2327a8bfa5861aa9b63e96110d6df3e31c4d106e270186b7b0c09d08b3a10b33

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
06/06/2024, 21:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e72e40296daed8428d8b9e42f722500_NeikiAnalytics.exe
Size

12KB
MD5

1e72e40296daed8428d8b9e42f722500
SHA1

8faa83a1b6af146b7001f8913fb0b604c11d47c9
SHA256

2327a8bfa5861aa9b63e96110d6df3e31c4d106e270186b7b0c09d08b3a10b33
SHA512

db51c923826a7343b928616c44911eea7690c3061cce7d34c71f1da0c7976283402199d2dc66245508b7ec8bb925d98b6de3de3dedcb1aafc230f2e98abfd9c2
SSDEEP

192:aGKI1/H76txMt60qvXvftpBCz4zKnhCPscd8LRqY3VLGqvR/RnWlJdxqHbrhAw1x:kU6t+H2jjg5jYAWlJj+X

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 15 IoCs

pid	Process
5096	242606215538307.exe
1748	242606215548432.exe
2864	242606215559104.exe
3240	242606215609557.exe
1636	242606215619776.exe
1560	242606215629166.exe
1220	242606215638698.exe
3500	242606215648338.exe
3796	242606215658541.exe
3580	242606215708401.exe
4516	242606215717557.exe
116	242606215727276.exe
1460	242606215737791.exe
4856	242606215748151.exe
2424	242606215758698.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 4080 wrote to memory of 4160	4080	1e72e40296daed8428d8b9e42f722500_NeikiAnalytics.exe	94
PID 4080 wrote to memory of 4160	4080	1e72e40296daed8428d8b9e42f722500_NeikiAnalytics.exe	94
PID 4160 wrote to memory of 5096	4160	cmd.exe	95
PID 4160 wrote to memory of 5096	4160	cmd.exe	95
PID 5096 wrote to memory of 396	5096	242606215538307.exe	96
PID 5096 wrote to memory of 396	5096	242606215538307.exe	96
PID 396 wrote to memory of 1748	396	cmd.exe	97
PID 396 wrote to memory of 1748	396	cmd.exe	97
PID 1748 wrote to memory of 4428	1748	242606215548432.exe	99
PID 1748 wrote to memory of 4428	1748	242606215548432.exe	99
PID 4428 wrote to memory of 2864	4428	cmd.exe	100
PID 4428 wrote to memory of 2864	4428	cmd.exe	100
PID 2864 wrote to memory of 884	2864	242606215559104.exe	101
PID 2864 wrote to memory of 884	2864	242606215559104.exe	101
PID 884 wrote to memory of 3240	884	cmd.exe	102
PID 884 wrote to memory of 3240	884	cmd.exe	102
PID 3240 wrote to memory of 3820	3240	242606215609557.exe	103
PID 3240 wrote to memory of 3820	3240	242606215609557.exe	103
PID 3820 wrote to memory of 1636	3820	cmd.exe	104
PID 3820 wrote to memory of 1636	3820	cmd.exe	104
PID 1636 wrote to memory of 3652	1636	242606215619776.exe	105
PID 1636 wrote to memory of 3652	1636	242606215619776.exe	105
PID 3652 wrote to memory of 1560	3652	cmd.exe	106
PID 3652 wrote to memory of 1560	3652	cmd.exe	106
PID 1560 wrote to memory of 5088	1560	242606215629166.exe	107
PID 1560 wrote to memory of 5088	1560	242606215629166.exe	107
PID 5088 wrote to memory of 1220	5088	cmd.exe	108
PID 5088 wrote to memory of 1220	5088	cmd.exe	108
PID 1220 wrote to memory of 4456	1220	242606215638698.exe	109
PID 1220 wrote to memory of 4456	1220	242606215638698.exe	109
PID 4456 wrote to memory of 3500	4456	cmd.exe	110
PID 4456 wrote to memory of 3500	4456	cmd.exe	110
PID 3500 wrote to memory of 428	3500	242606215648338.exe	111
PID 3500 wrote to memory of 428	3500	242606215648338.exe	111
PID 428 wrote to memory of 3796	428	cmd.exe	112
PID 428 wrote to memory of 3796	428	cmd.exe	112
PID 3796 wrote to memory of 4252	3796	242606215658541.exe	113
PID 3796 wrote to memory of 4252	3796	242606215658541.exe	113
PID 4252 wrote to memory of 3580	4252	cmd.exe	114
PID 4252 wrote to memory of 3580	4252	cmd.exe	114
PID 3580 wrote to memory of 4072	3580	242606215708401.exe	115
PID 3580 wrote to memory of 4072	3580	242606215708401.exe	115
PID 4072 wrote to memory of 4516	4072	cmd.exe	116
PID 4072 wrote to memory of 4516	4072	cmd.exe	116
PID 4516 wrote to memory of 1052	4516	242606215717557.exe	117
PID 4516 wrote to memory of 1052	4516	242606215717557.exe	117
PID 1052 wrote to memory of 116	1052	cmd.exe	118
PID 1052 wrote to memory of 116	1052	cmd.exe	118
PID 116 wrote to memory of 2220	116	242606215727276.exe	119
PID 116 wrote to memory of 2220	116	242606215727276.exe	119
PID 2220 wrote to memory of 1460	2220	cmd.exe	120
PID 2220 wrote to memory of 1460	2220	cmd.exe	120
PID 1460 wrote to memory of 1888	1460	242606215737791.exe	121
PID 1460 wrote to memory of 1888	1460	242606215737791.exe	121
PID 1888 wrote to memory of 4856	1888	cmd.exe	122
PID 1888 wrote to memory of 4856	1888	cmd.exe	122
PID 4856 wrote to memory of 3688	4856	242606215748151.exe	123
PID 4856 wrote to memory of 3688	4856	242606215748151.exe	123
PID 3688 wrote to memory of 2424	3688	cmd.exe	124
PID 3688 wrote to memory of 2424	3688	cmd.exe	124

