6b3fed647d5e7171a084dca46129e7f5c0c1c4eea8c9785f5d3341e5e689b7e6

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 02:21

Target

51a093b25560824cbe299fa550033b10_NeikiAnalytics.exe
Size

73KB
MD5

51a093b25560824cbe299fa550033b10
SHA1

8783e81c1d2e70431f6dc6492a110000a9e68417
SHA256

6b3fed647d5e7171a084dca46129e7f5c0c1c4eea8c9785f5d3341e5e689b7e6
SHA512

ce8ab85cdaef4408efb812c81ac5b55a4c2d3386571880c5823efe4873783a118e49167df4935313f927d1c4ca42939f1d966753b3ed54dc2fe382b558bb8a80
SSDEEP

1536:hb6CZbDT3dl2ZrcnK5QPqfhVWbdsmA+RjPFLC+e5hv0ZGUGf2g:h3T3dl2BoNPqfcxA+HFshvOg

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2364	[email protected]

Loads dropped DLL 2 IoCs

pid	Process
1928	cmd.exe
1928	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 1928	2204	51a093b25560824cbe299fa550033b10_NeikiAnalytics.exe	29
PID 2204 wrote to memory of 1928	2204	51a093b25560824cbe299fa550033b10_NeikiAnalytics.exe	29
PID 2204 wrote to memory of 1928	2204	51a093b25560824cbe299fa550033b10_NeikiAnalytics.exe	29
PID 2204 wrote to memory of 1928	2204	51a093b25560824cbe299fa550033b10_NeikiAnalytics.exe	29
PID 1928 wrote to memory of 2364	1928	cmd.exe	30
PID 1928 wrote to memory of 2364	1928	cmd.exe	30
PID 1928 wrote to memory of 2364	1928	cmd.exe	30
PID 1928 wrote to memory of 2364	1928	cmd.exe	30
PID 2364 wrote to memory of 3004	2364	[email protected]	31
PID 2364 wrote to memory of 3004	2364	[email protected]	31
PID 2364 wrote to memory of 3004	2364	[email protected]	31
PID 2364 wrote to memory of 3004	2364	[email protected]	31

C:\Users\Admin\AppData\Local\Temp\51a093b25560824cbe299fa550033b10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\51a093b25560824cbe299fa550033b10_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c [email protected]
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    [email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 15225.exe
      4⤵
      PID:3004

C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
73KB

MD5
059e31a691ae7233e4691098b09981fc

SHA1
ce3dc977f07f507f4b97b78e1d5936f334fb0223

SHA256
c8bf8b00700059e29d0914fe8038880cb356b80473feb0ba2473f2aac1ee48c2

SHA512
a718ddade6f898b0525d41b3f368dbd9f4d48f9733e5bbb96a9682ee9b1d4648f441a90a5f57dbfb33ebdda574350f1a6fe6e79f5a212f3a66bc2e4c19b6f660

Download Submit
memory/2204-11-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2364-10-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download