27050474e7add110f3753f4c2eac65f3c59f9b7d9a77ecb0eaddde3ef915aa35

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 22:27 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27050474e7add110f3753f4c2eac65f3c59f9b7d9a77ecb0eaddde3ef915aa35_NeikiAnalytics.dll
Size

131KB
MD5

78d68d970faf7874251c3340aa147bb0
SHA1

b33271f263ed2a709e24b1a636875d21655de717
SHA256

27050474e7add110f3753f4c2eac65f3c59f9b7d9a77ecb0eaddde3ef915aa35
SHA512

5d2e4c93342bc05664e6f4c6c04d7c1ee7cf84cc6740f853e7fbc7259119c8846b9cf0d593891bd8e95068c8acd9ab8ef8f9da745bddef1808bd6a592033be81
SSDEEP

3072:s3P/oLJOZdZNmdB2gB0YQbfEVHQUglPJSzJoyppZX:s//2MrZ0L2gO4V7VFpZX

Score

1^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 184 wrote to memory of 1524	184	rundll32.exe	86
PID 184 wrote to memory of 1524	184	rundll32.exe	86
PID 184 wrote to memory of 1524	184	rundll32.exe	86

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\27050474e7add110f3753f4c2eac65f3c59f9b7d9a77ecb0eaddde3ef915aa35_NeikiAnalytics.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:184
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\27050474e7add110f3753f4c2eac65f3c59f9b7d9a77ecb0eaddde3ef915aa35_NeikiAnalytics.dll,#1
  2⤵
  PID:1524

Network

DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A
DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8-TU4aNpxdx0_lMatD6OrwzVUCUzefUXyG9zrB7YbMT7sOO8HNi2GbzyBg4KnGjx-4v1_0Z3vOhtm2QlUdYfuzaQoK-ABNJ-eRl-Fv6i4I7BLBaTPmvmEOzQi_0U-xx6vhY1eMG0I9vUQySTb0z4ypbtHlD3F7KJYYqIYTUtDf9Vafn1v%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZndvcmQlM2ZvY2lkJTNkY21taWV5YnVyNGM%26rlid%3Da0fca605d0ea1b061470c06d7b1c4e20&TIME=20240611T195708Z&CID=531098720&EID=531098720&tids=15000&adUnitId=11730597&localId=w:82EA48EC-8031-841E-BBBB-3EE75126D09B&deviceId=6896198597119407&muid=82EA48EC8031841EBBBB3EE75126D09B

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8-TU4aNpxdx0_lMatD6OrwzVUCUzefUXyG9zrB7YbMT7sOO8HNi2GbzyBg4KnGjx-4v1_0Z3vOhtm2QlUdYfuzaQoK-ABNJ-eRl-Fv6i4I7BLBaTPmvmEOzQi_0U-xx6vhY1eMG0I9vUQySTb0z4ypbtHlD3F7KJYYqIYTUtDf9Vafn1v%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZndvcmQlM2ZvY2lkJTNkY21taWV5YnVyNGM%26rlid%3Da0fca605d0ea1b061470c06d7b1c4e20&TIME=20240611T195708Z&CID=531098720&EID=531098720&tids=15000&adUnitId=11730597&localId=w:82EA48EC-8031-841E-BBBB-3EE75126D09B&deviceId=6896198597119407&muid=82EA48EC8031841EBBBB3EE75126D09B HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=0E18D7CF19396A3030A2C36318826B1D; domain=.bing.com; expires=Wed, 23-Jul-2025 22:27:16 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: B9A5DCE8D8A14B6BA5708D0D03FDAA63 Ref B: LON04EDGE0821 Ref C: 2024-06-28T22:27:16Z
date: Fri, 28 Jun 2024 22:27:15 GMT
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8-TU4aNpxdx0_lMatD6OrwzVUCUzefUXyG9zrB7YbMT7sOO8HNi2GbzyBg4KnGjx-4v1_0Z3vOhtm2QlUdYfuzaQoK-ABNJ-eRl-Fv6i4I7BLBaTPmvmEOzQi_0U-xx6vhY1eMG0I9vUQySTb0z4ypbtHlD3F7KJYYqIYTUtDf9Vafn1v%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZndvcmQlM2ZvY2lkJTNkY21taWV5YnVyNGM%26rlid%3Da0fca605d0ea1b061470c06d7b1c4e20&TIME=20240611T195708Z&CID=531098720&EID=&tids=15000&adUnitId=11730597&localId=w:82EA48EC-8031-841E-BBBB-3EE75126D09B&deviceId=6896198597119407&muid=82EA48EC8031841EBBBB3EE75126D09B

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8-TU4aNpxdx0_lMatD6OrwzVUCUzefUXyG9zrB7YbMT7sOO8HNi2GbzyBg4KnGjx-4v1_0Z3vOhtm2QlUdYfuzaQoK-ABNJ-eRl-Fv6i4I7BLBaTPmvmEOzQi_0U-xx6vhY1eMG0I9vUQySTb0z4ypbtHlD3F7KJYYqIYTUtDf9Vafn1v%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZndvcmQlM2ZvY2lkJTNkY21taWV5YnVyNGM%26rlid%3Da0fca605d0ea1b061470c06d7b1c4e20&TIME=20240611T195708Z&CID=531098720&EID=&tids=15000&adUnitId=11730597&localId=w:82EA48EC-8031-841E-BBBB-3EE75126D09B&deviceId=6896198597119407&muid=82EA48EC8031841EBBBB3EE75126D09B HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=0E18D7CF19396A3030A2C36318826B1D; _EDGE_S=SID=3D7FD9CC97D666A309A7CD609655678B

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=OYlaKI1c_EP466l4p48_XtooBsfMTubs-bmZBbB39Io; domain=.bing.com; expires=Wed, 23-Jul-2025 22:27:16 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 7B6C28A4255B4D34AB25B03280F41415 Ref B: LON04EDGE0821 Ref C: 2024-06-28T22:27:16Z
date: Fri, 28 Jun 2024 22:27:16 GMT
DNS

133.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.32.126.40.in-addr.arpa

IN PTR

Response
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
GET

https://www.bing.com/aes/c.gif?RG=39723ac40f5e41ea89b10a65b9c098e7&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240611T195708Z&adUnitId=11730597&localId=w:82EA48EC-8031-841E-BBBB-3EE75126D09B&deviceId=6896198597119407

Remote address:

23.62.61.97:443

Request

GET /aes/c.gif?RG=39723ac40f5e41ea89b10a65b9c098e7&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240611T195708Z&adUnitId=11730597&localId=w:82EA48EC-8031-841E-BBBB-3EE75126D09B&deviceId=6896198597119407 HTTP/2.0
host: www.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=0E18D7CF19396A3030A2C36318826B1D

Response

HTTP/2.0 200

cache-control: private,no-store
pragma: no-cache
vary: Origin
p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 77C0AD9DA7AB4CDEB3B46E7F993B77DF Ref B: AMS04EDGE2616 Ref C: 2024-06-28T22:27:16Z
content-length: 0
date: Fri, 28 Jun 2024 22:27:16 GMT
set-cookie: _EDGE_S=SID=3D7FD9CC97D666A309A7CD609655678B; path=/; httponly; domain=bing.com
set-cookie: MUIDB=0E18D7CF19396A3030A2C36318826B1D; path=/; httponly; expires=Wed, 23-Jul-2025 22:27:16 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.5d3d3e17.1719613636.a39b20b
DNS

97.61.62.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.61.62.23.in-addr.arpa

IN PTR

Response

97.61.62.23.in-addr.arpa

IN PTR

a23-62-61-97deploystaticakamaitechnologiescom
DNS

26.165.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.165.165.52.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
DNS

100.58.20.217.in-addr.arpa

Remote address:

8.8.8.8:53

Request

100.58.20.217.in-addr.arpa

IN PTR

Response
DNS

29.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

29.243.111.52.in-addr.arpa

IN PTR

Response
DNS

14.173.189.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.173.189.20.in-addr.arpa

