Analysis
  max time kernel:   140s
  max time network:  142s
  platform:          windows7_x64
  resource:          win7-20240221-en
  resource tags:     arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted:         10/05/2024, 06:21
Static task
  static1

Behavioral task
  behavioral1
    Sample:   8d86161d793f1c2be42d59c0b524f5c0_NeikiAnalytics.exe
    Resource: win7-20240221-en

Behavioral task
  behavioral2
    Sample:   8d86161d793f1c2be42d59c0b524f5c0_NeikiAnalytics.exe
    Resource: win10v2004-20240508-en
General
  Target:  8d86161d793f1c2be42d59c0b524f5c0_NeikiAnalytics.exe
  Size:    65KB
  MD5:     8d86161d793f1c2be42d59c0b524f5c0
  SHA1:    3a3cdd7a14a2e5c908ef4c4ce8f81bf68607d379
  SHA256:  8dba6062c01d81955d0ebeb280a292d794e136abe8fb7ddf10c191c8bf15a036
  SHA512:  adea21be9a1ff1e1fb5b2ec61b3c1aeb17373f97452fb45677ef4b5f4ee9dd19f30ec8f07ab4240d8748df7fbcc4acd9ab041530f402b5cde4b33cacbc16d7f4
  SSDEEP:  768:9eQIvFKPZo2smEasjcj29NWngAHxcw9ppEaxglaX5uAS:99IvEPZo6Ead29NQgA2wQle56
Signatures

Executes dropped EXE (4 IoCs)
  pid   Process
  3028  ewiuer2.exe
  2516  ewiuer2.exe
  2968  ewiuer2.exe
  2864  ewiuer2.exe

Loads dropped DLL (8 IoCs)
  pid   Process
  1584  8d86161d793f1c2be42d59c0b524f5c0_NeikiAnalytics.exe
  1584  8d86161d793f1c2be42d59c0b524f5c0_NeikiAnalytics.exe
  3028  ewiuer2.exe
  3028  ewiuer2.exe
  2516  ewiuer2.exe
  2516  ewiuer2.exe
  2968  ewiuer2.exe
  2968  ewiuer2.exe

Drops file in System32 directory (4 IoCs)
  description                   ioc                              Process
  File created                  C:\Windows\SysWOW64\ewiuer2.exe  ewiuer2.exe
  File opened for modification  C:\Windows\SysWOW64\ewiuer2.exe  ewiuer2.exe
  File opened for modification  C:\Windows\SysWOW64\viesazm.mpk  ewiuer2.exe
  File created                  C:\Windows\SysWOW64\ewiuer2.exe  ewiuer2.exe

Suspicious use of WriteProcessMemory (16 IoCs)
  description                       pid   Process                                              procid_target
  PID 1584 wrote to memory of 3028  1584  8d86161d793f1c2be42d59c0b524f5c0_NeikiAnalytics.exe  28
  PID 1584 wrote to memory of 3028  1584  8d86161d793f1c2be42d59c0b524f5c0_NeikiAnalytics.exe  28
  PID 1584 wrote to memory of 3028  1584  8d86161d793f1c2be42d59c0b524f5c0_NeikiAnalytics.exe  28
  PID 1584 wrote to memory of 3028  1584  8d86161d793f1c2be42d59c0b524f5c0_NeikiAnalytics.exe  28
  PID 3028 wrote to memory of 2516  3028  ewiuer2.exe                                          30
  PID 3028 wrote to memory of 2516  3028  ewiuer2.exe                                          30
  PID 3028 wrote to memory of 2516  3028  ewiuer2.exe                                          30
  PID 3028 wrote to memory of 2516  3028  ewiuer2.exe                                          30
  PID 2516 wrote to memory of 2968  2516  ewiuer2.exe                                          31
  PID 2516 wrote to memory of 2968  2516  ewiuer2.exe                                          31
  PID 2516 wrote to memory of 2968  2516  ewiuer2.exe                                          31
  PID 2516 wrote to memory of 2968  2516  ewiuer2.exe                                          31
  PID 2968 wrote to memory of 2864  2968  ewiuer2.exe                                          35
  PID 2968 wrote to memory of 2864  2968  ewiuer2.exe                                          35
  PID 2968 wrote to memory of 2864  2968  ewiuer2.exe                                          35
  PID 2968 wrote to memory of 2864  2968  ewiuer2.exe                                          35
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\8d86161d793f1c2be42d59c0b524f5c0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8d86161d793f1c2be42d59c0b524f5c0_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1584

  Level 2: C:\Users\Admin\AppData\Roaming\ewiuer2.exe
    Command line: C:\Users\Admin\AppData\Roaming\ewiuer2.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 3028

    Level 3: C:\Windows\SysWOW64\ewiuer2.exe
      Command line: C:\Windows\System32\ewiuer2.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 2516

      Level 4: C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        Command line: C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        - Suspicious use of WriteProcessMemory
        PID: 2968

        Level 5: C:\Windows\SysWOW64\ewiuer2.exe
          Command line: C:\Windows\System32\ewiuer2.exe
          - Executes dropped EXE
          - Drops file in System32 directory
          PID: 2864
Downloads