f128f8b6e8e0cebfac1768f0f171c0767102bb070c1c4c2e4381d0041c3cceae

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
01/06/2024, 07:10

Target

9216368c9767877d7e2ec3064a821590_NeikiAnalytics.exe
Size

73KB
MD5

9216368c9767877d7e2ec3064a821590
SHA1

f709a4560d8f7a282dac73c55a937fa3b721543d
SHA256

f128f8b6e8e0cebfac1768f0f171c0767102bb070c1c4c2e4381d0041c3cceae
SHA512

54f0f6b76e83d8bc3a2e998060d9252353a745b8b05fba242523da5c52baea79863a9adf69ab4338822256da478056085f5fbc7986de075b1133bce10e75e495
SSDEEP

1536:hbsEaMbDiK5QPqfhVWbdsmA+RjPFLC+e5h60ZGUGf2g:hQWXiNPqfcxA+HFsh6Og

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
1524	[email protected]

Loads dropped DLL 2 IoCs

pid	Process
3036	cmd.exe
3036	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 3036	2240	9216368c9767877d7e2ec3064a821590_NeikiAnalytics.exe	29
PID 2240 wrote to memory of 3036	2240	9216368c9767877d7e2ec3064a821590_NeikiAnalytics.exe	29
PID 2240 wrote to memory of 3036	2240	9216368c9767877d7e2ec3064a821590_NeikiAnalytics.exe	29
PID 2240 wrote to memory of 3036	2240	9216368c9767877d7e2ec3064a821590_NeikiAnalytics.exe	29
PID 3036 wrote to memory of 1524	3036	cmd.exe	30
PID 3036 wrote to memory of 1524	3036	cmd.exe	30
PID 3036 wrote to memory of 1524	3036	cmd.exe	30
PID 3036 wrote to memory of 1524	3036	cmd.exe	30
PID 1524 wrote to memory of 2744	1524	[email protected]	31
PID 1524 wrote to memory of 2744	1524	[email protected]	31
PID 1524 wrote to memory of 2744	1524	[email protected]	31
PID 1524 wrote to memory of 2744	1524	[email protected]	31

C:\Users\Admin\AppData\Local\Temp\9216368c9767877d7e2ec3064a821590_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9216368c9767877d7e2ec3064a821590_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c [email protected]
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    [email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1524
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 00.exe
      4⤵
      PID:2744

C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
73KB

MD5
bf5487dfc9e93efe090e9147e12ecee1

SHA1
6bebd6a252c419f21e4b4bfbcbd065f4381e87f3

SHA256
af3cd5fa6656bd10e68853d4ad3f469dfa50ea989561afef38ab64ad12d52d2e

SHA512
1fa32c6af08d6f0b88713340cc7039c4bad7c77eb0ee0ee04633ee6109874daf3d4cc80196b099ee89673a47081ad4e673494a58b9e817489af54e8dbba1d15f

Download Submit
memory/1524-10-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2240-11-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download