26372ce8a6fb3e15a1a21da11e9f783da8f4566717e92f812e3e6c44520bbe1b

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
10-05-2024 12:48

Target

e5460d2874bf94c12959dd8d87b99ac0_NeikiAnalytics.exe
Size

73KB
MD5

e5460d2874bf94c12959dd8d87b99ac0
SHA1

5e258f7f4502cc3e146c4c44d767cadeb9c6e638
SHA256

26372ce8a6fb3e15a1a21da11e9f783da8f4566717e92f812e3e6c44520bbe1b
SHA512

e1b038137cdda7a64301b3eb9fb0f31c1f14a3090fdb0c35cd68d2b81f6b0376eae24d1b34e48a8d644b32a1d2163b41153d3eb45b64c6fea7f0e22656bd2387
SSDEEP

1536:hbjR9dvD2K5QPqfhVWbdsmA+RjPFLC+e5h40ZGUGf2g:h3dviNPqfcxA+HFsh4Og

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
1964	[email protected]

Loads dropped DLL 2 IoCs

pid	Process
2188	cmd.exe
2188	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 2188	2916	e5460d2874bf94c12959dd8d87b99ac0_NeikiAnalytics.exe	29
PID 2916 wrote to memory of 2188	2916	e5460d2874bf94c12959dd8d87b99ac0_NeikiAnalytics.exe	29
PID 2916 wrote to memory of 2188	2916	e5460d2874bf94c12959dd8d87b99ac0_NeikiAnalytics.exe	29
PID 2916 wrote to memory of 2188	2916	e5460d2874bf94c12959dd8d87b99ac0_NeikiAnalytics.exe	29
PID 2188 wrote to memory of 1964	2188	cmd.exe	30
PID 2188 wrote to memory of 1964	2188	cmd.exe	30
PID 2188 wrote to memory of 1964	2188	cmd.exe	30
PID 2188 wrote to memory of 1964	2188	cmd.exe	30
PID 1964 wrote to memory of 3000	1964	[email protected]	31
PID 1964 wrote to memory of 3000	1964	[email protected]	31
PID 1964 wrote to memory of 3000	1964	[email protected]	31
PID 1964 wrote to memory of 3000	1964	[email protected]	31

C:\Users\Admin\AppData\Local\Temp\e5460d2874bf94c12959dd8d87b99ac0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e5460d2874bf94c12959dd8d87b99ac0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c [email protected]
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    [email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1964
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 00.exe
      4⤵
      PID:3000

\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
73KB

MD5
a7b95252a0dac634b50759d7d0109c83

SHA1
80ab1fd6d491189b04380396bf6617453f2df1dd

SHA256
3add3337cc82e2bff39298261333895d06ca7a3e66d252de7a4b8d0316830109

SHA512
a2ab45fec060290f02ae2fa20854766597799d64bbb81a542e29b9b90bd22471e2d7c86c083915e75d85d772ce95cc1e887d346aed82bb7e0df640d680b66b51

Download Submit
memory/1964-10-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2916-11-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download