0e0705194fb24dbf4b399451307c85adfd286e2285f4113c1616a5e5f5fdcaa3

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
21/05/2024, 06:16

Target

0e0705194fb24dbf4b399451307c85adfd286e2285f4113c1616a5e5f5fdcaa3_NeikiAnalytics.exe
Size

79KB
MD5

118d707b05c51a881ab8793615450710
SHA1

22413c8011c9839cb2619cf0c31ae829c9929571
SHA256

0e0705194fb24dbf4b399451307c85adfd286e2285f4113c1616a5e5f5fdcaa3
SHA512

7da24955fbaa04a99d7fedf40b29eaaeefb0d658985b95d553431bd376478805bdbb82c1dec35334fdf8fc55a9e571fa30ea7dea97dee82bbf790236db618709
SSDEEP

1536:zvnQ97QhjYrr259AZOQA8AkqUhMb2nuy5wgIP0CSJ+5yiB8GMGlZ5G:zvnQx3f259A4GdqU7uy5w9WMyiN5G

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
3028	[email protected]

Loads dropped DLL 2 IoCs

pid	Process
1948	cmd.exe
1948	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 1948	2364	0e0705194fb24dbf4b399451307c85adfd286e2285f4113c1616a5e5f5fdcaa3_NeikiAnalytics.exe	29
PID 2364 wrote to memory of 1948	2364	0e0705194fb24dbf4b399451307c85adfd286e2285f4113c1616a5e5f5fdcaa3_NeikiAnalytics.exe	29
PID 2364 wrote to memory of 1948	2364	0e0705194fb24dbf4b399451307c85adfd286e2285f4113c1616a5e5f5fdcaa3_NeikiAnalytics.exe	29
PID 2364 wrote to memory of 1948	2364	0e0705194fb24dbf4b399451307c85adfd286e2285f4113c1616a5e5f5fdcaa3_NeikiAnalytics.exe	29
PID 1948 wrote to memory of 3028	1948	cmd.exe	30
PID 1948 wrote to memory of 3028	1948	cmd.exe	30
PID 1948 wrote to memory of 3028	1948	cmd.exe	30
PID 1948 wrote to memory of 3028	1948	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\0e0705194fb24dbf4b399451307c85adfd286e2285f4113c1616a5e5f5fdcaa3_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0e0705194fb24dbf4b399451307c85adfd286e2285f4113c1616a5e5f5fdcaa3_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c [email protected]
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    [email protected]
    3⤵
    - Executes dropped EXE
    PID:3028

\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
79KB

MD5
67a37c86fe51de4f822b1e22d3380592

SHA1
829f4ac0b8c8fb410efc90380ba2681097254541

SHA256
1dfe4d599d60c9af897f6e62ca8f5052dbb8f2533880a7a090da5efb4231f702

SHA512
b025828df7b2b75e00820e4547c2899bc96e65a1be4086acfff9b4180c5d409c06c2bfb0ba7fcb5eeebed59ce59bfe2e4be5115b19257ed48e5cf0befd63a0a3

Download Submit
memory/2364-8-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3028-7-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download