Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-06-2024 13:24
Static task: static1

Behavioral task: behavioral1
Sample: a4e237a5a1080b5b99eaa2c44d3bf7e0_NeikiAnalytics.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: a4e237a5a1080b5b99eaa2c44d3bf7e0_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General

Target: a4e237a5a1080b5b99eaa2c44d3bf7e0_NeikiAnalytics.exe
Size: 65KB
MD5: a4e237a5a1080b5b99eaa2c44d3bf7e0
SHA1: b488109999ec57f1d49f1c37a2ca51f64d3d5278
SHA256: ca8ba75a4d230be1962d338e1bf8af0450e9f0b4654691f17d3aa95a3ea498fe
SHA512: 778c475c16c6f707e8e1f24667463dc7db4d37662fbaf7c89fcb660e8bcd5f901251e5721c20a85d08f4401304465e769a1f3f95addaeab4d53613560cd01838
SSDEEP: 768:0eQIvFKPZo2smEasjcj29NWngAHxcw9ppEaxglaX5uAS:09IvEPZo6Ead29NQgA2wQle56
Malware Config
Signatures

Executes dropped EXE (6 IoCs)
pid   Process
3680  ewiuer2.exe
60    ewiuer2.exe
4436  ewiuer2.exe
2220  ewiuer2.exe
2672  ewiuer2.exe
2368  ewiuer2.exe

Drops file in System32 directory (4 IoCs)
description                   ioc                              Process
File opened for modification  C:\Windows\SysWOW64\ewiuer2.exe  ewiuer2.exe
File opened for modification  C:\Windows\SysWOW64\viesazm.mpk  ewiuer2.exe
File created                  C:\Windows\SysWOW64\ewiuer2.exe  ewiuer2.exe
File opened for modification  C:\Windows\SysWOW64\ewiuer2.exe  ewiuer2.exe

Suspicious use of WriteProcessMemory (18 IoCs)
description                       pid   Process                                              procid_target
PID 2440 wrote to memory of 3680  2440  a4e237a5a1080b5b99eaa2c44d3bf7e0_NeikiAnalytics.exe  82
PID 2440 wrote to memory of 3680  2440  a4e237a5a1080b5b99eaa2c44d3bf7e0_NeikiAnalytics.exe  82
PID 2440 wrote to memory of 3680  2440  a4e237a5a1080b5b99eaa2c44d3bf7e0_NeikiAnalytics.exe  82
PID 3680 wrote to memory of 60    3680  ewiuer2.exe                                          100
PID 3680 wrote to memory of 60    3680  ewiuer2.exe                                          100
PID 3680 wrote to memory of 60    3680  ewiuer2.exe                                          100
PID 60 wrote to memory of 4436    60    ewiuer2.exe                                          101
PID 60 wrote to memory of 4436    60    ewiuer2.exe                                          101
PID 60 wrote to memory of 4436    60    ewiuer2.exe                                          101
PID 4436 wrote to memory of 2220  4436  ewiuer2.exe                                          103
PID 4436 wrote to memory of 2220  4436  ewiuer2.exe                                          103
PID 4436 wrote to memory of 2220  4436  ewiuer2.exe                                          103
PID 2220 wrote to memory of 2672  2220  ewiuer2.exe                                          104
PID 2220 wrote to memory of 2672  2220  ewiuer2.exe                                          104
PID 2220 wrote to memory of 2672  2220  ewiuer2.exe                                          104
PID 2672 wrote to memory of 2368  2672  ewiuer2.exe                                          112
PID 2672 wrote to memory of 2368  2672  ewiuer2.exe                                          112
PID 2672 wrote to memory of 2368  2672  ewiuer2.exe                                          112
Processes

