d50b045f7271e0e451d96162db7326aa73a41c4351f62a7a4a8e70890e4fb7d7

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 06:59

Target

9d88f97725ca1fea179f216762c25640_NeikiAnalytics.exe
Size

68KB
MD5

9d88f97725ca1fea179f216762c25640
SHA1

598663b05977bcd2668f3fa9a0494e696b86104b
SHA256

d50b045f7271e0e451d96162db7326aa73a41c4351f62a7a4a8e70890e4fb7d7
SHA512

f4f3bc40274f3464c0a7fa7bc3c5cc767e5c5d61d61fbba2fb485800221f55e719f8f822fbf257ce3fe610a02923f6968705659341ac4e79bd7a84f6b4dd4011
SSDEEP

768:GlCro/f9Uw/E6zy4n8uZ5tUXMJ+fROUmELY2glEbM3j+rd+fpR0OTW/ReOOOi:GPRTzy48untU8fOMEI3jyYfPBYOOi

Score

1^/10

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4320 wrote to memory of 3384	4320	9d88f97725ca1fea179f216762c25640_NeikiAnalytics.exe	82
PID 4320 wrote to memory of 3384	4320	9d88f97725ca1fea179f216762c25640_NeikiAnalytics.exe	82
PID 4320 wrote to memory of 3384	4320	9d88f97725ca1fea179f216762c25640_NeikiAnalytics.exe	82
PID 3384 wrote to memory of 4140	3384	cmd.exe	84
PID 3384 wrote to memory of 4140	3384	cmd.exe	84
PID 3384 wrote to memory of 4140	3384	cmd.exe	84
PID 4140 wrote to memory of 3524	4140	iexpress.exe	85
PID 4140 wrote to memory of 3524	4140	iexpress.exe	85
PID 4140 wrote to memory of 3524	4140	iexpress.exe	85

C:\Users\Admin\AppData\Local\Temp\9d88f97725ca1fea179f216762c25640_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9d88f97725ca1fea179f216762c25640_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5072.tmp\1.bat" "C:\Users\Admin\AppData\Local\Temp\9d88f97725ca1fea179f216762c25640_NeikiAnalytics.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3384
- - C:\Windows\SysWOW64\iexpress.exe
    iexpress /n /q /m C:\Users\Admin\AppData\Local\Temp\popup.sed
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4140
  - - C:\Windows\SysWOW64\makecab.exe
      C:\Windows\SysWOW64\makecab.exe /f "~%TargetName%.DDF"
      4⤵
      PID:3524

C:\Users\Admin\AppData\Local\Temp\5072.tmp\1.bat

Filesize
1KB

MD5
02dba5f37067292355c6d01a57d4ef48

SHA1
7c67ab3f99fbf7a53018dd295d2968c525db83d9

SHA256
8b74c812ba9e6c536da7edd4101e7e0dddeab8355e5aff095dd31b3f00560242

SHA512
12201f949ee3198c8f4b39cc8edf90a114ecf42ddd5383ed0b87e4c78053cd517786dc7af83557e63a0483af74f4c0117d5568441ae761ff6958e758704d602a

Download Submit
C:\Users\Admin\AppData\Local\Temp\popup.sed

Filesize
68KB

MD5
1a138c84a3cb779613605787e431f0cf

SHA1
4bdfbdc69513041fc80a716ed2d64a638ea658e4

SHA256
5d61f88f028343b060d7aab069dc917a59bbaa711ce9f27d2ce282fe87493dc8

SHA512
382189bf418a60c8c0bfffbd1197251e98d795bf32fb4ab8a12f3abe3c43a38ddbf3824588f19fa5a9a6c9c7c3e9d565f46e61ec54b6ecbde1ff85a2a8f6e32d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~%TargetName%.DDF

Filesize
724B

MD5
c3ca008abd6997c4b036a7e8be75cb2c

SHA1
05f7a3527bb04c691b08f040f562582035398829

SHA256
29ef6bf47dcc8c67f1abe1b269d3518d6a4ebe125daa1ea460779638cb9782a3

SHA512
bee0baf3cb83144239077f99f5ca2a6ca7b618f7f51a53e03613ae697e8bc76fa28f5d006296b469be8e1fffeeb35668b5fe87b260b1380cc003815ea9efb083

Download Submit
memory/4320-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4320-12-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download