2a7607f04142166fc17815a834e94aeef0d8e0b75b2a7d653c0409fddfb3562d

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26/05/2024, 15:49

Target

10136ad80962827c380f8f42da718ac0_NeikiAnalytics.exe
Size

73KB
MD5

10136ad80962827c380f8f42da718ac0
SHA1

f4aadab8c3c9d1ff9181e1e5ffb251f290517816
SHA256

2a7607f04142166fc17815a834e94aeef0d8e0b75b2a7d653c0409fddfb3562d
SHA512

71aef868b9a57d19801234856f8b038ec4dfe200adeab004753cfbfebfb51ac986b37a30cd9284c0f49b8fb394dd485d626e8266ef23f21242f493c278e962d9
SSDEEP

1536:hbYNv0f2k5FKK5QPqfhVWbdsmA+RjPFLC+e5hx0ZGUGf2g:h8Nv0b5FKNPqfcxA+HFshxOg

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2856	[email protected]

Loads dropped DLL 2 IoCs

pid	Process
2552	cmd.exe
2552	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2552	2548	10136ad80962827c380f8f42da718ac0_NeikiAnalytics.exe	29
PID 2548 wrote to memory of 2552	2548	10136ad80962827c380f8f42da718ac0_NeikiAnalytics.exe	29
PID 2548 wrote to memory of 2552	2548	10136ad80962827c380f8f42da718ac0_NeikiAnalytics.exe	29
PID 2548 wrote to memory of 2552	2548	10136ad80962827c380f8f42da718ac0_NeikiAnalytics.exe	29
PID 2552 wrote to memory of 2856	2552	cmd.exe	30
PID 2552 wrote to memory of 2856	2552	cmd.exe	30
PID 2552 wrote to memory of 2856	2552	cmd.exe	30
PID 2552 wrote to memory of 2856	2552	cmd.exe	30
PID 2856 wrote to memory of 2156	2856	[email protected]	31
PID 2856 wrote to memory of 2156	2856	[email protected]	31
PID 2856 wrote to memory of 2156	2856	[email protected]	31
PID 2856 wrote to memory of 2156	2856	[email protected]	31

C:\Users\Admin\AppData\Local\Temp\10136ad80962827c380f8f42da718ac0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\10136ad80962827c380f8f42da718ac0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c [email protected]
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    [email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 00.exe
      4⤵
      PID:2156

C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
73KB

MD5
b20e75741b6839bd34dd4009b99448fb

SHA1
e9183950f3ce58c045d4800889ca5a6808166a63

SHA256
4a86f653c0f47f2dec52ef0ecbad00f84e8223d4e0535253396b21ae9af2f0f7

SHA512
80dc33dff690772f58e47f252f19204bcd760cd33a3444f0b500644364c999bfdd17e4fef251f7efde0a66bbdd3c9b826fd83d44aaf4e738ca8a3f197d572f85

Download Submit
memory/2548-11-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2856-10-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download