Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 02/06/2024, 01:37
Static task: static1

Behavioral task: behavioral1
  Sample: 1d8539b07f6768fa73906b1a6b3d6450_NeikiAnalytics.exe
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample: 1d8539b07f6768fa73906b1a6b3d6450_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en

(The results below are from behavioral1, the windows7_x64 run.)
General
Target: 1d8539b07f6768fa73906b1a6b3d6450_NeikiAnalytics.exe
Size: 65KB
MD5: 1d8539b07f6768fa73906b1a6b3d6450
SHA1: 88cdcb016a86bb8236680212e0a1a425651d1cc0
SHA256: 89cff9ef03cc8f94ed69b7a9d4bc25b460a5277e37c579d1d749f960c5c10719
SHA512: 725a91604f77b6ab4b5d276116dd20d66f2534240dc8d50afa5665756fd952439877124df638c5ed5819107b3dfb963502197bf855c21628cdf2038900ac632e
SSDEEP: 768:KeJIvFKPZo2rmEasjcj29NWngAHxcw9ppEaxglaX5uA6:KQIvEPZovEad29NQgA2wQle5i
Malware Config
Signatures

Executes dropped EXE (7 IoCs)
pid    Process
2060   ewiuer2.exe
2008   ewiuer2.exe
1572   ewiuer2.exe
2808   ewiuer2.exe
1768   ewiuer2.exe
1688   ewiuer2.exe
1312   ewiuer2.exe

Loads dropped DLL (14 IoCs)
pid    Process
2244   1d8539b07f6768fa73906b1a6b3d6450_NeikiAnalytics.exe
2244   1d8539b07f6768fa73906b1a6b3d6450_NeikiAnalytics.exe
2060   ewiuer2.exe
2060   ewiuer2.exe
2008   ewiuer2.exe
2008   ewiuer2.exe
1572   ewiuer2.exe
1572   ewiuer2.exe
2808   ewiuer2.exe
2808   ewiuer2.exe
1768   ewiuer2.exe
1768   ewiuer2.exe
1688   ewiuer2.exe
1688   ewiuer2.exe

Drops file in System32 directory (3 IoCs)
description                    ioc                               Process
File created                   C:\Windows\SysWOW64\ewiuer2.exe   ewiuer2.exe
File opened for modification   C:\Windows\SysWOW64\ewiuer2.exe   ewiuer2.exe
File opened for modification   C:\Windows\SysWOW64\ewiuer2.exe   ewiuer2.exe

Suspicious use of WriteProcessMemory (28 IoCs; every parent/child pair below is recorded four times in the report, one row per WriteProcessMemory call)
description                         pid    Process                                               procid_target
PID 2244 wrote to memory of 2060    2244   1d8539b07f6768fa73906b1a6b3d6450_NeikiAnalytics.exe   28
PID 2060 wrote to memory of 2008    2060   ewiuer2.exe                                           32
PID 2008 wrote to memory of 1572    2008   ewiuer2.exe                                           33
PID 1572 wrote to memory of 2808    1572   ewiuer2.exe                                           35
PID 2808 wrote to memory of 1768    2808   ewiuer2.exe                                           36
PID 1768 wrote to memory of 1688    1768   ewiuer2.exe                                           38
PID 1688 wrote to memory of 1312    1688   ewiuer2.exe                                           39
Processes

[1] C:\Users\Admin\AppData\Local\Temp\1d8539b07f6768fa73906b1a6b3d6450_NeikiAnalytics.exe  (PID 2244)
    command line: "C:\Users\Admin\AppData\Local\Temp\1d8539b07f6768fa73906b1a6b3d6450_NeikiAnalytics.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Roaming\ewiuer2.exe  (PID 2060)
      command line: C:\Users\Admin\AppData\Roaming\ewiuer2.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\ewiuer2.exe  (PID 2008)
        command line: C:\Windows\System32\ewiuer2.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Roaming\ewiuer2.exe  (PID 1572)
          command line: C:\Users\Admin\AppData\Roaming\ewiuer2.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in System32 directory
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\ewiuer2.exe  (PID 2808)
            command line: C:\Windows\System32\ewiuer2.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
          [6] C:\Users\Admin\AppData\Roaming\ewiuer2.exe  (PID 1768)
              command line: C:\Users\Admin\AppData\Roaming\ewiuer2.exe
              - Executes dropped EXE
              - Loads dropped DLL
              - Drops file in System32 directory
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\SysWOW64\ewiuer2.exe  (PID 1688)
                command line: C:\Windows\System32\ewiuer2.exe
                - Executes dropped EXE
                - Loads dropped DLL
                - Suspicious use of WriteProcessMemory
              [8] C:\Users\Admin\AppData\Roaming\ewiuer2.exe  (PID 1312)
                  command line: C:\Users\Admin\AppData\Roaming\ewiuer2.exe
                  - Executes dropped EXE

The chain is a two-location replication loop: the copy in the user-writable %AppData%\Roaming directory writes ewiuer2.exe into the system directory (the "Drops file in System32 directory" hits are on PIDs 2060, 1572 and 1768), and the system-directory copy then launches a fresh %AppData%\Roaming copy. Seven generations of ewiuer2.exe ran within the 150 s window, each parent writing into its child's memory before the child ran.

Note the mismatch between the command line and the image path for the system-directory instances: the command line names C:\Windows\System32\ewiuer2.exe, but the image that actually ran is C:\Windows\SysWOW64\ewiuer2.exe, and the file-drop IoC is recorded under SysWOW64 as well. That is WoW64 file system redirection: a 32-bit process on 64-bit Windows that opens or creates a file under System32 is transparently redirected to SysWOW64. Detection or hunting rules keyed on the literal System32 path will not match the file this sample leaves on disk; match on the file name, or on both directories.
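The following triage helper is an added example and is not part of the sandbox report or the sample's code. It rebuilds the parent-to-child execution chain from the report's "Suspicious use of WriteProcessMemory" IoC rows, collapses the repeated rows for the same parent/child pair, attaches the image paths from the process tree, and flags the alternating user-directory/system-directory replication loop seen above. The IoC lines and the PID-to-path table are constructed from this page; the user/system path classification and all function names are this example's own assumptions, not a sandbox API.

```python
"""Rebuild the execution chain of a sandbox run from WriteProcessMemory IoC
rows and flag user<->system self-replication (added example, not report code)."""
import re
from collections import OrderedDict

# Constructed from the report's WriteProcessMemory signature. The report lists
# every parent/child pair four times; duplicates are reproduced only for the
# first two pairs here so the de-duplication below is exercised.
WPM_IOCS = """\
PID 2244 wrote to memory of 2060 2244 1d8539b07f6768fa73906b1a6b3d6450_NeikiAnalytics.exe 28
PID 2244 wrote to memory of 2060 2244 1d8539b07f6768fa73906b1a6b3d6450_NeikiAnalytics.exe 28
PID 2060 wrote to memory of 2008 2060 ewiuer2.exe 32
PID 2060 wrote to memory of 2008 2060 ewiuer2.exe 32
PID 2008 wrote to memory of 1572 2008 ewiuer2.exe 33
PID 1572 wrote to memory of 2808 1572 ewiuer2.exe 35
PID 2808 wrote to memory of 1768 2808 ewiuer2.exe 36
PID 1768 wrote to memory of 1688 1768 ewiuer2.exe 38
PID 1688 wrote to memory of 1312 1688 ewiuer2.exe 39
"""

# Image path per PID, taken from the report's process tree (image path, not
# the command line: the System32 command lines resolve to SysWOW64 under WoW64).
IMAGE_PATHS = {
    2244: r"C:\Users\Admin\AppData\Local\Temp\1d8539b07f6768fa73906b1a6b3d6450_NeikiAnalytics.exe",
    2060: r"C:\Users\Admin\AppData\Roaming\ewiuer2.exe",
    2008: r"C:\Windows\SysWOW64\ewiuer2.exe",
    1572: r"C:\Users\Admin\AppData\Roaming\ewiuer2.exe",
    2808: r"C:\Windows\SysWOW64\ewiuer2.exe",
    1768: r"C:\Users\Admin\AppData\Roaming\ewiuer2.exe",
    1688: r"C:\Windows\SysWOW64\ewiuer2.exe",
    1312: r"C:\Users\Admin\AppData\Roaming\ewiuer2.exe",
}

# "PID <parent> wrote to memory of <child> <pid> <process> <procid_target>"
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")

# Assumed classification of where a copy lives; adjust to your environment.
SYSTEM_DIRS = ("\\windows\\syswow64\\", "\\windows\\system32\\")


def parse_wpm(text):
    """Return an ordered {child_pid: parent_pid} map. Repeated rows (several
    WriteProcessMemory calls against the same child) collapse to one edge."""
    edges = OrderedDict()
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            parent, child = int(m.group(1)), int(m.group(2))
            edges.setdefault(child, parent)
    return edges


def execution_chain(edges):
    """Follow the single parent->child path from the root PID (a parent that
    never appears as a child). The report shows a linear chain, so one child
    per parent is assumed; a branching tree would need a full walk."""
    if not edges:
        return []
    children = set(edges)
    root = next(p for p in edges.values() if p not in children)
    child_of = {parent: child for child, parent in edges.items()}
    chain = [root]
    while chain[-1] in child_of:
        chain.append(child_of[chain[-1]])
    return chain


def location(path):
    """Classify an image path as 'system', 'user' or 'other' (assumed rule)."""
    low = path.lower()
    if any(d in low for d in SYSTEM_DIRS):
        return "system"
    if "\\appdata\\" in low:
        return "user"
    return "other"


def replication_loop(chain, image_paths):
    """Flag a chain whose dropped generations all share one file name and
    strictly alternate between user and system locations for at least two
    round trips. Returns (flagged, generations, location_pattern)."""
    dropped = chain[1:]  # everything after the submitted sample
    names = {image_paths[p].rsplit("\\", 1)[-1].lower() for p in dropped}
    pattern = [location(image_paths[p]) for p in dropped]
    alternating = all(a != b for a, b in zip(pattern, pattern[1:]))
    flagged = len(names) == 1 and alternating and len(pattern) >= 4
    return flagged, len(dropped), pattern


if __name__ == "__main__":
    chain = execution_chain(parse_wpm(WPM_IOCS))
    flagged, gens, pattern = replication_loop(chain, IMAGE_PATHS)
    print("chain:", " -> ".join(map(str, chain)))
    print("generations:", gens, "pattern:", pattern, "replication loop:", flagged)
```

Because each parent/child pair appears as several WriteProcessMemory rows, the parser keys on the child PID rather than counting rows; a child is created exactly once, so that is the stable identifier for an edge. Feeding the script a report where the copy stays in one directory (pattern without alternation) leaves the flag clear, which is the intended behaviour: the signal here is the bounce between a user-writable path and the system directory, not the mere re-execution of a dropped file.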
Network
MITRE ATT&CK Matrix
Downloads

Nine files were written during the run: two small text-sized artifacts (230B and 229B) and seven 65KB files. The seven 65KB files match the size of the submitted sample but carry seven distinct hashes, so a blocklist built on the submitted sample's hashes will not match what this run left on disk; hunt on the ewiuer2.exe file name and the two drop locations from the process tree instead, or on ssdeep similarity.

Filesize: 230B
MD5: 65cf5faa9355f5807dbe3cab8633629a
SHA1: 45a603c07b09e2d092c4eb034ab5df1c6e988789
SHA256: 6f04d3a4e1b1da91d569d527b9faa08d72d6936799eb31bfc8d4dc95b16bcace
SHA512: 71553cca332c2cb9af7bf1f8c3123c4095f0751a13ab4e2fa45d416c21745762d91670ed556462e8d005de1d519522662620b662cc1b508e57ee5013d4ce6d8d

Filesize: 229B
MD5: 4117ec59dc739d045122aea40abaa392
SHA1: cd730ca1204bbe6073daa776ee5a9b5a5d6bb82e
SHA256: 72f676a2766e386cf012ca66e49f6c07645feace33e25e0de4b5cb6ad9cf6c63
SHA512: 4008a3736f6c6f3a8156672d4a861711f2d9cbf8bf88fc4a6da139202631360e1ed6955a59df2353b0f0ef14d6567e4b4e4178812e7f0298c908fe2854e685b3

Filesize: 65KB
MD5: 62cb01da2fba5d38d973c0f27546d711
SHA1: 3cce415bd0233501ed5887883dce9cccd171efe5
SHA256: c86c55e8b8eeb513e2d5bbc292695a0a33b772502de3ad48b02f764577e983cb
SHA512: 76b51122f44f238b32e7c7feb6b9c2b20318dfcd5e595eb7f18641e7414bf38bb8880a78e043f820879346850a8ef910fe99beef2abf1d1d0c9d9a8b18675c17

Filesize: 65KB
MD5: 56dd12ad0d4b7e3f516a9d95b2746ebf
SHA1: 34e9b24bbf96764bc9f9f259a67ae5317946360e
SHA256: c3acc4402c55e2437b1b9ceef2ce2717cf422411a216efee99eeb500cfcde6d0
SHA512: 482d253111a4144b396a563819ff979f6a86e47401b2308540caaa2b9a694af3e865ddb7d10a2df24e526c3c58a19be32dbdb48109cfff2dd0b56a667d1b11dd

Filesize: 65KB
MD5: 5cddf4395fd1eb84a79c625c38656429
SHA1: adba53037bfbd6e8b5d9ac6302bab3b360f19c2a
SHA256: 9fde515cd2b5c4d0614ae1799f0a24b6a0fe0bc29d15c5336b046f2a70c52b96
SHA512: cb897ff497a634e4ee7a93745e46c3ed47aa739958be0addf2544e200792f5c0799908466e8b0665d391c9f377fb1767192c2fe7807e04ee3efbb017cc32257d

Filesize: 65KB
MD5: da4753b13adf70b18bacda7358d93822
SHA1: 2713dfa12266fdb7314763c5e4ea713175973f14
SHA256: a847e6193453e083be9ee6f3ffa9521e46b122f9691a17478366a78a8d1a8be9
SHA512: 4e0ae1dae2e82129b49fb0822dd497a031885a527468b1f5f61c29216108cbcee7192d343441788a0cc4c176d5060be37bf988cda099b5867b012f0a6baac9fb

Filesize: 65KB
MD5: 50b1fddfccde719a73e8e5c716f82031
SHA1: a5a51115cae7ee2df0345986c69e007558350129
SHA256: edc3d1651c57feff59130ae558778282e2742f07bd7e818a528f18151666a894
SHA512: 6ed81e87c712e04cac9213722e042f04dfc8255f953ab8137cdbb83fd1ba745a5f2d9577e6ac5fad14ab3d06b0b3dc0389eb2b6e47afa15ad8ade95edb342454

Filesize: 65KB
MD5: 570e6a07572e529bf18f27141efb4297
SHA1: d398339f1e2693e55c0872deb94861cc767ef9de
SHA256: d101768a58649bdf78ab89e165df1b3fb6bc679a53fe3d90bc6053d7e460a18b
SHA512: 98904fcfb7266cca929dff24ae244c0b03d21f21b21175f1114252b34853fbf50a4605878c16683a24812afdd38b2d3bb5a10e4e94a72220a284b719668d933a

Filesize: 65KB
MD5: 490bba717832caa978d823a58908dd3c
SHA1: d1f0e7ccdd122066e8dcea7395289c59385112f7
SHA256: 6a6d4cd561add1346b918bbef2567d20f47c6a2c249d9230b36c9c33fe4adbb8
SHA512: 1c0d88762e1d4a4a8710e38a22c374ac69939d8be751ce80f56c43acb01cb65fcd4c4dfe3c893de61ea419ff587d137fe180e065a76c49fae2b069c004a7cee5