cobaltstrike | 41644ece96af2c710a353ce39a500929a87b96182e2d0e0cf0bde6fc27f554bb

Analysis

max time kernel
134s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 11:37

Target

41644ece96af2c710a353ce39a500929a87b96182e2d0e0cf0bde6fc27f554bb_NeikiAnalytics.exe
Size

229KB
MD5

1ebed34934afd950c8861ecc0a65f866
SHA1

d5e4f3762932a6a388b4eb35c70a0333f21165ea
SHA256

41644ece96af2c710a353ce39a500929a87b96182e2d0e0cf0bde6fc27f554bb
SHA512

bb8654d2eb362c8b4e0759eced1fb611dcbebf4ef5d47f279c2fb28f7a9b77e71f7f07514b9c32e06b6bb2bc22a0cd69453d8940352915597fa91395394acb43
SSDEEP

6144:rUl132+IcwwtyRfeBgx5uU0jbV555555550:IlbyfeBgzUbq

Score

10^/10

Family

cobaltstrike

http://update.windowsupdate.com.cdn.dnsv1.com:443/FPMz

Attributes

user_agent
User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.40 Host: update.windowsupdate.com

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

41644ece96af2c710a353ce39a500929a87b96182e2d0e0cf0bde6fc27f554bb_NeikiAnalytics.exe

description	pid	process	target process
PID 4400 created 2940	4400	41644ece96af2c710a353ce39a500929a87b96182e2d0e0cf0bde6fc27f554bb_NeikiAnalytics.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

41644ece96af2c710a353ce39a500929a87b96182e2d0e0cf0bde6fc27f554bb_NeikiAnalytics.exe

pid	process
4400	41644ece96af2c710a353ce39a500929a87b96182e2d0e0cf0bde6fc27f554bb_NeikiAnalytics.exe
4400	41644ece96af2c710a353ce39a500929a87b96182e2d0e0cf0bde6fc27f554bb_NeikiAnalytics.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs

Processes:

41644ece96af2c710a353ce39a500929a87b96182e2d0e0cf0bde6fc27f554bb_NeikiAnalytics.exe

pid process

4400 41644ece96af2c710a353ce39a500929a87b96182e2d0e0cf0bde6fc27f554bb_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

41644ece96af2c710a353ce39a500929a87b96182e2d0e0cf0bde6fc27f554bb_NeikiAnalytics.exe

description	pid	process	target process
PID 4400 wrote to memory of 4952	4400	41644ece96af2c710a353ce39a500929a87b96182e2d0e0cf0bde6fc27f554bb_NeikiAnalytics.exe	explorer.exe
PID 4400 wrote to memory of 4952	4400	41644ece96af2c710a353ce39a500929a87b96182e2d0e0cf0bde6fc27f554bb_NeikiAnalytics.exe	explorer.exe
PID 4400 wrote to memory of 4952	4400	41644ece96af2c710a353ce39a500929a87b96182e2d0e0cf0bde6fc27f554bb_NeikiAnalytics.exe	explorer.exe

memory/4400-0-0x000002C712D60000-0x000002C712D61000-memory.dmp

Filesize
4KB

Download
memory/4400-19-0x00007FF76D150000-0x00007FF76D190000-memory.dmp

Filesize
256KB

Download
memory/4952-18-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/4952-20-0x0000000002F40000-0x0000000003340000-memory.dmp

Filesize
4.0MB

Download