d0689a3de1e1a400981c5d95ac46a1c6e33661e84a622c321cae415236151939

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/05/2024, 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f633ffcf8d07f4e170810114275267f0_NEIKI.exe
Size

61KB
MD5

f633ffcf8d07f4e170810114275267f0
SHA1

df131ed9140ae9a23aaea24931907e9a49a0ac0e
SHA256

d0689a3de1e1a400981c5d95ac46a1c6e33661e84a622c321cae415236151939
SHA512

cba58624714683094d8d9b13a2703b33732143c6c6d5b31904b8aea77e3b81279c997b8bf2c2ae70f716d47a002847b0c08b7a8eb2a0e43282a4f25b48eaf998
SSDEEP

1536:Ottdse4OcUmWQIvEPZo6E5sEFd29NQgA2wwle5:Wdse4OlQZo6EKEFdGM21le5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
2168	ewiuer2.exe
1596	ewiuer2.exe
1908	ewiuer2.exe
928	ewiuer2.exe
2136	ewiuer2.exe
3012	ewiuer2.exe
692	ewiuer2.exe

Loads dropped DLL 14 IoCs

pid	Process
2184	f633ffcf8d07f4e170810114275267f0_NEIKI.exe
2184	f633ffcf8d07f4e170810114275267f0_NEIKI.exe
2168	ewiuer2.exe
2168	ewiuer2.exe
1596	ewiuer2.exe
1596	ewiuer2.exe
1908	ewiuer2.exe
1908	ewiuer2.exe
928	ewiuer2.exe
928	ewiuer2.exe
2136	ewiuer2.exe
2136	ewiuer2.exe
3012	ewiuer2.exe
3012	ewiuer2.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe
File opened for modification	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe
File opened for modification	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2168	2184	f633ffcf8d07f4e170810114275267f0_NEIKI.exe	28
PID 2184 wrote to memory of 2168	2184	f633ffcf8d07f4e170810114275267f0_NEIKI.exe	28
PID 2184 wrote to memory of 2168	2184	f633ffcf8d07f4e170810114275267f0_NEIKI.exe	28
PID 2184 wrote to memory of 2168	2184	f633ffcf8d07f4e170810114275267f0_NEIKI.exe	28
PID 2168 wrote to memory of 1596	2168	ewiuer2.exe	32
PID 2168 wrote to memory of 1596	2168	ewiuer2.exe	32
PID 2168 wrote to memory of 1596	2168	ewiuer2.exe	32
PID 2168 wrote to memory of 1596	2168	ewiuer2.exe	32
PID 1596 wrote to memory of 1908	1596	ewiuer2.exe	33
PID 1596 wrote to memory of 1908	1596	ewiuer2.exe	33
PID 1596 wrote to memory of 1908	1596	ewiuer2.exe	33
PID 1596 wrote to memory of 1908	1596	ewiuer2.exe	33
PID 1908 wrote to memory of 928	1908	ewiuer2.exe	35
PID 1908 wrote to memory of 928	1908	ewiuer2.exe	35
PID 1908 wrote to memory of 928	1908	ewiuer2.exe	35
PID 1908 wrote to memory of 928	1908	ewiuer2.exe	35
PID 928 wrote to memory of 2136	928	ewiuer2.exe	36
PID 928 wrote to memory of 2136	928	ewiuer2.exe	36
PID 928 wrote to memory of 2136	928	ewiuer2.exe	36
PID 928 wrote to memory of 2136	928	ewiuer2.exe	36
PID 2136 wrote to memory of 3012	2136	ewiuer2.exe	38
PID 2136 wrote to memory of 3012	2136	ewiuer2.exe	38
PID 2136 wrote to memory of 3012	2136	ewiuer2.exe	38
PID 2136 wrote to memory of 3012	2136	ewiuer2.exe	38
PID 3012 wrote to memory of 692	3012	ewiuer2.exe	39
PID 3012 wrote to memory of 692	3012	ewiuer2.exe	39
PID 3012 wrote to memory of 692	3012	ewiuer2.exe	39
PID 3012 wrote to memory of 692	3012	ewiuer2.exe	39

C:\Users\Admin\AppData\Local\Temp\f633ffcf8d07f4e170810114275267f0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\f633ffcf8d07f4e170810114275267f0_NEIKI.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Users\Admin\AppData\Roaming\ewiuer2.exe
  C:\Users\Admin\AppData\Roaming\ewiuer2.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\SysWOW64\ewiuer2.exe
    C:\Windows\System32\ewiuer2.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1596
  - - C:\Users\Admin\AppData\Roaming\ewiuer2.exe
      C:\Users\Admin\AppData\Roaming\ewiuer2.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1908
    - - C:\Windows\SysWOW64\ewiuer2.exe
        
        C:\Windows\System32\ewiuer2.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:928
      - C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        
        C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\SysWOW64\ewiuer2.exe
        
        C:\Windows\System32\ewiuer2.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        
        C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        8⤵
        Executes dropped EXE
        
        PID:692

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\LGOO5ULW.txt

Filesize
227B

MD5
8ee640bf7ba78cf141d05a56892a7d1b

SHA1
6be92b22a6a48df5ab14accac71d2e147691dfc9

SHA256
e6dc9ec58b799283b7db62bec3ba456d2d10bfea74ce4d4c1a1f24d25ea1b134

SHA512
cfca4db711bd7c062e93980c75d6fe7ddc5a5269c4bb6c0698ed1e4b5788b337d1858f7dda9ef00a1418f7fc4ae357f2faa8a5e4cdb6c32a253878bc630bd4a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\PK06EMFF.txt

Filesize
228B

MD5
6ef7b0afb83fd6120795fe97c0cd3686

SHA1
b736949ab4dbc652c423b3e10c20b3e7baba3305

SHA256
4cf93de15a770ca2b4269b6e83c82d8b19e5e84ac25ad92f5eaab1980b8ce19c

SHA512
e9b837aafb02b67f47e22824169de286f21dbae156391586f89169c6b0b763ac964aed73890a0f164fc3fb1f0e3775df9a4c1524c28ec5cc974aa6a2e4766057

Download Submit
C:\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
61KB

MD5
42721f6e3007171e0c2478925df80786

SHA1
f99e8f2b797e6c0f86c9174aa19a1b2586cbbf9a

SHA256
f5acdfc3440ae0582cd4f4ca12c5a7aabde339ad1f8ad7c6ded706d34c9b4b79

SHA512
bdcb268843f7057e817ba4d06fc8e18fa6cca58069ab10c513ba579e35b3a8b3ac39e6b1332158ee0372f84da2163aade8e4d1f4999405c074160967ec1d2f4e

Download Submit
C:\Windows\SysWOW64\ewiuer2.exe

Filesize
61KB

MD5
2c32ce4bccb09899948bd3338d22cea9

SHA1
56ffa7d28b0c67bfae064315195612077e263d70

SHA256
4fd79e70598a1f2db4397de5e6a99d5fb98d632f7c29a98e863f442ab3185fd4

SHA512
cfa46433b7864f7520da94830d0a96b618cb801f4c4f7d99425dd590655b3e2de9f75caee54b50ae2369dcda36232b831e9b7e0d18cd3d8c3a25c2ce6d89efc9

Download Submit
C:\Windows\SysWOW64\ewiuer2.exe

Filesize
61KB

MD5
a84ff7e56bb578935771d73523e90a19

SHA1
82af4b7b41c1a118f104a498057282f4e4518b63

SHA256
f1f32c383bbc305053aae0a8dfda2a2a804fce92ea1a273224c0e3c78df2a17f

SHA512
337927df9201a85409925e880e3bf73436ad3fd0da62184b1ae9ae22ff5160a410e22dcc9fd53bec82cd4cd9c14022b8f06bcc1607a776b460433b49f56eb775

Download Submit
\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
61KB

MD5
db971480a8389911e20e833b725dcb17

SHA1
7fbf85b398dbf97293783355acd7228f087f9e88

SHA256
c905e24f449ec343f0279545850bb5bb4e711c1304b464af3bfe43a79cb93e1e

SHA512
d78372caf23e2b88fa536187b7b3ecca596aa26c0d5224885d943d9dd7bbf5f956f62ed8e284af841ccc7dd38ba4d6308218e28434b459e1bbc245f9bb1842c8

Download Submit
\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
61KB

MD5
db12ada3a6ffcd3d10d2c79d0a928cd3

SHA1
6f8ec093ca171024089807f939e7484ee28630cc

SHA256
17d0dbbb0916033abf88bd242eca51d39d27ec4c7ba1bb1202db956608195d06

SHA512
5a661e7f9e35143c9b89dd210cef3e7cec570c2ad8f11c7b24ed5a4c6b70f33803eb363c6bd67f48130d76b7636fe994d74251729c9434464fe0760e2b47610f

Download Submit
\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
61KB

MD5
1bef5f407d5b1c9b4db989213f4860aa

SHA1
20d670205654bc49d3939d2a167d8b818cc44b54

SHA256
40113322215a782bc64f1aea8cb336df6c4074b8f53e19e22c609a5177e3dd5a

SHA512
a2d2cbf86273bc1e33dfd526ae4cf638a3346905dfa961bcd5750e28e86c75a0b03265939a265c7c07d304c090db89e728dca9e5cc15b89f07daec286706c312

Download Submit
\Windows\SysWOW64\ewiuer2.exe

Filesize
61KB

MD5
d4014d6af2ea24aabb32af9b1e636a2c

SHA1
04506f45f120ecf4d787d391cc3d6f0c979f2515

SHA256
9b6ce5de9ed1cfa12dc2cbd51fc5f876b4c60c6d9dd68eaf000172ef79161c6f

SHA512
41a06a4fc0c67337e2bc531dd5acede75549c5c0741b23069db772866708b45a3d63a95f1c8ad3872a55c692ed6b47dd2f1869891b79f19f10ee4c56c908560c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads