0470807ca44a272746482ee116ff7c321b2eb6dd6d5e6881c4167f776350dbf1

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
21/05/2024, 05:23

Target

0470807ca44a272746482ee116ff7c321b2eb6dd6d5e6881c4167f776350dbf1_NeikiAnalytics.exe
Size

79KB
MD5

2b82e4a2e7a88df0b367480f011f1830
SHA1

6ee0c3bdf97574f563d40de468a029a917fc640a
SHA256

0470807ca44a272746482ee116ff7c321b2eb6dd6d5e6881c4167f776350dbf1
SHA512

812c7e668a745d9ac5f06f0e69e02635aaf5c4b21cc3a25db3e3cb82936680718aced2cc9e289742d23ed371f25eeb4ce938b63c447d34fe8ddf4db7d26d1120
SSDEEP

1536:zvEzb99PNHUFOQA8AkqUhMb2nuy5wgIP0CSJ+5yyB8GMGlZ5G:zvEPPNHUcGdqU7uy5w9WMyyN5G

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2868	[email protected]

Loads dropped DLL 2 IoCs

pid	Process
2272	cmd.exe
2272	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 2272	1224	0470807ca44a272746482ee116ff7c321b2eb6dd6d5e6881c4167f776350dbf1_NeikiAnalytics.exe	29
PID 1224 wrote to memory of 2272	1224	0470807ca44a272746482ee116ff7c321b2eb6dd6d5e6881c4167f776350dbf1_NeikiAnalytics.exe	29
PID 1224 wrote to memory of 2272	1224	0470807ca44a272746482ee116ff7c321b2eb6dd6d5e6881c4167f776350dbf1_NeikiAnalytics.exe	29
PID 1224 wrote to memory of 2272	1224	0470807ca44a272746482ee116ff7c321b2eb6dd6d5e6881c4167f776350dbf1_NeikiAnalytics.exe	29
PID 2272 wrote to memory of 2868	2272	cmd.exe	30
PID 2272 wrote to memory of 2868	2272	cmd.exe	30
PID 2272 wrote to memory of 2868	2272	cmd.exe	30
PID 2272 wrote to memory of 2868	2272	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\0470807ca44a272746482ee116ff7c321b2eb6dd6d5e6881c4167f776350dbf1_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0470807ca44a272746482ee116ff7c321b2eb6dd6d5e6881c4167f776350dbf1_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c [email protected]
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    [email protected]
    3⤵
    - Executes dropped EXE
    PID:2868

C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
79KB

MD5
a39083d6cb50b63e9d42756e5e66e83d

SHA1
a9adb6217ecbd6ba2a281b78b939f8c6e3f8cbe8

SHA256
e3c632769c236be0f465ce27613d60694c91fcd471675838ad813101fdff814a

SHA512
d5ffed53ffdc8e17cb294bf6f09c5e389125758db67c48da0bbf3b0431268cd1ffb6e0c342579889247614aae92358c9d632ebe52afbac7dd4760a02e7d6c161

Download Submit
memory/1224-8-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2868-7-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download