Analysis
- max time kernel: 146s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 25-05-2024 02:33
Behavioral task: behavioral1
- Sample: 846312476e0ae4e5dea7dabb3fe9f910_NeikiAnalytics.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 846312476e0ae4e5dea7dabb3fe9f910_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 846312476e0ae4e5dea7dabb3fe9f910_NeikiAnalytics.exe
- Size: 98KB
- MD5: 846312476e0ae4e5dea7dabb3fe9f910
- SHA1: 6545b7799803a58c0aa2e42a3d0ac447e2060fed
- SHA256: 01046e01bae27400fbabcdfa85148e0d17a2ef0b94ba1f2a1fd2172546603e3a
- SHA512: eab296e448cf2d7cc926c22e738902393859bb61838e08e845c3759f92e0791cf87c83b4c65a245c8bdbf6667ae9d47a6e2658bc74e4442c2e536a53f07a7a13
- SSDEEP: 1536:LCsijmb+6BQyusX1UjtA0uWRf/eloco9F1jVEyt:GxD6jSm0uWRfCobFjVES
Malware Config
Signatures
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
description                        | pid  | process                                              | target process
PID 2176 wrote to memory of 2204   | 2176 | 846312476e0ae4e5dea7dabb3fe9f910_NeikiAnalytics.exe  | cmd.exe
PID 2176 wrote to memory of 2204   | 2176 | 846312476e0ae4e5dea7dabb3fe9f910_NeikiAnalytics.exe  | cmd.exe
PID 2176 wrote to memory of 2204   | 2176 | 846312476e0ae4e5dea7dabb3fe9f910_NeikiAnalytics.exe  | cmd.exe
PID 2176 wrote to memory of 2204   | 2176 | 846312476e0ae4e5dea7dabb3fe9f910_NeikiAnalytics.exe  | cmd.exe
PID 2176 wrote to memory of 2204   | 2176 | 846312476e0ae4e5dea7dabb3fe9f910_NeikiAnalytics.exe  | cmd.exe
PID 2176 wrote to memory of 2204   | 2176 | 846312476e0ae4e5dea7dabb3fe9f910_NeikiAnalytics.exe  | cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\846312476e0ae4e5dea7dabb3fe9f910_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\846312476e0ae4e5dea7dabb3fe9f910_NeikiAnalytics.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe"