fe6db207e456f8b81d2e0fb2d4320b460e5ad37bf464b20fd0df7ea0b57f7da8

Analysis

max time kernel
149s
max time network
140s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
16/05/2024, 20:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29266e2f82c49a19a41d0360c99224a0_NeikiAnalytics.exe
Size

65KB
MD5

29266e2f82c49a19a41d0360c99224a0
SHA1

88ca8019b485cde54af9fddab00169e53e59ee6f
SHA256

fe6db207e456f8b81d2e0fb2d4320b460e5ad37bf464b20fd0df7ea0b57f7da8
SHA512

bed94fd6e73b6b900ce47023942780f7a1f443e13eb17711e946c1889bd295cfca71aea121c7814be9acdbc9934f845a4c030b1c463943d6b88e2faf4ca8c257
SSDEEP

768:0o5JIvFKPZo2sFEasjcj29NWngAHxcw9ppEaxglaX5uAj4:vvIvEPZoZEad29NQgA2wQle5M

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
2232	ewiuer2.exe
2464	ewiuer2.exe
2756	ewiuer2.exe
2092	ewiuer2.exe
2096	ewiuer2.exe
3012	ewiuer2.exe
1580	ewiuer2.exe

Loads dropped DLL 14 IoCs

pid	Process
2188	29266e2f82c49a19a41d0360c99224a0_NeikiAnalytics.exe
2188	29266e2f82c49a19a41d0360c99224a0_NeikiAnalytics.exe
2232	ewiuer2.exe
2232	ewiuer2.exe
2464	ewiuer2.exe
2464	ewiuer2.exe
2756	ewiuer2.exe
2756	ewiuer2.exe
2092	ewiuer2.exe
2092	ewiuer2.exe
2096	ewiuer2.exe
2096	ewiuer2.exe
3012	ewiuer2.exe
3012	ewiuer2.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe
File opened for modification	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe
File created	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2232	2188	29266e2f82c49a19a41d0360c99224a0_NeikiAnalytics.exe	28
PID 2188 wrote to memory of 2232	2188	29266e2f82c49a19a41d0360c99224a0_NeikiAnalytics.exe	28
PID 2188 wrote to memory of 2232	2188	29266e2f82c49a19a41d0360c99224a0_NeikiAnalytics.exe	28
PID 2188 wrote to memory of 2232	2188	29266e2f82c49a19a41d0360c99224a0_NeikiAnalytics.exe	28
PID 2232 wrote to memory of 2464	2232	ewiuer2.exe	30
PID 2232 wrote to memory of 2464	2232	ewiuer2.exe	30
PID 2232 wrote to memory of 2464	2232	ewiuer2.exe	30
PID 2232 wrote to memory of 2464	2232	ewiuer2.exe	30
PID 2464 wrote to memory of 2756	2464	ewiuer2.exe	31
PID 2464 wrote to memory of 2756	2464	ewiuer2.exe	31
PID 2464 wrote to memory of 2756	2464	ewiuer2.exe	31
PID 2464 wrote to memory of 2756	2464	ewiuer2.exe	31
PID 2756 wrote to memory of 2092	2756	ewiuer2.exe	35
PID 2756 wrote to memory of 2092	2756	ewiuer2.exe	35
PID 2756 wrote to memory of 2092	2756	ewiuer2.exe	35
PID 2756 wrote to memory of 2092	2756	ewiuer2.exe	35
PID 2092 wrote to memory of 2096	2092	ewiuer2.exe	36
PID 2092 wrote to memory of 2096	2092	ewiuer2.exe	36
PID 2092 wrote to memory of 2096	2092	ewiuer2.exe	36
PID 2092 wrote to memory of 2096	2092	ewiuer2.exe	36
PID 2096 wrote to memory of 3012	2096	ewiuer2.exe	38
PID 2096 wrote to memory of 3012	2096	ewiuer2.exe	38
PID 2096 wrote to memory of 3012	2096	ewiuer2.exe	38
PID 2096 wrote to memory of 3012	2096	ewiuer2.exe	38
PID 3012 wrote to memory of 1580	3012	ewiuer2.exe	39
PID 3012 wrote to memory of 1580	3012	ewiuer2.exe	39
PID 3012 wrote to memory of 1580	3012	ewiuer2.exe	39
PID 3012 wrote to memory of 1580	3012	ewiuer2.exe	39

C:\Users\Admin\AppData\Local\Temp\29266e2f82c49a19a41d0360c99224a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\29266e2f82c49a19a41d0360c99224a0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Roaming\ewiuer2.exe
  C:\Users\Admin\AppData\Roaming\ewiuer2.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\SysWOW64\ewiuer2.exe
    C:\Windows\System32\ewiuer2.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2464
  - - C:\Users\Admin\AppData\Roaming\ewiuer2.exe
      C:\Users\Admin\AppData\Roaming\ewiuer2.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2756
    - - C:\Windows\SysWOW64\ewiuer2.exe
        
        C:\Windows\System32\ewiuer2.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2092
      - C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        
        C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\ewiuer2.exe
        
        C:\Windows\System32\ewiuer2.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        
        C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        8⤵
        Executes dropped EXE
        
        PID:1580

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\8UDEUOQJ.txt

Filesize
230B

MD5
7e6352c56661328cb1969044b1bde286

SHA1
e5e9dc01bd2cedaaf825316ee159d7e91b3eb483

SHA256
e3ca70ae2eeb52a3a2d8d2d9862da2dab053ffc14a7bcada3ec8fc9bfaaeb3f7

SHA512
74bfbb026d20d555eebd249553babc7642cecd9c59f77d2d0450d8a23704c7a6f116bfd68ac213a7f99e94c573c9cdc9810cd3fefc6a9aee2b4f1b3152136126

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\AG48ZRLN.txt

Filesize
229B

MD5
c02b5e50dfcc1bef6f7ce7744a8467ff

SHA1
3f9297f0e89e5ab7c6a1e09d8feb2d7ce7b45cbc

SHA256
2ff1f8791d4162c8e5d78884c36abda50492e9c88d2b63134a1a5253e788d81b

SHA512
d8522666815fcc3f14aed4beb722df119a5ebe38203ca2d6a84d9a1adf56215984a222e3343e416368036a12196a894f4aeebd9abd15aa10fc1a922fa98ce64b

Download Submit
C:\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
65KB

MD5
84c4bd9dcedb67d7a4f21e550526e381

SHA1
cd378ab72ba43303a7672ef353ccda21d3789fcb

SHA256
8936cba9435b373607a8d1ded5f4339f3a7e187f431503f9027f9c20da9ec9ea

SHA512
f5828ecc22095cdf13ab4dba1b6ce82df2b806e896f3951e7fdf482360a3ee89cc130b0ce0cf5028e948b5851216543d4a26d90f40f06c2cb1bd8f1b2ddb4344

Download Submit
\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
65KB

MD5
440fa27c0de38c5b6b2c71a4cb6ba680

SHA1
9787cbc4bb0b4009c05302d4db8b567b84dbd22d

SHA256
7de97cd73ebc9791424d28fbf959162f078afe6297df670fa8173987bfad4bb5

SHA512
17217521cd50945700d307ffb33299a2e39092a5685f3877fe01e9cd5f0889a7df8d2936b79d060fffa86d83d670bd43d5cc334154ce40706b440d30109b7b68

Download Submit
\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
65KB

MD5
9da7f908d70bd1d130d5bb45f9212c3f

SHA1
51c12295b6394a8d87655bd552c07469275c32e3

SHA256
5aa90c948803895ef8ddbdd2891b374f7b02e304a4ba3fc3e7945413d7d2b840

SHA512
614ade69b01e2e0907c6eae6283cafaab9b87db48735830141a4f6f1260f5e03d82ec75a4185c1e9cd11f163220d9c85a60f85eaa4a9fa90bf689809cadb6b80

Download Submit
\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
65KB

MD5
d48a928069acf21acd013cf195b5ea6c

SHA1
54372b54cf0ca53c72b561dd58ff9bc3b4838db0

SHA256
e72ca671f04e4b81e9e9d333c96569598093bba5a200e2bf895c157f2df58d72

SHA512
5ea0f479e560701e1782750a81066d696ce429015591511f1b6f5f18f8f9b4418ad20e7296132edf16447d3f9e55b537617be829a67b2e558bf3573f5191e543

Download Submit
\Windows\SysWOW64\ewiuer2.exe

Filesize
65KB

MD5
9a0b4d9e6112e7ae82d9cb56dc9db368

SHA1
98e2ebef502cb4546a16eb58beaec42b5491e5d5

SHA256
9610e64a3c77e177e05265fd68b7d4bbec4615888576821fa18f7c5e7cbda311

SHA512
161f88aef78a3f0a35973dde86e5f99840124336ed0a765087d4075e39aeb36f6e95b58899ca3c5cbe5f74e3763d0743cea142b35275fff72a90eab442acf4d3

Download Submit
\Windows\SysWOW64\ewiuer2.exe

Filesize
65KB

MD5
1f476c979792b8f9b109011b84c95e2f

SHA1
3e51d29eacb5530639fa05d432e48bcdf4402f2b

SHA256
bbaa7379f674ac3fcfd92f7da097904a7937e5f02a9943088e87e6ed19c631a6

SHA512
5af07750e37dd5e0bfc9e80be9e412c652da0b837a86f5491a9e414eb40c3f85da0f2e5f07b216e6ba2475b19c68ed1eedb2a0400935ae3bac0259487bcec735

Download Submit
\Windows\SysWOW64\ewiuer2.exe

Filesize
65KB

MD5
1fcc54e9270b9bc4db7cdefefa6e7817

SHA1
ef92d7cc8d319907bb1bb14c94c4e9510eb6c39b

SHA256
ef89de85c6eb96ac4a61008a9bd9a30980108262bede808db50cecc91997a0d0

SHA512
e411875bf858d278ef7800c846e5a687fd1e1e1abccabcfbb8404c941a6dafa3955e5c3d1badf2c082572abb8906977e7edd7c5fb290ad99cabeaf38dbcd5fba

Download Submit
memory/1580-88-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2092-62-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2092-57-0x00000000002B0000-0x00000000002DA000-memory.dmp

Filesize
168KB

Download
memory/2092-52-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2096-77-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2096-66-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2096-65-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2188-9-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/2188-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2188-8-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/2188-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2232-26-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2232-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2232-19-0x0000000002570000-0x000000000259A000-memory.dmp

Filesize
168KB

Download
memory/2232-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2464-27-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2464-36-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2756-51-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2756-40-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2756-38-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3012-80-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads