787d06f6cc112acb09877929fd6cb0e9d8c5e4d68e67ac2d64b3ee42e8093f20

Analysis

max time kernel
149s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 19:22

Target

05e4ce4aacb645a1453f0488d8751190_NeikiAnalytics.exe
Size

714KB
MD5

05e4ce4aacb645a1453f0488d8751190
SHA1

bb177c865b8c066fd0b969c3feb65959bdffc35d
SHA256

787d06f6cc112acb09877929fd6cb0e9d8c5e4d68e67ac2d64b3ee42e8093f20
SHA512

f19a2d752d83b2f7ae9f993dcc5a8e889bdaf99f3309b071d0af8f13a5e4f2782158fe3013381bebfa1137cc90be45d52a33a84f9ce1737d7f7610c2b5faa686
SSDEEP

12288:q+o7D6DHPQiJN3D0s9x6uQhFg523D6GvFz2fLHbJhz7Vj1JNM:Lo6D4i73D0sM3RFahz7V1JNM

Score

7^/10

Executes dropped EXE 1 IoCs

Processes:

SWDTKSelfExtract.dat

pid process

1132 SWDTKSelfExtract.dat
Loads dropped DLL 1 IoCs

Processes:

05e4ce4aacb645a1453f0488d8751190_NeikiAnalytics.exe

pid process

4204 05e4ce4aacb645a1453f0488d8751190_NeikiAnalytics.exe

pid	process
1132	SWDTKSelfExtract.dat

pid	process
4204	05e4ce4aacb645a1453f0488d8751190_NeikiAnalytics.exe

Drops file in Windows directory 2 IoCs

Processes:

expand.exe

description	ioc	process
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

SWDTKSelfExtract.dat

pid process

1132 SWDTKSelfExtract.dat
1132 SWDTKSelfExtract.dat

pid	process
1132	SWDTKSelfExtract.dat
1132	SWDTKSelfExtract.dat

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

05e4ce4aacb645a1453f0488d8751190_NeikiAnalytics.execmd.exe

description	pid	process	target process
PID 4204 wrote to memory of 564	4204	05e4ce4aacb645a1453f0488d8751190_NeikiAnalytics.exe	cmd.exe
PID 4204 wrote to memory of 564	4204	05e4ce4aacb645a1453f0488d8751190_NeikiAnalytics.exe	cmd.exe
PID 4204 wrote to memory of 564	4204	05e4ce4aacb645a1453f0488d8751190_NeikiAnalytics.exe	cmd.exe
PID 564 wrote to memory of 2812	564	cmd.exe	expand.exe
PID 564 wrote to memory of 2812	564	cmd.exe	expand.exe
PID 564 wrote to memory of 2812	564	cmd.exe	expand.exe
PID 4204 wrote to memory of 1132	4204	05e4ce4aacb645a1453f0488d8751190_NeikiAnalytics.exe	SWDTKSelfExtract.dat
PID 4204 wrote to memory of 1132	4204	05e4ce4aacb645a1453f0488d8751190_NeikiAnalytics.exe	SWDTKSelfExtract.dat
PID 4204 wrote to memory of 1132	4204	05e4ce4aacb645a1453f0488d8751190_NeikiAnalytics.exe	SWDTKSelfExtract.dat

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "EXPAND "C:\Users\Admin\AppData\Local\Temp\7-zip32_0.dat" "C:\Users\Admin\AppData\Local\Temp\7-zip32_0.dll""
2⤵
- Suspicious use of WriteProcessMemory
PID:564

C:\Windows\SysWOW64\expand.exe
EXPAND "C:\Users\Admin\AppData\Local\Temp\7-zip32_0.dat" "C:\Users\Admin\AppData\Local\Temp\7-zip32_0.dll"
3⤵
- Drops file in Windows directory
PID:2812

C:\Users\Admin\AppData\Local\Temp\7-zip32_0.dll
Filesize
625KB

MD5
52f1fd0614e8c290f44c74062382ac18

SHA1
445f4f16c25e64f55217d6799cf3ffd7e2643c59

SHA256
bb3d272d1b8f67724f77deab8b0fce886bc7bafd74ae2d53c462cd6c6fb61517

SHA512
13bda94c20c8d7ad6dc2a383a6827db9098239ac04f6d77a2a321263814b7cb8b8edf04c235ed27c0cc66b2dedef9dce9f9e52477ed99fdbda3cbbe58b352ea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\SWDTKSelfExtract_0\SWDTKSelfExtract.dat
Filesize
395KB

MD5
9897d82fe8c0a76e923a90578c0f9c4e

SHA1
e665ae647283542199bd48111f23a18a0a6ce86c

SHA256
e431ea55bab7800542472c152716e25cb61b996e193ee0d7707553aa3382fdaa

SHA512
d223fbc05b91b85d90bef247214e3701460e7674878141e6de0bd1e33aba0fd43f93a97147d1ef9a5804b1232f4797a684e6aaf81b51d41406b9d623838770e1

Download Submit
\??\c:\users\admin\appdata\local\temp\7-zip32_0.dat
Filesize
354KB

MD5
92f2bc9536723270040ef6d288d51f07

SHA1
aefd381d18a1c6620c39fb3ae417d63bc5ec4d5d

SHA256
1d27b9f993550f2daaaa2f87c433c5c813e56fce6cba6ba18926762942a91f1d

SHA512
40f2fbc89541627a02aaec7864154fb9861ffc4322e03d87f8ad98db7658d01cc7d8330bbbbbb8323dc7c563b9105a209927dd8a45d1eed02698c30ce78643ab

Download Submit