a0e656a1efa3fb5100b849d2d4cff9564f19921a0f4a473e8835afe610de9189

Analysis

max time kernel
145s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
06/06/2024, 23:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2628b3b5d4e202457024cc9af84ca850_NeikiAnalytics.exe
Size

13KB
MD5

2628b3b5d4e202457024cc9af84ca850
SHA1

bca6dc95c350a124e60b43514fe978f66dde8aea
SHA256

a0e656a1efa3fb5100b849d2d4cff9564f19921a0f4a473e8835afe610de9189
SHA512

2e39ef7950c23daf54e58f23296d13c654e37bb09aade47f6b312809b404c75a727c0eef2ff77027d98aca711e74191adf294fe797e606f69cfcb82654c251af
SSDEEP

192:mB77I1fRivRgFxO6D79C8SZ++Xo4DeGysPstj8rhjCW/Y12yDzzz1K74WlJdxqHx:Wqiv6FxBXnTuyreEXDzzzHWlJj+nx

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 15 IoCs

pid	Process
3756	242606235830345.exe
3504	242606235840236.exe
1796	242606235849892.exe
2080	242606235900142.exe
1904	242606235910033.exe
4940	242606235919205.exe
3852	242606235928752.exe
1588	242606235938002.exe
1336	242606235947064.exe
2484	242606235956986.exe
4428	242607000006830.exe
3952	242607000016423.exe
3628	242607000025705.exe
2444	242607000035752.exe
1120	242607000046158.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 1912	1484	2628b3b5d4e202457024cc9af84ca850_NeikiAnalytics.exe	87
PID 1484 wrote to memory of 1912	1484	2628b3b5d4e202457024cc9af84ca850_NeikiAnalytics.exe	87
PID 1912 wrote to memory of 3756	1912	cmd.exe	88
PID 1912 wrote to memory of 3756	1912	cmd.exe	88
PID 3756 wrote to memory of 4048	3756	242606235830345.exe	91
PID 3756 wrote to memory of 4048	3756	242606235830345.exe	91
PID 4048 wrote to memory of 3504	4048	cmd.exe	92
PID 4048 wrote to memory of 3504	4048	cmd.exe	92
PID 3504 wrote to memory of 4544	3504	242606235840236.exe	94
PID 3504 wrote to memory of 4544	3504	242606235840236.exe	94
PID 4544 wrote to memory of 1796	4544	cmd.exe	95
PID 4544 wrote to memory of 1796	4544	cmd.exe	95
PID 1796 wrote to memory of 5024	1796	242606235849892.exe	96
PID 1796 wrote to memory of 5024	1796	242606235849892.exe	96
PID 5024 wrote to memory of 2080	5024	cmd.exe	97
PID 5024 wrote to memory of 2080	5024	cmd.exe	97
PID 2080 wrote to memory of 3344	2080	242606235900142.exe	98
PID 2080 wrote to memory of 3344	2080	242606235900142.exe	98
PID 3344 wrote to memory of 1904	3344	cmd.exe	99
PID 3344 wrote to memory of 1904	3344	cmd.exe	99
PID 1904 wrote to memory of 3584	1904	242606235910033.exe	100
PID 1904 wrote to memory of 3584	1904	242606235910033.exe	100
PID 3584 wrote to memory of 4940	3584	cmd.exe	101
PID 3584 wrote to memory of 4940	3584	cmd.exe	101
PID 4940 wrote to memory of 3108	4940	242606235919205.exe	102
PID 4940 wrote to memory of 3108	4940	242606235919205.exe	102
PID 3108 wrote to memory of 3852	3108	cmd.exe	103
PID 3108 wrote to memory of 3852	3108	cmd.exe	103
PID 3852 wrote to memory of 2772	3852	242606235928752.exe	104
PID 3852 wrote to memory of 2772	3852	242606235928752.exe	104
PID 2772 wrote to memory of 1588	2772	cmd.exe	105
PID 2772 wrote to memory of 1588	2772	cmd.exe	105
PID 1588 wrote to memory of 320	1588	242606235938002.exe	106
PID 1588 wrote to memory of 320	1588	242606235938002.exe	106
PID 320 wrote to memory of 1336	320	cmd.exe	107
PID 320 wrote to memory of 1336	320	cmd.exe	107
PID 1336 wrote to memory of 2160	1336	242606235947064.exe	108
PID 1336 wrote to memory of 2160	1336	242606235947064.exe	108
PID 2160 wrote to memory of 2484	2160	cmd.exe	109
PID 2160 wrote to memory of 2484	2160	cmd.exe	109
PID 2484 wrote to memory of 4360	2484	242606235956986.exe	110
PID 2484 wrote to memory of 4360	2484	242606235956986.exe	110
PID 4360 wrote to memory of 4428	4360	cmd.exe	111
PID 4360 wrote to memory of 4428	4360	cmd.exe	111
PID 4428 wrote to memory of 4224	4428	242607000006830.exe	112
PID 4428 wrote to memory of 4224	4428	242607000006830.exe	112
PID 4224 wrote to memory of 3952	4224	cmd.exe	113
PID 4224 wrote to memory of 3952	4224	cmd.exe	113
PID 3952 wrote to memory of 4640	3952	242607000016423.exe	114
PID 3952 wrote to memory of 4640	3952	242607000016423.exe	114
PID 4640 wrote to memory of 3628	4640	cmd.exe	115
PID 4640 wrote to memory of 3628	4640	cmd.exe	115
PID 3628 wrote to memory of 4204	3628	242607000025705.exe	116
PID 3628 wrote to memory of 4204	3628	242607000025705.exe	116
PID 4204 wrote to memory of 2444	4204	cmd.exe	117
PID 4204 wrote to memory of 2444	4204	cmd.exe	117
PID 2444 wrote to memory of 2060	2444	242607000035752.exe	118
PID 2444 wrote to memory of 2060	2444	242607000035752.exe	118
PID 2060 wrote to memory of 1120	2060	cmd.exe	119
PID 2060 wrote to memory of 1120	2060	cmd.exe	119

