8dba6062c01d81955d0ebeb280a292d794e136abe8fb7ddf10c191c8bf15a036

General

Target

8d86161d793f1c2be42d59c0b524f5c0_NeikiAnalytics.exe
Size

65KB
MD5

8d86161d793f1c2be42d59c0b524f5c0
SHA1

3a3cdd7a14a2e5c908ef4c4ce8f81bf68607d379
SHA256

8dba6062c01d81955d0ebeb280a292d794e136abe8fb7ddf10c191c8bf15a036
SHA512

adea21be9a1ff1e1fb5b2ec61b3c1aeb17373f97452fb45677ef4b5f4ee9dd19f30ec8f07ab4240d8748df7fbcc4acd9ab041530f402b5cde4b33cacbc16d7f4
SSDEEP

768:9eQIvFKPZo2smEasjcj29NWngAHxcw9ppEaxglaX5uAS:99IvEPZo6Ead29NQgA2wQle56

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3028	ewiuer2.exe
2516	ewiuer2.exe
2968	ewiuer2.exe
2864	ewiuer2.exe

Loads dropped DLL 8 IoCs

pid	Process
1584	8d86161d793f1c2be42d59c0b524f5c0_NeikiAnalytics.exe
1584	8d86161d793f1c2be42d59c0b524f5c0_NeikiAnalytics.exe
3028	ewiuer2.exe
3028	ewiuer2.exe
2516	ewiuer2.exe
2516	ewiuer2.exe
2968	ewiuer2.exe
2968	ewiuer2.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe
File opened for modification	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe
File opened for modification	C:\Windows\SysWOW64\viesazm.mpk	ewiuer2.exe
File created	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 3028	1584	8d86161d793f1c2be42d59c0b524f5c0_NeikiAnalytics.exe	28
PID 1584 wrote to memory of 3028	1584	8d86161d793f1c2be42d59c0b524f5c0_NeikiAnalytics.exe	28
PID 1584 wrote to memory of 3028	1584	8d86161d793f1c2be42d59c0b524f5c0_NeikiAnalytics.exe	28
PID 1584 wrote to memory of 3028	1584	8d86161d793f1c2be42d59c0b524f5c0_NeikiAnalytics.exe	28
PID 3028 wrote to memory of 2516	3028	ewiuer2.exe	30
PID 3028 wrote to memory of 2516	3028	ewiuer2.exe	30
PID 3028 wrote to memory of 2516	3028	ewiuer2.exe	30
PID 3028 wrote to memory of 2516	3028	ewiuer2.exe	30
PID 2516 wrote to memory of 2968	2516	ewiuer2.exe	31
PID 2516 wrote to memory of 2968	2516	ewiuer2.exe	31
PID 2516 wrote to memory of 2968	2516	ewiuer2.exe	31
PID 2516 wrote to memory of 2968	2516	ewiuer2.exe	31
PID 2968 wrote to memory of 2864	2968	ewiuer2.exe	35
PID 2968 wrote to memory of 2864	2968	ewiuer2.exe	35
PID 2968 wrote to memory of 2864	2968	ewiuer2.exe	35
PID 2968 wrote to memory of 2864	2968	ewiuer2.exe	35

C:\Users\Admin\AppData\Local\Temp\8d86161d793f1c2be42d59c0b524f5c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8d86161d793f1c2be42d59c0b524f5c0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Users\Admin\AppData\Roaming\ewiuer2.exe
  C:\Users\Admin\AppData\Roaming\ewiuer2.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\SysWOW64\ewiuer2.exe
    C:\Windows\System32\ewiuer2.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Users\Admin\AppData\Roaming\ewiuer2.exe
      C:\Users\Admin\AppData\Roaming\ewiuer2.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2968
    - - C:\Windows\SysWOW64\ewiuer2.exe
        
        C:\Windows\System32\ewiuer2.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2864

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\15CWZQ54.txt

Filesize
230B

MD5
eed4a7cf41b261a802242a4c0bd5dd76

SHA1
2d61859b12674308ea46e82e0c2c854246f5c355

SHA256
833445e4073c5ee60be4e7d0925f97f2ad7863d2388ec0fdf18d54977a842a18

SHA512
bddf7ffeecbbcb404f94891128777f1948dbd8519cfa2967a8c05f19074d61c53fa645c6985e3e144f08716ee423c6c8ecdf4bd0b44f613842e4e0f7bf623bb5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\8CW4L4DU.txt

Filesize
229B

MD5
e9db8228a2966e7ff22f19ebc069610d

SHA1
1d5d24f91d3c06af06d1b3e15fddeec37fadc5f1

SHA256
94600664cb168a1fde6936968ced38802441379dfc3a291598dd44cec8d90fea

SHA512
eca66eb2f26c6fa9579f10da076a470db9f9bd468934d1ec9359639d40672b378ff516df2158ae6915ef523062d3a6d396a136d599bce784fd17a0c98ba9b5db

Download Submit
C:\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
65KB

MD5
234a9e28c24db3c941fb617e5889500d

SHA1
a378ca5d6352e00441b668243b877b3aaf3f8f7f

SHA256
ce6c8be7adb18593b029319e23c1a833527842cf6f7d65c523a44978cde671b2

SHA512
f683a204cf0a8cdf20d5ac7dbbe4b4a24fda602567b381f84e602398eb8ae67b6615fea7a65f1fde468c3f44410791761fbaeea4fd18ef00e51a7a260096b482

Download Submit
\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
65KB

MD5
ee6701cbe43eb1d3325a91fd2225b0a0

SHA1
2573a4c1966ab4c1eeb8fbc2c93eb67bf45217b3

SHA256
bf99a40d240aae29a4cadda339067be8e2b0da04ac04584adbbf0c044239225c

SHA512
3d32a2602ff23fab1e30befc3d146eee4196678ca531e62f9f1ce334d0825aa4bfaaca4060a9e28eefbd65fa3e19d4f255bb3c153b7427555e9b32f73c3e0ab1

Download Submit
\Windows\SysWOW64\ewiuer2.exe

Filesize
65KB

MD5
bc6fcfadc15b518b378cfef405de48b6

SHA1
a04c5e80c37db839c9017e2a20b454fd3d18d09b

SHA256
025db59030d99c6300829b66c773102ff215a65cf5dd550900d96d5ba5b0e74c

SHA512
52645d093b0c33f74365caab6a28a7351e9db8f3e21ea6f9e0880262697864b089b67e6a19ef3344ba350d7af7db36fe0d6f1e66e141fe0046a9855a68c09805

Download Submit
\Windows\SysWOW64\ewiuer2.exe

Filesize
65KB

MD5
4ca1dcc60952377ccb70ef3704dcaa1e

SHA1
56383d72a716e2588a7c55b4a2f6bb017b508482

SHA256
414a943fb1826c4170691a40c4fddc200023156f6600b33dd1da444960d162cc

SHA512
785b7e709fa5175dfdf20f042145740817a357d4830549bc481b2672778e800f4503b6f93d1355ee5277d5c93b75c0d40d484a69d820b8663403f6ec6e08b03c

Download Submit
memory/1584-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2516-28-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/2516-33-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2864-49-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2864-50-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2968-36-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2968-46-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3028-22-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3028-16-0x0000000002610000-0x000000000263A000-memory.dmp

Filesize
168KB

Download
memory/3028-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3028-10-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads