4a57361d4ef7323768b696e5c0a0cebe142c5f3d436fd6689af17c342465fe3f

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/05/2024, 22:52

Target

09a6036b4c723bc1026c2de103b65200_NeikiAnalytics.exe
Size

73KB
MD5

09a6036b4c723bc1026c2de103b65200
SHA1

bac243ff611fa7c95890f2f813a126e13ff5564c
SHA256

4a57361d4ef7323768b696e5c0a0cebe142c5f3d436fd6689af17c342465fe3f
SHA512

1c69e174b98ca940bb80fed7b11ed1c29ce01af2113ce03f05b6954d4cb86ce0c755f97389f21ab465944d3bdf7157de9c3d610a9d4199cc908742397b99abdf
SSDEEP

1536:hblyhJYSwyRK5QPqfhVWbdsmA+RjPFLC+e5hT0ZGUGf2g:hKKSwGNPqfcxA+HFshTOg

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
3024	[email protected]

Loads dropped DLL 2 IoCs

pid	Process
3020	cmd.exe
3020	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 3020	2924	09a6036b4c723bc1026c2de103b65200_NeikiAnalytics.exe	29
PID 2924 wrote to memory of 3020	2924	09a6036b4c723bc1026c2de103b65200_NeikiAnalytics.exe	29
PID 2924 wrote to memory of 3020	2924	09a6036b4c723bc1026c2de103b65200_NeikiAnalytics.exe	29
PID 2924 wrote to memory of 3020	2924	09a6036b4c723bc1026c2de103b65200_NeikiAnalytics.exe	29
PID 3020 wrote to memory of 3024	3020	cmd.exe	30
PID 3020 wrote to memory of 3024	3020	cmd.exe	30
PID 3020 wrote to memory of 3024	3020	cmd.exe	30
PID 3020 wrote to memory of 3024	3020	cmd.exe	30
PID 3024 wrote to memory of 1036	3024	[email protected]	31
PID 3024 wrote to memory of 1036	3024	[email protected]	31
PID 3024 wrote to memory of 1036	3024	[email protected]	31
PID 3024 wrote to memory of 1036	3024	[email protected]	31

C:\Users\Admin\AppData\Local\Temp\09a6036b4c723bc1026c2de103b65200_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\09a6036b4c723bc1026c2de103b65200_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c [email protected]
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    [email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 00.exe
      4⤵
      PID:1036

\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
73KB

MD5
5fdfc8dfdf1b56251a9d02436533addc

SHA1
96b087af796ff52c8e3031edbcf896dc9ccf5c6f

SHA256
3382291a83c27ea40bcb9cb2ee0baf70800969d9eba8d7f2ba6aa86c448a6de4

SHA512
46b5e24718eeb7f0f10c65179e90e0213a4b9e9b5f3a59a0aebab880262612736c1c0f0557ac7ef241bd25f04b7febe45ca370715e6f762a005fa8061d81c585

Download Submit
memory/2924-11-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3024-10-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download