Analysis

  • max time kernel
    155s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/06/2024, 20:34

General

  • Target

    173a6a2c9541cf72653bafe0928c2000_NeikiAnalytics.exe

  • Size

    13KB

  • MD5

    173a6a2c9541cf72653bafe0928c2000

  • SHA1

    cea6764f2f4efb655875ed90a1fc303c6751db9b

  • SHA256

    69e08247421ab76a58969c63494783c861046ab39beeeede4c29bcb2be20a69c

  • SHA512

    44a02915b74a9ef4b0fb4d2a98f1d6746f7bf678a084967ad4ceb9655dc77d0d9cf9125a35c8a3ae45a5c2e02d7b7b9579e1a644b28e94635346a9755c94e1df

  • SSDEEP

    192:ZHe9I140C4yBzO6ImOrSOMUll4Dj1GUxPa/oj9+TtKuACyLTHTJWlJdxqHXe91xZ:+qC422lyEUQAT9WlJj+Y

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 11 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\173a6a2c9541cf72653bafe0928c2000_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\173a6a2c9541cf72653bafe0928c2000_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4888
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203452446.exe 000001
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4468
      • C:\Users\Admin\AppData\Local\Temp\242606203452446.exe
        C:\Users\Admin\AppData\Local\Temp\242606203452446.exe 000001
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1688
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203509165.exe 000002
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2764
          • C:\Users\Admin\AppData\Local\Temp\242606203509165.exe
            C:\Users\Admin\AppData\Local\Temp\242606203509165.exe 000002
            5⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4520
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203519930.exe 000003
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:3980
              • C:\Users\Admin\AppData\Local\Temp\242606203519930.exe
                C:\Users\Admin\AppData\Local\Temp\242606203519930.exe 000003
                7⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:2724
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203533524.exe 000004
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4372
                  • C:\Users\Admin\AppData\Local\Temp\242606203533524.exe
                    C:\Users\Admin\AppData\Local\Temp\242606203533524.exe 000004
                    9⤵
                    • Executes dropped EXE
                    • Suspicious use of WriteProcessMemory
                    PID:3580
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203545289.exe 000005
                      10⤵
                      • Suspicious use of WriteProcessMemory
                      PID:4656
                      • C:\Users\Admin\AppData\Local\Temp\242606203545289.exe
                        C:\Users\Admin\AppData\Local\Temp\242606203545289.exe 000005
                        11⤵
                        • Executes dropped EXE
                        • Suspicious use of WriteProcessMemory
                        PID:4308
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203557430.exe 000006
                          12⤵
                          • Suspicious use of WriteProcessMemory
                          PID:3120
                          • C:\Users\Admin\AppData\Local\Temp\242606203557430.exe
                            C:\Users\Admin\AppData\Local\Temp\242606203557430.exe 000006
                            13⤵
                            • Executes dropped EXE
                            • Suspicious use of WriteProcessMemory
                            PID:3444
                            • C:\Windows\system32\cmd.exe
                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203616008.exe 000007
                              14⤵
                              • Suspicious use of WriteProcessMemory
                              PID:872
                              • C:\Users\Admin\AppData\Local\Temp\242606203616008.exe
                                C:\Users\Admin\AppData\Local\Temp\242606203616008.exe 000007
                                15⤵
                                • Executes dropped EXE
                                • Suspicious use of WriteProcessMemory
                                PID:1424
                                • C:\Windows\system32\cmd.exe
                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203629946.exe 000008
                                  16⤵
                                  • Suspicious use of WriteProcessMemory
                                  PID:912
                                  • C:\Users\Admin\AppData\Local\Temp\242606203629946.exe
                                    C:\Users\Admin\AppData\Local\Temp\242606203629946.exe 000008
                                    17⤵
                                    • Executes dropped EXE
                                    • Suspicious use of WriteProcessMemory
                                    PID:1040
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203641227.exe 000009
                                      18⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:4612
                                      • C:\Users\Admin\AppData\Local\Temp\242606203641227.exe
                                        C:\Users\Admin\AppData\Local\Temp\242606203641227.exe 000009
                                        19⤵
                                        • Executes dropped EXE
                                        • Suspicious use of WriteProcessMemory
                                        PID:3792
                                        • C:\Windows\system32\cmd.exe
                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203652258.exe 00000a
                                          20⤵
                                          • Suspicious use of WriteProcessMemory
                                          PID:1260
                                          • C:\Users\Admin\AppData\Local\Temp\242606203652258.exe
                                            C:\Users\Admin\AppData\Local\Temp\242606203652258.exe 00000a
                                            21⤵
                                            • Executes dropped EXE
                                            • Suspicious use of WriteProcessMemory
                                            PID:4016
                                            • C:\Windows\system32\cmd.exe
                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203707055.exe 00000b
                                              22⤵
                                              • Suspicious use of WriteProcessMemory
                                              PID:2980
                                              • C:\Users\Admin\AppData\Local\Temp\242606203707055.exe
                                                C:\Users\Admin\AppData\Local\Temp\242606203707055.exe 00000b
                                                23⤵
                                                • Executes dropped EXE
                                                PID:2120
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3996 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:2068

