c386cd5930e3fb20ba131be8d4f76ff6c63d14b30a47eb6cdcc823ef06e408e8

Analysis

max time kernel
141s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19/05/2024, 20:11

Target

2db98881fb679a4679b40813db8eaf40_NeikiAnalytics.exe
Size

76KB
MD5

2db98881fb679a4679b40813db8eaf40
SHA1

7724925258d8e79d6bbab186efb0aa6700591b4e
SHA256

c386cd5930e3fb20ba131be8d4f76ff6c63d14b30a47eb6cdcc823ef06e408e8
SHA512

5f48e2fbe915e545c9d7c6f205476e6f56b7f1c5a893d9acd0fbdc31643effac91255ac11c0da40609ad85c2683d77417437d24c84ab65b94aa157824938b6bc
SSDEEP

768:vCru/f9Iw/E6zy4n8uZ5tUXMJ+fROUmELY2glEbM3j+rd+fpRiTWNReOOnCru/fW:71Tzy48untU8fOMEI3jyYfPiuODW

Score

1^/10

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 3744	4468	2db98881fb679a4679b40813db8eaf40_NeikiAnalytics.exe	83
PID 4468 wrote to memory of 3744	4468	2db98881fb679a4679b40813db8eaf40_NeikiAnalytics.exe	83
PID 4468 wrote to memory of 3744	4468	2db98881fb679a4679b40813db8eaf40_NeikiAnalytics.exe	83
PID 3744 wrote to memory of 436	3744	cmd.exe	84
PID 3744 wrote to memory of 436	3744	cmd.exe	84
PID 3744 wrote to memory of 436	3744	cmd.exe	84
PID 436 wrote to memory of 2512	436	iexpress.exe	85
PID 436 wrote to memory of 2512	436	iexpress.exe	85
PID 436 wrote to memory of 2512	436	iexpress.exe	85

C:\Users\Admin\AppData\Local\Temp\2db98881fb679a4679b40813db8eaf40_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2db98881fb679a4679b40813db8eaf40_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\449A.tmp\1.bat" "C:\Users\Admin\AppData\Local\Temp\2db98881fb679a4679b40813db8eaf40_NeikiAnalytics.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3744
- - C:\Windows\SysWOW64\iexpress.exe
    iexpress /n /q /m C:\Users\Admin\AppData\Local\Temp\popup.sed
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:436
  - - C:\Windows\SysWOW64\makecab.exe
      C:\Windows\SysWOW64\makecab.exe /f "~%TargetName%.DDF"
      4⤵
      PID:2512

C:\Users\Admin\AppData\Local\Temp\449A.tmp\1.bat

Filesize
1KB

MD5
02dba5f37067292355c6d01a57d4ef48

SHA1
7c67ab3f99fbf7a53018dd295d2968c525db83d9

SHA256
8b74c812ba9e6c536da7edd4101e7e0dddeab8355e5aff095dd31b3f00560242

SHA512
12201f949ee3198c8f4b39cc8edf90a114ecf42ddd5383ed0b87e4c78053cd517786dc7af83557e63a0483af74f4c0117d5568441ae761ff6958e758704d602a

Download Submit
C:\Users\Admin\AppData\Local\Temp\popup.sed

Filesize
76KB

MD5
dccb497b0175bd8a9d85c58df122952b

SHA1
013fc072480eb69e4048fbde99f8cecaa220cbea

SHA256
13e9c1eeab4eb5a37f26ab42e91db9756e0265c2d3756cebcfa3a3a4a3b1d9aa

SHA512
b04a8e792e5ee362703cf04722c86960f8b6c5d11157d6eb4160b210bc42ee92d14f713cd8abc7211e6b4b8af4acd409f47b0174129b3f29f062e2e39f82869c

Download Submit
C:\Users\Admin\AppData\Local\Temp\~%TargetName%.DDF

Filesize
724B

MD5
c3ca008abd6997c4b036a7e8be75cb2c

SHA1
05f7a3527bb04c691b08f040f562582035398829

SHA256
29ef6bf47dcc8c67f1abe1b269d3518d6a4ebe125daa1ea460779638cb9782a3

SHA512
bee0baf3cb83144239077f99f5ca2a6ca7b618f7f51a53e03613ae697e8bc76fa28f5d006296b469be8e1fffeeb35668b5fe87b260b1380cc003815ea9efb083

Download Submit