a9e79533627f50cd098052465da09ebaf6ce721dcdd89fe7fb342fcd299b748d

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-05-2024 11:21

Target

ba4d4e9f7e1c6e0eb443f0d47b1d75b0_NeikiAnalytics.exe
Size

73KB
MD5

ba4d4e9f7e1c6e0eb443f0d47b1d75b0
SHA1

38efc38db7a2abd4dfbf72c4521c4c94d2877a43
SHA256

a9e79533627f50cd098052465da09ebaf6ce721dcdd89fe7fb342fcd299b748d
SHA512

b528df1308060e94fd143aca42d3cd46a226130bb12ad8941580dc624a3b29af99d95d22bb7a94e5c9bbae11fe5b05921f8174f1b29f31ebe0c6a54a4c3846d9
SSDEEP

1536:hbuJeqj8qK5QPqfhVWbdsmA+RjPFLC+e5hM0ZGUGf2g:hKJfNPqfcxA+HFshMOg

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
1064	[email protected]

Loads dropped DLL 2 IoCs

pid	Process
1740	cmd.exe
1740	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 1740	2292	ba4d4e9f7e1c6e0eb443f0d47b1d75b0_NeikiAnalytics.exe	29
PID 2292 wrote to memory of 1740	2292	ba4d4e9f7e1c6e0eb443f0d47b1d75b0_NeikiAnalytics.exe	29
PID 2292 wrote to memory of 1740	2292	ba4d4e9f7e1c6e0eb443f0d47b1d75b0_NeikiAnalytics.exe	29
PID 2292 wrote to memory of 1740	2292	ba4d4e9f7e1c6e0eb443f0d47b1d75b0_NeikiAnalytics.exe	29
PID 1740 wrote to memory of 1064	1740	cmd.exe	30
PID 1740 wrote to memory of 1064	1740	cmd.exe	30
PID 1740 wrote to memory of 1064	1740	cmd.exe	30
PID 1740 wrote to memory of 1064	1740	cmd.exe	30
PID 1064 wrote to memory of 2900	1064	[email protected]	31
PID 1064 wrote to memory of 2900	1064	[email protected]	31
PID 1064 wrote to memory of 2900	1064	[email protected]	31
PID 1064 wrote to memory of 2900	1064	[email protected]	31

C:\Users\Admin\AppData\Local\Temp\ba4d4e9f7e1c6e0eb443f0d47b1d75b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ba4d4e9f7e1c6e0eb443f0d47b1d75b0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c [email protected]
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    [email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1064
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 16256.exe
      4⤵
      PID:2900

C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
73KB

MD5
6401cadaea4f18fbcd4a6e66455291f0

SHA1
8d00d0e53c232d10fad1f1e90b1fba70eeade036

SHA256
cbb41bb3969c598f412ec33a5bb1dde10fbdcc1b37b2b575a4f59be04082ed54

SHA512
df8b57256e68945a1b6705b16a87e133f8ee47b51e623e0ad563c98aaa3eef30223f3d8b9417fe462c474f2084818f5621cf1207b10731d9d8b89668e9b59392

Download Submit
memory/1064-10-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2292-11-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download