IN PTR

Response

204.79.197.237:443

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8-TU4aNpxdx0_lMatD6OrwzVUCUzefUXyG9zrB7YbMT7sOO8HNi2GbzyBg4KnGjx-4v1_0Z3vOhtm2QlUdYfuzaQoK-ABNJ-eRl-Fv6i4I7BLBaTPmvmEOzQi_0U-xx6vhY1eMG0I9vUQySTb0z4ypbtHlD3F7KJYYqIYTUtDf9Vafn1v%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZndvcmQlM2ZvY2lkJTNkY21taWV5YnVyNGM%26rlid%3Da0fca605d0ea1b061470c06d7b1c4e20&TIME=20240611T195708Z&CID=531098720&EID=&tids=15000&adUnitId=11730597&localId=w:82EA48EC-8031-841E-BBBB-3EE75126D09B&deviceId=6896198597119407&muid=82EA48EC8031841EBBBB3EE75126D09B

tls, http2

2.5kB
9.1kB
19
17

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8-TU4aNpxdx0_lMatD6OrwzVUCUzefUXyG9zrB7YbMT7sOO8HNi2GbzyBg4KnGjx-4v1_0Z3vOhtm2QlUdYfuzaQoK-ABNJ-eRl-Fv6i4I7BLBaTPmvmEOzQi_0U-xx6vhY1eMG0I9vUQySTb0z4ypbtHlD3F7KJYYqIYTUtDf9Vafn1v%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZndvcmQlM2ZvY2lkJTNkY21taWV5YnVyNGM%26rlid%3Da0fca605d0ea1b061470c06d7b1c4e20&TIME=20240611T195708Z&CID=531098720&EID=531098720&tids=15000&adUnitId=11730597&localId=w:82EA48EC-8031-841E-BBBB-3EE75126D09B&deviceId=6896198597119407&muid=82EA48EC8031841EBBBB3EE75126D09B

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8-TU4aNpxdx0_lMatD6OrwzVUCUzefUXyG9zrB7YbMT7sOO8HNi2GbzyBg4KnGjx-4v1_0Z3vOhtm2QlUdYfuzaQoK-ABNJ-eRl-Fv6i4I7BLBaTPmvmEOzQi_0U-xx6vhY1eMG0I9vUQySTb0z4ypbtHlD3F7KJYYqIYTUtDf9Vafn1v%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZndvcmQlM2ZvY2lkJTNkY21taWV5YnVyNGM%26rlid%3Da0fca605d0ea1b061470c06d7b1c4e20&TIME=20240611T195708Z&CID=531098720&EID=&tids=15000&adUnitId=11730597&localId=w:82EA48EC-8031-841E-BBBB-3EE75126D09B&deviceId=6896198597119407&muid=82EA48EC8031841EBBBB3EE75126D09B

HTTP Response

204
23.62.61.97:443

https://www.bing.com/aes/c.gif?RG=39723ac40f5e41ea89b10a65b9c098e7&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240611T195708Z&adUnitId=11730597&localId=w:82EA48EC-8031-841E-BBBB-3EE75126D09B&deviceId=6896198597119407

tls, http2

1.4kB
5.4kB
16
14

HTTP Request

GET https://www.bing.com/aes/c.gif?RG=39723ac40f5e41ea89b10a65b9c098e7&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240611T195708Z&adUnitId=11730597&localId=w:82EA48EC-8031-841E-BBBB-3EE75126D09B&deviceId=6896198597119407

HTTP Response

200

8.8.8.8:53

g.bing.com

dns

112 B
151 B
2
1

DNS Request

g.bing.com

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

133.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

133.32.126.40.in-addr.arpa
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

55.36.223.20.in-addr.arpa
8.8.8.8:53

97.61.62.23.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

97.61.62.23.in-addr.arpa
8.8.8.8:53

26.165.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

26.165.165.52.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

100.58.20.217.in-addr.arpa

dns

72 B
132 B
1
1

DNS Request

100.58.20.217.in-addr.arpa
8.8.8.8:53

29.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

29.243.111.52.in-addr.arpa
8.8.8.8:53

14.173.189.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.173.189.20.in-addr.arpa

Windows 7 deprecation

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.