Analysis
- max time kernel: 155s
- max time network: 163s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/06/2024, 20:34
Static task: static1
Behavioral task: behavioral1
- Sample: 173a6a2c9541cf72653bafe0928c2000_NeikiAnalytics.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: 173a6a2c9541cf72653bafe0928c2000_NeikiAnalytics.exe
- Resource: win10v2004-20240226-en
General
- Target: 173a6a2c9541cf72653bafe0928c2000_NeikiAnalytics.exe
- Size: 13KB
- MD5: 173a6a2c9541cf72653bafe0928c2000
- SHA1: cea6764f2f4efb655875ed90a1fc303c6751db9b
- SHA256: 69e08247421ab76a58969c63494783c861046ab39beeeede4c29bcb2be20a69c
- SHA512: 44a02915b74a9ef4b0fb4d2a98f1d6746f7bf678a084967ad4ceb9655dc77d0d9cf9125a35c8a3ae45a5c2e02d7b7b9579e1a644b28e94635346a9755c94e1df
- SSDEEP: 192:ZHe9I140C4yBzO6ImOrSOMUll4Dj1GUxPa/oj9+TtKuACyLTHTJWlJdxqHXe91xZ:+qC422lyEUQAT9WlJj+Y
Malware Config
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (11 IoCs)
  pid   Process
  1688  242606203452446.exe
  4520  242606203509165.exe
  2724  242606203519930.exe
  3580  242606203533524.exe
  4308  242606203545289.exe
  3444  242606203557430.exe
  1424  242606203616008.exe
  1040  242606203629946.exe
  3792  242606203641227.exe
  4016  242606203652258.exe
  2120  242606203707055.exe
- Suspicious use of WriteProcessMemory (44 IoCs)
  description                        pid   Process                                              procid_target
  PID 4888 wrote to memory of 4468   4888  173a6a2c9541cf72653bafe0928c2000_NeikiAnalytics.exe  92
  PID 4888 wrote to memory of 4468   4888  173a6a2c9541cf72653bafe0928c2000_NeikiAnalytics.exe  92
  PID 4468 wrote to memory of 1688   4468  cmd.exe                                              93
  PID 4468 wrote to memory of 1688   4468  cmd.exe                                              93
  PID 1688 wrote to memory of 2764   1688  242606203452446.exe                                  99
  PID 1688 wrote to memory of 2764   1688  242606203452446.exe                                  99
  PID 2764 wrote to memory of 4520   2764  cmd.exe                                              100
  PID 2764 wrote to memory of 4520   2764  cmd.exe                                              100
  PID 4520 wrote to memory of 3980   4520  242606203509165.exe                                  105
  PID 4520 wrote to memory of 3980   4520  242606203509165.exe                                  105
  PID 3980 wrote to memory of 2724   3980  cmd.exe                                              106
  PID 3980 wrote to memory of 2724   3980  cmd.exe                                              106
  PID 2724 wrote to memory of 4372   2724  242606203519930.exe                                  107
  PID 2724 wrote to memory of 4372   2724  242606203519930.exe                                  107
  PID 4372 wrote to memory of 3580   4372  cmd.exe                                              108
  PID 4372 wrote to memory of 3580   4372  cmd.exe                                              108
  PID 3580 wrote to memory of 4656   3580  242606203533524.exe                                  109
  PID 3580 wrote to memory of 4656   3580  242606203533524.exe                                  109
  PID 4656 wrote to memory of 4308   4656  cmd.exe                                              110
  PID 4656 wrote to memory of 4308   4656  cmd.exe                                              110
  PID 4308 wrote to memory of 3120   4308  242606203545289.exe                                  111
  PID 4308 wrote to memory of 3120   4308  242606203545289.exe                                  111
  PID 3120 wrote to memory of 3444   3120  cmd.exe                                              112
  PID 3120 wrote to memory of 3444   3120  cmd.exe                                              112
  PID 3444 wrote to memory of 872    3444  242606203557430.exe                                  113
  PID 3444 wrote to memory of 872    3444  242606203557430.exe                                  113
  PID 872 wrote to memory of 1424    872   cmd.exe                                              114
  PID 872 wrote to memory of 1424    872   cmd.exe                                              114
  PID 1424 wrote to memory of 912    1424  242606203616008.exe                                  115
  PID 1424 wrote to memory of 912    1424  242606203616008.exe                                  115
  PID 912 wrote to memory of 1040    912   cmd.exe                                              116
  PID 912 wrote to memory of 1040    912   cmd.exe                                              116
  PID 1040 wrote to memory of 4612   1040  242606203629946.exe                                  117
  PID 1040 wrote to memory of 4612   1040  242606203629946.exe                                  117
  PID 4612 wrote to memory of 3792   4612  cmd.exe                                              118
  PID 4612 wrote to memory of 3792   4612  cmd.exe                                              118
  PID 3792 wrote to memory of 1260   3792  242606203641227.exe                                  119
  PID 3792 wrote to memory of 1260   3792  242606203641227.exe                                  119
  PID 1260 wrote to memory of 4016   1260  cmd.exe                                              120
  PID 1260 wrote to memory of 4016   1260  cmd.exe                                              120
  PID 4016 wrote to memory of 2980   4016  242606203652258.exe                                  121
  PID 4016 wrote to memory of 2980   4016  242606203652258.exe                                  121
  PID 2980 wrote to memory of 2120   2980  cmd.exe                                              122
  PID 2980 wrote to memory of 2120   2980  cmd.exe                                              122
Processes
- "C:\Users\Admin\AppData\Local\Temp\173a6a2c9541cf72653bafe0928c2000_NeikiAnalytics.exe" (depth 1, PID 4888)
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203452446.exe 000001 (depth 2, PID 4468)
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\242606203452446.exe 000001 (depth 3, PID 1688)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203509165.exe 000002 (depth 4, PID 2764)
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\242606203509165.exe 000002 (depth 5, PID 4520)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203519930.exe 000003 (depth 6, PID 3980)
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\242606203519930.exe 000003 (depth 7, PID 2724)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203533524.exe 000004 (depth 8, PID 4372)
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\242606203533524.exe 000004 (depth 9, PID 3580)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203545289.exe 000005 (depth 10, PID 4656)
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\242606203545289.exe 000005 (depth 11, PID 4308)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203557430.exe 000006 (depth 12, PID 3120)
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\242606203557430.exe 000006 (depth 13, PID 3444)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203616008.exe 000007 (depth 14, PID 872)
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\242606203616008.exe 000007 (depth 15, PID 1424)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203629946.exe 000008 (depth 16, PID 912)
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\242606203629946.exe 000008 (depth 17, PID 1040)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203641227.exe 000009 (depth 18, PID 4612)
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\242606203641227.exe 000009 (depth 19, PID 3792)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203652258.exe 00000a (depth 20, PID 1260)
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\242606203652258.exe 00000a (depth 21, PID 4016)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203707055.exe 00000b (depth 22, PID 2980)
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\242606203707055.exe 00000b (depth 23, PID 2120)
  - Executes dropped EXE
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3996 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8 (depth 1, PID 2068)
Downloads