29fdafc4d5b401d4be302bebd9634b5c42f82a902f51d920b9eea76e94ec3493

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/06/2024, 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c7c754a59028061e902e56f53060540_NeikiAnalytics.exe
Size

12KB
MD5

3c7c754a59028061e902e56f53060540
SHA1

fcb35e5349d4a29076398f2283153e718a4b6c7a
SHA256

29fdafc4d5b401d4be302bebd9634b5c42f82a902f51d920b9eea76e94ec3493
SHA512

403dc8e115af47445995ae7304c5a00c52a3950798345f2e7324ca92f9ec0fed9d2bb25aac2ee9c506afff7bf98394689f33ba51b6fb2c49636c8addbbfde2d0
SSDEEP

192:AlYI1svc6+aN6e8O/Rig6sS2MuYYuwPVOfNkVGcLJ7m7gWlJdxqHiYraT1x:Vz06ptkFqueYc9yMWlJj+Y

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 14 IoCs

pid	Process
4316	242607055108577.exe
3992	242607055118796.exe
4200	242607055129233.exe
4296	242607055139093.exe
3008	242607055149265.exe
2808	242607055200124.exe
892	242607055209999.exe
812	242607055220050.exe
3888	242607055230202.exe
2036	242607055241468.exe
3316	242607055251702.exe
1120	242607055302062.exe
2156	242607055312108.exe
3500	242607055322734.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 3404 wrote to memory of 3548	3404	3c7c754a59028061e902e56f53060540_NeikiAnalytics.exe	92
PID 3404 wrote to memory of 3548	3404	3c7c754a59028061e902e56f53060540_NeikiAnalytics.exe	92
PID 3548 wrote to memory of 4316	3548	cmd.exe	93
PID 3548 wrote to memory of 4316	3548	cmd.exe	93
PID 4316 wrote to memory of 4268	4316	242607055108577.exe	99
PID 4316 wrote to memory of 4268	4316	242607055108577.exe	99
PID 4268 wrote to memory of 3992	4268	cmd.exe	100
PID 4268 wrote to memory of 3992	4268	cmd.exe	100
PID 3992 wrote to memory of 4864	3992	242607055118796.exe	104
PID 3992 wrote to memory of 4864	3992	242607055118796.exe	104
PID 4864 wrote to memory of 4200	4864	cmd.exe	105
PID 4864 wrote to memory of 4200	4864	cmd.exe	105
PID 4200 wrote to memory of 3412	4200	242607055129233.exe	106
PID 4200 wrote to memory of 3412	4200	242607055129233.exe	106
PID 3412 wrote to memory of 4296	3412	cmd.exe	107
PID 3412 wrote to memory of 4296	3412	cmd.exe	107
PID 4296 wrote to memory of 1184	4296	242607055139093.exe	109
PID 4296 wrote to memory of 1184	4296	242607055139093.exe	109
PID 1184 wrote to memory of 3008	1184	cmd.exe	110
PID 1184 wrote to memory of 3008	1184	cmd.exe	110
PID 3008 wrote to memory of 1624	3008	242607055149265.exe	111
PID 3008 wrote to memory of 1624	3008	242607055149265.exe	111
PID 1624 wrote to memory of 2808	1624	cmd.exe	112
PID 1624 wrote to memory of 2808	1624	cmd.exe	112
PID 2808 wrote to memory of 4652	2808	242607055200124.exe	113
PID 2808 wrote to memory of 4652	2808	242607055200124.exe	113
PID 4652 wrote to memory of 892	4652	cmd.exe	114
PID 4652 wrote to memory of 892	4652	cmd.exe	114
PID 892 wrote to memory of 3668	892	242607055209999.exe	115
PID 892 wrote to memory of 3668	892	242607055209999.exe	115
PID 3668 wrote to memory of 812	3668	cmd.exe	116
PID 3668 wrote to memory of 812	3668	cmd.exe	116
PID 812 wrote to memory of 2680	812	242607055220050.exe	117
PID 812 wrote to memory of 2680	812	242607055220050.exe	117
PID 2680 wrote to memory of 3888	2680	cmd.exe	118
PID 2680 wrote to memory of 3888	2680	cmd.exe	118
PID 3888 wrote to memory of 3048	3888	242607055230202.exe	119
PID 3888 wrote to memory of 3048	3888	242607055230202.exe	119
PID 3048 wrote to memory of 2036	3048	cmd.exe	120
PID 3048 wrote to memory of 2036	3048	cmd.exe	120
PID 2036 wrote to memory of 5032	2036	242607055241468.exe	121
PID 2036 wrote to memory of 5032	2036	242607055241468.exe	121
PID 5032 wrote to memory of 3316	5032	cmd.exe	122
PID 5032 wrote to memory of 3316	5032	cmd.exe	122
PID 3316 wrote to memory of 4800	3316	242607055251702.exe	123
PID 3316 wrote to memory of 4800	3316	242607055251702.exe	123
PID 4800 wrote to memory of 1120	4800	cmd.exe	124
PID 4800 wrote to memory of 1120	4800	cmd.exe	124
PID 1120 wrote to memory of 4188	1120	242607055302062.exe	125
PID 1120 wrote to memory of 4188	1120	242607055302062.exe	125
PID 2156 wrote to memory of 1432	2156	242607055312108.exe	127
PID 2156 wrote to memory of 1432	2156	242607055312108.exe	127
PID 1432 wrote to memory of 3500	1432	cmd.exe	128
PID 1432 wrote to memory of 3500	1432	cmd.exe	128

C:\Users\Admin\AppData\Local\Temp\3c7c754a59028061e902e56f53060540_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3c7c754a59028061e902e56f53060540_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242607055108577.exe 000001
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3548
- - C:\Users\Admin\AppData\Local\Temp\242607055108577.exe
    C:\Users\Admin\AppData\Local\Temp\242607055108577.exe 000001
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4316
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242607055118796.exe 000002
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4268
    - - C:\Users\Admin\AppData\Local\Temp\242607055118796.exe
        
        C:\Users\Admin\AppData\Local\Temp\242607055118796.exe 000002
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3992
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242607055129233.exe 000003
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\242607055129233.exe
        
        C:\Users\Admin\AppData\Local\Temp\242607055129233.exe 000003
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4200
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242607055139093.exe 000004
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\242607055139093.exe
        
        C:\Users\Admin\AppData\Local\Temp\242607055139093.exe 000004
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242607055149265.exe 000005
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\242607055149265.exe
        
        C:\Users\Admin\AppData\Local\Temp\242607055149265.exe 000005
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242607055200124.exe 000006
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\242607055200124.exe
        
        C:\Users\Admin\AppData\Local\Temp\242607055200124.exe 000006
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242607055209999.exe 000007
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\242607055209999.exe
        
        C:\Users\Admin\AppData\Local\Temp\242607055209999.exe 000007
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:892
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242607055220050.exe 000008
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\242607055220050.exe
        
        C:\Users\Admin\AppData\Local\Temp\242607055220050.exe 000008
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:812
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242607055230202.exe 000009
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\242607055230202.exe
        
        C:\Users\Admin\AppData\Local\Temp\242607055230202.exe 000009
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242607055241468.exe 00000a
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\242607055241468.exe
        
        C:\Users\Admin\AppData\Local\Temp\242607055241468.exe 00000a
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242607055251702.exe 00000b
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\242607055251702.exe
        
        C:\Users\Admin\AppData\Local\Temp\242607055251702.exe 00000b
        23⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242607055302062.exe 00000c
        24⤵
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\242607055302062.exe
        
        C:\Users\Admin\AppData\Local\Temp\242607055302062.exe 00000c
        25⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242607055312108.exe 00000d
        26⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\242607055312108.exe
        
        C:\Users\Admin\AppData\Local\Temp\242607055312108.exe 00000d
        27⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242607055322734.exe 00000e
        28⤵
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\242607055322734.exe
        
        C:\Users\Admin\AppData\Local\Temp\242607055322734.exe 00000e
        29⤵
        Executes dropped EXE
        
        PID:3500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1400 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
1⤵
PID:1972

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\242607055108577.exe

Filesize
13KB

MD5
1943c16e57f112a51150b95c47427f48

SHA1
ddeb54406fc4ac4d6a2e0e69765fc3d6063b8185

SHA256
8bde9af009056bfde49dbef8cfa315430e5e610e39f7e9d06d8c456b9ebce87b

SHA512
bb305acef5e67210866d681ab0e132fefdcdeeeb695e891a6b082fe097cb62e2f9e73ba213b809e7c3e27fc9ffa41d8661eef4dade3fdcfbbafff4a107628777

Download Submit
C:\Users\Admin\AppData\Local\Temp\242607055118796.exe

Filesize
13KB

MD5
9d69a6b420d74d97fcd628a68e602637

SHA1
d6dc34701498ebf98b48e12fb671869ca6504784

SHA256
a39535b7a9d1230ca0d37474bcbb9ea09d7bbad6ce61ea1357e27b8cb23c4058

SHA512
a6c27cf25771285927547be58de54d6a03ebf396108712a9b9233a2b15c22acbb9dd625c9426d855eb467fe4b825d2567df72221ffc094a1f51066ffd0ec9270

Download Submit
C:\Users\Admin\AppData\Local\Temp\242607055129233.exe

Filesize
13KB

MD5
fa7dcf865b8144e3fe20f40b451d2c4a

SHA1
5b0d02df198c4752aa66c91df415e04bf190ffc5

SHA256
e5d6605c9f7a513642c99a9f5aa54fb0a5a131421344a0464c87bbfc017948b3

SHA512
218178caec09b58a6051320a754fdf27d960b23a4d43f7248b03a1bad93d98c663508961766b55b92aaaf6ec00660f3f5b82fc5fb61643e3e6add67cbc466b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\242607055139093.exe

Filesize
13KB

MD5
47530de0f6be8757675462680546aad1

SHA1
65f6ee1320c178d12feb76998268bb96a70e54af

SHA256
0261224eb7dfb2c348a76d84182d56eef07078ccfe96179327ef21d59d8f220c

SHA512
96d0dbf41c506867df950efcf87799541835d4bf0f7b733b4881995e51ff43036aa03c7697909ba9905e417707e4dc9132b9890f7c2da7bebc19e98a90ec3c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\242607055149265.exe

Filesize
13KB

MD5
1dbeaa78c8df06541502e20be0ddd908

SHA1
df77deaa22c88713a190796a1b81eb62a807328c

SHA256
76d4395a707ec9e68b1e22a472827003ed873e8927f3aa9e19ed4012ee982f1b

SHA512
96c1a94a5f52ae4d127c6df9e9eef59f78c883742875ad1ec9cadf21cfe3c569c0c45777d9f93f023b696de4c4d4fc3cd060693566ebe75ec5b29e7c092dc36a

Download Submit
C:\Users\Admin\AppData\Local\Temp\242607055200124.exe

Filesize
12KB

MD5
c3d2086295578d3bc4e45d961dc87ccb

SHA1
52e03a701741586bdf1411a1d9ec114c39318d1d

SHA256
44d85ca7820d8707384545ad58324b86fe5c188a11de9d88c6f56a4685c1235b

SHA512
9cbae164aa454cc7e92f0dddb244f98ddf34c37fc910779d22350683e3183f34eb1037e7a4625a4918e5b0d7bbbb569964e4c1fd5066a45635b9a97d30027f48

Download Submit
C:\Users\Admin\AppData\Local\Temp\242607055209999.exe

Filesize
13KB

MD5
41ba3ef43bc1b72ac02c14f329567c34

SHA1
51e5130891cbb0a12c826ae6189b3902323335f4

SHA256
babae2540ac6d47f7d0ec7f16029f905c7dc1d79a98af1d414cf8dbf0b1d2637

SHA512
8441bc6d49aac24f9263072dddb3c890b525f6c416c98372b77f495a35d58fdcf513cfebd8d988ff24edae1be241ad9b9dba6f26e815bdb59d8b5b012d2bcb65

Download Submit
C:\Users\Admin\AppData\Local\Temp\242607055220050.exe

Filesize
14KB

MD5
18c259de285c0faf9696f7bc8250190e

SHA1
aaf3062f1752434c14693d9d1c65c19ea7ecad23

SHA256
90f255863b9a82c2a54be2c5baa8e564ac6ef60f04adb2160a24135e11f3cc56

SHA512
32c09cbe67a79afb4567b32b945d08ca0110adf0576f3add19f2f39c1a653f959eb3bde3c8c2e8b346fa3a70ae499653ce9fd45e152dad908f8347f9f0e30d16

Download Submit
C:\Users\Admin\AppData\Local\Temp\242607055230202.exe

Filesize
13KB

MD5
cee5964890793bcc659af5043bd55729

SHA1
ef93cae2231b340cfcf216e7641581e561527de2

SHA256
4cb4ec9d4b9947f863c636ab5d4cf22596f9acb1ce5b313297a5476d1d720c54

SHA512
839ee8ba19257c26eb77b091266b58f52a1ae8a41783c263e10c4d953ebd403054d63940bd05bf61d0f8140ce9cc7f927069f1f6d8cb6542541abef1ad9e72f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\242607055241468.exe

Filesize
12KB

MD5
4b8d9a043152e0d57b790c21ad25ebdd

SHA1
455c322d2cf39161555a284cad664b076a0aeb7f

SHA256
0d6a6fb22e4b21a0f2f8656a1eb01e14f82aa248f07ce6de5ecc66b670c59b4f

SHA512
6ceee2358b932905b30e7b0da7f22e3e8c36c247d52436d3d51afb36bf14938f93af303946e715dc452ce14a054005a5861e86ebba5b8bf4f383008ab6b0d9e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\242607055251702.exe

Filesize
14KB

MD5
e76d5655f6717c32fd72315668d1ad62

SHA1
caf79bf332fb66d29f2e34ddc3ba4baf2dd557de

SHA256
0f4c6c475d750bae3be7a0964de42343b067b7e1cafaa6b6913756c9fc4ae12b

SHA512
7b634a8c018317881fe6a1435dd32a94f3f6a81b2856f81c6cf3e8f99f5f23d39c5b5af30654b8694ed73a3244a427d772df81b7933835ef495cc1a89cf34c8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\242607055302062.exe

Filesize
13KB

MD5
acccb15dfc85d309424fcee8215c3afb

SHA1
033c5f4eac42a4c0c72ab52010b6256e336c96e8

SHA256
977b4abe640964fd6202340a1e934c1cef2075d0da938ef4a83c201d0c8f3fed

SHA512
75a6e92429a8b483cd81ffe244d18829d4e21f976d57241f314c9a6fa621bce82772addbd3c3504225800ba634f12c9f5943ba741a3ab5e7089e0eada714444e

Download Submit
C:\Users\Admin\AppData\Local\Temp\242607055312108.exe

Filesize
13KB

MD5
77877692530008894ddf3dc95398f18d

SHA1
8c1dc484a0fe64d38a11c827f1e0a72a24227462

SHA256
74e2fb81037dd8810128e4551b2816effa88fa5505c8e2d839ec6d463ef992a6

SHA512
68c8e8e7835314ad0fec587c3c0429a4e2049a740a2468d5e4afd1dd6396fe1718c80da794bbc9f5871c4ece126953d869aa908fe2a6a78d41ea92ac0cb8c539

Download Submit
C:\Users\Admin\AppData\Local\Temp\242607055322734.exe

Filesize
12KB

MD5
b54a7422a3cea4393eb89ca6d0d833ca

SHA1
672a582e0b769a17d3be795ab7c2cb7e4250af4b

SHA256
0906bb303ee6403fbc78aa77b1d2228627887bdfca3e772a12ad78a2a473becd

SHA512
b8351cae2498175826de4824a5c0f04e02847690759839e98ab61f6c91ffa8d9ffb2dab80662ac0c9cb9391cd54d7b90d4a5fd66efbbd1a0b9a65b0f90d687e8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads