b672884046c8e9e4ffa18aa00b9a65e36d7fa10490e5427bf91c1b8f807d1c6e

Analysis

max time kernel
143s
max time network
143s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/05/2024, 23:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0ad4fa0f053bc4aa9d337137081f9fb0_NeikiAnalytics.exe
Size

65KB
MD5

0ad4fa0f053bc4aa9d337137081f9fb0
SHA1

1993e98b059b45b5534ae995b73dc14397730c7a
SHA256

b672884046c8e9e4ffa18aa00b9a65e36d7fa10490e5427bf91c1b8f807d1c6e
SHA512

5de2a481f611ef63c86691a859d24d96b73328be54948eabb5c9f3e432de44ada583513a767459b8d7fdd2eb557b6939badcc834ad7aba1bca1f1ac799e2e349
SSDEEP

768:c5JIvFKPZo2sFEasjcj29NWngAHxcw9ppEaxglaX5uAj4:cvIvEPZoZEad29NQgA2wQle5M

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
2968	ewiuer2.exe
2476	ewiuer2.exe
2164	ewiuer2.exe
1444	ewiuer2.exe
2508	ewiuer2.exe
1100	ewiuer2.exe
1472	ewiuer2.exe

Loads dropped DLL 14 IoCs

pid	Process
2964	0ad4fa0f053bc4aa9d337137081f9fb0_NeikiAnalytics.exe
2964	0ad4fa0f053bc4aa9d337137081f9fb0_NeikiAnalytics.exe
2968	ewiuer2.exe
2968	ewiuer2.exe
2476	ewiuer2.exe
2476	ewiuer2.exe
2164	ewiuer2.exe
2164	ewiuer2.exe
1444	ewiuer2.exe
1444	ewiuer2.exe
2508	ewiuer2.exe
2508	ewiuer2.exe
1100	ewiuer2.exe
1100	ewiuer2.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe
File opened for modification	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe
File opened for modification	C:\Windows\SysWOW64\ewiuer2.exe	ewiuer2.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2968	2964	0ad4fa0f053bc4aa9d337137081f9fb0_NeikiAnalytics.exe	28
PID 2964 wrote to memory of 2968	2964	0ad4fa0f053bc4aa9d337137081f9fb0_NeikiAnalytics.exe	28
PID 2964 wrote to memory of 2968	2964	0ad4fa0f053bc4aa9d337137081f9fb0_NeikiAnalytics.exe	28
PID 2964 wrote to memory of 2968	2964	0ad4fa0f053bc4aa9d337137081f9fb0_NeikiAnalytics.exe	28
PID 2968 wrote to memory of 2476	2968	ewiuer2.exe	30
PID 2968 wrote to memory of 2476	2968	ewiuer2.exe	30
PID 2968 wrote to memory of 2476	2968	ewiuer2.exe	30
PID 2968 wrote to memory of 2476	2968	ewiuer2.exe	30
PID 2476 wrote to memory of 2164	2476	ewiuer2.exe	31
PID 2476 wrote to memory of 2164	2476	ewiuer2.exe	31
PID 2476 wrote to memory of 2164	2476	ewiuer2.exe	31
PID 2476 wrote to memory of 2164	2476	ewiuer2.exe	31
PID 2164 wrote to memory of 1444	2164	ewiuer2.exe	35
PID 2164 wrote to memory of 1444	2164	ewiuer2.exe	35
PID 2164 wrote to memory of 1444	2164	ewiuer2.exe	35
PID 2164 wrote to memory of 1444	2164	ewiuer2.exe	35
PID 1444 wrote to memory of 2508	1444	ewiuer2.exe	36
PID 1444 wrote to memory of 2508	1444	ewiuer2.exe	36
PID 1444 wrote to memory of 2508	1444	ewiuer2.exe	36
PID 1444 wrote to memory of 2508	1444	ewiuer2.exe	36
PID 2508 wrote to memory of 1100	2508	ewiuer2.exe	38
PID 2508 wrote to memory of 1100	2508	ewiuer2.exe	38
PID 2508 wrote to memory of 1100	2508	ewiuer2.exe	38
PID 2508 wrote to memory of 1100	2508	ewiuer2.exe	38
PID 1100 wrote to memory of 1472	1100	ewiuer2.exe	39
PID 1100 wrote to memory of 1472	1100	ewiuer2.exe	39
PID 1100 wrote to memory of 1472	1100	ewiuer2.exe	39
PID 1100 wrote to memory of 1472	1100	ewiuer2.exe	39

C:\Users\Admin\AppData\Local\Temp\0ad4fa0f053bc4aa9d337137081f9fb0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0ad4fa0f053bc4aa9d337137081f9fb0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Users\Admin\AppData\Roaming\ewiuer2.exe
  C:\Users\Admin\AppData\Roaming\ewiuer2.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\SysWOW64\ewiuer2.exe
    C:\Windows\System32\ewiuer2.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Users\Admin\AppData\Roaming\ewiuer2.exe
      C:\Users\Admin\AppData\Roaming\ewiuer2.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2164
    - - C:\Windows\SysWOW64\ewiuer2.exe
        
        C:\Windows\System32\ewiuer2.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1444
      - C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        
        C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\ewiuer2.exe
        
        C:\Windows\System32\ewiuer2.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        
        C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        8⤵
        Executes dropped EXE
        
        PID:1472

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\L15VPK3F.txt

Filesize
230B

MD5
269644a73b351e18d66762a744378170

SHA1
e02f0feecc9bde8e1a0c7e02c341eddf96d24113

SHA256
65b0b1c809a12f5e9f90a3e2c49550a5be371cc0fecb2bca933a2a876a3e22b9

SHA512
9f7b9e6920a3f4ac7fac5fc73fbee198b599e5b4e6d41d0d9c834043dedadcd8eb6dcfefe8d709b24e2a32563c9d5ae306bff2fe44df16cfe821321ac6f6bba6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SHGBUNQB.txt

Filesize
229B

MD5
2e3eea2f0058cf08e0689aae6388db4f

SHA1
08a9e81b7cc4e00fd482387bb1fd06df1878ed5c

SHA256
7f45f704f78b08a0f17895abec56ba9d3f11f8a1a9d1ddb10ba668324d274cc7

SHA512
31aa286803855d9460eb04a7013364e76855c2aed70cae12ca085a12ba6dc035988f43c6f47cc3621a1bef79659a9a72a32a771a98ca463aff7365834d7b6a09

Download Submit
C:\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
65KB

MD5
f7fa68fd8bd58289a1cf9a03bc3b3e58

SHA1
99c6ef1ca8dfae00e9329ffce46079aae7be58db

SHA256
47ea5144edd93d89276fd2453ed0abac3561aeb7a45411b059a5522f92247668

SHA512
6f303a158650e4e06f393fa4d20aec0d97fa6874b16a038e301285fb7470c22f03bfb017ccd7f35dbaba0a84c8c468938127e7fff3be54e58f6f23b03c95aded

Download Submit
\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
65KB

MD5
27b71158be08f178622dc0d28b0534b3

SHA1
d04673a8e54fcc5055670cb0bc851969ccbb6786

SHA256
5ca44966497b621acbe86449bc598ec38fee33cd2cab0803abdc6ba0f7e87d11

SHA512
0c3c24a81de46ba181aa181dc4cf018209b86939cfd0a8eb6e34019de49c3f0af470fbde6095039e05a78d2625b3831f3f2a2883a884d902f041838358f2033c

Download Submit
\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
65KB

MD5
a7ca03364ea1f53ccd35a03339877bf7

SHA1
a803af618fbac582429945edb71edac32d48ce7a

SHA256
d673e3d97a7ec83bf5b81fbce17b1bf672212f5ff047384a07cb4d1226dd8d3d

SHA512
d77e4e30ace4deb2ef89ee2ae14dcf71d422fc1cc8f327b4b635d340c7f3c3faec81b3cf68c27464dc2e1f0adb3d9147a265c5a6d4ac8fda52759901ed89a514

Download Submit
\Users\Admin\AppData\Roaming\ewiuer2.exe

Filesize
65KB

MD5
e7d43f6d73bc6e1ed46a5a0db17c1328

SHA1
dc1555c44f1b7e5212d60a3438bf9ef57bf3f389

SHA256
bf43069c998e7b7ffa356b415e3e8c304248b28fd770e050cb7b364f14d1d3b9

SHA512
df4a5a3ecaa0ac6fde361fdfdfd76c73aff46741169e4b5a477df747a287530f010b4a34189c36677fb1494c5b9cf3ef3b7541198d87c10c29b7d1e834676ea7

Download Submit
\Windows\SysWOW64\ewiuer2.exe

Filesize
65KB

MD5
09f5ec2286e48cda848410518c5f1dc3

SHA1
744dcb266616d1a1383bcd7e48c322a543bb2d0d

SHA256
5b68a623ae26196c3bd1ffe6f0c3c5da01f9f592f074aebcedf8e01a4ffd0bbe

SHA512
b866f62793409fe459a60adb5a4d7f813701028813723be9dc60ef9c90caf40cf568f00735a0c10113a0dbd1feada3684f4ea7a5403375128c246f6d230bd2fa

Download Submit
\Windows\SysWOW64\ewiuer2.exe

Filesize
65KB

MD5
5b773305d4b24271ec400857ab7e217b

SHA1
5b74cf991d05353b2c241fc59935b800ecc1fe5d

SHA256
8a96100ac235ce1a80a1860c02c7cff046ed12d682142830cc69987981bcacfd

SHA512
cc882009d3484c40f1a2cbb02fb6a0680fb647e7b15717de721119acd08a9cce209a6489b6fdcbc3bd27358aba890c30d859affec36b0cb86edb1976b3903ed9

Download Submit
\Windows\SysWOW64\ewiuer2.exe

Filesize
65KB

MD5
7784c3b1570f6ae27872021b32263d4f

SHA1
6d644fb32505a8a4a9c22abf4a93291e155830eb

SHA256
a646e58fa101d7259a3203c2bd0ee6fc47de22780820c68efb87b5dcf60560c8

SHA512
031462c7ff0e16e2d5d217a532907038fe8fbf6961a8dd11cd6317be34e102354326af8a789fc6cd0e9408e5598d7478d675f928370a98e6bc490f246300cfb1

Download Submit
memory/1100-80-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/1100-77-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1444-49-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1444-54-0x0000000000430000-0x000000000045A000-memory.dmp

Filesize
168KB

Download
memory/1444-60-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1472-86-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2164-35-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2164-47-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2164-37-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2476-27-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2508-62-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2508-63-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2508-74-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2964-4-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/2964-1-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2968-23-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2968-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2968-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2968-17-0x00000000027B0000-0x00000000027DA000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads