4ed619507c6dcc3efb0b4099e51a646839b98b7fab0e66fc994c03ab9160f207

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 01:11

Target

462fb1cffe3e8a755a025e1dc470d2e0_NeikiAnalytics.exe
Size

73KB
MD5

462fb1cffe3e8a755a025e1dc470d2e0
SHA1

211c6643031c86c5f17b43ca8629477ef9181689
SHA256

4ed619507c6dcc3efb0b4099e51a646839b98b7fab0e66fc994c03ab9160f207
SHA512

6d88b452c4d035a12cceef32062f15392116742237dc2463d5d0b6b2d77351cc06a985722b61a7568c9847ff5c3d601dcbc2f28e9b382a151ab5e25cf3ed31e5
SSDEEP

1536:hbEk7fWvWK5QPqfhVWbdsmA+RjPFLC+e5h20ZGUGf2g:hYk7xNPqfcxA+HFsh2Og

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2032	[email protected]

Loads dropped DLL 2 IoCs

pid	Process
1796	cmd.exe
1796	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1796	2036	462fb1cffe3e8a755a025e1dc470d2e0_NeikiAnalytics.exe	29
PID 2036 wrote to memory of 1796	2036	462fb1cffe3e8a755a025e1dc470d2e0_NeikiAnalytics.exe	29
PID 2036 wrote to memory of 1796	2036	462fb1cffe3e8a755a025e1dc470d2e0_NeikiAnalytics.exe	29
PID 2036 wrote to memory of 1796	2036	462fb1cffe3e8a755a025e1dc470d2e0_NeikiAnalytics.exe	29
PID 1796 wrote to memory of 2032	1796	cmd.exe	30
PID 1796 wrote to memory of 2032	1796	cmd.exe	30
PID 1796 wrote to memory of 2032	1796	cmd.exe	30
PID 1796 wrote to memory of 2032	1796	cmd.exe	30
PID 2032 wrote to memory of 2968	2032	[email protected]	31
PID 2032 wrote to memory of 2968	2032	[email protected]	31
PID 2032 wrote to memory of 2968	2032	[email protected]	31
PID 2032 wrote to memory of 2968	2032	[email protected]	31

C:\Users\Admin\AppData\Local\Temp\462fb1cffe3e8a755a025e1dc470d2e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\462fb1cffe3e8a755a025e1dc470d2e0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c [email protected]
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    [email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 16256.exe
      4⤵
      PID:2968

\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
73KB

MD5
d19c8d670d33192a7b44758b395af84e

SHA1
072de55cfffe8ee9bc8b1faacc05bb03f408c10b

SHA256
77742365f419090dd7ce30ecb78fe0c9a8c8f4594f096fe6039a58805a81f647

SHA512
4d17524248425a376fd132f69c31ba996861cd0062350d62fd187ed3b933fbf817fe1f05c8d680d43acf537cca4235c320c8f9c1402bdf8f8b477e5d8e61b279

Download Submit
memory/2032-10-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2036-11-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download