7b3f4d4292458cd5445c3a559a2722f55ec82b5db15bb9ba88722eb37efb6616

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
07/06/2024, 00:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27ed23e399c2f23e5f9a74a014152a30_NeikiAnalytics.exe
Size

12KB
MD5

27ed23e399c2f23e5f9a74a014152a30
SHA1

0502f18d0cec37ac96344d50323f0d882d1e745c
SHA256

7b3f4d4292458cd5445c3a559a2722f55ec82b5db15bb9ba88722eb37efb6616
SHA512

248e35b0aeb8e0f7f263491475ada9c48de73d9b19d1d8ce1f25701e3afb7142fa9570d4ed36da32d0d957b7747fad5dd08a4682625908b7e963dafcf23fdffc
SSDEEP

192:QifT53MhoSK68kMkETb03RIB0FiN0wHI22Gb1rQWlJdxqHiYrS:XZkboipCxpDCWlJj+

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 15 IoCs

pid	Process
4752	240607002212389.exe
3668	242607002223077.exe
384	242607002232858.exe
4144	242607002241811.exe
4484	242607002251468.exe
4428	242607002301061.exe
3704	242607002309968.exe
1576	242607002319749.exe
3952	242607002328811.exe
608	242607002338264.exe
3140	242607002348389.exe
4048	242607002358764.exe
2080	242607002408936.exe
820	242607002419046.exe
2644	242607002428514.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 2872	4900	27ed23e399c2f23e5f9a74a014152a30_NeikiAnalytics.exe	97
PID 4900 wrote to memory of 2872	4900	27ed23e399c2f23e5f9a74a014152a30_NeikiAnalytics.exe	97
PID 2872 wrote to memory of 4752	2872	cmd.exe	98
PID 2872 wrote to memory of 4752	2872	cmd.exe	98
PID 4752 wrote to memory of 1880	4752	240607002212389.exe	99
PID 4752 wrote to memory of 1880	4752	240607002212389.exe	99
PID 1880 wrote to memory of 3668	1880	cmd.exe	100
PID 1880 wrote to memory of 3668	1880	cmd.exe	100
PID 3668 wrote to memory of 4948	3668	242607002223077.exe	101
PID 3668 wrote to memory of 4948	3668	242607002223077.exe	101
PID 4948 wrote to memory of 384	4948	cmd.exe	102
PID 4948 wrote to memory of 384	4948	cmd.exe	102
PID 384 wrote to memory of 524	384	242607002232858.exe	105
PID 384 wrote to memory of 524	384	242607002232858.exe	105
PID 524 wrote to memory of 4144	524	cmd.exe	106
PID 524 wrote to memory of 4144	524	cmd.exe	106
PID 4144 wrote to memory of 2764	4144	242607002241811.exe	107
PID 4144 wrote to memory of 2764	4144	242607002241811.exe	107
PID 2764 wrote to memory of 4484	2764	cmd.exe	108
PID 2764 wrote to memory of 4484	2764	cmd.exe	108
PID 4484 wrote to memory of 4972	4484	242607002251468.exe	109
PID 4484 wrote to memory of 4972	4484	242607002251468.exe	109
PID 4972 wrote to memory of 4428	4972	cmd.exe	110
PID 4972 wrote to memory of 4428	4972	cmd.exe	110
PID 4428 wrote to memory of 2564	4428	242607002301061.exe	112
PID 4428 wrote to memory of 2564	4428	242607002301061.exe	112
PID 2564 wrote to memory of 3704	2564	cmd.exe	113
PID 2564 wrote to memory of 3704	2564	cmd.exe	113
PID 3704 wrote to memory of 2536	3704	242607002309968.exe	114
PID 3704 wrote to memory of 2536	3704	242607002309968.exe	114
PID 2536 wrote to memory of 1576	2536	cmd.exe	115
PID 2536 wrote to memory of 1576	2536	cmd.exe	115
PID 1576 wrote to memory of 3308	1576	242607002319749.exe	116
PID 1576 wrote to memory of 3308	1576	242607002319749.exe	116
PID 3308 wrote to memory of 3952	3308	cmd.exe	117
PID 3308 wrote to memory of 3952	3308	cmd.exe	117
PID 3952 wrote to memory of 1128	3952	242607002328811.exe	118
PID 3952 wrote to memory of 1128	3952	242607002328811.exe	118
PID 1128 wrote to memory of 608	1128	cmd.exe	119
PID 1128 wrote to memory of 608	1128	cmd.exe	119
PID 608 wrote to memory of 1940	608	242607002338264.exe	127
PID 608 wrote to memory of 1940	608	242607002338264.exe	127
PID 1940 wrote to memory of 3140	1940	cmd.exe	128
PID 1940 wrote to memory of 3140	1940	cmd.exe	128
PID 3140 wrote to memory of 3324	3140	242607002348389.exe	129
PID 3140 wrote to memory of 3324	3140	242607002348389.exe	129
PID 3324 wrote to memory of 4048	3324	cmd.exe	130
PID 3324 wrote to memory of 4048	3324	cmd.exe	130
PID 4048 wrote to memory of 3192	4048	242607002358764.exe	131
PID 4048 wrote to memory of 3192	4048	242607002358764.exe	131
PID 3192 wrote to memory of 2080	3192	cmd.exe	132
PID 3192 wrote to memory of 2080	3192	cmd.exe	132
PID 2080 wrote to memory of 3348	2080	242607002408936.exe	135
PID 2080 wrote to memory of 3348	2080	242607002408936.exe	135
PID 3348 wrote to memory of 820	3348	cmd.exe	136
PID 3348 wrote to memory of 820	3348	cmd.exe	136
PID 820 wrote to memory of 2512	820	242607002419046.exe	137
PID 820 wrote to memory of 2512	820	242607002419046.exe	137
PID 2512 wrote to memory of 2644	2512	cmd.exe	138
PID 2512 wrote to memory of 2644	2512	cmd.exe	138

C:\Users\Admin\AppData\Local\Temp\27ed23e399c2f23e5f9a74a014152a30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\27ed23e399c2f23e5f9a74a014152a30_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\240607002212389.exe 000001
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Users\Admin\AppData\Local\Temp\240607002212389.exe
    C:\Users\Admin\AppData\Local\Temp\240607002212389.exe 000001
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4752
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242607002223077.exe 000002
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1880
    - - C:\Users\Admin\AppData\Local\Temp\242607002223077.exe
        
        C:\Users\Admin\AppData\Local\Temp\242607002223077.exe 000002
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3668
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242607002232858.exe 000003
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\242607002232858.exe
        
        C:\Users\Admin\AppData\Local\Temp\242607002232858.exe 000003
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242607002241811.exe 000004
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\242607002241811.exe
        
        C:\Users\Admin\AppData\Local\Temp\242607002241811.exe 000004
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242607002251468.exe 000005
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\242607002251468.exe
        
        C:\Users\Admin\AppData\Local\Temp\242607002251468.exe 000005
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242607002301061.exe 000006
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\242607002301061.exe
        
        C:\Users\Admin\AppData\Local\Temp\242607002301061.exe 000006
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242607002309968.exe 000007
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\242607002309968.exe
        
        C:\Users\Admin\AppData\Local\Temp\242607002309968.exe 000007
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3704
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242607002319749.exe 000008
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\242607002319749.exe
        
        C:\Users\Admin\AppData\Local\Temp\242607002319749.exe 000008
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242607002328811.exe 000009
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\242607002328811.exe
        
        C:\Users\Admin\AppData\Local\Temp\242607002328811.exe 000009
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242607002338264.exe 00000a
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\242607002338264.exe
        
        C:\Users\Admin\AppData\Local\Temp\242607002338264.exe 00000a
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:608
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242607002348389.exe 00000b
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\242607002348389.exe
        
        C:\Users\Admin\AppData\Local\Temp\242607002348389.exe 00000b
        23⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242607002358764.exe 00000c
        24⤵
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Users\Admin\AppData\Local\Temp\242607002358764.exe
        
        C:\Users\Admin\AppData\Local\Temp\242607002358764.exe 00000c
        25⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242607002408936.exe 00000d
        26⤵
        Suspicious use of WriteProcessMemory
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\242607002408936.exe
        
        C:\Users\Admin\AppData\Local\Temp\242607002408936.exe 00000d
        27⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242607002419046.exe 00000e
        28⤵
        Suspicious use of WriteProcessMemory
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\242607002419046.exe
        
        C:\Users\Admin\AppData\Local\Temp\242607002419046.exe 00000e
        29⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:820
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242607002428514.exe 00000f
        30⤵
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\242607002428514.exe
        
        C:\Users\Admin\AppData\Local\Temp\242607002428514.exe 00000f
        31⤵
        Executes dropped EXE
        
        PID:2644

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240607002212389.exe

Filesize
12KB

MD5
f4d5610a0d3e5e70640fd29ad0be47bb

SHA1
affca7004cf32fcd89945e8b89b175f43a81d57b

SHA256
5150d35d201fe8d7f8639fdfdae7940769ba3e9301258bbd151e9857c27b5bb1

SHA512
4236ab0cc6daacd1387220ef42ce0ae85e30e7afe8b20d95f946d77e9a7c883fdc9d5db19f96312656e82a841e685b1a325b1c99a65a3871578683744bb4030a

Download Submit
C:\Users\Admin\AppData\Local\Temp\242607002223077.exe

Filesize
12KB

MD5
676b910d576136cfdff05cfa76c8a7e0

SHA1
5e8c712a4beb542dd88640e903cb177e6be5d852

SHA256
000126cd9fc0676df7256e7396c155ab3e786423ca03a360b81ce72e40251f31

SHA512
e14ab436d987427852c1b6fd0367e5d3ab029aedc4b7a950fc2dab0355c0ae76f7661a046d7e07168e156bdc8a53354278c755be3186e4cdb2ebb97b1ca6411d

Download Submit
C:\Users\Admin\AppData\Local\Temp\242607002232858.exe

Filesize
12KB

MD5
4e946d72d1d034fa82511cccf8d7302e

SHA1
d1ab3459ec3f82823064ca86becbb6482f802da3

SHA256
4163993f19a13ee06cf51974b5963e26ad5d12ba2ecb4604d0e02cf7bf018e5c

SHA512
2fc0cf56e85bb861454f5c23aed5e20ca75db3d8c5d0831ef04392fa16aabadee379f05d2576a411e578ca47b2dec7a76230a8c9099a4e9f54d24ab5d30288f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\242607002241811.exe

Filesize
12KB

MD5
caa09102f727a5e4028371170c3ed098

SHA1
b3b33ee2b5ecc008af0fb2b674262399d18276c1

SHA256
c0f05e694b48e2816e2fd27ada1b1f33d502cbb4841d07c34c1e8e6fcc7bbe4b

SHA512
6129ba2e4294db63bd4efc4a53823e2660e0e033a5b3fff5b1d298afa9532a3092c118df0eb1addf484acbb2a93151cfda78039a40f5bbcfeaada519b4b36198

Download Submit
C:\Users\Admin\AppData\Local\Temp\242607002251468.exe

Filesize
13KB

MD5
6acf0696b15d9e7623a4a84ed32c1bf7

SHA1
054bdbd656dc3c6a30ad8605c614732b4d61f5bc

SHA256
bf7dbf1c005eeaa0feccada169ff96e4f222589d1240f44101f5822bdfa0423b

SHA512
d74d34ec5bc66df1a9a8db8a860a0649f5ea491a9bd881ff0dcdd8cf0c2b0ef3e2bbb35985deda20d3b373f95e5dc47c348931d7b18e947d88a43dd180d0f39b

Download Submit
C:\Users\Admin\AppData\Local\Temp\242607002301061.exe

Filesize
12KB

MD5
560a620d6c8c9ed160a591d85d7d9687

SHA1
f5eeae9c6f47c46a4a4670a62de8b6b147108a18

SHA256
8a2bff6ee636274c02b93b71eba11f9b2e62635ff073e4433a3c288023c44287

SHA512
6b5a85e098df5bf7cd36f6c3f9a2509779a4d6db62e0cb22932e31aac485403fb14f15a73dcc9baf829cef3a02851cabc50a79f6819be3798e54cf4f037b9e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\242607002309968.exe

Filesize
13KB

MD5
bc58649592f497932ab93dcdef929627

SHA1
1246df680f3a1c59f1367cc6f609aa1b54c98501

SHA256
e7a57012cd340ac44184b7a3b6213d7f65838aaae4b8b8c1ff93f904be8d1690

SHA512
d41cf6580126390dd1e4c76a3de58e30adade80007b959d94ace97e36faa8a8ffb022a977011a8e8d9603524f918482c1cbc33241abfa2eac1fdf2e958af3c9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\242607002319749.exe

Filesize
13KB

MD5
0709f72dcd0a03150910fcfee577676e

SHA1
d1b35520c784170b1e39eb14acd0810a459baa78

SHA256
b20059c3c4c83608cc109b179f2da3fefd656f372d3e8e89df09bf7f1d19c290

SHA512
8378f38578c2dca3665ba28a958ad0fa3f22a4c06d7f44a3d18c03c1a1d76ec65be75e48e8af8760d29137057aee58623af8818844d902af01f8854757749722

Download Submit
C:\Users\Admin\AppData\Local\Temp\242607002328811.exe

Filesize
13KB

MD5
e96a2b8b39b2711ce28006d25eb24fc4

SHA1
8e1452c33984a674e582c568ea86ae1d7856c780

SHA256
4a320b824704de45a992f18827bf8bdeb178b0bd2df8556176d7a52d0246edde

SHA512
4a6fc17c21c928010c2ffcf2ab0cbce30c53745b8e0539f8b706110fc00787e88f5281aa508179b2d439eda56965dbb0fc276dc5ecd9feb63a23e4fa4307a236

Download Submit
C:\Users\Admin\AppData\Local\Temp\242607002338264.exe

Filesize
13KB

MD5
dc39555a43104908ad8155452813b531

SHA1
47b2283964fcf518b095a1e6c86a0c97a784a4e3

SHA256
b2bf4ca08c2a60b48febb938a0a044348efffe37bc03def18c564d6ed5bed4b9

SHA512
688e5cc2167834b25f05a7c06fc2f52ae0c071de02c008a3c3f3e4fb451d228a6875032fb714cfa3b1dd5bcfd5b8e279ee1c604455a2486ae9eb570a45816145

Download Submit
C:\Users\Admin\AppData\Local\Temp\242607002348389.exe

Filesize
13KB

MD5
0c434f065fae911bd7737e0756d797ab

SHA1
d4d8b5148d995fe1b16e49135b09dd30dc43f2a7

SHA256
9d347c0db573d00d440f8f104bfdbe4da629784dd5480deaf0e66468a1f77bba

SHA512
5fcff7dc039fa41b09fd5fbe3b05c10596cbefdd7c6e29b26e41e326993d252250e7d9b9c45ba98c7e6cd3b328503fc25b15d964fa18d9131fece09d60efaf9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\242607002358764.exe

Filesize
13KB

MD5
ad377c98bfa852d21b699f1bec258e25

SHA1
ed1a372ec60acc6960d0cac685eeef1bf8f81e31

SHA256
87de3686cf0a88627929d81900b317ddf6903dac48dae9645cd09c9f99640129

SHA512
f4621d72bdd3e3c0f606fc69e15d91f9863019cbdbed2b01fd3468aba8a60d31b7a09860e7bb3f8ba21ce4ab137cd9571b0798add49f678671d96548735bfd88

Download Submit
C:\Users\Admin\AppData\Local\Temp\242607002408936.exe

Filesize
13KB

MD5
6ff9f5b13aa72c6ec55a4241e2e23631

SHA1
6c489e1e35d28392bf7de7047373e59de441182f

SHA256
75ae987d92bea1984cb8d9ef1b36682419483deeac5a3f230bbad987017260bd

SHA512
dfe5a6898ea2e4340cca9e45f5cc35bff6d20971dc1473d7563b406e4b61a4a3d8ca59afdb3f9dbd9ad105335100484e10ef105cd0236d4b8efdf07bab37ef7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\242607002419046.exe

Filesize
12KB

MD5
b85f01bba8dfd3d2a2df94de2802b94f

SHA1
5eda622cb5750fe841aa313c4ffad80a717a7154

SHA256
e1aeb152d450226a9b8be599ff5ff6a6571e934f47ffbb1a54a5b9c4877db293

SHA512
fe45ddac723b873b156d2747670674bbe6c217cecdddfc49e5b5fa2897a5e92e4b420bd875b834801c72232b3c92b6b033268db98f1fe57ddf965e6ce1f50d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\242607002428514.exe

Filesize
13KB

MD5
83d1ea78baae42682f7607a479d9cd37

SHA1
e93e44644a98f692a43d38ef75cf9f6083d30fb1

SHA256
ed0328e22961535a3eb13a89ec6439dc71a794acfb4db7a20e196d25be126582

SHA512
fa415039b9733dc665aa7b64f27590132d8f9026de5b1179e85ca554db42050526ac4a2b8715c010f65938440478bed83eb1af6c095303a4939b614580125253

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads