91905fa43d54f52694be04511cd36ca16e426ca146ac26a4261b4b7a8a8c11fc

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
13-05-2024 21:02

Target

19b2ae8e598937891c380970ea876190_NeikiAnalytics.exe
Size

73KB
MD5

19b2ae8e598937891c380970ea876190
SHA1

71c6eb7a9290d5c0fcf86b9cc78fdc2513fa7e85
SHA256

91905fa43d54f52694be04511cd36ca16e426ca146ac26a4261b4b7a8a8c11fc
SHA512

fc0217e32b3c6de8057ee98bcb5eb6b669c0642ba79f1a2b4d2546334e75beb791fdfe751ffbd54cd263116e640f8d76f4d3fe7eabe7001ebea406e80a1e9ef6
SSDEEP

1536:hbaJckqAK5QPqfhVWbdsmA+RjPFLC+e5hA0ZGUGf2g:htANPqfcxA+HFshAOg

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2616	[email protected]

Loads dropped DLL 2 IoCs

pid	Process
2520	cmd.exe
2520	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 2520	1660	19b2ae8e598937891c380970ea876190_NeikiAnalytics.exe	29
PID 1660 wrote to memory of 2520	1660	19b2ae8e598937891c380970ea876190_NeikiAnalytics.exe	29
PID 1660 wrote to memory of 2520	1660	19b2ae8e598937891c380970ea876190_NeikiAnalytics.exe	29
PID 1660 wrote to memory of 2520	1660	19b2ae8e598937891c380970ea876190_NeikiAnalytics.exe	29
PID 2520 wrote to memory of 2616	2520	cmd.exe	30
PID 2520 wrote to memory of 2616	2520	cmd.exe	30
PID 2520 wrote to memory of 2616	2520	cmd.exe	30
PID 2520 wrote to memory of 2616	2520	cmd.exe	30
PID 2616 wrote to memory of 2712	2616	[email protected]	31
PID 2616 wrote to memory of 2712	2616	[email protected]	31
PID 2616 wrote to memory of 2712	2616	[email protected]	31
PID 2616 wrote to memory of 2712	2616	[email protected]	31

C:\Users\Admin\AppData\Local\Temp\19b2ae8e598937891c380970ea876190_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\19b2ae8e598937891c380970ea876190_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c [email protected]
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    [email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 00.exe
      4⤵
      PID:2712

\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
73KB

MD5
89602f26f90988f45b0bc839a9d4b009

SHA1
50fc1daaf670df081c8092315c245613c2a75df8

SHA256
14e075fb3f28def55f5708d2d94ee4484f2afaca8fddd0c8dedd2bacb258b7f9

SHA512
a313142ba44e1490e2969a04d44a6ccdb5dc031daf4ac24c59e2a9e826542a1ff7e3bf71bc3d4bef423b0b79c016f7c01d68ebe0c57b66cceb1f29ee6eadb35f

Download Submit
memory/1660-11-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2616-10-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download