e1a6e1d3f3396a419dd2c61e6a0a9bdabdeaf39ea036155027bce3448baad020

Analysis

max time kernel
141s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 11:33

Target

d2fbf1a97a29182e13053ee096a9ba60_NeikiAnalytics.exe
Size

61KB
MD5

d2fbf1a97a29182e13053ee096a9ba60
SHA1

056fd59691368cdbc92864e623bbe86ddfcfbed6
SHA256

e1a6e1d3f3396a419dd2c61e6a0a9bdabdeaf39ea036155027bce3448baad020
SHA512

595705b7af158f887035277de296c3b8646e9297e7228ad536a1e4a06b1db5b8d712af529f28017a93734bdbec5880f4b78a0157ae1e932b03ce22f60ade8e48
SSDEEP

768:BCrk/f9Uw/E6zy4n8uZ5tUXMJ+fROUmELY2glEbM3j+rsfpRfLTWLReOORuR:3RTzy48untU8fOMEI3jysfPDEORuR

Score

1^/10

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3612 wrote to memory of 5052	3612	d2fbf1a97a29182e13053ee096a9ba60_NeikiAnalytics.exe	86
PID 3612 wrote to memory of 5052	3612	d2fbf1a97a29182e13053ee096a9ba60_NeikiAnalytics.exe	86
PID 3612 wrote to memory of 5052	3612	d2fbf1a97a29182e13053ee096a9ba60_NeikiAnalytics.exe	86
PID 5052 wrote to memory of 4340	5052	cmd.exe	87
PID 5052 wrote to memory of 4340	5052	cmd.exe	87
PID 5052 wrote to memory of 4340	5052	cmd.exe	87
PID 4340 wrote to memory of 4600	4340	iexpress.exe	88
PID 4340 wrote to memory of 4600	4340	iexpress.exe	88
PID 4340 wrote to memory of 4600	4340	iexpress.exe	88

C:\Users\Admin\AppData\Local\Temp\d2fbf1a97a29182e13053ee096a9ba60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d2fbf1a97a29182e13053ee096a9ba60_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6830.tmp\1.bat" "C:\Users\Admin\AppData\Local\Temp\d2fbf1a97a29182e13053ee096a9ba60_NeikiAnalytics.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Windows\SysWOW64\iexpress.exe
    iexpress /n /q /m C:\Users\Admin\AppData\Local\Temp\popup.sed
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4340
  - - C:\Windows\SysWOW64\makecab.exe
      C:\Windows\SysWOW64\makecab.exe /f "~%TargetName%.DDF"
      4⤵
      PID:4600

C:\Users\Admin\AppData\Local\Temp\6830.tmp\1.bat

Filesize
1KB

MD5
02dba5f37067292355c6d01a57d4ef48

SHA1
7c67ab3f99fbf7a53018dd295d2968c525db83d9

SHA256
8b74c812ba9e6c536da7edd4101e7e0dddeab8355e5aff095dd31b3f00560242

SHA512
12201f949ee3198c8f4b39cc8edf90a114ecf42ddd5383ed0b87e4c78053cd517786dc7af83557e63a0483af74f4c0117d5568441ae761ff6958e758704d602a

Download Submit
C:\Users\Admin\AppData\Local\Temp\popup.sed

Filesize
62KB

MD5
319f1e317af49a772f573ba4cbd24216

SHA1
35f079b298c6ae608b99b00a54ea7f91f4de2439

SHA256
39ae876481c2ee492e3ea8573bf2b51cd989c3694ad07ca1d6b27387c776b563

SHA512
769153612d0b707beafc2b96ab3c62ccf8030fa357fe60f3727e81076166507916e44f41fc339253df33069e0b7abaed136a91a3636457826e06bf072ce13544

Download Submit
C:\Users\Admin\AppData\Local\Temp\~%TargetName%.DDF

Filesize
724B

MD5
c3ca008abd6997c4b036a7e8be75cb2c

SHA1
05f7a3527bb04c691b08f040f562582035398829

SHA256
29ef6bf47dcc8c67f1abe1b269d3518d6a4ebe125daa1ea460779638cb9782a3

SHA512
bee0baf3cb83144239077f99f5ca2a6ca7b618f7f51a53e03613ae697e8bc76fa28f5d006296b469be8e1fffeeb35668b5fe87b260b1380cc003815ea9efb083

Download Submit
memory/3612-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3612-12-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download