d0e7cd574d39b6eab14f5e98eb20162327e5e3d82722a1da3c26b4943bbdc258

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
10-05-2024 09:02

Target

b041de6fbce3eee00df2725854488260_NeikiAnalytics.exe
Size

51KB
MD5

b041de6fbce3eee00df2725854488260
SHA1

da7f4127847f934cc815776d3053ba9e388d2d7b
SHA256

d0e7cd574d39b6eab14f5e98eb20162327e5e3d82722a1da3c26b4943bbdc258
SHA512

b356b7362cd78c1be7b6572acd9f2a471422ca64a5c17be64608922ccb8a89d5fe969fb0b561ede817dd78a088b453ced7996d931dc4f9e7b0ef61e8c9add0d5
SSDEEP

1536:ChgHjMpUYGbra2c895ciZ7XHAAAxnNWkVb+qJM5OEgoTfT7D65IOCRb8PKiUIcJN:CsMpUFv3TRXGab8SiUIc6m

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2988	csghost_temp.exe

Loads dropped DLL 1 IoCs

pid	Process
1932	cmd.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2988	csghost_temp.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 1932	1632	b041de6fbce3eee00df2725854488260_NeikiAnalytics.exe	28
PID 1632 wrote to memory of 1932	1632	b041de6fbce3eee00df2725854488260_NeikiAnalytics.exe	28
PID 1632 wrote to memory of 1932	1632	b041de6fbce3eee00df2725854488260_NeikiAnalytics.exe	28
PID 1632 wrote to memory of 1932	1632	b041de6fbce3eee00df2725854488260_NeikiAnalytics.exe	28
PID 1932 wrote to memory of 2988	1932	cmd.exe	30
PID 1932 wrote to memory of 2988	1932	cmd.exe	30
PID 1932 wrote to memory of 2988	1932	cmd.exe	30
PID 1932 wrote to memory of 2988	1932	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\b041de6fbce3eee00df2725854488260_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b041de6fbce3eee00df2725854488260_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start csghost_temp.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Users\Admin\AppData\Local\Temp\csghost_temp.exe
    csghost_temp.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2988

C:\Users\Admin\AppData\Local\Temp\csghost_temp.exe

Filesize
27KB

MD5
bfcad45b5b9edcd5884ac9ea573f1c1e

SHA1
db15d7931296af104586ac216be9e31438c432c1

SHA256
99b7c6170656638c71e8c9b1347ed25864209bdf8b26d31f8f5eccc2f81d0590

SHA512
13e236ccaad4ef83a1b5725c301f8babd50021630e89dd23213585267cb433753b927299f6518b219a62418f1a81040e0f7c6144bcfeedac625f5dd15503045d

Download Submit