    Network

          MITRE ATT&CK Matrix

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\242606203452446.exe

            Filesize

            13KB

            MD5

            5cc3c38bc39e074585094ae51d42ae8a

            SHA1

            2d4d6f82a6af720dfd20662467c84baca9e39fc9

            SHA256

            1d109b9ff455f169a2c34792000023d0f5af1ee7c5da2ffc4f6d07fd83bf4ea1

            SHA512

            76b6ac6ca9de4cd5085affac2342f1e6d930098143c20d451a47f3cdf02366a81b3b6e92d91e049b552b0c3a4766c965d9ca62367f0cd61a9da79f42f45b8359

          • C:\Users\Admin\AppData\Local\Temp\242606203509165.exe

            Filesize

            13KB

            MD5

            150c6b2b1120d3a52e450e8c2778b158

            SHA1

            af5c9cdd0f585ace8755c049b37cb9060aa9aa57

            SHA256

            450b9c768bed28fed87aba49b6d2d355ae758e17af61901adb4a47c5c2549254

            SHA512

            7c31fec64018348932f10f4eabfd73149cfe97ebb1883f7404862ce8c18f4d2da82e509e7ece2186697acc185d463eea9e41d707295b443eec32eba06e556efd

          • C:\Users\Admin\AppData\Local\Temp\242606203519930.exe

            Filesize

            13KB

            MD5

            59dbc86fbf1b220a5449403947e16397

            SHA1

            8cdbd1feefb0ccff759139bb225cff73a0be0c69

            SHA256

            30582a36a49b196f8f6007fa71901d183f7f968d561c7fc3ca88f0e3904fafc7

            SHA512

            95b2ccf9c311e2ca3e37caa3a86673e63e74c68bfac90e4261da57227fc8eb36745fd459013a8cb4dfe7b998c06fd4116f53776506f6a99ff0bfdd53516e0d58

          • C:\Users\Admin\AppData\Local\Temp\242606203533524.exe

            Filesize

            12KB

            MD5

            2085802bf8d0b85df86c2386271a6ed5

            SHA1

            a216407e260c069e27bb182dd6caa5801efe490c

            SHA256

            bf83e79568a8d34289c796858c0cd2bcca838f7f71e841a6862deeb258ff4ef5

            SHA512

            7a46c05670bf814a020607f3ee55c36f445905b6c59e2a5ff726d0ba746fa0e7c8747200ad999ce764f49e6d130a0cbd53b235ae66816a95df1b0a0c08d7e4a6

          • C:\Users\Admin\AppData\Local\Temp\242606203545289.exe

            Filesize

            12KB

            MD5

            cb964412424d7d0befac1b370f31f417

            SHA1

            a2c62671871b1b01843bf09d25d41acfcd2ed380

            SHA256

            798b31b735e1d09d4f6940f5a22c20842d3d57225b7f5dff9575b144299995fe

            SHA512

            f18d597dad944c79f9dd73d7bb18ecc3b476776e6b36b573601fb759c46630fce208e40994f5301d6b4837c63bdfb4ffd4ccf615d3cb05aeb2052719532e652c

