1594f4ecfbabca6bacf88cc68c9efb1d970a9ea520628a6825b603974f78f570

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
29-05-2024 02:55

Target

3297b36f91e7d9167e61f826617c8ca0_NeikiAnalytics.exe
Size

73KB
MD5

3297b36f91e7d9167e61f826617c8ca0
SHA1

3c27315dee1b0918fd6d6a8633397327b94d6953
SHA256

1594f4ecfbabca6bacf88cc68c9efb1d970a9ea520628a6825b603974f78f570
SHA512

0aec8a5c79b1e39a44b9d0125c55cbe493816096090ae39cdf98d05809a478597bffeb84ddce5abfe2de7f9eb3cd443c858f804480ebf7c0a77bd0e333061be8
SSDEEP

1536:hbYNv0f2k5FKK5QPqfhVWbdsmA+RjPFLC+e5hp0ZGUGf2g:h8Nv0b5FKNPqfcxA+HFshpOg

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2300	[email protected]

Loads dropped DLL 2 IoCs

pid	Process
288	cmd.exe
288	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 288	1724	3297b36f91e7d9167e61f826617c8ca0_NeikiAnalytics.exe	29
PID 1724 wrote to memory of 288	1724	3297b36f91e7d9167e61f826617c8ca0_NeikiAnalytics.exe	29
PID 1724 wrote to memory of 288	1724	3297b36f91e7d9167e61f826617c8ca0_NeikiAnalytics.exe	29
PID 1724 wrote to memory of 288	1724	3297b36f91e7d9167e61f826617c8ca0_NeikiAnalytics.exe	29
PID 288 wrote to memory of 2300	288	cmd.exe	30
PID 288 wrote to memory of 2300	288	cmd.exe	30
PID 288 wrote to memory of 2300	288	cmd.exe	30
PID 288 wrote to memory of 2300	288	cmd.exe	30
PID 2300 wrote to memory of 1316	2300	[email protected]	31
PID 2300 wrote to memory of 1316	2300	[email protected]	31
PID 2300 wrote to memory of 1316	2300	[email protected]	31
PID 2300 wrote to memory of 1316	2300	[email protected]	31

C:\Users\Admin\AppData\Local\Temp\3297b36f91e7d9167e61f826617c8ca0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3297b36f91e7d9167e61f826617c8ca0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c [email protected]
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:288
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    [email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 00.exe
      4⤵
      PID:1316

\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
73KB

MD5
d8e1d72b653bacf8e8298270a815e92b

SHA1
9279b096a4c8d461956a9c21ab4a6cfa2bda9a81

SHA256
f775a8a2b44025b1d641125fc3c2e5779af6bcc9432a3cdcb39fa626e38c63b1

SHA512
d59536c6b054098d2ad3780c08b539454cf832168a6626e36ae003ccdecd58a7e490dbe6fee20390787658dd8d5a642132165244f458201cf3bdc9e719d350e2

Download Submit
memory/1724-11-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2300-10-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download