68934419f8d403f1d3d1cdab84ad330bb239162f3ddd5aa82097ccb9dd7913af

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 16:12

Target

11f9d2706dd8ddd5fc32960b2519bef0_NeikiAnalytics.exe
Size

73KB
MD5

11f9d2706dd8ddd5fc32960b2519bef0
SHA1

bbf0216d2bf71aa4eef7ad0ba6ad5127c9848394
SHA256

68934419f8d403f1d3d1cdab84ad330bb239162f3ddd5aa82097ccb9dd7913af
SHA512

6f5679eed8c591b62f8557a324f0d365d6191413818f3a634a673ef10db2b715be9117e283457f2358435d61528894ec411a6370ea9fbdae225a781b6af18219
SSDEEP

1536:hbq3ycNo1VK5QPqfhVWbdsmA+RjPFLC+e5hX0ZGUGf2g:hu30XNPqfcxA+HFshXOg

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
1628	[email protected]

Loads dropped DLL 2 IoCs

pid	Process
848	cmd.exe
848	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 848	1640	11f9d2706dd8ddd5fc32960b2519bef0_NeikiAnalytics.exe	29
PID 1640 wrote to memory of 848	1640	11f9d2706dd8ddd5fc32960b2519bef0_NeikiAnalytics.exe	29
PID 1640 wrote to memory of 848	1640	11f9d2706dd8ddd5fc32960b2519bef0_NeikiAnalytics.exe	29
PID 1640 wrote to memory of 848	1640	11f9d2706dd8ddd5fc32960b2519bef0_NeikiAnalytics.exe	29
PID 848 wrote to memory of 1628	848	cmd.exe	30
PID 848 wrote to memory of 1628	848	cmd.exe	30
PID 848 wrote to memory of 1628	848	cmd.exe	30
PID 848 wrote to memory of 1628	848	cmd.exe	30
PID 1628 wrote to memory of 2812	1628	[email protected]	31
PID 1628 wrote to memory of 2812	1628	[email protected]	31
PID 1628 wrote to memory of 2812	1628	[email protected]	31
PID 1628 wrote to memory of 2812	1628	[email protected]	31

C:\Users\Admin\AppData\Local\Temp\11f9d2706dd8ddd5fc32960b2519bef0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\11f9d2706dd8ddd5fc32960b2519bef0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c [email protected]
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    [email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 00.exe
      4⤵
      PID:2812

\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
73KB

MD5
d6e2d82248362664af52dfdcec14eb0c

SHA1
b1654c8ade480f9f9a180ac0d45f77085c26cbb2

SHA256
04ca719fa3ffe7b38d3589663f66a21fdc434f84bb48e92760caff3435fd3552

SHA512
dbe35511ea3b15774efd886bee665f8cd2f7969ae886c81eb20587f38668d398913075aeb94a7ecc9dad29586bc8a32fd4d73968badd225371469efada42cc03

Download Submit
memory/1628-10-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1640-11-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download