2837fa42a956417cbbf67c3a6f8656f79fcdca19e245548658b4b7d759a9692f

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 23:32

Target

0c6f81b13ee2e0aa2bf26b17ffc17a20_NeikiAnalytics.exe
Size

73KB
MD5

0c6f81b13ee2e0aa2bf26b17ffc17a20
SHA1

06d2c11bbbc563c5101040f806ddff79f8816140
SHA256

2837fa42a956417cbbf67c3a6f8656f79fcdca19e245548658b4b7d759a9692f
SHA512

a1a2817dece3989e46723843fab969318a5a3526bdd8cc1f64f57ee324f1f599cc348871c1b5c2d1e06a3a701cc95d139937eeea1322ca1e77f699b2701680a0
SSDEEP

1536:hbqD0X1jYK5QPqfhVWbdsmA+RjPFLC+e5ht0ZGUGf2g:h+2eNPqfcxA+HFshtOg

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2348	[email protected]

Loads dropped DLL 2 IoCs

pid	Process
2996	cmd.exe
2996	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2996	2232	0c6f81b13ee2e0aa2bf26b17ffc17a20_NeikiAnalytics.exe	29
PID 2232 wrote to memory of 2996	2232	0c6f81b13ee2e0aa2bf26b17ffc17a20_NeikiAnalytics.exe	29
PID 2232 wrote to memory of 2996	2232	0c6f81b13ee2e0aa2bf26b17ffc17a20_NeikiAnalytics.exe	29
PID 2232 wrote to memory of 2996	2232	0c6f81b13ee2e0aa2bf26b17ffc17a20_NeikiAnalytics.exe	29
PID 2996 wrote to memory of 2348	2996	cmd.exe	30
PID 2996 wrote to memory of 2348	2996	cmd.exe	30
PID 2996 wrote to memory of 2348	2996	cmd.exe	30
PID 2996 wrote to memory of 2348	2996	cmd.exe	30
PID 2348 wrote to memory of 2140	2348	[email protected]	31
PID 2348 wrote to memory of 2140	2348	[email protected]	31
PID 2348 wrote to memory of 2140	2348	[email protected]	31
PID 2348 wrote to memory of 2140	2348	[email protected]	31

C:\Users\Admin\AppData\Local\Temp\0c6f81b13ee2e0aa2bf26b17ffc17a20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0c6f81b13ee2e0aa2bf26b17ffc17a20_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c [email protected]
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    [email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2348
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 00.exe
      4⤵
      PID:2140

\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
73KB

MD5
9a6bd10cd1e6dc913136c3ef344850a9

SHA1
578b77c9c4bb6437c2c2c05262e0408c4127295c

SHA256
699dd94b8c827fe343631be96c468d233c38cfb04e1d3f3553baa2d22b7ccd6c

SHA512
964503ea4b524f1540a08e9dd4bc6292d7866cab6412c0254980eec19e651434c4cf05da5299cc4fff9aad9cb2b061f4bf6c5eb2528eadc8a043f0be0926bb3a

Download Submit
memory/2232-11-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2348-10-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download