f04df83b27cd3c7529dcd400f84fcd323577a3bf6c46da037e783ce467398b12

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
29/05/2024, 05:21

Target

44d9374023cbae99e42a2856d8a74840_NeikiAnalytics.exe
Size

73KB
MD5

44d9374023cbae99e42a2856d8a74840
SHA1

072c653dad3c2f7f092005123a3bde03d3250aa1
SHA256

f04df83b27cd3c7529dcd400f84fcd323577a3bf6c46da037e783ce467398b12
SHA512

9cd087272bb4272de1d2fa8feda991a13d9dfdd369c038d869c64d650738593e7b0d9d25f4feef78d5af168cc481aaeb44c4ee21658c85f983c943445272a6e7
SSDEEP

1536:hbenS1B1lQd4K5QPqfhVWbdsmA+RjPFLC+e5hlT0ZGUGf2g:hCSL1lQiNPqfcxA+HFshlTOg

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2860	[email protected]

Loads dropped DLL 2 IoCs

pid	Process
1928	cmd.exe
1928	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 1928	1732	44d9374023cbae99e42a2856d8a74840_NeikiAnalytics.exe	29
PID 1732 wrote to memory of 1928	1732	44d9374023cbae99e42a2856d8a74840_NeikiAnalytics.exe	29
PID 1732 wrote to memory of 1928	1732	44d9374023cbae99e42a2856d8a74840_NeikiAnalytics.exe	29
PID 1732 wrote to memory of 1928	1732	44d9374023cbae99e42a2856d8a74840_NeikiAnalytics.exe	29
PID 1928 wrote to memory of 2860	1928	cmd.exe	30
PID 1928 wrote to memory of 2860	1928	cmd.exe	30
PID 1928 wrote to memory of 2860	1928	cmd.exe	30
PID 1928 wrote to memory of 2860	1928	cmd.exe	30
PID 2860 wrote to memory of 3028	2860	[email protected]	31
PID 2860 wrote to memory of 3028	2860	[email protected]	31
PID 2860 wrote to memory of 3028	2860	[email protected]	31
PID 2860 wrote to memory of 3028	2860	[email protected]	31

C:\Users\Admin\AppData\Local\Temp\44d9374023cbae99e42a2856d8a74840_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\44d9374023cbae99e42a2856d8a74840_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c [email protected]
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    [email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 00.exe
      4⤵
      PID:3028

\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
73KB

MD5
1226e0a8d565a68626b09b09f897826b

SHA1
e7dd3c15097a6463be589fcae188afbe167b317f

SHA256
d5fa5892dd4394cd0c65144ae51819a0ded1019e2cb549b12820637e48214b62

SHA512
9f5c15e36193a7f55e36525b0dd182a612af898a210ce0755338d08fdb2cb38d7be03b9a97a0eb6ab60c659851e93ff599c1fea53a2eb91c5938bfd9ba9ac114

Download Submit
memory/1732-11-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2860-10-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download