6b0ce73a27b4841cf8a88bb79b8ee0c9507b8745afa2641ea3b2144cb08e132c

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
07/05/2024, 21:15

Target

373b94df2e17ce9a9671dcc12b109470_NEIKI.exe
Size

73KB
MD5

373b94df2e17ce9a9671dcc12b109470
SHA1

50325488975fdbaaff921612d13e11ad5f2deaed
SHA256

6b0ce73a27b4841cf8a88bb79b8ee0c9507b8745afa2641ea3b2144cb08e132c
SHA512

0d2051f7fa14a4bd039dbe751a29f13488e601077a349a5bb72910bf0d6f7292c9c973e77268b43169ad473f19d720b682f80901be3d2a8a0726a12734995297
SSDEEP

1536:hbnSKkXeOK5QPqfhVWbdsmA+RjPFLC+e5h90ZGUGf2g:hzSTDNPqfcxA+HFsh9Og

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2824	[email protected]

Loads dropped DLL 2 IoCs

pid	Process
2600	cmd.exe
2600	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2600	2364	373b94df2e17ce9a9671dcc12b109470_NEIKI.exe	29
PID 2364 wrote to memory of 2600	2364	373b94df2e17ce9a9671dcc12b109470_NEIKI.exe	29
PID 2364 wrote to memory of 2600	2364	373b94df2e17ce9a9671dcc12b109470_NEIKI.exe	29
PID 2364 wrote to memory of 2600	2364	373b94df2e17ce9a9671dcc12b109470_NEIKI.exe	29
PID 2600 wrote to memory of 2824	2600	cmd.exe	30
PID 2600 wrote to memory of 2824	2600	cmd.exe	30
PID 2600 wrote to memory of 2824	2600	cmd.exe	30
PID 2600 wrote to memory of 2824	2600	cmd.exe	30
PID 2824 wrote to memory of 2144	2824	[email protected]	31
PID 2824 wrote to memory of 2144	2824	[email protected]	31
PID 2824 wrote to memory of 2144	2824	[email protected]	31
PID 2824 wrote to memory of 2144	2824	[email protected]	31

C:\Users\Admin\AppData\Local\Temp\373b94df2e17ce9a9671dcc12b109470_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\373b94df2e17ce9a9671dcc12b109470_NEIKI.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c [email protected]
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    [email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 00.exe
      4⤵
      PID:2144

\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
73KB

MD5
5c6848c7b86b0887dccb8b307adf4a72

SHA1
c3971dbb1391965841b5528075cf78ed77f3a614

SHA256
bf1eb1d77d327c458f22cc9b41be6a01f0b9c1122e8ac0bf5f3681424e2c7306

SHA512
4c8f35febdf5c98e6bf25fe311d486c9b69b5f1469e7d0c654599c58a4652a6629025ca02f84121c1d5ab7b17cc492317ef77a1aac57cd8dfeb72e51d3d410cd

Download Submit
memory/2364-11-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2824-10-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download