5e481295106f947602b61c889ee01dbf8e9b21a017b435308570b12bef3d08ca

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-05-2024 02:06

Target

4727c28cf3e97663af41bff16a112f50_NeikiAnalytics.exe
Size

99KB
MD5

4727c28cf3e97663af41bff16a112f50
SHA1

34c667f2499420b54303495457dc86ae157c3aeb
SHA256

5e481295106f947602b61c889ee01dbf8e9b21a017b435308570b12bef3d08ca
SHA512

4b7a4626cecffb099e945b353c0f9c8820fc674841c4c8811f3e1b2ad3b25db7bd2545127157fa1fd2a4b1ca1b2274f90e26a7d39a55e82bffa8a1a6e91d22f5
SSDEEP

1536:c1Tzy48untU8fOMEI3jyqfPiuOa6dVWMSRlUrRh:WzltUeOua/dVulCn

Score

1^/10

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 2920	2948	4727c28cf3e97663af41bff16a112f50_NeikiAnalytics.exe	29
PID 2948 wrote to memory of 2920	2948	4727c28cf3e97663af41bff16a112f50_NeikiAnalytics.exe	29
PID 2948 wrote to memory of 2920	2948	4727c28cf3e97663af41bff16a112f50_NeikiAnalytics.exe	29
PID 2948 wrote to memory of 2920	2948	4727c28cf3e97663af41bff16a112f50_NeikiAnalytics.exe	29
PID 2920 wrote to memory of 2928	2920	cmd.exe	30
PID 2920 wrote to memory of 2928	2920	cmd.exe	30
PID 2920 wrote to memory of 2928	2920	cmd.exe	30
PID 2920 wrote to memory of 2928	2920	cmd.exe	30
PID 2928 wrote to memory of 2992	2928	iexpress.exe	31
PID 2928 wrote to memory of 2992	2928	iexpress.exe	31
PID 2928 wrote to memory of 2992	2928	iexpress.exe	31
PID 2928 wrote to memory of 2992	2928	iexpress.exe	31

C:\Users\Admin\AppData\Local\Temp\4727c28cf3e97663af41bff16a112f50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4727c28cf3e97663af41bff16a112f50_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\C6F.tmp\1.bat" "C:\Users\Admin\AppData\Local\Temp\4727c28cf3e97663af41bff16a112f50_NeikiAnalytics.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\SysWOW64\iexpress.exe
    iexpress /n /q /m C:\Users\Admin\AppData\Local\Temp\popup.sed
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Windows\SysWOW64\makecab.exe
      C:\Windows\SysWOW64\makecab.exe /f "~%TargetName%.DDF"
      4⤵
      PID:2992

C:\Users\Admin\AppData\Local\Temp\C6F.tmp\1.bat

Filesize
1KB

MD5
02dba5f37067292355c6d01a57d4ef48

SHA1
7c67ab3f99fbf7a53018dd295d2968c525db83d9

SHA256
8b74c812ba9e6c536da7edd4101e7e0dddeab8355e5aff095dd31b3f00560242

SHA512
12201f949ee3198c8f4b39cc8edf90a114ecf42ddd5383ed0b87e4c78053cd517786dc7af83557e63a0483af74f4c0117d5568441ae761ff6958e758704d602a

Download Submit
C:\Users\Admin\AppData\Local\Temp\popup.sed

Filesize
99KB

MD5
352cae7c14551627df8a7f07a7f535ce

SHA1
0f1f038c82c580952922823b7f3de366e28461c4

SHA256
2e9c314503d45a0b38b94313ccb338642ccfe1421d3314ae7b6e05073ca7e85c

SHA512
dd1bb902399d5ce6ebf9842304740e7319de914beb42da60325cf286b2acbb0b2d500e75aa3e1277f82d6564b891c71cf8191810ecd49511ac69eaa93ca97579

Download Submit
C:\Users\Admin\AppData\Local\Temp\~%TargetName%.DDF

Filesize
724B

MD5
c3ca008abd6997c4b036a7e8be75cb2c

SHA1
05f7a3527bb04c691b08f040f562582035398829

SHA256
29ef6bf47dcc8c67f1abe1b269d3518d6a4ebe125daa1ea460779638cb9782a3

SHA512
bee0baf3cb83144239077f99f5ca2a6ca7b618f7f51a53e03613ae697e8bc76fa28f5d006296b469be8e1fffeeb35668b5fe87b260b1380cc003815ea9efb083

Download Submit
memory/2948-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2948-17-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download