C:\Users\Admin\AppData\Local\Temp\1e72e40296daed8428d8b9e42f722500_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1e72e40296daed8428d8b9e42f722500_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606215538307.exe 000001
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4160
- - C:\Users\Admin\AppData\Local\Temp\242606215538307.exe
    C:\Users\Admin\AppData\Local\Temp\242606215538307.exe 000001
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5096
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606215548432.exe 000002
      4⤵
      Suspicious use of WriteProcessMemory
      PID:396
    - - C:\Users\Admin\AppData\Local\Temp\242606215548432.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606215548432.exe 000002
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1748
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606215559104.exe 000003
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\242606215559104.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606215559104.exe 000003
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606215609557.exe 000004
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\242606215609557.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606215609557.exe 000004
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606215619776.exe 000005
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\242606215619776.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606215619776.exe 000005
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606215629166.exe 000006
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\242606215629166.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606215629166.exe 000006
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606215638698.exe 000007
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\242606215638698.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606215638698.exe 000007
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606215648338.exe 000008
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\242606215648338.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606215648338.exe 000008
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606215658541.exe 000009
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\242606215658541.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606215658541.exe 000009
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3796
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606215708401.exe 00000a
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\242606215708401.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606215708401.exe 00000a
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606215717557.exe 00000b
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\242606215717557.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606215717557.exe 00000b
        23⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606215727276.exe 00000c
        24⤵
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\242606215727276.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606215727276.exe 00000c
        25⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606215737791.exe 00000d
        26⤵
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\242606215737791.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606215737791.exe 00000d
        27⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606215748151.exe 00000e
        28⤵
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\242606215748151.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606215748151.exe 00000e
        29⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606215758698.exe 00000f
        30⤵
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\242606215758698.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606215758698.exe 00000f
        31⤵
        Executes dropped EXE
        
