f67e8d1a1b4b786698e36b906ba8f17dd649272fb4a4c413eb6f1f0be8249e75

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 17:00

Target

065bf1f241ee1acdfa21a1f399cf6340_NeikiAnalytics.exe
Size

61KB
MD5

065bf1f241ee1acdfa21a1f399cf6340
SHA1

039e03ad925b2dc043363d7259d73ae03cdc12ae
SHA256

f67e8d1a1b4b786698e36b906ba8f17dd649272fb4a4c413eb6f1f0be8249e75
SHA512

e8a87699dbbaad9a51616554612190eadc830912df373f929c2b71a970e7c0b2eb0531fe847d538610b6bf021e411452fedc4453a6df3981e0ed32e643e1bab7
SSDEEP

1536:fttdse4OcUmWQIvEPZo6E5sEFd29NQgA2wnle5:Xdse4OlQZo6EKEFdGM2+le5

Score

7^/10

Executes dropped EXE 3 IoCs

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\viesazm.mpk	ewiuer2.exe
File created	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe
File opened for modification	C:\Windows\SysWOW64\viesazm.mpk	ewiuer2.exe
File created	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 4892	4192	065bf1f241ee1acdfa21a1f399cf6340_NeikiAnalytics.exe	84
PID 4192 wrote to memory of 4892	4192	065bf1f241ee1acdfa21a1f399cf6340_NeikiAnalytics.exe	84
PID 4192 wrote to memory of 4892	4192	065bf1f241ee1acdfa21a1f399cf6340_NeikiAnalytics.exe	84
PID 4892 wrote to memory of 3152	4892	ewiuer2.exe	100
PID 4892 wrote to memory of 3152	4892	ewiuer2.exe	100
PID 4892 wrote to memory of 3152	4892	ewiuer2.exe	100
PID 3152 wrote to memory of 4064	3152	ewiuer2.exe	109
PID 3152 wrote to memory of 4064	3152	ewiuer2.exe	109
PID 3152 wrote to memory of 4064	3152	ewiuer2.exe	109

C:\Users\Admin\AppData\Local\Temp\065bf1f241ee1acdfa21a1f399cf6340_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\065bf1f241ee1acdfa21a1f399cf6340_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Users\Admin\AppData\Roaming\ewiuer2.exe
  C:\Users\Admin\AppData\Roaming\ewiuer2.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Windows\SysWOW64\ewiuer2.exe
    C:\Windows\System32\ewiuer2.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3152
  - - C:\Windows\SysWOW64\ewiuer2.exe
      C:\Windows\SysWOW64\ewiuer2.exe /nomove
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:4064

C:\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
61KB

MD5
68b3986110d28056835cf25aab0fa3e0

SHA1
aac6402f9249e8e432a10139ecb95d0e9fc1fca2

SHA256
90938ee8cceea36bfe0dcd3b42adbd9e950c0c7308f189ce285a28ee67eecf26

SHA512
27bc3860a708510ebdd7e39af3e2b84b4b99ec78c001273c01c05fd57a8e69fc5d56ea353e08c20fb9c5149df9cad840c23e65d6924330cb0e8396b8d5668ddc

Download Submit
C:\Windows\SysWOW64\ewiuer2.exe

Filesize
61KB

MD5
417cbe9ed7f8a16777880f18e11ede53

SHA1
eb392bb754e08405b80e6fc6a6dafcd171e02ab2

SHA256
7e632919de793ed9391a15278dcc83c1e07cc3819bd3db509e6211ba38775216

SHA512
a0e2a5ee2f00be3b66f68c85066ece6f3f880e3ab0086049214413bc48658c90fbdd4ddcded89c295c774038261fc9c542c6df2f669823e6c192f65f2065d778

Download Submit