961be2f241e884ce6fafab5a06d9d5697fefeb04d1fa46bfbce6f87bd848cc8f

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
28/05/2024, 12:11

Target

4333e4807409c4df3f62143c84cb8e70_NeikiAnalytics.exe
Size

73KB
MD5

4333e4807409c4df3f62143c84cb8e70
SHA1

462a1126160cfe9dcd60fb136912c63a15b55b98
SHA256

961be2f241e884ce6fafab5a06d9d5697fefeb04d1fa46bfbce6f87bd848cc8f
SHA512

4205535059181b81ebe9060653e36ad8594521427cf419595ebd4601a07a693d28a8984e7d5a87814ac4192dc49d274c2b46f8e0de57c7d608b73457ef8baec1
SSDEEP

1536:hbZlo2jTZyMAK5QPqfhVWbdsmA+RjPFLC+e5hi0ZGUGf2g:hvo2jTZBANPqfcxA+HFshiOg

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2140	[email protected]

Loads dropped DLL 2 IoCs

pid	Process
896	cmd.exe
896	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 896	2976	4333e4807409c4df3f62143c84cb8e70_NeikiAnalytics.exe	29
PID 2976 wrote to memory of 896	2976	4333e4807409c4df3f62143c84cb8e70_NeikiAnalytics.exe	29
PID 2976 wrote to memory of 896	2976	4333e4807409c4df3f62143c84cb8e70_NeikiAnalytics.exe	29
PID 2976 wrote to memory of 896	2976	4333e4807409c4df3f62143c84cb8e70_NeikiAnalytics.exe	29
PID 896 wrote to memory of 2140	896	cmd.exe	30
PID 896 wrote to memory of 2140	896	cmd.exe	30
PID 896 wrote to memory of 2140	896	cmd.exe	30
PID 896 wrote to memory of 2140	896	cmd.exe	30
PID 2140 wrote to memory of 2428	2140	[email protected]	31
PID 2140 wrote to memory of 2428	2140	[email protected]	31
PID 2140 wrote to memory of 2428	2140	[email protected]	31
PID 2140 wrote to memory of 2428	2140	[email protected]	31

C:\Users\Admin\AppData\Local\Temp\4333e4807409c4df3f62143c84cb8e70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4333e4807409c4df3f62143c84cb8e70_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c [email protected]
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:896
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    [email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2140
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 15225.exe
      4⤵
      PID:2428

C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
73KB

MD5
91b6a6065d7009fd435f7c182630a680

SHA1
d7107ffd6ad6a628a4e1d11b494dd673c64d4460

SHA256
ac2ead0c0fbfcd34a23ae00d73f7ba223e82b176d73e0c4591d56fbe08bb8876

SHA512
27b0402d20b9095decc8ec5037c34354431e1fcd3f302b916408ac5daf6cfb0d5598daa4250439a0ab9854a5aaaee40ba2962e7f276204ee81d552f0ab12056a

Download Submit
memory/2140-10-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2976-11-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download