ce3e76caa45a87af19623c62f6537b39eb71869452aa7f250ca6148c47306d52

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
31/05/2024, 03:06 UTC

Target

74a00d3bd529cc8ad80b0e8d04d24020_NeikiAnalytics.exe
Size

73KB
MD5

74a00d3bd529cc8ad80b0e8d04d24020
SHA1

381fc50028bbacc454e81e044599c7760456d84f
SHA256

ce3e76caa45a87af19623c62f6537b39eb71869452aa7f250ca6148c47306d52
SHA512

6a25e701503ffa86520b2d9d567e92d4399edd2a2a681fbbca8f9b26fe430171e8013b74ffdd1b8635fa6097f9d265bdde5de2639285dd6dc0661e1a547d5ae6
SSDEEP

1536:hbBmaWDwK5QPqfhVWbdsmA+RjPFLC+e5hSQ0ZGUGf2g:hNmncNPqfcxA+HFshXOg

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2696	$TMP!10@.COM

Loads dropped DLL 2 IoCs

pid	Process
2736	cmd.exe
2736	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2736	2380	74a00d3bd529cc8ad80b0e8d04d24020_NeikiAnalytics.exe	29
PID 2380 wrote to memory of 2736	2380	74a00d3bd529cc8ad80b0e8d04d24020_NeikiAnalytics.exe	29
PID 2380 wrote to memory of 2736	2380	74a00d3bd529cc8ad80b0e8d04d24020_NeikiAnalytics.exe	29
PID 2380 wrote to memory of 2736	2380	74a00d3bd529cc8ad80b0e8d04d24020_NeikiAnalytics.exe	29
PID 2736 wrote to memory of 2696	2736	cmd.exe	30
PID 2736 wrote to memory of 2696	2736	cmd.exe	30
PID 2736 wrote to memory of 2696	2736	cmd.exe	30
PID 2736 wrote to memory of 2696	2736	cmd.exe	30
PID 2696 wrote to memory of 2944	2696	$TMP!10@.COM	31
PID 2696 wrote to memory of 2944	2696	$TMP!10@.COM	31
PID 2696 wrote to memory of 2944	2696	$TMP!10@.COM	31
PID 2696 wrote to memory of 2944	2696	$TMP!10@.COM	31

C:\Users\Admin\AppData\Local\Temp\74a00d3bd529cc8ad80b0e8d04d24020_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\74a00d3bd529cc8ad80b0e8d04d24020_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c $TMP!10@.COM
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Users\Admin\AppData\Local\Temp\$TMP!10@.COM
    $TMP!10@.COM
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 00.exe
      4⤵
      PID:2944

C:\Users\Admin\AppData\Local\Temp\$TMP!10@.COM

Filesize
73KB

MD5
de67977c292fd656a3b0db45c6094844

SHA1
7514554759aca071a3743536dc798680e8816c65

SHA256
a90b9082a716dfda90dc7bb20ad9ac3a6658d4fd02698075e5a87e1695fa84cb

SHA512
cf1a6cd3fea3beb138bf1cf650b0701d85d3da383f206f5767d5155ced9dde0470ab04bbe82def0a93ecfa35a320e5ee50ab76079ec61e67fc5364fa2e25bfaa

Download Submit
memory/2380-11-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2696-10-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download