Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/06/2024, 20:35
Static task: static1
Behavioral task: behavioral1
- Sample: 37117d2d5f95c210b3ffb9c16cc93ce0_NeikiAnalytics.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: 37117d2d5f95c210b3ffb9c16cc93ce0_NeikiAnalytics.exe
- Resource: win10v2004-20240426-en
General
- Target: 37117d2d5f95c210b3ffb9c16cc93ce0_NeikiAnalytics.exe
- Size: 12KB
- MD5: 37117d2d5f95c210b3ffb9c16cc93ce0
- SHA1: 9c25453e3c2638f527a8b347dd5dcf13f2b82589
- SHA256: 61acb95b77f53ad74c16ea0bcb40a1e2e0605198901ac798e8bb905a09138353
- SHA512: 75784bcccbc8e24ac41156246ba1dc94c954ba974195efcb14fb6ce4202033a2553f2958100182cb6a87bb4cb1566f013a2e22cdceb523af0ace2a845717c3ae
- SSDEEP: 192:4OCT55VDitib6Hf93Z7JYlvL7LwSkaHa3g9dm/H/WlJdxqHiaIy:W9i80OT+wKnWlJj+
Malware Config
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (12 IoCs)
  pid   Process
  2568  240606203549332.exe
  3504  242606203603050.exe
  4060  242606203616300.exe
  2264  242606203628253.exe
  1060  242606203639503.exe
  3084  242606203654003.exe
  1584  242606203706019.exe
  4644  242606203716785.exe
  1424  242606203726253.exe
  3288  242606203738175.exe
  3768  242606203749738.exe
  4232  242606203800050.exe
- Suspicious use of WriteProcessMemory (48 IoCs)
  description                        pid   Process                                              procid_target
  PID 4996 wrote to memory of 4672   4996  37117d2d5f95c210b3ffb9c16cc93ce0_NeikiAnalytics.exe  93
  PID 4996 wrote to memory of 4672   4996  37117d2d5f95c210b3ffb9c16cc93ce0_NeikiAnalytics.exe  93
  PID 4672 wrote to memory of 2568   4672  cmd.exe                                              94
  PID 4672 wrote to memory of 2568   4672  cmd.exe                                              94
  PID 2568 wrote to memory of 1428   2568  240606203549332.exe                                  95
  PID 2568 wrote to memory of 1428   2568  240606203549332.exe                                  95
  PID 1428 wrote to memory of 3504   1428  cmd.exe                                              96
  PID 1428 wrote to memory of 3504   1428  cmd.exe                                              96
  PID 3504 wrote to memory of 2920   3504  242606203603050.exe                                  98
  PID 3504 wrote to memory of 2920   3504  242606203603050.exe                                  98
  PID 2920 wrote to memory of 4060   2920  cmd.exe                                              99
  PID 2920 wrote to memory of 4060   2920  cmd.exe                                              99
  PID 4060 wrote to memory of 1464   4060  242606203616300.exe                                  100
  PID 4060 wrote to memory of 1464   4060  242606203616300.exe                                  100
  PID 1464 wrote to memory of 2264   1464  cmd.exe                                              101
  PID 1464 wrote to memory of 2264   1464  cmd.exe                                              101
  PID 2264 wrote to memory of 3340   2264  242606203628253.exe                                  102
  PID 2264 wrote to memory of 3340   2264  242606203628253.exe                                  102
  PID 3340 wrote to memory of 1060   3340  cmd.exe                                              103
  PID 3340 wrote to memory of 1060   3340  cmd.exe                                              103
  PID 1060 wrote to memory of 3224   1060  242606203639503.exe                                  104
  PID 1060 wrote to memory of 3224   1060  242606203639503.exe                                  104
  PID 3224 wrote to memory of 3084   3224  cmd.exe                                              105
  PID 3224 wrote to memory of 3084   3224  cmd.exe                                              105
  PID 3084 wrote to memory of 2960   3084  242606203654003.exe                                  106
  PID 3084 wrote to memory of 2960   3084  242606203654003.exe                                  106
  PID 2960 wrote to memory of 1584   2960  cmd.exe                                              107
  PID 2960 wrote to memory of 1584   2960  cmd.exe                                              107
  PID 1584 wrote to memory of 3748   1584  242606203706019.exe                                  108
  PID 1584 wrote to memory of 3748   1584  242606203706019.exe                                  108
  PID 3748 wrote to memory of 4644   3748  cmd.exe                                              109
  PID 3748 wrote to memory of 4644   3748  cmd.exe                                              109
  PID 4644 wrote to memory of 3972   4644  242606203716785.exe                                  110
  PID 4644 wrote to memory of 3972   4644  242606203716785.exe                                  110
  PID 3972 wrote to memory of 1424   3972  cmd.exe                                              111
  PID 3972 wrote to memory of 1424   3972  cmd.exe                                              111
  PID 1424 wrote to memory of 5092   1424  242606203726253.exe                                  112
  PID 1424 wrote to memory of 5092   1424  242606203726253.exe                                  112
  PID 5092 wrote to memory of 3288   5092  cmd.exe                                              113
  PID 5092 wrote to memory of 3288   5092  cmd.exe                                              113
  PID 3288 wrote to memory of 3596   3288  242606203738175.exe                                  114
  PID 3288 wrote to memory of 3596   3288  242606203738175.exe                                  114
  PID 3596 wrote to memory of 3768   3596  cmd.exe                                              115
  PID 3596 wrote to memory of 3768   3596  cmd.exe                                              115
  PID 3768 wrote to memory of 3952   3768  242606203749738.exe                                  116
  PID 3768 wrote to memory of 3952   3768  242606203749738.exe                                  116
  PID 3952 wrote to memory of 4232   3952  cmd.exe                                              117
  PID 3952 wrote to memory of 4232   3952  cmd.exe                                              117
Processes (depth in the process tree shown in brackets)
[1] "C:\Users\Admin\AppData\Local\Temp\37117d2d5f95c210b3ffb9c16cc93ce0_NeikiAnalytics.exe"
    PID 4996: Suspicious use of WriteProcessMemory
[2] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\240606203549332.exe 000001
    PID 4672: Suspicious use of WriteProcessMemory
[3] C:\Users\Admin\AppData\Local\Temp\240606203549332.exe 000001
    PID 2568: Executes dropped EXE; Suspicious use of WriteProcessMemory
[4] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203603050.exe 000002
    PID 1428: Suspicious use of WriteProcessMemory
[5] C:\Users\Admin\AppData\Local\Temp\242606203603050.exe 000002
    PID 3504: Executes dropped EXE; Suspicious use of WriteProcessMemory
[6] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203616300.exe 000003
    PID 2920: Suspicious use of WriteProcessMemory
[7] C:\Users\Admin\AppData\Local\Temp\242606203616300.exe 000003
    PID 4060: Executes dropped EXE; Suspicious use of WriteProcessMemory
[8] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203628253.exe 000004
    PID 1464: Suspicious use of WriteProcessMemory
[9] C:\Users\Admin\AppData\Local\Temp\242606203628253.exe 000004
    PID 2264: Executes dropped EXE; Suspicious use of WriteProcessMemory
[10] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203639503.exe 000005
    PID 3340: Suspicious use of WriteProcessMemory
[11] C:\Users\Admin\AppData\Local\Temp\242606203639503.exe 000005
    PID 1060: Executes dropped EXE; Suspicious use of WriteProcessMemory
[12] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203654003.exe 000006
    PID 3224: Suspicious use of WriteProcessMemory
[13] C:\Users\Admin\AppData\Local\Temp\242606203654003.exe 000006
    PID 3084: Executes dropped EXE; Suspicious use of WriteProcessMemory
[14] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203706019.exe 000007
    PID 2960: Suspicious use of WriteProcessMemory
[15] C:\Users\Admin\AppData\Local\Temp\242606203706019.exe 000007
    PID 1584: Executes dropped EXE; Suspicious use of WriteProcessMemory
[16] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203716785.exe 000008
    PID 3748: Suspicious use of WriteProcessMemory
[17] C:\Users\Admin\AppData\Local\Temp\242606203716785.exe 000008
    PID 4644: Executes dropped EXE; Suspicious use of WriteProcessMemory
[18] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203726253.exe 000009
    PID 3972: Suspicious use of WriteProcessMemory
[19] C:\Users\Admin\AppData\Local\Temp\242606203726253.exe 000009
    PID 1424: Executes dropped EXE; Suspicious use of WriteProcessMemory
[20] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203738175.exe 00000a
    PID 5092: Suspicious use of WriteProcessMemory
[21] C:\Users\Admin\AppData\Local\Temp\242606203738175.exe 00000a
    PID 3288: Executes dropped EXE; Suspicious use of WriteProcessMemory
[22] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203749738.exe 00000b
    PID 3596: Suspicious use of WriteProcessMemory
[23] C:\Users\Admin\AppData\Local\Temp\242606203749738.exe 00000b
    PID 3768: Executes dropped EXE; Suspicious use of WriteProcessMemory
[24] C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203800050.exe 00000c
    PID 3952: Suspicious use of WriteProcessMemory
[25] C:\Users\Admin\AppData\Local\Temp\242606203800050.exe 00000c
    PID 4232: Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads