Analysis Overview
SHA256
a053147af307e4767620c803d10f2d34dfad784e96dd0838e0fb615e3612861e
Threat Level: Shows suspicious behavior
The file 84a672eea1d62eee1a83a37ad7a6b300_NeikiAnalytics.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Deletes itself
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-13 20:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 20:32
Reported
2024-06-13 20:35
Platform
win7-20240508-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2BA2.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2BA2.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\84a672eea1d62eee1a83a37ad7a6b300_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1264 wrote to memory of 2440 | N/A | C:\Users\Admin\AppData\Local\Temp\84a672eea1d62eee1a83a37ad7a6b300_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\2BA2.tmp |
| PID 1264 wrote to memory of 2440 | N/A | C:\Users\Admin\AppData\Local\Temp\84a672eea1d62eee1a83a37ad7a6b300_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\2BA2.tmp |
| PID 1264 wrote to memory of 2440 | N/A | C:\Users\Admin\AppData\Local\Temp\84a672eea1d62eee1a83a37ad7a6b300_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\2BA2.tmp |
| PID 1264 wrote to memory of 2440 | N/A | C:\Users\Admin\AppData\Local\Temp\84a672eea1d62eee1a83a37ad7a6b300_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\2BA2.tmp |
Processes
C:\Users\Admin\AppData\Local\Temp\84a672eea1d62eee1a83a37ad7a6b300_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\84a672eea1d62eee1a83a37ad7a6b300_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\2BA2.tmp
"C:\Users\Admin\AppData\Local\Temp\2BA2.tmp" --pingC:\Users\Admin\AppData\Local\Temp\84a672eea1d62eee1a83a37ad7a6b300_NeikiAnalytics.exe BB5DD7F80BF2B15E58692996DF2A6D350EA07447080E111DC9096754930FF3F10805A93CCDC3960EDB4DB8A42C0BA02B997515280ECD860BEE047C0FFCCA7200
Network
Files
memory/1264-0-0x0000000000400000-0x0000000000486000-memory.dmp
\Users\Admin\AppData\Local\Temp\2BA2.tmp
| Hash | Value |
|---|---|
| MD5 | 6cb851526fec1c1aa1e17f6e5b0bff45 |
| SHA1 | f2a92dfa9de3cc1990c1750589bc760305d2f0a7 |
| SHA256 | 4acb872fcd95fd0d04ec5b2f97f39195baf726275964c3b1ec246b3f277c990d |
| SHA512 | 861c48109064810646a7370fb450cbc53d4982f595a7c382a93244bd427157822ab9c9ae83abf7ff3d68548c4b4b9dc77c306635ac7601c1ddee724d429f3aec |
memory/1264-4-0x0000000002160000-0x00000000021E6000-memory.dmp
memory/1264-8-0x0000000000400000-0x0000000000486000-memory.dmp
memory/2440-9-0x0000000000400000-0x0000000000486000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 20:32
Reported
2024-06-13 20:35
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
56s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7474.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7474.tmp | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1344 wrote to memory of 3532 | N/A | C:\Users\Admin\AppData\Local\Temp\84a672eea1d62eee1a83a37ad7a6b300_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\7474.tmp |
| PID 1344 wrote to memory of 3532 | N/A | C:\Users\Admin\AppData\Local\Temp\84a672eea1d62eee1a83a37ad7a6b300_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\7474.tmp |
| PID 1344 wrote to memory of 3532 | N/A | C:\Users\Admin\AppData\Local\Temp\84a672eea1d62eee1a83a37ad7a6b300_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\7474.tmp |
Processes
C:\Users\Admin\AppData\Local\Temp\84a672eea1d62eee1a83a37ad7a6b300_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\84a672eea1d62eee1a83a37ad7a6b300_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\7474.tmp
"C:\Users\Admin\AppData\Local\Temp\7474.tmp" --pingC:\Users\Admin\AppData\Local\Temp\84a672eea1d62eee1a83a37ad7a6b300_NeikiAnalytics.exe 314C916F745D22EBBCF5B1877B68376FA6857D03624C3DB27A4ED30C7B8BA3761DAE60A447CAF763924322860649D7111D7680CBBE1756A50D525E22C08D0D21
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/1344-0-0x0000000000400000-0x0000000000486000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7474.tmp
| Hash | Value |
|---|---|
| MD5 | 61065366b1796a19786dd2b43bdd2cda |
| SHA1 | d1cee560dd6d5585fd4fa0b9ee5eb4bb7fea61df |
| SHA256 | 06fa2f9d38e0c45eb08fc1b7477cacfeca31cc75d6902709e7990a3ba8ef664a |
| SHA512 | cfaa6d74f64b7bd2a33d3d85707a08e3a4b54cca1f860fdd7cc315d15d6856e8216a714dc7457aab414e82ea5273e6a96e705decd7c1b57cef02b84ad88d2f3b |
memory/1344-6-0x0000000000400000-0x0000000000486000-memory.dmp
memory/3532-7-0x0000000000400000-0x0000000000486000-memory.dmp
memory/3532-8-0x0000000000400000-0x0000000000486000-memory.dmp