[1] C:\Users\Admin\AppData\Local\Temp\a4e237a5a1080b5b99eaa2c44d3bf7e0_NeikiAnalytics.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\a4e237a5a1080b5b99eaa2c44d3bf7e0_NeikiAnalytics.exe"
    PID: 2440
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Roaming\ewiuer2.exe
      command line: C:\Users\Admin\AppData\Roaming\ewiuer2.exe
      PID: 3680
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\ewiuer2.exe
        command line: C:\Windows\System32\ewiuer2.exe
        PID: 60
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Roaming\ewiuer2.exe
          command line: C:\Users\Admin\AppData\Roaming\ewiuer2.exe
          PID: 4436
          - Executes dropped EXE
          - Drops file in System32 directory
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\ewiuer2.exe
            command line: C:\Windows\System32\ewiuer2.exe
            PID: 2220
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
          [6] C:\Users\Admin\AppData\Roaming\ewiuer2.exe
              command line: C:\Users\Admin\AppData\Roaming\ewiuer2.exe
              PID: 2672
              - Executes dropped EXE
              - Drops file in System32 directory
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\SysWOW64\ewiuer2.exe
                command line: C:\Windows\System32\ewiuer2.exe
                PID: 2368
                - Executes dropped EXE
                - Drops file in System32 directory
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 65KB
MD5: dd0a7ea75a9eb2e8a7279dd99a91fc7d
SHA1: 02fb27c4d66e19e8d27b5cbbd5a717bd7c683e00
SHA256: 7b942635a73a4e5852736c41f4e39b394c54a34ed380b7ab7cfb9b90ef736436
SHA512: 6be74b3b90b1690d12d19873154bdd20a44098891396b3a17a352877fed8d57ab844cd9208a6d0294e0623a12660b7bbb107df123df8a55be140c0f36fcfc9e6

Filesize: 65KB
MD5: 88fa05572e553be108898cbbfcca1e50
SHA1: 4a392964aaeb6f961b6a9c957ce80e2e8b8fd05c
SHA256: 890c74aa67f22cdd6577e405cf6c6ce3e7604a54a4cc0d12dff3f126f00b2e60
SHA512: 357f93ed03676d9b11168512e870ef2778ae15fcf1c9cc0bf7a149fd9fa40644a0ab14b1ef88ca6fb5b852bee5c7670185de988f03218ef305fb1bba0d9f7c84

Filesize: 65KB
MD5: 6e416b440ecec8ed685fb589da3b02b0
SHA1: 1fbc94cf2485e4e2f9c9e9e54cf4ee88e11281a5
SHA256: 7dce6d4d13c02f43483d382ee0e4ba44ecb2512808b010b03e81424cc09604df
SHA512: 3f8f38184f3de425f46457f6b82ccd07051d0d80de8caefd4efcf03666e703311c259982b8b493050209c96591edb2393d247686d85bead6c0cb6b3ac3a2f72b

Filesize: 65KB
MD5: 6a4806f7e8d82d7d5a2795e382c662bc
SHA1: 08c1f4caa61e86e5283f9c4cedf6903f7b606887
SHA256: f736fead572ece200d5787e91670d520671b5ceb41b9fce5bcfb4b705b45b664
SHA512: a451b6f5edd1c0c414401919f7e904faaffe5a9ba3bc08cfc284a31608e67ca9130b72c7a511da6ea5be7d450bfd3fcb4fba727bd54b0a06e6ffc8dcdaad267b

Filesize: 65KB
MD5: 75b1755ed8ff3bba763a7535cbbd3026
SHA1: b942c55d144e7a9f77288624843d80c926cfdd6c
SHA256: 5675f4f9d70a1af604032cd714e1f92f926078b3a89e55da75a2d7f892a5224d
SHA512: a987707946f388e218eff43216f9e76f4529d783681485758b5dfc65cfa91af0bfa9b45c6cfdf4dcfcf7324c434ed02ccca5ee6ce3451f03bbae27a518ab0fc4

Filesize: 65KB
MD5: fa3a0b5147e9b669ed1f44ff1ad87262
SHA1: 374339433e99bef3ca75f99f3556a681d3119edb
SHA256: e4531f7cca6227f9973d8f2a314955759469cd6a09ae0cfb6d96a5bb14778234
SHA512: 27ac924940cec1caca8c15d863305464c8cf1ea53f72ca77b9cd579b6bd7dc99f1e4b63f23bb95dd7929891012af57e9aad0de100f450e2c3066d8bbc4276b3a