          • C:\Users\Admin\AppData\Local\Temp\242606203557430.exe

            Filesize

            13KB

            MD5

            14b02fbc4c564c342df2d358a3453569

            SHA1

            5b36d8a983dcacfe3f24bf8c9a03fbd4a70401a0

            SHA256

            442ec87b0e8299aa94d5e455a816652d87a880dde2944057ff69d755b1dc504a

            SHA512

            482c236b5b61bd44e8517480f994aea764bb2f12e53254d496798b61649865ea2acee8349315795478e9987de1a5674aaafd38c73ef1ecd37f3f347a9dff7390

          • C:\Users\Admin\AppData\Local\Temp\242606203616008.exe

            Filesize

            13KB

            MD5

            8eb1b22528d943b8b08abeedb5be6633

            SHA1

            16d2a92e3746e6c73a148d01ebf24c34b3333234

            SHA256

            3d0475f6cc6e4ee292c484b60c00bd85be3ba338f75b929645a9d6920308bf0c

            SHA512

            3173a93ba527798d95cba94b092697cde2285702c3df595377460bd7bfd043e8de30fcb7b0b33cb9ac42e0d233d78b7d220172be502d4c14e26f5d47a2f8b09e

          • C:\Users\Admin\AppData\Local\Temp\242606203629946.exe

            Filesize

            13KB

            MD5

            82fc37db6e9728be89f708ca837a508f

            SHA1

            8a23fa9c53fe616ea07695f229d396495743a981

            SHA256

            9eb3b49151cb039d4897132ac7e15f203653acad5f06bb2c7c9dffac19a80daa

            SHA512

            24e6ea1399f8898a7190e8669e745eb451ea2ef3ee40d93dd26c961b764f0dbf3466f14bbf5ad4874a6f254220cee3847da8a1b7a0105e31ecdba03ef84bc635

          • C:\Users\Admin\AppData\Local\Temp\242606203641227.exe

            Filesize

            13KB

            MD5

            feecb3de0c5a07e4dda59a150000d48a

            SHA1

            c0d2d3c4437d8057a10e8e52868abc3ba66da39e

            SHA256

            9b7a49494bd2cb6207ef9310600745358223e237aaff2f1990aa9b21cb40d1c6

            SHA512

            b10f31648e336a351a3cb0801e34f81bd015e778fb263a71fbdfd7de73563d69f24d31806b3e323a70c6eebe6935e9783da6943cd02dd18cf26d9571ff8b9c3b

          • C:\Users\Admin\AppData\Local\Temp\242606203652258.exe

            Filesize

            13KB

            MD5

            699734ad4c389af02bdd7c1208116a69

            SHA1

            798f228b03b2628891e33b7d28665ef583289b95

            SHA256

            eb635420accdcca2c95262e60fcb98b3d3e57de8e551151e293abf9d9164cd4d

            SHA512

            34914e3dbed739c31c4016eaa8d78be0da0c3ecb0bfd937b2172b8f0f635256fda1d424a5cb23ab5d253c7aa86204b9f04b64b091e5f2be8437767a434eff9ab

          • C:\Users\Admin\AppData\Local\Temp\242606203707055.exe

            Filesize

            13KB

            MD5

            8dbb1498cb0cd7eadbcf0665fd246a5c

            SHA1

            42c7491035fd1af1aec68cc0326cfacd31e26113

            SHA256

            0df236f0527684758b44745f0361d94beadcf2d56c353ca65979d2a1c2436c37

            SHA512

            744e68f4a91db84751244352fbb7ea42c6cb5b0ccb35703470a78039f99bed6802197dd110f3812116f6b38b5ea428b871315a9f45f9ca33dba5cf1004aea321