        PID:2424

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\242606215538307.exe

Filesize
13KB

MD5
f549335f5f44cebc399c553252a7a808

SHA1
d265a039640d00b7c5c2b0b77c2f57a4d84f3e4c

SHA256
2e4576d8793aa77d2fb0bbe9df918f144b1f6f6fc77cda46413185aa24152e86

SHA512
11c4bf7293978b0a0d9d5d88c297d2e656c779f0996e1c454bcc99e2995b8c0ad99293d2ced51ab22d29bcc20ac5a91e013dea4b9d4560224e6cab1460ea285c

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606215548432.exe

Filesize
12KB

MD5
5d43b80d11ab3e8fbc2fb0e7f49803c1

SHA1
e4e41029b4b6822ad58ac42ad77fe3dbd422369a

SHA256
4a605ea76f43821f2cfd7bffb408ae36446bf303a1788bc79921e8d666a403b4

SHA512
e7cd6cc810115f36d83344c9d12db2455e105df350c21c926ee49a77c9cb5a4af72b58c71dcdc8d5c17f62184d21c75221068da6b5ade565698320138eb944eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606215559104.exe

Filesize
13KB

MD5
082cb88db6e2fa215282a7739821ed8d

SHA1
93e32b9da31d913433d377eee863b10d24cab0d0

SHA256
87c432e5946cea97d210461a8e2f4150c4aaa82198140b3279f562691a020577

SHA512
7b1ad199601bb063e9c29476d10654f720ecd066e0c1d8a0b52dc35489ad599669b6cd22db64713c9b976bedb2973a49da1198c22b068994c8de64f75dd8a5a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606215609557.exe

Filesize
12KB

MD5
36d9701018f96dcfda58392a188a2787

SHA1
8d0cb82b166de3f0578885209684bb65c0414bdb

SHA256
2563bf8dc808cbf8e3eb3604f941f3ebdb53abbb9a2f21ea46896d3c5860458b

SHA512
7d4885b4135a004a9bdaa3df028c2041866b0e9a91ad38618fdb21ab643bbdbe76c78df5b0bd52dfacfd16f537677b86291ccd1f73c4606521f8f00a659e39b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606215619776.exe

Filesize
13KB

MD5
8aefb215405bb7a7014bcc84ae2be5c6

SHA1
196bc98a0e0e651133c6b9b37c0de71cab551441

SHA256
fc1dda54d2c025af90ee0cef68594386d5244825802b1a2d4863cfbd0e7afbfb

SHA512
76f45b9d6507416503ba7ca502cf57caccd4f439dfd8d1844d0f4b03bda9517bf8fb4f2371d19e12af3ef8bb8ec762ca15155c06fce9a96a20f0e3551f55c7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606215629166.exe

Filesize
13KB

MD5
0efc831060602d4086ba543815f2a553

SHA1
9e6b3a0d7c3005e33f50b7cb6cfa4a681e65ecb4

SHA256
2d3b3149a6447b3630ddc8846afe0b0149c82812181f5504093cc5b013a1934f

SHA512
0d5a44bc4b679ca3d949c89d9036d6c198ff3b074076d8d83f6cb38e6a9ff78321ed5bb984d8394feda4fcde4c37ac6ddc0c74ae9af04eff272f4d82d99d601b

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606215638698.exe

Filesize
13KB

MD5
cda77beb5dfbc0e77ff3c2a9b6527ce1

SHA1
66f187d4842a5cd1129f2a4b9ea532c176eea555

SHA256
fbb6766968de7deefea7c3e05a023c665589c0d8b49a75ce17a6871c6757e76e

SHA512
858a3ab466b47cc706818b415b5f878c1e724f12aba2cd770c2a8b5232c4a4f5b67b643826716b6b379c36b0e996e7255596c85fb0fd1e19f63f639a1b41b6aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606215648338.exe

