1c0b220570048bc2a025fcb4e89e4879a1cd374b5329fa1593d8cf1518d9f73f

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25/05/2024, 14:28

Target

be1564dcd6fe6f29c1318281b738a170_NeikiAnalytics.exe
Size

73KB
MD5

be1564dcd6fe6f29c1318281b738a170
SHA1

8277f0e78b76dbbb1e6585e156d0200810278806
SHA256

1c0b220570048bc2a025fcb4e89e4879a1cd374b5329fa1593d8cf1518d9f73f
SHA512

cbcdbd632ebf2f828b6690a0115939b4748ee91dcef6607c5c1631b417c3c406795515b9c004009522f96675f65edbb3fd0692c87007941a86973ce01e3eb90f
SSDEEP

1536:hbyfGPRcsfK5QPqfhVWbdsmA+RjPFLC+e5hI0ZGUGf2g:h+fG9NPqfcxA+HFshIOg

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
1672	[email protected]

Loads dropped DLL 2 IoCs

pid	Process
1992	cmd.exe
1992	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 1992	2332	be1564dcd6fe6f29c1318281b738a170_NeikiAnalytics.exe	29
PID 2332 wrote to memory of 1992	2332	be1564dcd6fe6f29c1318281b738a170_NeikiAnalytics.exe	29
PID 2332 wrote to memory of 1992	2332	be1564dcd6fe6f29c1318281b738a170_NeikiAnalytics.exe	29
PID 2332 wrote to memory of 1992	2332	be1564dcd6fe6f29c1318281b738a170_NeikiAnalytics.exe	29
PID 1992 wrote to memory of 1672	1992	cmd.exe	30
PID 1992 wrote to memory of 1672	1992	cmd.exe	30
PID 1992 wrote to memory of 1672	1992	cmd.exe	30
PID 1992 wrote to memory of 1672	1992	cmd.exe	30
PID 1672 wrote to memory of 2852	1672	[email protected]	31
PID 1672 wrote to memory of 2852	1672	[email protected]	31
PID 1672 wrote to memory of 2852	1672	[email protected]	31
PID 1672 wrote to memory of 2852	1672	[email protected]	31

C:\Users\Admin\AppData\Local\Temp\be1564dcd6fe6f29c1318281b738a170_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\be1564dcd6fe6f29c1318281b738a170_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c [email protected]
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    [email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1672
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 00.exe
      4⤵
      PID:2852

\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
73KB

MD5
613f7e3d7ddb1f46bacece5f77388095

SHA1
47e828581fef3f58222bb0f2ef5a50ce920ee659

SHA256
395849bd5a1f19741d66529aba7f1af9f5d7f97ac5c5ea9bd44070113d5d7cf0

SHA512
a1b76a4e1979ddb770bce456fdbf2dfb54a24bc842e7c78624962f79246654e8bf15a7f0177bcc1d7d0e9343925d936c8b8f2a59e4899cd075c03b147331c604

Download Submit
memory/1672-10-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2332-11-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download