cc2a35ab8769fbc28aeb5a31835736e2e4ecb107ca6606a93dc5749f9f003f33 |
memory/4384-6-0x0000000000400000-0x00000000004ED000-memory.dmp
memory/4944-7-0x0000000000400000-0x00000000004ED000-memory.dmp
memory/4944-8-0x0000000005020000-0x000000000510D000-memory.dmp
memory/4944-9-0x0000000000400000-0x00000000004A3000-memory.dmp