Analysis Overview
SHA256
1edd34321d435b4e30564f4cc801647385ffeb15f5f027f94cd946671acaad82
Threat Level: Shows suspicious behavior
The file 78212682e8630cff3380ba7684d296d0_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-02 22:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-02 22:36
Reported
2024-06-02 22:39
Platform
win7-20240221-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\78212682e8630cff3380ba7684d296d0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\78212682e8630cff3380ba7684d296d0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\ewiuer2.exe | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ewiuer2.exe | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ewiuer2.exe | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\78212682e8630cff3380ba7684d296d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\78212682e8630cff3380ba7684d296d0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
C:\Windows\SysWOW64\ewiuer2.exe
C:\Windows\System32\ewiuer2.exe
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
C:\Windows\SysWOW64\ewiuer2.exe
C:\Windows\System32\ewiuer2.exe
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
C:\Windows\SysWOW64\ewiuer2.exe
C:\Windows\System32\ewiuer2.exe
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | podayl.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
Files
memory/2156-1-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2156-8-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2272-11-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
| MD5 | 0d510d7c7812e00ec9b90b4dd6d4863d |
| SHA1 | f9499d7bf709a3f7b04aa00044d2a630666cceee |
| SHA256 | d9639cb203b712647dfeb9455341ab24c77d6eb66b0c05c7e6b6c2d3a7bde5ff |
| SHA512 | 4e0bdbba5d792627c94d0cacff4e97a8210bb74330518a45b5d6a62b45d3735560a2b21935f4e6a71f1eb2e303029b2b7e37a297d475a6e4bfcfc7737d495597 |
memory/2272-12-0x0000000000400000-0x000000000042A000-memory.dmp
\Windows\SysWOW64\ewiuer2.exe
| MD5 | 8bdd3f7adcfeb51edddeadb9eb427b67 |
| SHA1 | 5c9b3e1831344a283929c8042e5869cf3e8afadd |
| SHA256 | 0fbe5f47d9f0fa3706d4a18fcd861af96d78b0de5a5c14e363727c8bb633fb54 |
| SHA512 | 80fbe454566aae6f229846d8260aec8a34226461582446152f42c689030c4bf3ce1eac303403f721a0f05d1cda959fd7da1886f8cecd4e1fffb8a774dd77411c |
memory/2272-17-0x0000000002340000-0x000000000236A000-memory.dmp
memory/2464-25-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2272-23-0x0000000000400000-0x000000000042A000-memory.dmp
\Users\Admin\AppData\Roaming\ewiuer2.exe
| MD5 | 6499f64fab8dd4b58c706ca56f94ace0 |
| SHA1 | 76eb7cf03aecd96e2fea9d8a39371066a219a40f |
| SHA256 | 73ca80345a85b108e30f95b36ff9e3e7d07de85b039170f6678ad53995dae660 |
| SHA512 | 66b21920d970f5713cb77b1ced9e6cb44315af1a9080a0bd083297dd036b53b48aca6f2a8d23c9845a39a23fbdd42a94118af8c1bf9f405342e14bdbaf627d7e |
memory/2464-34-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1020-36-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1020-38-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\4KO0XM1A.txt
| MD5 | 499c0cb09c48da7ebea2f855c99e4a02 |
| SHA1 | 99ea86e6a84b798942d305d5ec3aa62e5cca312c |
| SHA256 | 1cb3e31f6c1255730056281bf98de63a7b2e8df1a283d9257016569fd26b6857 |
| SHA512 | 095c1fc3c89405a781d40f69503694288af0d7f64f15b35fc6b143df7fbcf764b304cef5a5980fd0dfba0af391afc3f2b9a786f4578c7877db2744493e1c67af |
\Windows\SysWOW64\ewiuer2.exe
| MD5 | 2beb1999a3c3c9a1baa9d353747517d2 |
| SHA1 | 1dcd82b3e906619fd85bd8f3ece15d930717e89f |
| SHA256 | 8562fcd81d715fcd1428aef53cbe3a6bc1e9867ce3608648827ec4e85921ce6e |
| SHA512 | edebc902ba182bf3d21f1b4ddadc4774ad9b25a2060914fb906d01eb72fe15bc429b2f13a82104acf58522924e0177c2998dcd40a3cc502afc6aceddcfcc26fe |
memory/1020-48-0x0000000000400000-0x000000000042A000-memory.dmp
memory/840-50-0x0000000000400000-0x000000000042A000-memory.dmp
\Users\Admin\AppData\Roaming\ewiuer2.exe
| MD5 | c44dfb17e069b6e69544b058b109ba1e |
| SHA1 | 134d12f97d45b62d523c850696f319cf875ca5f6 |
| SHA256 | 41b3d5a6d250a05e8d9e5c737fa4fcf67c9f02705932eb3b91539af0cc2c145b |
| SHA512 | e147138231264d4ba36ff8576ce2ec5d39dcdf9c156be991e860d1aa4dfbf3fa1d0bf5a15cc99b23ece75db0a866410dd8301fee5a5161bcb079adb69610165d |
memory/2108-61-0x0000000000400000-0x000000000042A000-memory.dmp
memory/840-60-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2108-63-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\37JUVY7G.txt
| MD5 | 0f11c962ec209a06f79abb4fcec58d47 |
| SHA1 | 057d30367488ecdac94ddc0a942ffaa6e88f1bd1 |
| SHA256 | 2cd810e4e860198188dcfc66a50decb58a0b60949ba0d53371d52aa9d0d52b47 |
