f45aa53da58838e5e089e84371ae7fd857635a40c0e8f0ff73c20492bd3b982e

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/06/2024, 23:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2324886bf4120d518db39b5c4eeafc30_NeikiAnalytics.exe
Size

12KB
MD5

2324886bf4120d518db39b5c4eeafc30
SHA1

f28b43ffaf117ae578bc2ed49b357b3f7e55720e
SHA256

f45aa53da58838e5e089e84371ae7fd857635a40c0e8f0ff73c20492bd3b982e
SHA512

55688c8c14a7a17343d92864cbfb123b3f5e9b98b3d18183510f3a7499d54f0375c788e75cca1ec7e92923953cd739bd2c357ca07b8b4c3b38d9f707f48b95d8
SSDEEP

192:ctfT5qQ76ir6oE/ccx3u7mfM8xpQnScIUqjemc1FWWlJdxqHgr6Bo:6B7xO+mnvNrnWlJj+

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 14 IoCs

pid	Process
1836	240606231439434.exe
3288	242606231449528.exe
4384	242606231459262.exe
2444	242606231509669.exe
1092	242606231519825.exe
1616	242606231529872.exe
1524	242606231539684.exe
4984	242606231549731.exe
4576	242606231559591.exe
3644	242606231610981.exe
3004	242606231620637.exe
1124	242606231631731.exe
2472	242606231642309.exe
2572	242606231652247.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 1560	1900	2324886bf4120d518db39b5c4eeafc30_NeikiAnalytics.exe	96
PID 1900 wrote to memory of 1560	1900	2324886bf4120d518db39b5c4eeafc30_NeikiAnalytics.exe	96
PID 1560 wrote to memory of 1836	1560	cmd.exe	97
PID 1560 wrote to memory of 1836	1560	cmd.exe	97
PID 1836 wrote to memory of 2600	1836	240606231439434.exe	102
PID 1836 wrote to memory of 2600	1836	240606231439434.exe	102
PID 2600 wrote to memory of 3288	2600	cmd.exe	103
PID 2600 wrote to memory of 3288	2600	cmd.exe	103
PID 3288 wrote to memory of 4848	3288	242606231449528.exe	105
PID 3288 wrote to memory of 4848	3288	242606231449528.exe	105
PID 4848 wrote to memory of 4384	4848	cmd.exe	106
PID 4848 wrote to memory of 4384	4848	cmd.exe	106
PID 4384 wrote to memory of 492	4384	242606231459262.exe	107
PID 4384 wrote to memory of 492	4384	242606231459262.exe	107
PID 492 wrote to memory of 2444	492	cmd.exe	108
PID 492 wrote to memory of 2444	492	cmd.exe	108
PID 2444 wrote to memory of 2332	2444	242606231509669.exe	110
PID 2444 wrote to memory of 2332	2444	242606231509669.exe	110
PID 2332 wrote to memory of 1092	2332	cmd.exe	111
PID 2332 wrote to memory of 1092	2332	cmd.exe	111
PID 1092 wrote to memory of 2100	1092	242606231519825.exe	112
PID 1092 wrote to memory of 2100	1092	242606231519825.exe	112
PID 2100 wrote to memory of 1616	2100	cmd.exe	113
PID 2100 wrote to memory of 1616	2100	cmd.exe	113
PID 1616 wrote to memory of 4104	1616	242606231529872.exe	114
PID 1616 wrote to memory of 4104	1616	242606231529872.exe	114
PID 4104 wrote to memory of 1524	4104	cmd.exe	115
PID 4104 wrote to memory of 1524	4104	cmd.exe	115
PID 1524 wrote to memory of 3340	1524	242606231539684.exe	116
PID 1524 wrote to memory of 3340	1524	242606231539684.exe	116
PID 3340 wrote to memory of 4984	3340	cmd.exe	117
PID 3340 wrote to memory of 4984	3340	cmd.exe	117
PID 4984 wrote to memory of 3204	4984	242606231549731.exe	118
PID 4984 wrote to memory of 3204	4984	242606231549731.exe	118
PID 3204 wrote to memory of 4576	3204	cmd.exe	119
PID 3204 wrote to memory of 4576	3204	cmd.exe	119
PID 4576 wrote to memory of 3508	4576	242606231559591.exe	120
PID 4576 wrote to memory of 3508	4576	242606231559591.exe	120
PID 3508 wrote to memory of 3644	3508	cmd.exe	121
PID 3508 wrote to memory of 3644	3508	cmd.exe	121
PID 3644 wrote to memory of 2400	3644	242606231610981.exe	122
PID 3644 wrote to memory of 2400	3644	242606231610981.exe	122
PID 2400 wrote to memory of 3004	2400	cmd.exe	123
PID 2400 wrote to memory of 3004	2400	cmd.exe	123
PID 3004 wrote to memory of 1096	3004	242606231620637.exe	124
PID 3004 wrote to memory of 1096	3004	242606231620637.exe	124
PID 1096 wrote to memory of 1124	1096	cmd.exe	125
PID 1096 wrote to memory of 1124	1096	cmd.exe	125
PID 1124 wrote to memory of 4940	1124	242606231631731.exe	126
PID 1124 wrote to memory of 4940	1124	242606231631731.exe	126
PID 4940 wrote to memory of 2472	4940	cmd.exe	127
PID 4940 wrote to memory of 2472	4940	cmd.exe	127
PID 2472 wrote to memory of 4500	2472	242606231642309.exe	128
PID 2472 wrote to memory of 4500	2472	242606231642309.exe	128
PID 4500 wrote to memory of 2572	4500	cmd.exe	129
PID 4500 wrote to memory of 2572	4500	cmd.exe	129

C:\Users\Admin\AppData\Local\Temp\2324886bf4120d518db39b5c4eeafc30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2324886bf4120d518db39b5c4eeafc30_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\240606231439434.exe 000001
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Users\Admin\AppData\Local\Temp\240606231439434.exe
    C:\Users\Admin\AppData\Local\Temp\240606231439434.exe 000001
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1836
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606231449528.exe 000002
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Users\Admin\AppData\Local\Temp\242606231449528.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606231449528.exe 000002
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3288
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606231459262.exe 000003
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\242606231459262.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606231459262.exe 000003
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606231509669.exe 000004
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:492
        
        C:\Users\Admin\AppData\Local\Temp\242606231509669.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606231509669.exe 000004
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606231519825.exe 000005
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\242606231519825.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606231519825.exe 000005
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606231529872.exe 000006
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\242606231529872.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606231529872.exe 000006
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606231539684.exe 000007
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\242606231539684.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606231539684.exe 000007
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606231549731.exe 000008
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\242606231549731.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606231549731.exe 000008
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606231559591.exe 000009
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\242606231559591.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606231559591.exe 000009
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606231610981.exe 00000a
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\242606231610981.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606231610981.exe 00000a
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606231620637.exe 00000b
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\242606231620637.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606231620637.exe 00000b
        23⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606231631731.exe 00000c
        24⤵
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\242606231631731.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606231631731.exe 00000c
        25⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606231642309.exe 00000d
        26⤵
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\242606231642309.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606231642309.exe 00000d
        27⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606231652247.exe 00000e
        28⤵
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\242606231652247.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606231652247.exe 00000e
        29⤵
        Executes dropped EXE
        
        PID:2572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:5072

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240606231439434.exe

Filesize
13KB

MD5
027efa47fb949248ed6e79eb6a236dea

SHA1
dbe5fd08667383e9d699ff688edcc1eb9d546610

SHA256
d84e5e78c6d48781d0360a88ca0b559a29d14bd71f2b20ae7f482903e65e9096

SHA512
98c94db390095ee05641a50e0919ef176ec0017229790aaa33fc67d228f1a0cccc47b81fbe916d88d9725a891eff59ea01b0d9851c927985fcb3fd209c7b234e

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606231449528.exe

Filesize
13KB

MD5
10ec1c4d817c1d54c8d4eaa51dbf2dba

SHA1
2a65a19b329c2d920bdbecb268c0a23641fd51bf

SHA256
3ce4d7cd683e2e96fba6b72015bcef1084f2472ef4b4df1e433f2a438b84a0ef

SHA512
9f53dc50675fa61a62d3b83aa438a26431182f9bbfd96346bbca73a04ebb3066ef3405d1b099c3988b31eb6f75d811f9d724636740d7c5cb234ec8b897a63449

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606231459262.exe

Filesize
13KB

MD5
c8101a82b91c029bc8087d6c036e7794

SHA1
89c11c4fb70c46e6eb79d5eac08178751c36c150

SHA256
53a8f1b900fa27ef059874e63bd3b4ba410e836c76abcfa23faa5d9cbf6daf4b

SHA512
1ec820ec1b7ee344b6a4ddb57eb402ce8c5e0916874e0f6dc88e979219520562f44624cf6e4664c98c8f634352f7975aabc89b9d9bd975787c330328860f61e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606231509669.exe

Filesize
13KB

MD5
dea762eed4fed29d56c9226325b633a4

SHA1
85dcee90437cf592b04f72cd684eaaf8025bf74e

SHA256
98587486e0ab2cb80e26db1df57c986599161cd494af9f97a9d1ecdc37013ccc

SHA512
3bc63166467d9ebfbcadd50a7f454f4faefd6701eea8da3b5609e4bd2b583779fd48bd74cde5e3ddb428e1c5c6deadd4bca1e4fb8d36e9521a3b852892b54c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606231519825.exe

Filesize
13KB

MD5
541af6177712b14efe066a724d601000

SHA1
d91338baca8506db793010d9868d43a02b491ae6

SHA256
c75cc64997f4446106c95d8d954b3d9baab47d22825aa7c6d9b6349bf005cd16

SHA512
75a8ed3fad9adae6a422d450d4bb3819320c72486e08f6fd13856edcf1f79fac30dbf92b2ff8a3000064bdf317ffe86a0a217c302e4797c4d4a66bafc5c418ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606231529872.exe

Filesize
13KB

MD5
32a1187abcdc9f6ed96d1a4463280fcc

SHA1
80c9cc2c89643a434c7d5afeb55cfe2d4fbb1371

SHA256
4018810bf60ebcf350dc35ea6059d6674cd42418b2f455c943ce6896b5126a2a

SHA512
7064735232e170ee56589ef9daa4e256afaf4159a74ea25faa101ad7103ec2da1228b04d9e731cb9c7184897f8472f22dc45ac19818fe144f5a22b76e0752615

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606231539684.exe

Filesize
12KB

MD5
ab3f1b4b65970963575fd0377dbc1dff

SHA1
db814a928dfa374e3721a3011fa4d05373586340

SHA256
e1e1c64e901c0a13191333bab6658191345b96d14a87c5d41afbbd3676e43f96

SHA512
b2d8d00c81c658edfac0890127e3664e14fd517f3af87d8c7781400d717ed31f122d77266c242d3898f30a05f4e7c5afaf1dedcb282667b50a160a66ac4b8e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606231549731.exe

Filesize
13KB

MD5
7de47afc096236398ba7bfcaa20c4c32

SHA1
f2155c52b334b4cd55239e46872240d3917c9ecd

SHA256
57cca158d31808a1da25ff39a2445fc3913b835c3966756f51320f4bba5ab0af

SHA512
94448591c71ccba461368ff7bae78d16029c55664587cc2239309c2f9035cbfb778409fe986ae20c8070fda784910b14eae79d83bf1abc6b792cc95cc2fb7736

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606231559591.exe

Filesize
13KB

MD5
525cbe9f2c8b337e47cd2d92718f17cc

SHA1
39d0bce5a8dbf4431313eec8296c298260d59af8

SHA256
bc0c4481a85cdea6c2f3967ef2ea29bc7be0dd5dc0035f0cb2515259a357c25b

SHA512
0368f51882ea1a9cd6d1fc71a37f83501d1f60580e6787c282dc80428a9e6410190eca61820f19f2650fea5ee15b48784c1a6279e2851ded6006671e2245d4e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606231610981.exe

Filesize
12KB

MD5
ff658deaf9831578f7f3a0fca81b279e

SHA1
7c7cd9b14ceebb61ea570443dabc50b76ff800a6

SHA256
ae6549e0296dce05dd20af346f90dce3b1026ae599d4fc9494fe1304f58d9e54

SHA512
98223c1233c9e493fd3cce8c677e8a4b693699059ee07499b87e4c57ded473b73a64353236a622dc5354528de0b600a98c2a6a6076aa03b7591edddde96c943b

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606231620637.exe

Filesize
12KB

MD5
25baf1888f6d8092ed970f3c73039ef2

SHA1
7daf8225bbc2f001e81e6e80720a2c7b1ab20aab

SHA256
e1a8b2d62f4d8b7d5955abd30147d3505d6fcafa71b627bb532570ca6f34a482

SHA512
386e23bddec3ba40cfbd0b8011a4f82949351d237e2352d2eef3e02693c050c10651a86ce3546c22f0393d9d9274e4a45669e600e7176883380227006df32b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606231631731.exe

Filesize
13KB

MD5
6416a039a3b1f14911f90d717d6f2ac3

SHA1
d86c0fa0d48e4a36d90a390cacc99a1f4cef04f1

SHA256
2c4feedc1bd0e310695407463dda056ea3bf238a4d7bff9abf29bbfef8576fba

SHA512
d15d33456f014f628a4100aaf7de67ddf7a13a4158ac3fea10c20b699477098be6b4e6c3d497eff3a3079675b9b29a9168c8928b9b2154b3af935d4ed3d2bd63

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606231642309.exe

Filesize
13KB

MD5
cc7fabbb1d473c994bc8cd498d53af22

SHA1
4566506faa9289fbd1d80f5dcb10e03ff8739969

SHA256
dfc9e58fa24b9d1dec2e19cc810ef7860bbdd9cabeb0d76ad66267100362efab

SHA512
3489f0609851564ef343fe5d6dfc399d6cdadfb14e0841f892a0bd8a2fb93cc9aeb7bf3120c920839998316b0756d35b2e3ab9f772dc1d035d96327a5e421cac

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606231652247.exe

Filesize
13KB

MD5
79acb1294ea71d9fd8ea8b2222cd2800

SHA1
19755bb67a1d515e5fa14fc94e4315f6196515e9

SHA256
c87158ff15827c668ff44d890274c096963648219a365cba9fc4d300e5fc4e61

SHA512
13d50d8cd8fbda488d826275bc512f8f044237950995a669b8bf93e2afd25a9391457ea7cab5426841bb11d4177f6b1b1415f502a391e357695e4f444de7ad8a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads