f77da4b8c10545ee0f1ffd855c911172b38412582ba42fb3a293d623b88995db

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01/06/2024, 02:49

Target

8a9dfc30a5d9ee6bbcbb671723868960_NeikiAnalytics.exe
Size

73KB
MD5

8a9dfc30a5d9ee6bbcbb671723868960
SHA1

b944a7bab1bd5dfba797767520ba5e19a52f0631
SHA256

f77da4b8c10545ee0f1ffd855c911172b38412582ba42fb3a293d623b88995db
SHA512

2d98b1bc4ead487bda35fb2cf4aa883a099ef3fa19a80537f8b542e2cdfe32affb738cda29187006c0010274bbd5d2e6f4cbc00c0b16df50c97c71f9c1cd1e35
SSDEEP

1536:hbjR9dvD2K5QPqfhVWbdsmA+RjPFLC+e5hY0ZGUGf2g:h3dviNPqfcxA+HFshYOg

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2560	[email protected]

Loads dropped DLL 2 IoCs

pid	Process
2264	cmd.exe
2264	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 2264	1220	8a9dfc30a5d9ee6bbcbb671723868960_NeikiAnalytics.exe	29
PID 1220 wrote to memory of 2264	1220	8a9dfc30a5d9ee6bbcbb671723868960_NeikiAnalytics.exe	29
PID 1220 wrote to memory of 2264	1220	8a9dfc30a5d9ee6bbcbb671723868960_NeikiAnalytics.exe	29
PID 1220 wrote to memory of 2264	1220	8a9dfc30a5d9ee6bbcbb671723868960_NeikiAnalytics.exe	29
PID 2264 wrote to memory of 2560	2264	cmd.exe	30
PID 2264 wrote to memory of 2560	2264	cmd.exe	30
PID 2264 wrote to memory of 2560	2264	cmd.exe	30
PID 2264 wrote to memory of 2560	2264	cmd.exe	30
PID 2560 wrote to memory of 2952	2560	[email protected]	31
PID 2560 wrote to memory of 2952	2560	[email protected]	31
PID 2560 wrote to memory of 2952	2560	[email protected]	31
PID 2560 wrote to memory of 2952	2560	[email protected]	31

C:\Users\Admin\AppData\Local\Temp\8a9dfc30a5d9ee6bbcbb671723868960_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8a9dfc30a5d9ee6bbcbb671723868960_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c [email protected]
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    [email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 00.exe
      4⤵
      PID:2952

C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
73KB

MD5
9c0a062f5634ca2f1166a1f23679017e

SHA1
9d8ff9aa53fe9067d6ab605089b90b9ad729b12c

SHA256
61538b3a954b9cbc0bb9a152b52e4fc699ef1da9a8c43d5a51db01cbb689fb00

SHA512
6444310511cdcd8c7d868ce8072ece7af7b91dd86d1671c1d9b41785b9028ee84b6873277805bce1828e3f9b13403417def85b6a2309e799c2281748de420957

Download Submit
memory/1220-11-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2560-10-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download