Filesize
12KB

MD5
96d961855d76e6ccb95c0aa9db0da828

SHA1
ffd2396786fe57ab56d48fa42ddf36d813b2bf45

SHA256
08ce8398f2932018b9afff8121cc57799a33528706cc09319c11959df251efad

SHA512
81a002605c55a3722685d4e591aaa441c5d7356aaebb34024e8ac4be94c81e730281e6e020d918638edb64615a1bde42e7d2d7b4850e6b176d295c882468b0e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606215658541.exe

Filesize
13KB

MD5
938bec681a8a950eef028d2d90e08abe

SHA1
c7d3f0608a0b3f3b2ea0c57890f952055abb6205

SHA256
e90765e6d200d8bfabd9a4e51796977f037abb95a053c9d10786d7b1426d50a4

SHA512
8c748d0b821dd023e5f72aa3d2e9b02e31a480a96f80214df519d51964db48491834ba0b29fd70b6aa551162976cbebdf761bc19931a6998ac8524ca109376f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606215708401.exe

Filesize
12KB

MD5
26e4caf5570d7af8e9f4386e557c2610

SHA1
243442985da36eb710f06c3f5df8e45f3adddad6

SHA256
cdaffb78b3802620f973a0bf2ad5aed577efab90ee5e18e7e42c2b7c601db033

SHA512
4221bfa0dc531a22907a1a3761cec16d833a173cee13c0e88b21f0150bc5f65ae07e658132397cbbb775a0ddff65b2aaa84bf0aa6b6ed15cc0037b6dadb714eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606215717557.exe

Filesize
13KB

MD5
893eb656b1c89791c13f1681441f743e

SHA1
ec31558299dc55fa635b1ff5371f75f38bb5c281

SHA256
22cd53552e716b04f08901310706d7f51c7f95baabcf18f73cb6c38b3c291eff

SHA512
8f305d04374c55edc8ca1a513b207cc7d9c40c334159186299eaabb3e3a766905e4bddfabb34bb9c2f68b7c715af0e396247725556a557a54915c43bbe626ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606215727276.exe

Filesize
13KB

MD5
661c147dca927dc666450a0aead1b262

SHA1
5150b060f18a4641eb46df77510c7205cf59cee9

SHA256
80df866eda6f5dba90723f133471a90404b2c683b690a5267d8acb7257bf4c9c

SHA512
d98ceb38325a84e7d85e7292ee75204b020dec4044ecbb50267db4fc501e264ab06d956c53c28ac17d90b45940d091c88db067f470096ca60b2f0c1d4112a692

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606215737791.exe

Filesize
12KB

MD5
01a5268b06264f1c92e79fe30adb3e1b

SHA1
53afe85ac589d6fe471134c90ef2980e2fcf4fb0

SHA256
1f0d833ce0cd8ad5fb058ecc7cc259ac937c2eb98be9649f4b087863be4b35ac

SHA512
3856110f07baab566ac5ef6c8c48269391709d8c11e5323e27399f67b4695cff611b1512c114f861ab60ba088028253efb3694ba00df47ebb18bf08a483dcae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606215748151.exe

Filesize
13KB

MD5
bc453e86f5821c65a3591cad2049c00b

SHA1
6bbbb70574d01405103430b5f71154589cdd785a

SHA256
66ed322b6e6d0d0d29bf90d72a822645a3fd9be1a845123d1bd2e603f2376185

SHA512
2226d3e6ec7123421ef360a4dbffda60eaa0ea3202bcff84b56e7a607618c11657f98f6ae74c10c99ac5e979c24136389a29bb742f701ce5ae9dd357aab50f0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606215758698.exe

Filesize
12KB

MD5
a6508899d73dd567c2facc0375f6fca9

SHA1
5ccaf6b6ac9c5a21124acf5c55a551f5a96f1454

SHA256
207dc47733fc5c0f694d9c58dcf6b8ba2e287e10a334c30c0bbb3636c5762406

SHA512
d31335998f425200d3c4384275554492a4b4d1d9c0c69980c6df872cc6d5212cb27afa023a944a955a2dd18442c862e86cd9f8d7e531105f1d4ed61335b6c2ee

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads