d0e7cd574d39b6eab14f5e98eb20162327e5e3d82722a1da3c26b4943bbdc258

Analysis

max time kernel
92s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 09:02

Target

b041de6fbce3eee00df2725854488260_NeikiAnalytics.exe
Size

51KB
MD5

b041de6fbce3eee00df2725854488260
SHA1

da7f4127847f934cc815776d3053ba9e388d2d7b
SHA256

d0e7cd574d39b6eab14f5e98eb20162327e5e3d82722a1da3c26b4943bbdc258
SHA512

b356b7362cd78c1be7b6572acd9f2a471422ca64a5c17be64608922ccb8a89d5fe969fb0b561ede817dd78a088b453ced7996d931dc4f9e7b0ef61e8c9add0d5
SSDEEP

1536:ChgHjMpUYGbra2c895ciZ7XHAAAxnNWkVb+qJM5OEgoTfT7D65IOCRb8PKiUIcJN:CsMpUFv3TRXGab8SiUIc6m

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
1740	csghost_temp.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1740	csghost_temp.exe
1740	csghost_temp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2284	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2284	AUDIODG.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3916 wrote to memory of 4064	3916	b041de6fbce3eee00df2725854488260_NeikiAnalytics.exe	81
PID 3916 wrote to memory of 4064	3916	b041de6fbce3eee00df2725854488260_NeikiAnalytics.exe	81
PID 3916 wrote to memory of 4064	3916	b041de6fbce3eee00df2725854488260_NeikiAnalytics.exe	81
PID 4064 wrote to memory of 1740	4064	cmd.exe	83
PID 4064 wrote to memory of 1740	4064	cmd.exe	83
PID 4064 wrote to memory of 1740	4064	cmd.exe	83

C:\Users\Admin\AppData\Local\Temp\b041de6fbce3eee00df2725854488260_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b041de6fbce3eee00df2725854488260_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start csghost_temp.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4064
- - C:\Users\Admin\AppData\Local\Temp\csghost_temp.exe
    csghost_temp.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1740

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2fc 0x514
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Users\Admin\AppData\Local\Temp\csghost_temp.exe

Filesize
27KB

MD5
bfcad45b5b9edcd5884ac9ea573f1c1e

SHA1
db15d7931296af104586ac216be9e31438c432c1

SHA256
99b7c6170656638c71e8c9b1347ed25864209bdf8b26d31f8f5eccc2f81d0590

SHA512
13e236ccaad4ef83a1b5725c301f8babd50021630e89dd23213585267cb433753b927299f6518b219a62418f1a81040e0f7c6144bcfeedac625f5dd15503045d

Download Submit