| SHA512 | 0936c1a54ee309dae147df9734b001df1ccc69ab3b32cbf0ed02f5a504751b1b3417774c00c9a418acabaf1cf407bddf7199902264f2fcabc1f97d2f6247ebb7 |
\Windows\SysWOW64\ewiuer2.exe
| MD5 | 39bc26ce4685e1fb96db3972f927fb3a |
| SHA1 | d4c8de33cdb978c627814d19e6fa5b7a07180010 |
| SHA256 | e1223ec26634ad326200835fd3d3844194a5e9da10d8445b3894fb1c934e13ae |
| SHA512 | 11b5e6f478d7bbd3cd9fef7ecccd4392aeec8dc275617fad462c44850baf7607252507ca884e757b03d10efd20d4aa4a3b5c5b7d25dd7445c73cbefe413e8023 |
memory/1804-75-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2108-74-0x0000000000400000-0x000000000042A000-memory.dmp
\Users\Admin\AppData\Roaming\ewiuer2.exe
| MD5 | bdbe3ec483abee529bec6a3d2b1a029e |
| SHA1 | 8d3321864e57470949e7d20053d8df4e3becd812 |
| SHA256 | 585552d657ed9e9dc710605c21f6b4db2587ec0fa8c10b227482c19b1486dd73 |
| SHA512 | 472ac3900bd21b0ee0699577e6b59b8f4c5e3cbb478d6df2a351eb69d35575315303f3e484964bb5d5229620a4c7c513d1d10eec44b94d96274b90f4fa53b980 |
memory/1804-84-0x0000000000400000-0x000000000042A000-memory.dmp
memory/788-86-0x0000000000400000-0x000000000042A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-02 22:36
Reported
2024-06-02 22:39
Platform
win10v2004-20240508-en
Max time kernel
144s
Max time network
146s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\ewiuer2.exe | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ewiuer2.exe | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\viesazm.mpk | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
| File created | C:\Windows\SysWOW64\ewiuer2.exe | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\78212682e8630cff3380ba7684d296d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\78212682e8630cff3380ba7684d296d0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
C:\Windows\SysWOW64\ewiuer2.exe
C:\Windows\System32\ewiuer2.exe
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
C:\Windows\SysWOW64\ewiuer2.exe
C:\Windows\System32\ewiuer2.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | podayl.net | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | podayl.net | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | podayl.net | udp |
| US | 8.8.8.8:53 | podayl.net | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 130.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | podayl.net | udp |
| US | 8.8.8.8:53 | podayl.net | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | podayl.net | udp |
| US | 8.8.8.8:53 | podayl.net | udp |
Files
memory/4376-0-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4592-5-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4376-4-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
| MD5 | 0d510d7c7812e00ec9b90b4dd6d4863d |
| SHA1 | f9499d7bf709a3f7b04aa00044d2a630666cceee |
| SHA256 | d9639cb203b712647dfeb9455341ab24c77d6eb66b0c05c7e6b6c2d3a7bde5ff |
| SHA512 | 4e0bdbba5d792627c94d0cacff4e97a8210bb74330518a45b5d6a62b45d3735560a2b21935f4e6a71f1eb2e303029b2b7e37a297d475a6e4bfcfc7737d495597 |
memory/4592-7-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Windows\SysWOW64\ewiuer2.exe
| MD5 | e11cbfe9c818b3e5ae1e234d9eee66c2 |
| SHA1 | 1797bd6fb5b8cb7d1d68d4ffdb6e98e64a74dec2 |
| SHA256 | e47f98310c583afb634334a90a974c996658ba5b92ead276c299869d8e6acc25 |
| SHA512 | fa8fc0442b42484c18b4a37c21f34df6d43ee7cbb56d4e8ff2c1ec65aefe9521a7130cb89d230c45c429557ae421ff7e2faee759d1b363d5a598d7565d493cf1 |
memory/4592-12-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1128-13-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
| MD5 | 7b69c3994c5d7bf45923675b3688045e |
| SHA1 | 153e7ba17dd912b1478bec690019ee311b25271e |
| SHA256 | 879daaf764189ad17a4a0ef9e59594625d87cdd2d46833f22a6373d7d71c26ac |
| SHA512 | 817f6a985ead5ed8b80900c4f074eb9f0ce9fcab2c3f73ea81741810a6c52877f12bc1aa7300f8d15c12616ce76ab761a9b2a75831d24281e76828a06d0a2d0d |
memory/1128-19-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1988-18-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1988-20-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Windows\SysWOW64\ewiuer2.exe
| MD5 | 6811be0044bd871352d12470d7a39650 |
| SHA1 | 14d7cf356e39d75ac4c9175996e02797fd94a4c1 |
| SHA256 | b5197c41096ed331af7f041de8efac831875086ae4207fabe5fa6885acb06dfa |
| SHA512 | a1794f5cc27787d8c09a21cde7d6a76826122232cb9e26d9b96fa470e3e990742087a1e94bb7797122a64a4c0bf950076797ef0065d4b084326be301fc3087c7 |
memory/1988-25-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1096-26-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1096-27-0x0000000000400000-0x000000000042A000-memory.dmp