8e16d8ebe0c84c82502817c70b52ce28441e4b816b60f1cb414f7b6d31e48f44

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 15:34

Target

f565b71c40ed6df07a314aca8a9044b0_NeikiAnalytics.exe
Size

73KB
MD5

f565b71c40ed6df07a314aca8a9044b0
SHA1

731394f6e8a5d2c2c92644ac2619589a6df1f5b4
SHA256

8e16d8ebe0c84c82502817c70b52ce28441e4b816b60f1cb414f7b6d31e48f44
SHA512

f4a6af61deb5f5edf87b6344b4d1771c73f197fffc1636e09a5b3041d752523c77f4efe117ea4d48d7cd0a50959a89df03dd890bb9453bc16911e616bf79603a
SSDEEP

1536:hbRrytEJq4kDWK5QPqfhVWbdsmA+RjPFLC+e5hJ0ZGUGf2g:h5e4NPqfcxA+HFshJOg

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
1688	[email protected]

Loads dropped DLL 2 IoCs

pid	Process
1692	cmd.exe
1692	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 1692	2464	f565b71c40ed6df07a314aca8a9044b0_NeikiAnalytics.exe	29
PID 2464 wrote to memory of 1692	2464	f565b71c40ed6df07a314aca8a9044b0_NeikiAnalytics.exe	29
PID 2464 wrote to memory of 1692	2464	f565b71c40ed6df07a314aca8a9044b0_NeikiAnalytics.exe	29
PID 2464 wrote to memory of 1692	2464	f565b71c40ed6df07a314aca8a9044b0_NeikiAnalytics.exe	29
PID 1692 wrote to memory of 1688	1692	cmd.exe	30
PID 1692 wrote to memory of 1688	1692	cmd.exe	30
PID 1692 wrote to memory of 1688	1692	cmd.exe	30
PID 1692 wrote to memory of 1688	1692	cmd.exe	30
PID 1688 wrote to memory of 2920	1688	[email protected]	31
PID 1688 wrote to memory of 2920	1688	[email protected]	31
PID 1688 wrote to memory of 2920	1688	[email protected]	31
PID 1688 wrote to memory of 2920	1688	[email protected]	31

C:\Users\Admin\AppData\Local\Temp\f565b71c40ed6df07a314aca8a9044b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\f565b71c40ed6df07a314aca8a9044b0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c [email protected]
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    [email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 00.exe
      4⤵
      PID:2920

\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
73KB

MD5
2fa0f1eadfdb1ac655ddbd32a613fedd

SHA1
77ba1716bd3006171ecf47d000f71baaebee453b

SHA256
7d66597dcba99f9c8023f8fffe51f7397e0dbb9bbc10c97c52dbf5bde61e5bdf

SHA512
d886e95b22ed90b84441ad592e50da37f24ba1037cb35e7e1436721f963f07293fd09fec72be5f4d09cb2fd55867a7ed15e26be024e75fb4c5e8517252a66cde

Download Submit
memory/1688-10-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2464-11-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download