9bc65d4bf809cb90eaaf8866c33324b19b3d78a6b06e223016870a4809f1f262

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
06/06/2024, 20:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4df62686efa57184259eb9e448a47ef0_NeikiAnalytics.exe
Size

13KB
MD5

4df62686efa57184259eb9e448a47ef0
SHA1

4b0d3eb87c8acbd64c26333293a98c4f16617d1b
SHA256

9bc65d4bf809cb90eaaf8866c33324b19b3d78a6b06e223016870a4809f1f262
SHA512

0999614bf7a9da35835ea3e72973d66b5f581589c5d04f7c513f39a82b393bd3cee4c9ac80c82410034ae0553b30ace328cba7676c7a0b9eb3439648fbfd69dc
SSDEEP

192:1B73I1fRivRgFxO6D79C8SZ++Xo4DeGLYisPidvi4aJwNL2yDzzzzWlJdxqHzVIv:Hqiv6FxBXnTuLYiPXDzzzzWlJj+Y

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 14 IoCs

pid	Process
4512	242606204441372.exe
4176	242606204455763.exe
2764	242606204506638.exe
3764	242606204516325.exe
4532	242606204525278.exe
2592	242606204534559.exe
960	242606204543481.exe
1612	242606204555325.exe
1144	242606204605216.exe
2432	242606204614731.exe
5040	242606204624231.exe
4784	242606204634716.exe
3196	242606204643997.exe
776	242606204653356.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 4364	1976	4df62686efa57184259eb9e448a47ef0_NeikiAnalytics.exe	95
PID 1976 wrote to memory of 4364	1976	4df62686efa57184259eb9e448a47ef0_NeikiAnalytics.exe	95
PID 4364 wrote to memory of 4512	4364	cmd.exe	96
PID 4364 wrote to memory of 4512	4364	cmd.exe	96
PID 4512 wrote to memory of 1540	4512	242606204441372.exe	97
PID 4512 wrote to memory of 1540	4512	242606204441372.exe	97
PID 1540 wrote to memory of 4176	1540	cmd.exe	98
PID 1540 wrote to memory of 4176	1540	cmd.exe	98
PID 4176 wrote to memory of 2348	4176	242606204455763.exe	102
PID 4176 wrote to memory of 2348	4176	242606204455763.exe	102
PID 2348 wrote to memory of 2764	2348	cmd.exe	103
PID 2348 wrote to memory of 2764	2348	cmd.exe	103
PID 2764 wrote to memory of 5088	2764	242606204506638.exe	104
PID 2764 wrote to memory of 5088	2764	242606204506638.exe	104
PID 5088 wrote to memory of 3764	5088	cmd.exe	105
PID 5088 wrote to memory of 3764	5088	cmd.exe	105
PID 3764 wrote to memory of 756	3764	242606204516325.exe	106
PID 3764 wrote to memory of 756	3764	242606204516325.exe	106
PID 756 wrote to memory of 4532	756	cmd.exe	107
PID 756 wrote to memory of 4532	756	cmd.exe	107
PID 4532 wrote to memory of 496	4532	242606204525278.exe	108
PID 4532 wrote to memory of 496	4532	242606204525278.exe	108
PID 496 wrote to memory of 2592	496	cmd.exe	109
PID 496 wrote to memory of 2592	496	cmd.exe	109
PID 2592 wrote to memory of 3532	2592	242606204534559.exe	111
PID 2592 wrote to memory of 3532	2592	242606204534559.exe	111
PID 3532 wrote to memory of 960	3532	cmd.exe	112
PID 3532 wrote to memory of 960	3532	cmd.exe	112
PID 960 wrote to memory of 4052	960	242606204543481.exe	113
PID 960 wrote to memory of 4052	960	242606204543481.exe	113
PID 4052 wrote to memory of 1612	4052	cmd.exe	114
PID 4052 wrote to memory of 1612	4052	cmd.exe	114
PID 1612 wrote to memory of 3584	1612	242606204555325.exe	115
PID 1612 wrote to memory of 3584	1612	242606204555325.exe	115
PID 3584 wrote to memory of 1144	3584	cmd.exe	116
PID 3584 wrote to memory of 1144	3584	cmd.exe	116
PID 1144 wrote to memory of 244	1144	242606204605216.exe	124
PID 1144 wrote to memory of 244	1144	242606204605216.exe	124
PID 244 wrote to memory of 2432	244	cmd.exe	125
PID 244 wrote to memory of 2432	244	cmd.exe	125
PID 2432 wrote to memory of 3236	2432	242606204614731.exe	126
PID 2432 wrote to memory of 3236	2432	242606204614731.exe	126
PID 3236 wrote to memory of 5040	3236	cmd.exe	127
PID 3236 wrote to memory of 5040	3236	cmd.exe	127
PID 5040 wrote to memory of 4428	5040	242606204624231.exe	128
PID 5040 wrote to memory of 4428	5040	242606204624231.exe	128
PID 4428 wrote to memory of 4784	4428	cmd.exe	129
PID 4428 wrote to memory of 4784	4428	cmd.exe	129
PID 4784 wrote to memory of 1548	4784	242606204634716.exe	130
PID 4784 wrote to memory of 1548	4784	242606204634716.exe	130
PID 1548 wrote to memory of 3196	1548	cmd.exe	131
PID 1548 wrote to memory of 3196	1548	cmd.exe	131
PID 3196 wrote to memory of 2548	3196	242606204643997.exe	134
PID 3196 wrote to memory of 2548	3196	242606204643997.exe	134
PID 2548 wrote to memory of 776	2548	cmd.exe	135
PID 2548 wrote to memory of 776	2548	cmd.exe	135

C:\Users\Admin\AppData\Local\Temp\4df62686efa57184259eb9e448a47ef0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4df62686efa57184259eb9e448a47ef0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606204441372.exe 000001
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4364
- - C:\Users\Admin\AppData\Local\Temp\242606204441372.exe
    C:\Users\Admin\AppData\Local\Temp\242606204441372.exe 000001
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4512
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606204455763.exe 000002
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1540
    - - C:\Users\Admin\AppData\Local\Temp\242606204455763.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606204455763.exe 000002
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4176
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606204506638.exe 000003
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\242606204506638.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606204506638.exe 000003
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606204516325.exe 000004
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\242606204516325.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606204516325.exe 000004
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3764
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606204525278.exe 000005
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\242606204525278.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606204525278.exe 000005
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606204534559.exe 000006
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:496
        
        C:\Users\Admin\AppData\Local\Temp\242606204534559.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606204534559.exe 000006
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606204543481.exe 000007
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\242606204543481.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606204543481.exe 000007
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606204555325.exe 000008
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\242606204555325.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606204555325.exe 000008
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606204605216.exe 000009
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\242606204605216.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606204605216.exe 000009
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606204614731.exe 00000a
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:244
        
        C:\Users\Admin\AppData\Local\Temp\242606204614731.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606204614731.exe 00000a
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606204624231.exe 00000b
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\242606204624231.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606204624231.exe 00000b
        23⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606204634716.exe 00000c
        24⤵
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\242606204634716.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606204634716.exe 00000c
        25⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606204643997.exe 00000d
        26⤵
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\242606204643997.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606204643997.exe 00000d
        27⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606204653356.exe 00000e
        28⤵
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\242606204653356.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606204653356.exe 00000e
        29⤵
        Executes dropped EXE
        
        PID:776

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\242606204441372.exe

Filesize
13KB

MD5
987525987354f143766fc557a8ab0485

SHA1
219aa97284793d926fa489e1a6f69dd3e51f4a54

SHA256
450bbf5ea1b7a91b7056c79f18d392432de9436c06b1cfcd1ca5d87fe427118c

SHA512
84702681bb47282fd1eae69fee403b8d2cd5bda7029521ca850c83a89bcfd988f12fcf53fd2d583f376baf153322bce0d6e5727539c122ba46dc4faec9b319fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606204455763.exe

Filesize
13KB

MD5
fb0aab9daada2fa670819b5b003fbe3f

SHA1
18d275ac77d8d5e0293a9513938685e39c4ec9d3

SHA256
814743126f410db3d47a6fa82202e0c91deec1ce846a60e30c9872fd4c7c36ab

SHA512
b43c89d2365f8f7b4d27800ad3c177b1ef4b3990f05d49c4a1e25a4042dd507ccc9f33bfab15e19a3bd7f0293e1b7a07b0f3b99db3a06473848f302c14dddec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606204506638.exe

Filesize
12KB

MD5
2c38f0a09bc5e4fd0334b7b4a17fd482

SHA1
f2014779c0c622478df55c8f5e3ea265e8bb7199

SHA256
564dcfcfd5f81f9000038a79d2cfc361a6d510428693cbffba7c01047b580ad8

SHA512
5ecbe422c0a9df62875e8140cf4089c3fec524aac9ddd6093d2abf70d28aaa1f19044bc01c973e42285b81e065ec2f38fd90a3eb8effdd0ab473fb78fcc543bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606204516325.exe

Filesize
13KB

MD5
9e5bed01eb26c8396a35d8d1d9b5d95b

SHA1
192e117c4c3c5bc8a198eaeb8856d8a6f9ec920d

SHA256
ae212d319ce3f2109989617bf55214f16968d6d75549a3b7c53bf92bddba1024

SHA512
bed55a29ba05503faad1bae80f394b33c9b82c44292d01fcd09a34254dd8ef72cd00a03001893410fc872ad634f7e8617d3636629f6c768f0e0af475e654849b

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606204525278.exe

Filesize
12KB

MD5
a4969cb91f670fff2961ad7c1f2f30b0

SHA1
c094aa2bdfaa11824fb093f23fdb53c49e08a808

SHA256
9b5faa71250a46615417282f7034049c7a16bed88fd90528549fbabe540cf884

SHA512
20670be93a156653bdf250a11e4f006a13a699b7a1a44beb3f442121dc10f7a9ac8cb417085f139abf93cec293b979f303fab63c83b6a6fd0a78b30937804b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606204534559.exe

Filesize
13KB

MD5
15e293a0b9f277c586c3712530888148

SHA1
e70183f190b9095b2d8071368675e9ec23a691ae

SHA256
521638f29083d92bfa092e1996f3f26fedbb6d5f5535d4c6f013516dc1b13862

SHA512
6ea90f1dcb108ee54aac1c93b4492d8dd75e2c3252890ea36161ce089c7be13790c1e79147794cfa640cb60a2ad1a974d915e482d1baf8ad6b1a8df5be4fd5bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606204543481.exe

Filesize
12KB

MD5
e3a8dd869d67c33ed39e4a207bdb5ab0

SHA1
cebc45860c022fa4a564bb484d1275df380a0807

SHA256
998b1058cd8e704713a2e1ed103ebc3f7ec9e619fa570426fa22d2d5ea68b98c

SHA512
49c8d18e67e9566de4f890ce7ea30872beb0103ae4c76bf041980bfa1ee6a0820c4e3597a27ffe6c480a4584c499f08bfff9058bbda530a2ce4c2bd14bf5e96e

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606204555325.exe

Filesize
13KB

MD5
f08150738977f7f087475dd09d73e4b9

SHA1
1a85356df26b5538ce04167e9e22855fc1f6c084

SHA256
5817b43e70fc8fb248ec27e70c336662baaaaa00ae0b17ace632cae77def117c

SHA512
d018f73e669b4c001b782aeb436a6714d14462af78670b56bafce11fd2275cfe8db50d11524628eba4c1595d8ee86e8499dc0061e27b03416e3bf7b09210f8e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606204605216.exe

Filesize
13KB

MD5
7d09c994c285196b63ccb2070e3aadfa

SHA1
918dad5a9ace1e9ef82b84fcfd9b9cbc105bd853

SHA256
00b07a34a2749b129eea05ca8265abb85e500a30501daa5789c87506690a3a93

SHA512
103d365246df926ba60bc4e0fc53aa4f87f10501478ca5fe6a3e1320f808095540b6dede75c32516a8e0521f8b8c476451efeaf0180797fd9869242cabdc8c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606204614731.exe

Filesize
13KB

MD5
5b2817dc6aaf163d15204413a14b946e

SHA1
109c090abcac6edc2f97f3f857134f37b2a5378b

SHA256
9211814fc4b7fccd93dbdb2bee1a2c2c1cac5921c7081500c5abaab83154ae80

SHA512
54bcc2026f49ecf0163b48dc179154395f85d583ef818ee42fc961fbeb8661d29494226d6084cd9903a4f631c212318a9fbb1d8501fa3ff5c97296c09e364b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606204624231.exe

Filesize
13KB

MD5
a5e18c8855f96ad9efefbdcb46a41d00

SHA1
31fa67238bd91f8b989aedbe707cf0cb341032e6

SHA256
7c838a3f978d4257094e083b9014475b8c20309e6d9be3436f54d6880e70ec65

SHA512
000c2df45fde34d861e496a5074c2b127a5ed4280ffa85bbb703927f5e08bad368733333dfdd6bedcc58b719653112883c349a768ea2f1f45d9e8eeca7a30698

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606204634716.exe

Filesize
13KB

MD5
2ff3231afa48b68d4ea4b6007a9d7aee

SHA1
f9696c2feb04bc033cec472bff216684f52eaff1

SHA256
0a3cfb49b875ec33b6030dab7f5ecc2abe8d156bda5a399b7c8c31569419de63

SHA512
9c679460877ed6265f3f40c5f36cd56d4e0b6a342b40d568edf3b77da3875657cf6769c48dc570e5b91f87ff72fabc7411c80da71d099ece0a8e3b85c97bbc6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606204643997.exe

Filesize
13KB

MD5
085d4641388c8988338058ea97349b07

SHA1
905d714621dbf9e11e6277f61952ffc9ba2a6f98

SHA256
ce895edf414acf04703d6912e36bda64a972f9badb06b4e7e33121c450e6a37e

SHA512
c216a3944061f777d29125dc0690c5ee1cad5b3e1f36ab8f38b9c0bc2a44c711da9926c9cf23a5456767285b4849301a17f293473e16800e142f5f27e9231ca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606204653356.exe

Filesize
13KB

MD5
70c04a332d07c033eadcbdd53b956960

SHA1
4872cde129322a6383fee56ba6f163ee57c72241

SHA256
660ee3a74812264129bd57a13c5f3423500d4341c0112cc5b49b5b023dd2dd9d

SHA512
421a697e9b8034fad23fac788f4a3b1982087cd6e04b345bc054b93de6282eadc2f4f28caace4412f9a57d85e3cc3ecb16b67454b073783291877505c34c5ffb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads