Analysis Overview
SHA256
0b0b4a48930c16a3abf27ec4eff34eb05d4b2d351438e3fc0708a0a54150355f
Threat Level: Shows suspicious behavior
The file c506650ad9138ffde6620e23b3c42d90_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Detects Pyinstaller
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-19 14:44
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-19 14:44
Reported
2024-06-19 14:46
Platform
win7-20240611-en
Max time kernel
118s
Max time network
118s
Command Line
Signatures
Loads dropped DLL
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2108 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\c506650ad9138ffde6620e23b3c42d90_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\c506650ad9138ffde6620e23b3c42d90_NeikiAnalytics.exe |
| PID 2108 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\c506650ad9138ffde6620e23b3c42d90_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\c506650ad9138ffde6620e23b3c42d90_NeikiAnalytics.exe |
| PID 2108 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\c506650ad9138ffde6620e23b3c42d90_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\c506650ad9138ffde6620e23b3c42d90_NeikiAnalytics.exe |
| PID 2108 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\c506650ad9138ffde6620e23b3c42d90_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\c506650ad9138ffde6620e23b3c42d90_NeikiAnalytics.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\c506650ad9138ffde6620e23b3c42d90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c506650ad9138ffde6620e23b3c42d90_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\c506650ad9138ffde6620e23b3c42d90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c506650ad9138ffde6620e23b3c42d90_NeikiAnalytics.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI21082\2.exe.manifest
C:\Users\Admin\AppData\Local\Temp\_MEI21082\python27.dll
C:\Users\Admin\AppData\Local\Temp\_MEI21082\MSVCR90.dll
C:\Users\Admin\AppData\Local\Temp\_MEI21~1\_ctypes.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI21~1\_socket.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI21~1\_ssl.pyd
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-19 14:44
Reported
2024-06-19 14:46
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
150s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c506650ad9138ffde6620e23b3c42d90_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c506650ad9138ffde6620e23b3c42d90_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c506650ad9138ffde6620e23b3c42d90_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c506650ad9138ffde6620e23b3c42d90_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 468 wrote to memory of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\c506650ad9138ffde6620e23b3c42d90_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\c506650ad9138ffde6620e23b3c42d90_NeikiAnalytics.exe |
| PID 468 wrote to memory of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\c506650ad9138ffde6620e23b3c42d90_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\c506650ad9138ffde6620e23b3c42d90_NeikiAnalytics.exe |
| PID 468 wrote to memory of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\c506650ad9138ffde6620e23b3c42d90_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\c506650ad9138ffde6620e23b3c42d90_NeikiAnalytics.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\c506650ad9138ffde6620e23b3c42d90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c506650ad9138ffde6620e23b3c42d90_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\c506650ad9138ffde6620e23b3c42d90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c506650ad9138ffde6620e23b3c42d90_NeikiAnalytics.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3840 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI4682\2.exe.manifest
C:\Users\Admin\AppData\Local\Temp\_MEI4682\python27.dll
C:\Users\Admin\AppData\Local\Temp\_MEI4682\_ctypes.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI4682\_socket.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI4682\_ssl.pyd