C:\Users\Admin\AppData\Local\Temp\2628b3b5d4e202457024cc9af84ca850_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2628b3b5d4e202457024cc9af84ca850_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606235830345.exe 000001
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Users\Admin\AppData\Local\Temp\242606235830345.exe
    C:\Users\Admin\AppData\Local\Temp\242606235830345.exe 000001
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3756
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606235840236.exe 000002
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4048
    - - C:\Users\Admin\AppData\Local\Temp\242606235840236.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606235840236.exe 000002
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3504
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606235849892.exe 000003
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\242606235849892.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606235849892.exe 000003
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606235900142.exe 000004
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\242606235900142.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606235900142.exe 000004
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606235910033.exe 000005
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\242606235910033.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606235910033.exe 000005
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606235919205.exe 000006
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\242606235919205.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606235919205.exe 000006
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606235928752.exe 000007
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\242606235928752.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606235928752.exe 000007
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606235938002.exe 000008
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\242606235938002.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606235938002.exe 000008
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606235947064.exe 000009
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\242606235947064.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606235947064.exe 000009
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606235956986.exe 00000a
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\242606235956986.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606235956986.exe 00000a
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242607000006830.exe 00000b
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\242607000006830.exe
        
        C:\Users\Admin\AppData\Local\Temp\242607000006830.exe 00000b
        23⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242607000016423.exe 00000c
        24⤵
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\242607000016423.exe
        
        C:\Users\Admin\AppData\Local\Temp\242607000016423.exe 00000c
        25⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242607000025705.exe 00000d
        26⤵
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\242607000025705.exe
        
        C:\Users\Admin\AppData\Local\Temp\242607000025705.exe 00000d
        27⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242607000035752.exe 00000e
        28⤵
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\242607000035752.exe
        
        C:\Users\Admin\AppData\Local\Temp\242607000035752.exe 00000e
        29⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242607000046158.exe 00000f
        30⤵
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\242607000046158.exe
        
        C:\Users\Admin\AppData\Local\Temp\242607000046158.exe 00000f
        31⤵
        Executes dropped EXE
        
