bd01cf65ee3027f32954914b6002b8eac10c7652bf4cc1829410363aeccc40cd

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/05/2024, 13:00

Target

00494b1acaf3e981fe4a312824a61710_NeikiAnalytics.exe
Size

73KB
MD5

00494b1acaf3e981fe4a312824a61710
SHA1

40cebf8116321561011b23bc574d5b3816175530
SHA256

bd01cf65ee3027f32954914b6002b8eac10c7652bf4cc1829410363aeccc40cd
SHA512

29afa584abf0b71a40d997ebdc121bc44bcc59634b2fcff235b905677252f0154c53cdad3be5cc41cc6d79168f0818edb6d5ef97077c537b7faa733e358ea5dc
SSDEEP

1536:hbi2Cn14K5QPqfhVWbdsmA+RjPFLC+e5h380ZGUGf2g:hObn14NPqfcxA+HFshMOg

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2504	[email protected]

Loads dropped DLL 2 IoCs

pid	Process
2912	cmd.exe
2912	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 2912	3008	00494b1acaf3e981fe4a312824a61710_NeikiAnalytics.exe	29
PID 3008 wrote to memory of 2912	3008	00494b1acaf3e981fe4a312824a61710_NeikiAnalytics.exe	29
PID 3008 wrote to memory of 2912	3008	00494b1acaf3e981fe4a312824a61710_NeikiAnalytics.exe	29
PID 3008 wrote to memory of 2912	3008	00494b1acaf3e981fe4a312824a61710_NeikiAnalytics.exe	29
PID 2912 wrote to memory of 2504	2912	cmd.exe	30
PID 2912 wrote to memory of 2504	2912	cmd.exe	30
PID 2912 wrote to memory of 2504	2912	cmd.exe	30
PID 2912 wrote to memory of 2504	2912	cmd.exe	30
PID 2504 wrote to memory of 2632	2504	[email protected]	31
PID 2504 wrote to memory of 2632	2504	[email protected]	31
PID 2504 wrote to memory of 2632	2504	[email protected]	31
PID 2504 wrote to memory of 2632	2504	[email protected]	31

C:\Users\Admin\AppData\Local\Temp\00494b1acaf3e981fe4a312824a61710_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\00494b1acaf3e981fe4a312824a61710_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c [email protected]
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    [email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2504
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 16256.exe
      4⤵
      PID:2632

C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
73KB

MD5
847250f46ed42d4bbb92db69d35ceb05

SHA1
ecfe8ddb2a36e1e518cbd1ea01f3c5b5e9c9eb10

SHA256
3dc2824d0da7fc755c32ed60e39c15560da2e3fb54e583ee1d80e4bdfbf35b2c

SHA512
41704eca62dc058b38abe4e336d16c088e8749db16812259fd1a68023d98536b112127dfd1dab56548770963193ec68f864b4ecee4381570cab63828724251a6

Download Submit
memory/2504-10-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3008-11-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download