Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/06/2024, 20:35

General

  • Target

    37117d2d5f95c210b3ffb9c16cc93ce0_NeikiAnalytics.exe

  • Size

    12KB

  • MD5

    37117d2d5f95c210b3ffb9c16cc93ce0

  • SHA1

    9c25453e3c2638f527a8b347dd5dcf13f2b82589

  • SHA256

    61acb95b77f53ad74c16ea0bcb40a1e2e0605198901ac798e8bb905a09138353

  • SHA512

    75784bcccbc8e24ac41156246ba1dc94c954ba974195efcb14fb6ce4202033a2553f2958100182cb6a87bb4cb1566f013a2e22cdceb523af0ace2a845717c3ae

  • SSDEEP

    192:4OCT55VDitib6Hf93Z7JYlvL7LwSkaHa3g9dm/H/WlJdxqHiaIy:W9i80OT+wKnWlJj+

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 12 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\37117d2d5f95c210b3ffb9c16cc93ce0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\37117d2d5f95c210b3ffb9c16cc93ce0_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4996
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\240606203549332.exe 000001
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4672
      • C:\Users\Admin\AppData\Local\Temp\240606203549332.exe
        C:\Users\Admin\AppData\Local\Temp\240606203549332.exe 000001
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2568
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203603050.exe 000002
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1428
          • C:\Users\Admin\AppData\Local\Temp\242606203603050.exe
            C:\Users\Admin\AppData\Local\Temp\242606203603050.exe 000002
            5⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:3504
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203616300.exe 000003
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2920
              • C:\Users\Admin\AppData\Local\Temp\242606203616300.exe
                C:\Users\Admin\AppData\Local\Temp\242606203616300.exe 000003
                7⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:4060
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203628253.exe 000004
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1464
                  • C:\Users\Admin\AppData\Local\Temp\242606203628253.exe
                    C:\Users\Admin\AppData\Local\Temp\242606203628253.exe 000004
                    9⤵
                    • Executes dropped EXE
                    • Suspicious use of WriteProcessMemory
                    PID:2264
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203639503.exe 000005
                      10⤵
                      • Suspicious use of WriteProcessMemory
                      PID:3340
                      • C:\Users\Admin\AppData\Local\Temp\242606203639503.exe
                        C:\Users\Admin\AppData\Local\Temp\242606203639503.exe 000005
                        11⤵
                        • Executes dropped EXE
                        • Suspicious use of WriteProcessMemory
                        PID:1060
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203654003.exe 000006
                          12⤵
                          • Suspicious use of WriteProcessMemory
                          PID:3224
                          • C:\Users\Admin\AppData\Local\Temp\242606203654003.exe
                            C:\Users\Admin\AppData\Local\Temp\242606203654003.exe 000006
                            13⤵
                            • Executes dropped EXE
                            • Suspicious use of WriteProcessMemory
                            PID:3084
                            • C:\Windows\system32\cmd.exe
                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203706019.exe 000007
                              14⤵
                              • Suspicious use of WriteProcessMemory
                              PID:2960
                              • C:\Users\Admin\AppData\Local\Temp\242606203706019.exe
                                C:\Users\Admin\AppData\Local\Temp\242606203706019.exe 000007
                                15⤵
                                • Executes dropped EXE
                                • Suspicious use of WriteProcessMemory
                                PID:1584
                                • C:\Windows\system32\cmd.exe
                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203716785.exe 000008
                                  16⤵
                                  • Suspicious use of WriteProcessMemory
                                  PID:3748
                                  • C:\Users\Admin\AppData\Local\Temp\242606203716785.exe
                                    C:\Users\Admin\AppData\Local\Temp\242606203716785.exe 000008
                                    17⤵
                                    • Executes dropped EXE
                                    • Suspicious use of WriteProcessMemory
                                    PID:4644
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203726253.exe 000009
                                      18⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:3972
                                      • C:\Users\Admin\AppData\Local\Temp\242606203726253.exe
                                        C:\Users\Admin\AppData\Local\Temp\242606203726253.exe 000009
                                        19⤵
                                        • Executes dropped EXE
                                        • Suspicious use of WriteProcessMemory
                                        PID:1424
                                        • C:\Windows\system32\cmd.exe
                                          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203738175.exe 00000a
                                          20⤵
                                          • Suspicious use of WriteProcessMemory
                                          PID:5092
                                          • C:\Users\Admin\AppData\Local\Temp\242606203738175.exe
                                            C:\Users\Admin\AppData\Local\Temp\242606203738175.exe 00000a
                                            21⤵
                                            • Executes dropped EXE
                                            • Suspicious use of WriteProcessMemory
                                            PID:3288
                                            • C:\Windows\system32\cmd.exe
                                              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203749738.exe 00000b
                                              22⤵
                                              • Suspicious use of WriteProcessMemory
                                              PID:3596
                                              • C:\Users\Admin\AppData\Local\Temp\242606203749738.exe
                                                C:\Users\Admin\AppData\Local\Temp\242606203749738.exe 00000b
                                                23⤵
                                                • Executes dropped EXE
                                                • Suspicious use of WriteProcessMemory
                                                PID:3768
                                                • C:\Windows\system32\cmd.exe
                                                  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203800050.exe 00000c
                                                  24⤵
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:3952
                                                  • C:\Users\Admin\AppData\Local\Temp\242606203800050.exe
                                                    C:\Users\Admin\AppData\Local\Temp\242606203800050.exe 00000c
                                                    25⤵
                                                    • Executes dropped EXE
                                                    PID:4232
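
The tree above is one linear chain: the sample runs cmd.exe /c with a freshly written EXE in %TEMP% and a six-digit hex counter (000001 through 00000c), the dropped EXE repeats the step, and the chain runs for twelve generations, which is why the "Executes dropped EXE" signature counts 12 IoCs and the Downloads list below has twelve entries. The following is an added example, not code from the report or from the sample: a Python detector that walks process-creation events and flags such a drop-and-relaunch chain, requiring that each cmd.exe /c hop actually launches the named %TEMP% file and that the counters increment by one. The event list is constructed from the PIDs and command lines in the tree (parent links taken from its nesting); the root process's parent PID (1000) and the regex for the hop are assumptions of the example, not something the report states.

```python
"""Detect a cmd.exe /c drop-and-relaunch chain in process-creation events.

Added example for this report, not the sandbox's own code. The events are
CONSTRUCTED from the PIDs and command lines in the process tree above; the
root process's parent PID (1000) is an assumption.
"""
import re
from collections import defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
CMD = r"C:\Windows\system32\cmd.exe"
ROOT_EXE = TEMP + r"\37117d2d5f95c210b3ffb9c16cc93ce0_NeikiAnalytics.exe"

# (cmd.exe PID, dropped EXE PID, dropped file name, counter argument), one per generation,
# copied from the process tree.
HOPS = [
    (4672, 2568, "240606203549332.exe", "000001"),
    (1428, 3504, "242606203603050.exe", "000002"),
    (2920, 4060, "242606203616300.exe", "000003"),
    (1464, 2264, "242606203628253.exe", "000004"),
    (3340, 1060, "242606203639503.exe", "000005"),
    (3224, 3084, "242606203654003.exe", "000006"),
    (2960, 1584, "242606203706019.exe", "000007"),
    (3748, 4644, "242606203716785.exe", "000008"),
    (3972, 1424, "242606203726253.exe", "000009"),
    (5092, 3288, "242606203738175.exe", "00000a"),
    (3596, 3768, "242606203749738.exe", "00000b"),
    (3952, 4232, "242606203800050.exe", "00000c"),
]

# Hop pattern (assumed for this example): cmd.exe /c <EXE under a user's local Temp> <six hex digits>
CMD_DROP_RE = re.compile(
    r'^"?[A-Za-z]:\\Windows\\system32\\cmd\.exe"?\s+/c\s+'
    r"(?P<exe>[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\\S+\.exe)\s+"
    r"(?P<counter>[0-9a-fA-F]{6})\s*$",
    re.IGNORECASE,
)


def build_events():
    """Return (pid, ppid, image, command_line) tuples mirroring the tree (constructed data)."""
    events = [(4996, 1000, ROOT_EXE, f'"{ROOT_EXE}"')]
    parent = 4996
    for cmd_pid, exe_pid, name, counter in HOPS:
        exe = TEMP + "\\" + name
        events.append((cmd_pid, parent, CMD, f"{CMD} /c {exe} {counter}"))
        events.append((exe_pid, cmd_pid, exe, f"{exe} {counter}"))
        parent = exe_pid
    return events


def longest_drop_chain(events, root_pid):
    """Longest sequence of hops below root_pid where each hop is
    cmd.exe /c <Temp EXE> <counter>, that EXE then appears as a child of the
    cmd.exe, and each hop's counter is the previous hop's counter + 1."""
    by_pid = {e[0]: e for e in events}
    children = defaultdict(list)
    for pid, ppid, _, _ in events:
        children[ppid].append(pid)

    def extend(pid, expected):
        best = []
        for cmd_pid in children.get(pid, []):
            m = CMD_DROP_RE.match(by_pid[cmd_pid][3])
            if not m:
                continue
            counter = int(m.group("counter"), 16)
            if expected is not None and counter != expected:
                continue  # counter sequence broken: not the same chain
            exe = m.group("exe")
            for exe_pid in children.get(cmd_pid, []):
                if by_pid[exe_pid][2].lower() != exe.lower():
                    continue  # cmd.exe did not actually run the dropped file
                cand = [(counter, exe, cmd_pid, exe_pid)] + extend(exe_pid, counter + 1)
                if len(cand) > len(best):
                    best = cand
        return best

    return extend(root_pid, None)


def assess(events, root_pid, min_generations=3):
    """Summarise the chain under root_pid; alert once it reaches min_generations."""
    chain = longest_drop_chain(events, root_pid)
    return {
        "generations": len(chain),
        "counters": [c[0] for c in chain],
        "dropped": [c[1] for c in chain],
        "alert": len(chain) >= min_generations,
    }


if __name__ == "__main__":
    events = build_events()
    result = assess(events, 4996)
    print(f"generations={result['generations']} alert={result['alert']}")
    for counter, exe, cmd_pid, exe_pid in longest_drop_chain(events, 4996):
        print(f"  {counter:2d}  cmd.exe pid {cmd_pid} -> {exe} (pid {exe_pid})")
```

Run against the constructed events it reports twelve generations with counters 1 through 12 and raises the alert; a cmd.exe /c line whose target never shows up as a child, or a counter that skips a value, ends the chain at that point, which keeps the rule from firing on an unrelated cmd.exe launch of a %TEMP% installer. The threshold of three generations is a starting point for tuning, not a value the report gives.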

Network

        MITRE ATT&CK Matrix

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\240606203549332.exe

          Filesize

          13KB

          MD5

          d0d6880502bbead351a87173675f31cf

          SHA1

          f02291544d27320015f247b83e4552f331b691ba

          SHA256

          ce29edcd61c8a701005bb11947708e5a99600e134ffb3e38ea8a2311217e71b5

          SHA512

          92f09ee8fa5e367f3fbf5a50ca3ac4f527c1de3993649b721302eb305ca431b79cf4713c3e55105bd6bbcde1a03094db7c70c1d85f4ba1eb4bcb5f9d0b97cd0f

        • C:\Users\Admin\AppData\Local\Temp\242606203603050.exe

          Filesize

          14KB

          MD5

          0a3a66d8ef2c9c35b3519e3d549004e5

          SHA1

          da2321bfbbae463b87d3627bc181645a1ff1b387

          SHA256

          d40b7ed908b8e8cab67f252619a419451b803429af67701cd320327f6ca46671

          SHA512

          e01b008db00c136e265f4a08fb2440bef58242ea701a72370d7db4df8e3b4548480d851e31cfb4a6f0c3886d4576a9734e4d80cca4d77442b48e0c9dbd8571e6

        • C:\Users\Admin\AppData\Local\Temp\242606203616300.exe

          Filesize

          12KB

          MD5

          6505c4bc05054c493fac20f93a3f0f52

          SHA1

          cd9de89f77cb12b3b2a8488601b07ee18b15ca0d

          SHA256

          df42bdd50be84a6bc8973b606742cdf0a09fb86f24ea7e04c82f10b26b547b29

          SHA512

          e482ddcbbd187761d31750605ad184f92438601aea30c35e0fabed01a68b40bc710b18a50e999a15ab33355ff214b47b99b893635742c175b9f30b5a908d6381

        • C:\Users\Admin\AppData\Local\Temp\242606203628253.exe

          Filesize

          13KB

          MD5

          2549561906a641061306e78b63d2d983

          SHA1

          c26bc557d91f4fd6fdce46e93f2ba7003c0dc3d5

          SHA256

          a3103bd409ae6e3c0180f582777753f6d05b91577316e546141bda02cb50faff

          SHA512

          edf56bf4c9cab93d20dfeae518b39f7a7ae107b61179fc74581758a3bfea4f209e81ad572ef53dd8c656b894109f33637a24719ceb9b1e6265e1ac20f7f8efa6

        • C:\Users\Admin\AppData\Local\Temp\242606203639503.exe

          Filesize

          13KB

          MD5

          1ace3fc93e32cb03229794e61d87d957

          SHA1

          444084812f62b2f19dea44ff780f3bd4303752b7

          SHA256

          14499598d5b6db4d58b11a9a374cf421961986a8f510cc6a667df02dee266edb

          SHA512

          5482483ce8500e85d24c221be665916a7fb890da528c8ab76a80902f48db10bfe4a45503006840675da4a653da726cc5e148f5838effcc75a3a305a4de2ebfd0

        • C:\Users\Admin\AppData\Local\Temp\242606203654003.exe

          Filesize

          13KB

          MD5

          caa9f6b2ff2839a4fc7c6f320138497e

          SHA1

          64770bd53e3919fa028f813ed010277ddc4b4aa2

          SHA256

          4ae6c3a6eecdb53f5eb27f1d3ee0c9d4d62124139201a406cb4938ae3551e2ad

          SHA512

          2068ee449b9f29a8e64448eccd4393fa681785992387e03080b8ab2edc5fddf93a410cc9d518c7a4a26bece729eaf851b40fe9f0f75d11e06c829e1bee783283

        • C:\Users\Admin\AppData\Local\Temp\242606203706019.exe

          Filesize

          13KB

          MD5

          6d5371a8b8c8c91e8d9ca5c67aa79a60

          SHA1

          91cfa80d93877823c919a76075d4127c787fb7de

          SHA256

          5f17e4c05642a6aacb1ae4b1525c3997113985406e675511e436be890b295891

          SHA512

          9488c5c90b783ce3b73ddb90a8c267bfce0723e2c6aadb31c10a7e4f41c5f9c899ca71343b16daf50162cb75fc5593df41d1efaf75899b63761385285f9a0562

        • C:\Users\Admin\AppData\Local\Temp\242606203716785.exe

          Filesize

          13KB

          MD5

          a6c44b70a42fb11b35c7b0dca7a29be0

          SHA1

          9a3cddd4978dbbb5ffa2447c38c7eeae11fbfc53

          SHA256

          988896b27b47f9293676e309eb65ee0f7db4b9b2805a07e56d47e62b79b41866

          SHA512

          2d195dba9e9a9b51a23f58f28f943e6f5ad710a9d3c6802f298cc893127c3b501954e0b2a2a6ec42a23c4fb36debc421a804f39b8835e63245829d059eb18dae

        • C:\Users\Admin\AppData\Local\Temp\242606203726253.exe

          Filesize

          13KB

          MD5

          74253133447a54e69353cbe68733de08

          SHA1

          c496e144f0b8e01c503a4b9e06fbeafa32078213

          SHA256

          737aeebfda2e705abf51345eba946ca697d317e410b0ef5480f3c0f82698ebd9

          SHA512

          cfc090a542400c2a0b049737c52047871ff220a2bce8ccd9555e358b5d9bbad480942ce1405aef2f71814c5b4864257de7c6f72f0adf26c54601c9b7e6fa3999

        • C:\Users\Admin\AppData\Local\Temp\242606203738175.exe

          Filesize

          13KB

          MD5

          63dc5e07b42a45c4b808d10fc861eafd

          SHA1

          18d43937cb1d7621daebb3fcb720f951414d91ce

          SHA256

          25d3d6f9c1f99dc8be1aa222e7778ba31ec9f3cffda327523c7fcbd13811ab3c

          SHA512

          296cd0297b18ce99ce515cfb54d4f8e76b7a6f6960862c9942ac4c2462731e799a7a04915f3a942e7178cb36f7af4d6b4cbb18a476729080b6282a0e74ae7092

        • C:\Users\Admin\AppData\Local\Temp\242606203749738.exe

          Filesize

          13KB

          MD5

          67ccad3da4d68c6bab572dd287c4582f

          SHA1

          026414056b7b209f46c7a16c294323fcb9182370

          SHA256

          e4f7ead7fd7023db96d8d37001da1036a77cbfa61bbafa781ef5599259bfa07f

          SHA512

          df1028c1439de83c33ec22ee759c979bd4a8995be97e3113c1012929ebc85f5b99ee2769628f18c1429659dd3785d3d62b50620601644bd462487d4d58884e57

        • C:\Users\Admin\AppData\Local\Temp\242606203800050.exe

          Filesize

          13KB

          MD5

          a89408d2e107392f85b87988dd7f40d5

          SHA1

          9e937c9906eeb7e1e889e1a4bee2942efa5dd8cb

          SHA256

          4748e8829507e99bfe75a9854e4ee459cd5a857aff3e1473b3313692bae0d18d

          SHA512

          02a23f1f002976d8614dfadf01228114ff049c7885efb3e0a68e827f2006e73aca20efccd5a7f46c5becac88969030bc74f033a3d2836fbe9138fe6ed8baba3b