4b8f1c20189b4a61ef3a3acff4cdb5b5fbb8b3540e57c4d33c034072d78afbc5

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
31/05/2024, 01:43

Target

71e96ef4adf29704f9f68b8ad3522ec0_NeikiAnalytics.exe
Size

73KB
MD5

71e96ef4adf29704f9f68b8ad3522ec0
SHA1

7d015cd99b3ce0da65c1103aa5a32da7eee264b7
SHA256

4b8f1c20189b4a61ef3a3acff4cdb5b5fbb8b3540e57c4d33c034072d78afbc5
SHA512

9219821502ab7dac9fbd72285ad1a5f84fd2f0294ccf9189be5434683ee6d36407407b408dcb11f9337944ebd1b240f88ded2d5c110787cbc446f24dbeb59131
SSDEEP

1536:hbkaWqFWZmj2aZK5QPqfhVWbdsmA+RjPFLC+e5h50ZGUGf2g:hwa5XCONPqfcxA+HFsh5Og

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2944	[email protected]

Loads dropped DLL 2 IoCs

pid	Process
2928	cmd.exe
2928	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 2928	1460	71e96ef4adf29704f9f68b8ad3522ec0_NeikiAnalytics.exe	29
PID 1460 wrote to memory of 2928	1460	71e96ef4adf29704f9f68b8ad3522ec0_NeikiAnalytics.exe	29
PID 1460 wrote to memory of 2928	1460	71e96ef4adf29704f9f68b8ad3522ec0_NeikiAnalytics.exe	29
PID 1460 wrote to memory of 2928	1460	71e96ef4adf29704f9f68b8ad3522ec0_NeikiAnalytics.exe	29
PID 2928 wrote to memory of 2944	2928	cmd.exe	30
PID 2928 wrote to memory of 2944	2928	cmd.exe	30
PID 2928 wrote to memory of 2944	2928	cmd.exe	30
PID 2928 wrote to memory of 2944	2928	cmd.exe	30
PID 2944 wrote to memory of 840	2944	[email protected]	31
PID 2944 wrote to memory of 840	2944	[email protected]	31
PID 2944 wrote to memory of 840	2944	[email protected]	31
PID 2944 wrote to memory of 840	2944	[email protected]	31

C:\Users\Admin\AppData\Local\Temp\71e96ef4adf29704f9f68b8ad3522ec0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\71e96ef4adf29704f9f68b8ad3522ec0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c [email protected]
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    [email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 00.exe
      4⤵
      PID:840

\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
73KB

MD5
5b4e4d44db92e8b3dbeee880ce871ecc

SHA1
cc458caa21b72e21ed22def1fca4cebe1e6ffa4d

SHA256
51c0751703d05cf0bf70c90b3da73c6868eaaf7c31e49ff42a597b5f654f973d

SHA512
ccbdf76c306a5d20cac4b840be36cddb23be03932cea03d2712592879f9f389901b41fbb557c67a66b5450e9cbe7a7d8e880081044a7ef02aa7c873e23a5b103

Download Submit
memory/1460-11-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2944-10-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download