File name:	ec79c87fb52556cad82dcdaba69e7260_NeikiAnalytics.exe
Full analysis:	https://app.any.run/tasks/62d947ad-4119-4029-a2f9-28194acf0e85
Verdict:	Malicious activity
Analysis date:	May 16, 2024, 23:15:19
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	EC79C87FB52556CAD82DCDABA69E7260
SHA1:	8C5C44379CCED8D8CFE17736A20C537601B85D49
SHA256:	8BD3B59422977069F5A3A3D7AB618792D9557A8EE7C1D0F209734B51599F0049
SSDEEP:	49152:1fcB3d4Gd1LxXcNRnVT8xsgvAi/9Eo0QUbrJA6YAcducA:1fQ4Gd1LxXcNRmxsg/alrJjYjA

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2018:05:04 04:46:16+00:00
ImageFileCharacteristics:	No relocs, Executable, 32-bit, Removable run from swap, Net run from swap
PEType:	PE32
LinkerVersion:	14.13
CodeSize:	303616
InitializedDataSize:	403456
UninitializedDataSize:	-
EntryPoint:	0x2e33e
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	10.1.19041.685
ProductVersionNumber:	10.1.19041.685
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	Microsoft Corporation
FileDescription:	Windows Software Development Kit - Windows 10.0.19041.685
FileVersion:	10.1.19041.685
InternalName:	setup
LegalCopyright:	Copyright (c) Microsoft Corporation. All rights reserved.
OriginalFileName:	winsdksetup.exe
ProductName:	Windows Software Development Kit - Windows 10.0.19041.685
ProductVersion:	10.1.19041.685

PID	Process	Filename		Type
6252	ec79c87fb52556cad82dcdaba69e7260_NeikiAnalytics.exe	C:\Users\admin\AppData\Local\Temp\Setup_20240516231529_Failed.txt		text
		MD5:061F2C2540A4553E7C95E55483FC3A8F	SHA256:B8BB1F460D462382A0544BB6301950476C4883B45D5D0F910F728E1E48DAD6A8
6736	FileCoAuth.exe	C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-05-16.2316.6736.1.aodl		binary
		MD5:28DCA2FF4B34B5A52A2E59DF202A6ED3	SHA256:33BACCB7296F1ED1F995FC77A23049F261CF391AC0388F9E8DD161F8C17B7F94
6272	314E.tmp	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll		executable
		MD5:85D8CD2D469EFE82CACE866B3B7746F4	SHA256:90092E4B598480282158020953E41FA99B799D223A63E9A004FAE4E2C68B5B9D
6252	ec79c87fb52556cad82dcdaba69e7260_NeikiAnalytics.exe	C:\Users\admin\AppData\Local\Temp\314E.tmp		executable
		MD5:C610E7CCD6859872C585B2A85D7DC992	SHA256:14063FC61DC71B9881D75E93A587C27A6DAF8779FF5255A24A042BEACE541041
6736	FileCoAuth.exe	C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-05-16.2316.6736.1.odl		binary
		MD5:F8156F83E1D7C1B2F2EB5742E8A3A9C0	SHA256:7F8339E913E59BB95821118BCEB6D852887798160238DE95EAB226DF0B8723A7

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5140	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	unknown
2288	RUXIMICS.exe	GET	200	23.53.41.88:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	unknown
5140	MoUsoCoreWorker.exe	GET	200	23.53.41.88:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	unknown
2288	RUXIMICS.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	unknown
2908	OfficeClickToRun.exe	POST	200	20.44.10.122:443	https://self.events.data.microsoft.com/OneCollector/1.0/	unknown	binary	9 b	—

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	unknown
4364	svchost.exe	239.255.255.250:1900	—	—	—	unknown
2288	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5140	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4232	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5140	MoUsoCoreWorker.exe	23.53.41.88:80	crl.microsoft.com	Akamai International B.V.	DE	unknown
2288	RUXIMICS.exe	23.53.41.88:80	crl.microsoft.com	Akamai International B.V.	DE	unknown
5140	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	unknown
2288	RUXIMICS.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	unknown
5456	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
crl.microsoft.com	23.53.41.88 23.53.41.90	whitelisted
settings-win.data.microsoft.com	51.104.136.2	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
self.events.data.microsoft.com	52.182.143.214	whitelisted

General Info

ec79c87fb52556cad82dcdaba69e7260_NeikiAnalytics.exe

EC79C87FB52556CAD82DCDABA69E7260

8C5C44379CCED8D8CFE17736A20C537601B85D49

8BD3B59422977069F5A3A3D7AB618792D9557A8EE7C1D0F209734B51599F0049

49152:1fcB3d4Gd1LxXcNRnVT8xsgvAi/9Eo0QUbrJA6YAcducA:1fQ4Gd1LxXcNRmxsg/alrJjYjA

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

SUSPICIOUS

Executable content was dropped or overwritten

Creates file in the systems drive root

Starts application with an unusual extension

Process drops legitimate windows executable

INFO

Checks supported languages

Create files in a temporary directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings