dc693853c0cfc83ddf942e625af511bbd24e31bb6138d49878022b17a0b5a76d

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/05/2024, 01:54

Target

f13664a2cb5e736bf0dd5f15db900580_NeikiAnalytics.exe
Size

73KB
MD5

f13664a2cb5e736bf0dd5f15db900580
SHA1

72a72e14d69825f18fc41d398e8acce24ebdbdae
SHA256

dc693853c0cfc83ddf942e625af511bbd24e31bb6138d49878022b17a0b5a76d
SHA512

0c2ea696213d410e1c7f051042010ccb0c0d96e9fb1fbf48775f97a6bec101973aa9cd805c7e644a5f04d7fab103077190c0b01208dca3635de057c149507256
SSDEEP

1536:hbe2f0xXOeK5QPqfhVWbdsmA+RjPFLC+e5h70ZGUGf2g:hH0hbNPqfcxA+HFsh7Og

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2948	[email protected]

Loads dropped DLL 2 IoCs

pid	Process
2944	cmd.exe
2944	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 2944	2024	f13664a2cb5e736bf0dd5f15db900580_NeikiAnalytics.exe	29
PID 2024 wrote to memory of 2944	2024	f13664a2cb5e736bf0dd5f15db900580_NeikiAnalytics.exe	29
PID 2024 wrote to memory of 2944	2024	f13664a2cb5e736bf0dd5f15db900580_NeikiAnalytics.exe	29
PID 2024 wrote to memory of 2944	2024	f13664a2cb5e736bf0dd5f15db900580_NeikiAnalytics.exe	29
PID 2944 wrote to memory of 2948	2944	cmd.exe	30
PID 2944 wrote to memory of 2948	2944	cmd.exe	30
PID 2944 wrote to memory of 2948	2944	cmd.exe	30
PID 2944 wrote to memory of 2948	2944	cmd.exe	30
PID 2948 wrote to memory of 2476	2948	[email protected]	31
PID 2948 wrote to memory of 2476	2948	[email protected]	31
PID 2948 wrote to memory of 2476	2948	[email protected]	31
PID 2948 wrote to memory of 2476	2948	[email protected]	31

C:\Users\Admin\AppData\Local\Temp\f13664a2cb5e736bf0dd5f15db900580_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\f13664a2cb5e736bf0dd5f15db900580_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c [email protected]
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    [email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 16256.exe
      4⤵
      PID:2476

C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
73KB

MD5
44ae1c1ee56d95b6b79bc53aea758da3

SHA1
f49b4fe2006b8fdc53027b3f5a303d26b64a85bb

SHA256
f888d394a37b040264a191c7f2eff8239cab790fc12627ca81a904026fce7c90

SHA512
14324ddc8db8da20f4adc05be613328430946b65e0cd6b73762f1f26ec75922d3bc4d81a25ddfa9853bd5fb0c2360ee488375c2ee2b16b130d1666572a2e5c55

Download Submit
memory/2024-11-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2948-10-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download