4309856e9d674296a5b8c84c225b41354a2cd1763e4f6316be62f683f8ffda41

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
14/05/2024, 06:11

Target

90bb69a38d2d069eecf08ab922a96860_NeikiAnalytics.exe
Size

73KB
MD5

90bb69a38d2d069eecf08ab922a96860
SHA1

f9af87e860e8ad8f87451e62aae6495fa7aba757
SHA256

4309856e9d674296a5b8c84c225b41354a2cd1763e4f6316be62f683f8ffda41
SHA512

f059c34ff266507f1a7a879a02f33e4d7dc7556f889ede31695e9dae0f2e5720454909ec1d13d45e426895fda2e4d6315993645e626094815d0e0264f14ffc36
SSDEEP

1536:hbLWt0pG7PK5QPqfhVWbdsmA+RjPFLC+e5hr0ZGUGf2g:hZAPNPqfcxA+HFshrOg

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
1244	[email protected]

Loads dropped DLL 2 IoCs

pid	Process
2376	cmd.exe
2376	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 2376	2796	90bb69a38d2d069eecf08ab922a96860_NeikiAnalytics.exe	29
PID 2796 wrote to memory of 2376	2796	90bb69a38d2d069eecf08ab922a96860_NeikiAnalytics.exe	29
PID 2796 wrote to memory of 2376	2796	90bb69a38d2d069eecf08ab922a96860_NeikiAnalytics.exe	29
PID 2796 wrote to memory of 2376	2796	90bb69a38d2d069eecf08ab922a96860_NeikiAnalytics.exe	29
PID 2376 wrote to memory of 1244	2376	cmd.exe	30
PID 2376 wrote to memory of 1244	2376	cmd.exe	30
PID 2376 wrote to memory of 1244	2376	cmd.exe	30
PID 2376 wrote to memory of 1244	2376	cmd.exe	30
PID 1244 wrote to memory of 2752	1244	[email protected]	31
PID 1244 wrote to memory of 2752	1244	[email protected]	31
PID 1244 wrote to memory of 2752	1244	[email protected]	31
PID 1244 wrote to memory of 2752	1244	[email protected]	31

C:\Users\Admin\AppData\Local\Temp\90bb69a38d2d069eecf08ab922a96860_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\90bb69a38d2d069eecf08ab922a96860_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c [email protected]
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    [email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1244
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 00.exe
      4⤵
      PID:2752

C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
73KB

MD5
fdd00c80308aa4d626dd9631119058bc

SHA1
7c7f1e31779250b3c3132efad74ebd7871a9d241

SHA256
a178434302a00e4b39133bdd2545c8a9add712ecced48f17375ef405a0fe513a

SHA512
7c455e245b2f66c4da7e7c7c1bd93605d4e896e56bf855b20b9272bfa0107bcea14ad71f6bc1ac634eb89e6799154570b28c4f2f4713e37b416a51896072342a

Download Submit
memory/1244-10-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2796-11-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download