f5f2c27607717158820c30edadc1e9544783c8a28d5142adee5597330a0cbb2d

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 23:59 UTC

Target

260336131033973e8ceb5ce3de4783b0_NeikiAnalytics.exe
Size

73KB
MD5

260336131033973e8ceb5ce3de4783b0
SHA1

8a7fc9ddfb915008a9cb6308d0d4cfc3034b55a9
SHA256

f5f2c27607717158820c30edadc1e9544783c8a28d5142adee5597330a0cbb2d
SHA512

d1191f8c7feeaa6b5eb00ebb43700f3126ba24c0601b28d9b3598fc7b6cced8493c4e458d60bd90510baf9d65196d9bfeb0356ab18d59bd1efab59b3505536ec
SSDEEP

1536:hb36BZ4v8ZK5QPqfhVWbdsmA+RjPFLC+e5hP0ZGUGf2g:h7GZO8ZNPqfcxA+HFshPOg

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
3044	$TMP!10@.COM

Loads dropped DLL 2 IoCs

pid	Process
3048	cmd.exe
3048	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 844 wrote to memory of 3048	844	260336131033973e8ceb5ce3de4783b0_NeikiAnalytics.exe	29
PID 844 wrote to memory of 3048	844	260336131033973e8ceb5ce3de4783b0_NeikiAnalytics.exe	29
PID 844 wrote to memory of 3048	844	260336131033973e8ceb5ce3de4783b0_NeikiAnalytics.exe	29
PID 844 wrote to memory of 3048	844	260336131033973e8ceb5ce3de4783b0_NeikiAnalytics.exe	29
PID 3048 wrote to memory of 3044	3048	cmd.exe	30
PID 3048 wrote to memory of 3044	3048	cmd.exe	30
PID 3048 wrote to memory of 3044	3048	cmd.exe	30
PID 3048 wrote to memory of 3044	3048	cmd.exe	30
PID 3044 wrote to memory of 2764	3044	$TMP!10@.COM	31
PID 3044 wrote to memory of 2764	3044	$TMP!10@.COM	31
PID 3044 wrote to memory of 2764	3044	$TMP!10@.COM	31
PID 3044 wrote to memory of 2764	3044	$TMP!10@.COM	31

C:\Users\Admin\AppData\Local\Temp\260336131033973e8ceb5ce3de4783b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\260336131033973e8ceb5ce3de4783b0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c $TMP!10@.COM
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Users\Admin\AppData\Local\Temp\$TMP!10@.COM
    $TMP!10@.COM
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 00.exe
      4⤵
      PID:2764

\Users\Admin\AppData\Local\Temp\$TMP!10@.COM

Filesize
73KB

MD5
4afea108af0d5980d1a38957275abf5f

SHA1
c8a3821d2f361bd51f35ecee06336dbffeeb3cf5

SHA256
e7d04af784fb84cc1127a1a43df9014d4b428a75c3af0266915b63737c7cf691

SHA512
32611f6ff88bc2dbb422d19ee4471a2ddc501e7d8d7ba26fe0e287b6d00d26ddfe20dc7eff45e54bbf1bae742885bae8217da6e085378645cc91c43ca7f77e89

Download Submit
memory/844-11-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3044-10-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download