46b6698528d4ea0bb55c5e118ae6305c0144229ff32bb3a594f2428be41bb627

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26/05/2024, 23:56

Target

0e11aa663b662e931f33bd1be2a77690_NeikiAnalytics.exe
Size

73KB
MD5

0e11aa663b662e931f33bd1be2a77690
SHA1

4bb24f00158d945959acede411679647ffde9f82
SHA256

46b6698528d4ea0bb55c5e118ae6305c0144229ff32bb3a594f2428be41bb627
SHA512

d4a821a9a4ed81136895d62b59461bdb290e0d54130d47f421d45f8095e4cd8df5abf2a817bab4b62a5969ab15d15ae459f5507b9a96f8b16ce61bdb4bfc89bd
SSDEEP

1536:hbI+vSLWwK5QPqfhVWbdsmA+RjPFLC+e5hmf0ZGUGf2g:hXOtNPqfcxA+HFshoOg

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2368	[email protected]

Loads dropped DLL 2 IoCs

pid	Process
1692	cmd.exe
1692	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 1692	2180	0e11aa663b662e931f33bd1be2a77690_NeikiAnalytics.exe	29
PID 2180 wrote to memory of 1692	2180	0e11aa663b662e931f33bd1be2a77690_NeikiAnalytics.exe	29
PID 2180 wrote to memory of 1692	2180	0e11aa663b662e931f33bd1be2a77690_NeikiAnalytics.exe	29
PID 2180 wrote to memory of 1692	2180	0e11aa663b662e931f33bd1be2a77690_NeikiAnalytics.exe	29
PID 1692 wrote to memory of 2368	1692	cmd.exe	30
PID 1692 wrote to memory of 2368	1692	cmd.exe	30
PID 1692 wrote to memory of 2368	1692	cmd.exe	30
PID 1692 wrote to memory of 2368	1692	cmd.exe	30
PID 2368 wrote to memory of 2932	2368	[email protected]	31
PID 2368 wrote to memory of 2932	2368	[email protected]	31
PID 2368 wrote to memory of 2932	2368	[email protected]	31
PID 2368 wrote to memory of 2932	2368	[email protected]	31

C:\Users\Admin\AppData\Local\Temp\0e11aa663b662e931f33bd1be2a77690_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0e11aa663b662e931f33bd1be2a77690_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c [email protected]
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    [email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2368
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 00.exe
      4⤵
      PID:2932

C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
73KB

MD5
ddc53e6c7ce939a9b1b997a6e5ddab75

SHA1
2eac1a5c9afec5926da3e790cfea84dd10bbe2a3

SHA256
b1bdd049dda444325d22a8de5d159a625565427180aa1f6c6429711981c32616

SHA512
91d502c7cdcf49404036737885a589155f3b4b291b306d68409ecc2d56202b4a13121644f7d9ea44b494d3c659c62d6bcbe743c1790a5cc6d361bb9cfd3c415a

Download Submit
memory/2180-11-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2368-10-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download