Analysis
max time kernel: 141s
max time network: 145s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 03-06-2024 13:24
Static task: static1
Behavioral task: behavioral1
  Sample: a4e237a5a1080b5b99eaa2c44d3bf7e0_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: a4e237a5a1080b5b99eaa2c44d3bf7e0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: a4e237a5a1080b5b99eaa2c44d3bf7e0_NeikiAnalytics.exe
Size: 65KB
MD5: a4e237a5a1080b5b99eaa2c44d3bf7e0
SHA1: b488109999ec57f1d49f1c37a2ca51f64d3d5278
SHA256: ca8ba75a4d230be1962d338e1bf8af0450e9f0b4654691f17d3aa95a3ea498fe
SHA512: 778c475c16c6f707e8e1f24667463dc7db4d37662fbaf7c89fcb660e8bcd5f901251e5721c20a85d08f4401304465e769a1f3f95addaeab4d53613560cd01838
SSDEEP: 768:0eQIvFKPZo2smEasjcj29NWngAHxcw9ppEaxglaX5uAS:09IvEPZo6Ead29NQgA2wQle56
Malware Config
Signatures

Executes dropped EXE (7 IoCs)
pid   Process
2084  ewiuer2.exe
2776  ewiuer2.exe
324   ewiuer2.exe
1928  ewiuer2.exe
956   ewiuer2.exe
1844  ewiuer2.exe
1160  ewiuer2.exe

Loads dropped DLL (14 IoCs)
pid   Process
2812  a4e237a5a1080b5b99eaa2c44d3bf7e0_NeikiAnalytics.exe
2812  a4e237a5a1080b5b99eaa2c44d3bf7e0_NeikiAnalytics.exe
2084  ewiuer2.exe
2084  ewiuer2.exe
2776  ewiuer2.exe
2776  ewiuer2.exe
324   ewiuer2.exe
324   ewiuer2.exe
1928  ewiuer2.exe
1928  ewiuer2.exe
956   ewiuer2.exe
956   ewiuer2.exe
1844  ewiuer2.exe
1844  ewiuer2.exe

Drops file in System32 directory (3 IoCs)
description                   ioc                              Process
File opened for modification  C:\Windows\SysWOW64\ewiuer2.exe  ewiuer2.exe
File created                  C:\Windows\SysWOW64\ewiuer2.exe  ewiuer2.exe
File opened for modification  C:\Windows\SysWOW64\ewiuer2.exe  ewiuer2.exe

Suspicious use of WriteProcessMemory (28 IoCs)
description                       pid   Process                                              procid_target
PID 2812 wrote to memory of 2084  2812  a4e237a5a1080b5b99eaa2c44d3bf7e0_NeikiAnalytics.exe  28
PID 2812 wrote to memory of 2084  2812  a4e237a5a1080b5b99eaa2c44d3bf7e0_NeikiAnalytics.exe  28
PID 2812 wrote to memory of 2084  2812  a4e237a5a1080b5b99eaa2c44d3bf7e0_NeikiAnalytics.exe  28
PID 2812 wrote to memory of 2084  2812  a4e237a5a1080b5b99eaa2c44d3bf7e0_NeikiAnalytics.exe  28
PID 2084 wrote to memory of 2776  2084  ewiuer2.exe                                          32
PID 2084 wrote to memory of 2776  2084  ewiuer2.exe                                          32
PID 2084 wrote to memory of 2776  2084  ewiuer2.exe                                          32
PID 2084 wrote to memory of 2776  2084  ewiuer2.exe                                          32
PID 2776 wrote to memory of 324   2776  ewiuer2.exe                                          33
PID 2776 wrote to memory of 324   2776  ewiuer2.exe                                          33
PID 2776 wrote to memory of 324   2776  ewiuer2.exe                                          33
PID 2776 wrote to memory of 324   2776  ewiuer2.exe                                          33
PID 324 wrote to memory of 1928   324   ewiuer2.exe                                          35
PID 324 wrote to memory of 1928   324   ewiuer2.exe                                          35
PID 324 wrote to memory of 1928   324   ewiuer2.exe                                          35
PID 324 wrote to memory of 1928   324   ewiuer2.exe                                          35
PID 1928 wrote to memory of 956   1928  ewiuer2.exe                                          36
PID 1928 wrote to memory of 956   1928  ewiuer2.exe                                          36
PID 1928 wrote to memory of 956   1928  ewiuer2.exe                                          36
PID 1928 wrote to memory of 956   1928  ewiuer2.exe                                          36
PID 956 wrote to memory of 1844   956   ewiuer2.exe                                          38
PID 956 wrote to memory of 1844   956   ewiuer2.exe                                          38
PID 956 wrote to memory of 1844   956   ewiuer2.exe                                          38
PID 956 wrote to memory of 1844   956   ewiuer2.exe                                          38
PID 1844 wrote to memory of 1160  1844  ewiuer2.exe                                          39
PID 1844 wrote to memory of 1160  1844  ewiuer2.exe                                          39
PID 1844 wrote to memory of 1160  1844  ewiuer2.exe                                          39
PID 1844 wrote to memory of 1160  1844  ewiuer2.exe                                          39
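The WriteProcessMemory signature is worth reading against the process tree rather than on its own. All 28 writes go from a parent into the process it had just spawned, exactly four per child, and none target a process the writer did not create; a parent writing into its freshly created child is what process creation itself looks like, so this signature here records the chain being built, not injection into a foreign process. The script below is an added example, not part of the Triage report: it parses the 28 rows (copied verbatim from the table above), rebuilds the chain, and cross-checks every write target against the parent relationships shown in the Processes section, which were transcribed by hand into the PARENT table. Anything reported under non_child_targets would be the case that actually deserves the "suspicious" label.

```python
"""Rebuild the process chain from the flattened "Suspicious use of WriteProcessMemory"
rows and check whether every write landed in a process the writer had itself spawned.
Added example, not part of the Triage report; the rows are copied from it verbatim."""
import re
from collections import Counter, defaultdict

WPM_ROWS = """
PID 2812 wrote to memory of 2084 2812 a4e237a5a1080b5b99eaa2c44d3bf7e0_NeikiAnalytics.exe 28
PID 2812 wrote to memory of 2084 2812 a4e237a5a1080b5b99eaa2c44d3bf7e0_NeikiAnalytics.exe 28
PID 2812 wrote to memory of 2084 2812 a4e237a5a1080b5b99eaa2c44d3bf7e0_NeikiAnalytics.exe 28
PID 2812 wrote to memory of 2084 2812 a4e237a5a1080b5b99eaa2c44d3bf7e0_NeikiAnalytics.exe 28
PID 2084 wrote to memory of 2776 2084 ewiuer2.exe 32
PID 2084 wrote to memory of 2776 2084 ewiuer2.exe 32
PID 2084 wrote to memory of 2776 2084 ewiuer2.exe 32
PID 2084 wrote to memory of 2776 2084 ewiuer2.exe 32
PID 2776 wrote to memory of 324 2776 ewiuer2.exe 33
PID 2776 wrote to memory of 324 2776 ewiuer2.exe 33
PID 2776 wrote to memory of 324 2776 ewiuer2.exe 33
PID 2776 wrote to memory of 324 2776 ewiuer2.exe 33
PID 324 wrote to memory of 1928 324 ewiuer2.exe 35
PID 324 wrote to memory of 1928 324 ewiuer2.exe 35
PID 324 wrote to memory of 1928 324 ewiuer2.exe 35
PID 324 wrote to memory of 1928 324 ewiuer2.exe 35
PID 1928 wrote to memory of 956 1928 ewiuer2.exe 36
PID 1928 wrote to memory of 956 1928 ewiuer2.exe 36
PID 1928 wrote to memory of 956 1928 ewiuer2.exe 36
PID 1928 wrote to memory of 956 1928 ewiuer2.exe 36
PID 956 wrote to memory of 1844 956 ewiuer2.exe 38
PID 956 wrote to memory of 1844 956 ewiuer2.exe 38
PID 956 wrote to memory of 1844 956 ewiuer2.exe 38
PID 956 wrote to memory of 1844 956 ewiuer2.exe 38
PID 1844 wrote to memory of 1160 1844 ewiuer2.exe 39
PID 1844 wrote to memory of 1160 1844 ewiuer2.exe 39
PID 1844 wrote to memory of 1160 1844 ewiuer2.exe 39
PID 1844 wrote to memory of 1160 1844 ewiuer2.exe 39
"""

# Parent of each child as read from the indented Processes tree (depth 1 to 8);
# independent of the write rows, so it can be used to cross-check them.
PARENT = {2084: 2812, 2776: 2084, 324: 2776, 1928: 324,
          956: 1928, 1844: 956, 1160: 1844}

# Row layout: "PID <writer> wrote to memory of <target> <writer> <writer image> <procid_target>";
# the trailing number is Triage's internal id of the target, not a Windows pid.
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_writes(text):
    """One (writer_pid, target_pid, writer_image) tuple per row."""
    return [(int(w), int(t), img) for w, t, img, _ in ROW_RE.findall(text)]


def writes_per_edge(writes):
    """How many times each writer touched each target."""
    return Counter((w, t) for w, t, _ in writes)


def build_tree(writes):
    """writer -> distinct targets in first-seen order."""
    tree = defaultdict(list)
    for w, t, _ in writes:
        if t not in tree[w]:
            tree[w].append(t)
    return dict(tree)


def process_chain(tree, root):
    """Follow the chain from root; in this report each process has at most one child."""
    chain, cur = [root], root
    while tree.get(cur):
        cur = tree[cur][0]
        chain.append(cur)
    return chain


def writes_into_non_children(writes):
    """Writes whose target is not the writer's own child per the Processes tree.
    Empty means each parent only wrote into the child it created; anything listed
    here is a write into a foreign process and deserves a closer look."""
    return sorted({(w, t) for w, t, _ in writes if PARENT.get(t) != w})


def summarize(text=WPM_ROWS):
    writes = parse_writes(text)
    return {
        "writes": len(writes),
        "chain": process_chain(build_tree(writes), 2812),
        "writes_per_edge": sorted(set(writes_per_edge(writes).values())),
        "non_child_targets": writes_into_non_children(writes),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

Running it on the report's rows gives 28 writes, the chain 2812 > 2084 > 2776 > 324 > 1928 > 956 > 1844 > 1160, four writes on every edge and no write into a non-child. The same parser applies to any other Triage report whose WriteProcessMemory table has been flattened the same way; only the PARENT table has to be re-read from that report's process tree.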
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\a4e237a5a1080b5b99eaa2c44d3bf7e0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a4e237a5a1080b5b99eaa2c44d3bf7e0_NeikiAnalytics.exe"
  PID: 2812
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Roaming\ewiuer2.exe
    Command line: C:\Users\Admin\AppData\Roaming\ewiuer2.exe
    PID: 2084
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\SysWOW64\ewiuer2.exe
      Command line: C:\Windows\System32\ewiuer2.exe
      PID: 2776
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      Depth 4: C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        Command line: C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        PID: 324
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        - Suspicious use of WriteProcessMemory

        Depth 5: C:\Windows\SysWOW64\ewiuer2.exe
          Command line: C:\Windows\System32\ewiuer2.exe
          PID: 1928
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory

          Depth 6: C:\Users\Admin\AppData\Roaming\ewiuer2.exe
            Command line: C:\Users\Admin\AppData\Roaming\ewiuer2.exe
            PID: 956
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in System32 directory
            - Suspicious use of WriteProcessMemory

            Depth 7: C:\Windows\SysWOW64\ewiuer2.exe
              Command line: C:\Windows\System32\ewiuer2.exe
              PID: 1844
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of WriteProcessMemory

              Depth 8: C:\Users\Admin\AppData\Roaming\ewiuer2.exe
                Command line: C:\Users\Admin\AppData\Roaming\ewiuer2.exe
                PID: 1160
                - Executes dropped EXE
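The tree shows a relaunch loop rather than a single drop-and-run: the copy in %APPDATA%\Roaming writes ewiuer2.exe into SysWOW64 and starts it, that copy starts the Roaming one again, and the alternation repeats until the analysis window ends. Two details matter for writing a detection. First, the command lines say C:\Windows\System32\ewiuer2.exe while the image paths say C:\Windows\SysWOW64\ewiuer2.exe; that is the WOW64 file system redirector at work on a 32-bit process, so System32 and SysWOW64 have to be treated as the same place. Second, the seven 65KB files in the Downloads section all have different hashes, so the hash of a dropped copy is not an indicator that transfers between generations, let alone hosts; the path-and-parent pattern is. The following is an added example, not code from the report or from the sample, that runs that pattern over constructed Sysmon-style process-creation and file-creation records mirroring the chain above, plus two benign controls (explorer.exe launching notepad.exe from SysWOW64, and a servicing process writing a DLL into SysWOW64).

```python
"""Detection logic for the relaunch pattern in the Processes tree above: the copy in
%APPDATA%\\Roaming drops a copy into SysWOW64 and runs it, that copy runs the Roaming
one again, and so on.  Added example with constructed Sysmon-style records that mirror
the report; it is not code from the report or the sample.  System32 and SysWOW64 are
treated as one location because a 32-bit process that opens C:\\Windows\\System32\\x.exe
is redirected to C:\\Windows\\SysWOW64\\x.exe by WOW64, which is why the command
lines above say System32 while the image paths say SysWOW64."""
import ntpath
import re

# Constructed records (pid, parent, image / target), not taken from the report;
# the first five mirror the chain above, the rest are benign controls.
EVENTS = [
    {"type": "ProcessCreate", "pid": 2812, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\a4e237a5a1080b5b99eaa2c44d3bf7e0_NeikiAnalytics.exe"},
    {"type": "ProcessCreate", "pid": 2084, "ppid": 2812, "image": r"C:\Users\Admin\AppData\Roaming\ewiuer2.exe"},
    {"type": "FileCreate", "pid": 2084, "target": r"C:\Windows\SysWOW64\ewiuer2.exe"},
    {"type": "ProcessCreate", "pid": 2776, "ppid": 2084, "image": r"C:\Windows\SysWOW64\ewiuer2.exe"},
    {"type": "ProcessCreate", "pid": 324, "ppid": 2776, "image": r"C:\Users\Admin\AppData\Roaming\ewiuer2.exe"},
    {"type": "ProcessCreate", "pid": 4000, "ppid": 1000, "image": r"C:\Windows\explorer.exe"},
    {"type": "ProcessCreate", "pid": 5000, "ppid": 4000, "image": r"C:\Windows\SysWOW64\notepad.exe"},
    {"type": "ProcessCreate", "pid": 4100, "ppid": 1000, "image": r"C:\Windows\servicing\TrustedInstaller.exe"},
    {"type": "FileCreate", "pid": 4100, "target": r"C:\Windows\SysWOW64\msvcp140.dll"},
]

SYSTEM_DIR = re.compile(r"^c:\\windows\\(system32|syswow64)\\[^\\]+$")
USER_DIR = re.compile(r"^c:\\users\\[^\\]+\\appdata\\")


def location(path):
    """'system' for a file directly in System32/SysWOW64, 'user' for anything under a
    profile's AppData (Roaming, Local\\Temp, ...), 'other' for the rest."""
    p = path.lower()
    if SYSTEM_DIR.match(p):
        return "system"
    if USER_DIR.match(p):
        return "user"
    return "other"


def process_images(events):
    return {e["pid"]: e["image"] for e in events if e["type"] == "ProcessCreate"}


def detect_relaunch_hops(events):
    """pids whose image has the same basename as the parent's image but lives in the
    other bucket (user <-> system): one hop of the self-copy relaunch chain."""
    images = process_images(events)
    hits = []
    for e in events:
        if e["type"] != "ProcessCreate" or e["ppid"] not in images:
            continue
        child, parent = e["image"], images[e["ppid"]]
        same_name = ntpath.basename(child).lower() == ntpath.basename(parent).lower()
        if same_name and {location(child), location(parent)} == {"user", "system"}:
            hits.append(e["pid"])
    return hits


def detect_system_dir_drops(events):
    """pids that created a file in System32/SysWOW64 while running from AppData,
    the behaviour behind the "Drops file in System32 directory" signature."""
    images = process_images(events)
    return [e["pid"] for e in events
            if e["type"] == "FileCreate"
            and location(e["target"]) == "system"
            and location(images.get(e["pid"], "")) == "user"]


if __name__ == "__main__":
    print("relaunch hops:", detect_relaunch_hops(EVENTS))        # [2776, 324]
    print("system dir drops:", detect_system_dir_drops(EVENTS))  # [2084]
```

On the constructed records the relaunch check fires on pids 2776 and 324 (each started by a same-named copy in the other location) and the drop check fires on pid 2084 (a Roaming process writing into SysWOW64); notepad.exe under explorer.exe and the servicing process writing a DLL pass through. Real telemetry needs the parent image resolved from your own process tree (Sysmon EID 1 carries ParentImage directly), and on a 64-bit host the same pattern should also be checked with the redirected and unredirected path of the parent, which `location` already folds together.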
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 229B
MD5: c170b08f9e069b63c55a58c5c31f16f3
SHA1: 8e17928f7eecb8f7960f3aeca1334fa861aa0a39
SHA256: ae49a30fc5010d5857ecf575db8f5903fe23b7616d9e299af627bd2f743f5f48
SHA512: f8d38b41d571a9ccfaf0dc1731cf71957f459d9b5ea837d7e9ddc40a25f914b0664db2fee5cd8990ba8c7b203124314bc06cce95478ae5d274c097444deb60a4

Filesize: 230B
MD5: 57c0ace28eabe941ed06cb8a7c0ff76f
SHA1: dc8f5769f57f4cbf5140b0254f8c6194f157780b
SHA256: 25094d1ef522cea52f3b84301cbf45aa79d9ed6c4680cd3a527202b9784725a8
SHA512: dc2a48e8573abc3fd59833349e4209381b84c626c742f33efaef5825e04e025e773931b203949ae326d5f41fa91242943afab8e5b8f8311af491dc9b53c04ba1

Filesize: 65KB
MD5: 6e416b440ecec8ed685fb589da3b02b0
SHA1: 1fbc94cf2485e4e2f9c9e9e54cf4ee88e11281a5
SHA256: 7dce6d4d13c02f43483d382ee0e4ba44ecb2512808b010b03e81424cc09604df
SHA512: 3f8f38184f3de425f46457f6b82ccd07051d0d80de8caefd4efcf03666e703311c259982b8b493050209c96591edb2393d247686d85bead6c0cb6b3ac3a2f72b

Filesize: 65KB
MD5: 22baa22fb2dc1600939b793612adc98c
SHA1: dba20e5aa89b40040cc299577a0670b9065083d1
SHA256: 563c9cbb976ecf818ddd0846b54e227cc0cc1ff90f498d4f97c0ab8f2ce478e6
SHA512: deedf690e03d7044a8c6a1a9420cc4f7213ab37497a078cd1a981855d6fae3142e5d58c5aa82df9ccf32de77848f0fb9d39ad3ed1818f2ec0a1bd4867757fc1f

Filesize: 65KB
MD5: 8e0a227d63cd8bca66fa17eaa43c1e52
SHA1: 59d30606ff8964c90b939ce65b035ecff653ce28
SHA256: 443adf970bee30d334167a1fe3bd961db97b289d83f15dfaecd3d12f67de5d6e
SHA512: bf0f1b5f7aebd5f0335a16012b4c5f547af2d3043651a4f0e7dd5bc735a6b462f1b6e9f12b24dd8d4520c144453b13d1bc25b98c1bd399a9151315ee5ee841b5

Filesize: 65KB
MD5: ab48b6ea5a64d9ad2ab90660a83c8638
SHA1: 98b8292517ee1a9bdfdf28f9a4856c61cab38b65
SHA256: d3602fc894e656847a6e8ed77ada37e99cab733dc7b622a1c33349c5e06c9a0a
SHA512: b10d0ddbfa5c066a882ffbcc0c470b8cfae1145fc1c82e1190ba57d57521dd36ff6d23840073082501d78d33d82f23d0dff892174ed89327130dacf06eb5e842

Filesize: 65KB
MD5: c133b07e8c5a6862e141bdc3c2a0492e
SHA1: 1a380b2efcd872b15e71485ba1c231db8357585f
SHA256: b53f7b30e6684ec44a11e7f858fdb241533476dcedec057d10d685a45bbc5fc5
SHA512: a79eef221d4dbbd72d2567e42e7be907a3ae8f5449a922373a453102bc0f49315e271e7b16595bcc5ba97190501d4f2597ba5e9abfa8879706c07e1daa51e167

Filesize: 65KB
MD5: 24e80da598e4389efa99017feadb5bf6
SHA1: 12e8caacaf2c32f5b21a8c75b9fe21c8aa948a58
SHA256: db49ce11843b456856afe16700cf21d4610cd29e2e77c9a7b71b8cbef62f69ed
SHA512: f42652300ec3dc3b9f8164fa3a75e935c4dc6bb375309f94afd5612949cca4604bcdb7eed63c1c9dbb6ef30736e089c117b7973b291e69580c5633446de01c6c

Filesize: 65KB
MD5: 0b15ac961754306b89304090864ada55
SHA1: d365851b43c08542d77a81c7bb4ff47c5a5a2645
SHA256: 2fdff959b0370bce182795ffd258ef293b3d7fc91de44a2ce31cb3fcf29332be
SHA512: e6fc40489d51a432c5de441ed4c6fa1379d89d745dac3ae7b261f43331b3f5ed6afaba7a42cad06de54c8a28740318455c0a2f287dcb5a850e1a8b1a9b6050cf