80e8e3e96767ef4ba7b4b019871b700241c4a14987e6b948f56cdadd60a479cc

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
27/06/2024, 10:58

Target

80e8e3e96767ef4ba7b4b019871b700241c4a14987e6b948f56cdadd60a479cc_NeikiAnalytics.exe
Size

79KB
MD5

7e33bfca482387db6265036f8d132200
SHA1

92459dda0b168d161676801ec95366f5662eb6b8
SHA256

80e8e3e96767ef4ba7b4b019871b700241c4a14987e6b948f56cdadd60a479cc
SHA512

6740830b1c961c3012bb221aff3af38f120fdc14c820884b08abeb98e4829527aa04e075d2241b0cd214f679c67c31025805dfa60d05aa4b09b8b53a1b8948e3
SSDEEP

1536:zvL86ZhAVxtzE8OQA8AkqUhMb2nuy5wgIP0CSJ+5yuB8GMGlZ5G:zvL8yhOxtzkGdqU7uy5w9WMyuN5G

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2656	[email protected]

Loads dropped DLL 2 IoCs

pid	Process
1740	cmd.exe
1740	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 1740	1948	80e8e3e96767ef4ba7b4b019871b700241c4a14987e6b948f56cdadd60a479cc_NeikiAnalytics.exe	29
PID 1948 wrote to memory of 1740	1948	80e8e3e96767ef4ba7b4b019871b700241c4a14987e6b948f56cdadd60a479cc_NeikiAnalytics.exe	29
PID 1948 wrote to memory of 1740	1948	80e8e3e96767ef4ba7b4b019871b700241c4a14987e6b948f56cdadd60a479cc_NeikiAnalytics.exe	29
PID 1948 wrote to memory of 1740	1948	80e8e3e96767ef4ba7b4b019871b700241c4a14987e6b948f56cdadd60a479cc_NeikiAnalytics.exe	29
PID 1740 wrote to memory of 2656	1740	cmd.exe	30
PID 1740 wrote to memory of 2656	1740	cmd.exe	30
PID 1740 wrote to memory of 2656	1740	cmd.exe	30
PID 1740 wrote to memory of 2656	1740	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\80e8e3e96767ef4ba7b4b019871b700241c4a14987e6b948f56cdadd60a479cc_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\80e8e3e96767ef4ba7b4b019871b700241c4a14987e6b948f56cdadd60a479cc_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c [email protected]
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    [email protected]
    3⤵
    - Executes dropped EXE
    PID:2656

\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
79KB

MD5
cdc4e69c728ed721a2ac2d86f35e7ecc

SHA1
b9e626df765dbfaeb2712db760de3c657d41a598

SHA256
09be4716c7a0eac551be2b4f24f380fee41c52a49f9475a055e656b3773b5018

SHA512
dba17a7c3192a64625d72a164187d78a31e5928e59915b53603aaa10e2f4dd1f1e6611e09d87da9c7ccd82042d3cbd086c5c18a73deb84f90bfcbcc7b11e93ab

Download Submit
memory/1948-8-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2656-7-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download