        PID:1120

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\242606235830345.exe

Filesize
14KB

MD5
d25e2f1a28d5f24f0803bbf954489435

SHA1
676aae5fa0d37b84e20baa9b48a7d1a1dd966ad9

SHA256
7ece98153e77610ad375c5ade58fe9ce0f6986a5f602f7f798348802fb3b5d8b

SHA512
d36e38121e3432fe5d33fd76d79f8d5212655578c3cd226d9b7baee218875b99fb2a545b802b7cd34b5479da1a8536cfa2574ec4a2aabba7414dbf0e4cd648c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606235840236.exe

Filesize
12KB

MD5
eb64bb839e2e39037c72c1bbb5f0aa3a

SHA1
5c4b5daf01702d4b429a074c9380b6a96c967652

SHA256
88de09b6ee59049d9d384ce760eaafa756a92066557cfff29e287ca02c74709b

SHA512
c2aefc05575b81d292fdbab0e70bedcf184265dde48817b2f477d4bdb788567daedfa1e6ef7185b054d362738bd9b5656aa93e36ad6ebd4d5987904de162e803

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606235849892.exe

Filesize
13KB

MD5
422c510ea4be8dc33a899ab49852a43b

SHA1
36019c368cfff1bd378c779f0c093dbd7d49bc59

SHA256
58e66a2a74a8833b874a4e5a73168f7f6459557c3a4eea3194f58459de824f7e

SHA512
3ada2b76e845c3054536e4333d6a0f46bff659723b5ef1324d18d34841cdc3bf9890aa3af832daa885a2e78440e3b8f865579495ad4e7fb1d738de89bddfd057

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606235900142.exe

Filesize
14KB

MD5
84acd1874964e9e6bd56b13e94511bdb

SHA1
9abb92b56be8326ce393d102e43c5eaaa9c01926

SHA256
d0c92b5dea68745c4b25529886886cde8e319f93a803f25056f3fa59bf0f155c

SHA512
5c818bacf2a6b0a29a35d072209a8365cfe2e0946f88e83ba4149f54c9e5658942454290a2455d4db9cecc67ed2a6f226c1012d142aa1375e84ed636958b7926

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606235910033.exe

Filesize
12KB

MD5
c34019a8fbd5e1242a115310983434d7

SHA1
0c63ecd6dd477b70545dcb76fcae2b01b59da379

SHA256
8fd5ad2c55895974c079f164cb6acd533d38c41e1d1bf97587492415e7a3edab

SHA512
7204e764aa9ab14fbc23041cc40f4c16478f8ea1e216da27a5247d3530b52a6594d8007a90de5193e8e31c4be8454ece9f90acfbea3b83562379b1006734294e

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606235919205.exe

Filesize
13KB

MD5
2a5085cba5fb392d0c996100bb1fbd27

SHA1
28f7dbed8357ba657e79421955958bc73a7fb640

SHA256
58522467b177bfe9019e854b0b774ef1dc28f2715b4c86e66bcd7c6dba816136

SHA512
35c6868a3ae4c4c8a9e332f392afe2f0b4cc9a05780317bf31a4ce1da8675673e6c8ef9ff01fa97b25dd0e4cb2c6356bf330c28159ff520d01a68ffc85adab60

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606235928752.exe

Filesize
13KB

MD5
b2a64f73c595d257961627aa004fe094

SHA1
0c6b9963f8121003f5330a82361bfee1e3ecbb2b

SHA256
6c6629575526e5c4b16b1735e61fab78e347e1a1b18024cf417ef4386325ddaa

SHA512
1b807d002570693c18a6948823ab681562388ffec23e4d4edb16b0239ca7b7453db8dfaf3862bd45bbd5bda8efafe7c54ed53e4d018b6702d6b257310474c7fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606235938002.exe

Filesize
14KB

MD5
849423f8896da998cd8ea0733f4bbaf7

SHA1
d2b4375a48db321d9c1a2343509dbff9254ee845

SHA256
584c43457cef4343d0fb6c7968551916204142aac9e2de0ac8667002a98688f9

SHA512
1e30179b52842cff40bd5b760c3f187bc7ed6557780088c22d3bc2402eeb85c76b2d21292803aa6e6bae804e3f44e566e50bc6a2ffff726c87f85b950a92d0d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606235947064.exe

Filesize
13KB

MD5
b71b546bef48e9e29db87545e88f8d54

SHA1
2b8f3fdb3e38bc1b9000f75c18ca8e3ae80e57fc

SHA256
0b7a3d0f00a2307ba54678dd8b07408cb5eeb4c5644a42ce03f4b425f6e523aa

SHA512
71f48a925403d88c72d0ba77667ebbe203fb6d5e8cbe8f6ef77de9898366d8c7935c6cd92a81eaf4bc41551e413720d8ac708877625062ed37fe5af1162fab7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606235956986.exe

Filesize
12KB

MD5
7006c58e79a70eb32070c0cec4146b3e

SHA1
aa0cf5e4886cfd6db57087e3ee19180658b2d3b2

SHA256
8746b5d79c90677230e9bf3243992b6e29dca9b82ab7a37d4d2f2b7e716b6f64

SHA512
d5a02a009471dee3f619e7cd1f7eeadf7ae427af0a30fbd8920c0f55d97448bd4f09151a5402e55e3678b8cdfbd5ec6ff0b249eebb280e867daaa72b224d216b

Download Submit
C:\Users\Admin\AppData\Local\Temp\242607000006830.exe

Filesize
14KB

MD5
ea5ad711da72953c5f8b62f0ea923023

SHA1
fe38c3506c6da1467686a2ed030bf0cba673f4f6

SHA256
969d646d92735832b8caa4c2dd121c1fae60ed40e58e27c51e6e1911baa4b528

SHA512
c2f0eb4a9b5d453d41ebcb99966b9e2d2caf7aa0d7e77acf007c84f7e6289a431bf7c5e1ee6628036943df6ee94a64574edd44a0b6baea646e289bfc3a23dd04

Download Submit
C:\Users\Admin\AppData\Local\Temp\242607000016423.exe

Filesize
13KB

MD5
07c8bb1f202b722ce4b795af5dd4d055

SHA1
e8f09fb49733cb5c03f92423345ed7950961050b

SHA256
5e6057730adbc623631f0e14778667597b65bb94736eaa8db767a5be3c1a1de7

SHA512
1ce7c5d897da9d4560155ed0386a5ae632a24a6a0ec406e29150fc22461d743fe99cce647adc75395725cc646c1bcb4006817ffd129c60a0bc4b404c397ae535

Download Submit
C:\Users\Admin\AppData\Local\Temp\242607000025705.exe

Filesize
12KB

MD5
ccb12b070f0e5a222add44f2036d4afd

SHA1
9902785dcfeddd4acc5eee4b62570bc984287e3f

SHA256
6034a70ab23a8da85fbe000025a1f96ad4a58c2345505ad5c3371754e12c2c41

SHA512
9ba091e4b0ab57d833cb976657f6eab7016c5d5b0026f106b4a237f56393f8797ea978e93541f4ca5d4804a1b89405ea7af0a15df78dac7e12049442dd3f3d71

Download Submit
C:\Users\Admin\AppData\Local\Temp\242607000035752.exe

Filesize
12KB

MD5
6587feff7796e53f769952739b838e1d

SHA1
c2b184b6befc3d3a637c7c0eca6a9ea7435bd7ab

SHA256
2425c3e75076746b42ae9f696d86417120edcc62655cc3593c494fc674326e9b

SHA512
f74f7bb6e403faabf7e3373152e584fbb8a1aa29f94dfc495cf4c9de659997a27bb89f73760a41e17b4066ba2a71f11336b396417c62f2521d10b4f7462a785a

Download Submit
C:\Users\Admin\AppData\Local\Temp\242607000046158.exe

Filesize
13KB

MD5
53b68cba809113a225547895117e2d92

SHA1
f389800ee32e7d2a28dc841e79376ebc2ece4e30

SHA256
b03d77d5ab77b263e1173002060c3c74b44f91d606f400b0305bba84a73a6cf5

SHA512
ad5af6d3c607e7369a6e1500c61ff42c6e855fb28120196a8714a7dadb8cf5b80fe8bad3d8b5a7834f45ae96d1563c12fbb651278a1493bd74c0594df5195a6e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads