Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 02/06/2024, 22:36
Static task: static1
Behavioral task: behavioral1
  Sample: 78212682e8630cff3380ba7684d296d0_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 78212682e8630cff3380ba7684d296d0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 78212682e8630cff3380ba7684d296d0_NeikiAnalytics.exe
Size: 65KB
MD5: 78212682e8630cff3380ba7684d296d0
SHA1: 879f0ceed063ec2d6cd59ac0b1d61e70270c508e
SHA256: 1edd34321d435b4e30564f4cc801647385ffeb15f5f027f94cd946671acaad82
SHA512: 2489d1629a1d52599c030853fc0824dffaa26927314e17b40a28090eb44051377b21e29ada9f570008e4b581a454c3ebc29288089a3e0a91c76aeb2a31cda265
SSDEEP: 768:heQIvFKPZo2smEasjcj29NWngAHxcw9ppEaxglaX5uAS:h9IvEPZo6Ead29NQgA2wQle56
Signatures
Executes dropped EXE (7 IoCs)
pid   Process
2272  ewiuer2.exe
2464  ewiuer2.exe
1020  ewiuer2.exe
840   ewiuer2.exe
2108  ewiuer2.exe
1804  ewiuer2.exe
788   ewiuer2.exe

Loads dropped DLL (14 IoCs)
pid   Process
2156  78212682e8630cff3380ba7684d296d0_NeikiAnalytics.exe
2156  78212682e8630cff3380ba7684d296d0_NeikiAnalytics.exe
2272  ewiuer2.exe
2272  ewiuer2.exe
2464  ewiuer2.exe
2464  ewiuer2.exe
1020  ewiuer2.exe
1020  ewiuer2.exe
840   ewiuer2.exe
840   ewiuer2.exe
2108  ewiuer2.exe
2108  ewiuer2.exe
1804  ewiuer2.exe
1804  ewiuer2.exe

Drops file in System32 directory (3 IoCs)
description                   ioc                              Process
File created                  C:\Windows\SysWOW64\ewiuer2.exe  ewiuer2.exe
File opened for modification  C:\Windows\SysWOW64\ewiuer2.exe  ewiuer2.exe
File opened for modification  C:\Windows\SysWOW64\ewiuer2.exe  ewiuer2.exe

Suspicious use of WriteProcessMemory (28 IoCs)
description                       pid   Process                                              procid_target
PID 2156 wrote to memory of 2272  2156  78212682e8630cff3380ba7684d296d0_NeikiAnalytics.exe  28
PID 2156 wrote to memory of 2272  2156  78212682e8630cff3380ba7684d296d0_NeikiAnalytics.exe  28
PID 2156 wrote to memory of 2272  2156  78212682e8630cff3380ba7684d296d0_NeikiAnalytics.exe  28
PID 2156 wrote to memory of 2272  2156  78212682e8630cff3380ba7684d296d0_NeikiAnalytics.exe  28
PID 2272 wrote to memory of 2464  2272  ewiuer2.exe                                          30
PID 2272 wrote to memory of 2464  2272  ewiuer2.exe                                          30
PID 2272 wrote to memory of 2464  2272  ewiuer2.exe                                          30
PID 2272 wrote to memory of 2464  2272  ewiuer2.exe                                          30
PID 2464 wrote to memory of 1020  2464  ewiuer2.exe                                          31
PID 2464 wrote to memory of 1020  2464  ewiuer2.exe                                          31
PID 2464 wrote to memory of 1020  2464  ewiuer2.exe                                          31
PID 2464 wrote to memory of 1020  2464  ewiuer2.exe                                          31
PID 1020 wrote to memory of 840   1020  ewiuer2.exe                                          35
PID 1020 wrote to memory of 840   1020  ewiuer2.exe                                          35
PID 1020 wrote to memory of 840   1020  ewiuer2.exe                                          35
PID 1020 wrote to memory of 840   1020  ewiuer2.exe                                          35
PID 840 wrote to memory of 2108   840   ewiuer2.exe                                          36
PID 840 wrote to memory of 2108   840   ewiuer2.exe                                          36
PID 840 wrote to memory of 2108   840   ewiuer2.exe                                          36
PID 840 wrote to memory of 2108   840   ewiuer2.exe                                          36
PID 2108 wrote to memory of 1804  2108  ewiuer2.exe                                          38
PID 2108 wrote to memory of 1804  2108  ewiuer2.exe                                          38
PID 2108 wrote to memory of 1804  2108  ewiuer2.exe                                          38
PID 2108 wrote to memory of 1804  2108  ewiuer2.exe                                          38
PID 1804 wrote to memory of 788   1804  ewiuer2.exe                                          39
PID 1804 wrote to memory of 788   1804  ewiuer2.exe                                          39
PID 1804 wrote to memory of 788   1804  ewiuer2.exe                                          39
PID 1804 wrote to memory of 788   1804  ewiuer2.exe                                          39
Processes

[1] C:\Users\Admin\AppData\Local\Temp\78212682e8630cff3380ba7684d296d0_NeikiAnalytics.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\78212682e8630cff3380ba7684d296d0_NeikiAnalytics.exe"
    PID: 2156
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Roaming\ewiuer2.exe
      Command line: C:\Users\Admin\AppData\Roaming\ewiuer2.exe
      PID: 2272
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\ewiuer2.exe
        Command line: C:\Windows\System32\ewiuer2.exe
        PID: 2464
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Roaming\ewiuer2.exe
          Command line: C:\Users\Admin\AppData\Roaming\ewiuer2.exe
          PID: 1020
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in System32 directory
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\ewiuer2.exe
            Command line: C:\Windows\System32\ewiuer2.exe
            PID: 840
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
          [6] C:\Users\Admin\AppData\Roaming\ewiuer2.exe
              Command line: C:\Users\Admin\AppData\Roaming\ewiuer2.exe
              PID: 2108
              - Executes dropped EXE
              - Loads dropped DLL
              - Drops file in System32 directory
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\SysWOW64\ewiuer2.exe
                Command line: C:\Windows\System32\ewiuer2.exe
                PID: 1804
                - Executes dropped EXE
                - Loads dropped DLL
                - Suspicious use of WriteProcessMemory
              [8] C:\Users\Admin\AppData\Roaming\ewiuer2.exe
                  Command line: C:\Users\Admin\AppData\Roaming\ewiuer2.exe
                  PID: 788
                  - Executes dropped EXE
Downloads