Analysis Overview
SHA256
ca8ba75a4d230be1962d338e1bf8af0450e9f0b4654691f17d3aa95a3ea498fe
Threat Level: Shows suspicious behavior
The file a4e237a5a1080b5b99eaa2c44d3bf7e0_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-03 13:24
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 13:24
Reported
2024-06-03 13:27
Platform
win7-20240221-en
Max time kernel
141s
Max time network
145s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4e237a5a1080b5b99eaa2c44d3bf7e0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4e237a5a1080b5b99eaa2c44d3bf7e0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\ewiuer2.exe | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| File created | C:\Windows\SysWOW64\ewiuer2.exe | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ewiuer2.exe | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a4e237a5a1080b5b99eaa2c44d3bf7e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a4e237a5a1080b5b99eaa2c44d3bf7e0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
C:\Windows\SysWOW64\ewiuer2.exe
C:\Windows\System32\ewiuer2.exe
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
C:\Windows\SysWOW64\ewiuer2.exe
C:\Windows\System32\ewiuer2.exe
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
C:\Windows\SysWOW64\ewiuer2.exe
C:\Windows\System32\ewiuer2.exe
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | podayl.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
Files
memory/2084-11-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
| MD5 | 6e416b440ecec8ed685fb589da3b02b0 |
| SHA1 | 1fbc94cf2485e4e2f9c9e9e54cf4ee88e11281a5 |
| SHA256 | 7dce6d4d13c02f43483d382ee0e4ba44ecb2512808b010b03e81424cc09604df |
| SHA512 | 3f8f38184f3de425f46457f6b82ccd07051d0d80de8caefd4efcf03666e703311c259982b8b493050209c96591edb2393d247686d85bead6c0cb6b3ac3a2f72b |
memory/2812-8-0x00000000001B0000-0x00000000001DA000-memory.dmp
memory/2812-1-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2084-12-0x0000000000400000-0x000000000042A000-memory.dmp
\Windows\SysWOW64\ewiuer2.exe
| MD5 | c133b07e8c5a6862e141bdc3c2a0492e |
| SHA1 | 1a380b2efcd872b15e71485ba1c231db8357585f |
| SHA256 | b53f7b30e6684ec44a11e7f858fdb241533476dcedec057d10d685a45bbc5fc5 |
| SHA512 | a79eef221d4dbbd72d2567e42e7be907a3ae8f5449a922373a453102bc0f49315e271e7b16595bcc5ba97190501d4f2597ba5e9abfa8879706c07e1daa51e167 |
memory/2084-17-0x00000000004B0000-0x00000000004DA000-memory.dmp
memory/2776-30-0x00000000001B0000-0x00000000001DA000-memory.dmp
memory/2084-24-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2776-29-0x0000000000400000-0x000000000042A000-memory.dmp
\Users\Admin\AppData\Roaming\ewiuer2.exe
| MD5 | 22baa22fb2dc1600939b793612adc98c |
| SHA1 | dba20e5aa89b40040cc299577a0670b9065083d1 |
| SHA256 | 563c9cbb976ecf818ddd0846b54e227cc0cc1ff90f498d4f97c0ab8f2ce478e6 |
| SHA512 | deedf690e03d7044a8c6a1a9420cc4f7213ab37497a078cd1a981855d6fae3142e5d58c5aa82df9ccf32de77848f0fb9d39ad3ed1818f2ec0a1bd4867757fc1f |
memory/324-37-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\77Y2B2QA.txt
| MD5 | c170b08f9e069b63c55a58c5c31f16f3 |
| SHA1 | 8e17928f7eecb8f7960f3aeca1334fa861aa0a39 |
| SHA256 | ae49a30fc5010d5857ecf575db8f5903fe23b7616d9e299af627bd2f743f5f48 |
| SHA512 | f8d38b41d571a9ccfaf0dc1731cf71957f459d9b5ea837d7e9ddc40a25f914b0664db2fee5cd8990ba8c7b203124314bc06cce95478ae5d274c097444deb60a4 |
\Windows\SysWOW64\ewiuer2.exe
| MD5 | 24e80da598e4389efa99017feadb5bf6 |
| SHA1 | 12e8caacaf2c32f5b21a8c75b9fe21c8aa948a58 |
| SHA256 | db49ce11843b456856afe16700cf21d4610cd29e2e77c9a7b71b8cbef62f69ed |
| SHA512 | f42652300ec3dc3b9f8164fa3a75e935c4dc6bb375309f94afd5612949cca4604bcdb7eed63c1c9dbb6ef30736e089c117b7973b291e69580c5633446de01c6c |
memory/324-43-0x0000000002230000-0x000000000225A000-memory.dmp
memory/324-48-0x0000000000400000-0x000000000042A000-memory.dmp
\Users\Admin\AppData\Roaming\ewiuer2.exe
| MD5 | 8e0a227d63cd8bca66fa17eaa43c1e52 |
| SHA1 | 59d30606ff8964c90b939ce65b035ecff653ce28 |
| SHA256 | 443adf970bee30d334167a1fe3bd961db97b289d83f15dfaecd3d12f67de5d6e |
| SHA512 | bf0f1b5f7aebd5f0335a16012b4c5f547af2d3043651a4f0e7dd5bc735a6b462f1b6e9f12b24dd8d4520c144453b13d1bc25b98c1bd399a9151315ee5ee841b5 |
memory/1928-58-0x0000000000400000-0x000000000042A000-memory.dmp
memory/956-60-0x0000000000400000-0x000000000042A000-memory.dmp
memory/956-62-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\J47M0J7Y.txt
| MD5 | 57c0ace28eabe941ed06cb8a7c0ff76f |
| SHA1 | dc8f5769f57f4cbf5140b0254f8c6194f157780b |
| SHA256 | 25094d1ef522cea52f3b84301cbf45aa79d9ed6c4680cd3a527202b9784725a8 |
| SHA512 | dc2a48e8573abc3fd59833349e4209381b84c626c742f33efaef5825e04e025e773931b203949ae326d5f41fa91242943afab8e5b8f8311af491dc9b53c04ba1 |
\Windows\SysWOW64\ewiuer2.exe
| MD5 | 0b15ac961754306b89304090864ada55 |
| SHA1 | d365851b43c08542d77a81c7bb4ff47c5a5a2645 |
| SHA256 | 2fdff959b0370bce182795ffd258ef293b3d7fc91de44a2ce31cb3fcf29332be |
| SHA512 | e6fc40489d51a432c5de441ed4c6fa1379d89d745dac3ae7b261f43331b3f5ed6afaba7a42cad06de54c8a28740318455c0a2f287dcb5a850e1a8b1a9b6050cf |
memory/956-67-0x0000000002690000-0x00000000026BA000-memory.dmp
memory/956-74-0x0000000000400000-0x000000000042A000-memory.dmp
\Users\Admin\AppData\Roaming\ewiuer2.exe
| MD5 | ab48b6ea5a64d9ad2ab90660a83c8638 |
| SHA1 | 98b8292517ee1a9bdfdf28f9a4856c61cab38b65 |
| SHA256 | d3602fc894e656847a6e8ed77ada37e99cab733dc7b622a1c33349c5e06c9a0a |
| SHA512 | b10d0ddbfa5c066a882ffbcc0c470b8cfae1145fc1c82e1190ba57d57521dd36ff6d23840073082501d78d33d82f23d0dff892174ed89327130dacf06eb5e842 |
memory/1844-84-0x0000000000220000-0x000000000024A000-memory.dmp
memory/1844-83-0x0000000000400000-0x000000000042A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 13:24
Reported
2024-06-03 13:27
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\ewiuer2.exe | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\viesazm.mpk | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
| File created | C:\Windows\SysWOW64\ewiuer2.exe | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ewiuer2.exe | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a4e237a5a1080b5b99eaa2c44d3bf7e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a4e237a5a1080b5b99eaa2c44d3bf7e0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
C:\Windows\SysWOW64\ewiuer2.exe
C:\Windows\System32\ewiuer2.exe
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
C:\Windows\SysWOW64\ewiuer2.exe
C:\Windows\System32\ewiuer2.exe
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
C:\Windows\SysWOW64\ewiuer2.exe
C:\Windows\System32\ewiuer2.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | podayl.net | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | podayl.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | podayl.net | udp |
| US | 8.8.8.8:53 | podayl.net | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | podayl.net | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | podayl.net | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | podayl.net | udp |
| US | 8.8.8.8:53 | podayl.net | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | | udp |
Files
memory/2440-3-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
| MD5 | 6e416b440ecec8ed685fb589da3b02b0 |
| SHA1 | 1fbc94cf2485e4e2f9c9e9e54cf4ee88e11281a5 |
| SHA256 | 7dce6d4d13c02f43483d382ee0e4ba44ecb2512808b010b03e81424cc09604df |
| SHA512 | 3f8f38184f3de425f46457f6b82ccd07051d0d80de8caefd4efcf03666e703311c259982b8b493050209c96591edb2393d247686d85bead6c0cb6b3ac3a2f72b |
memory/3680-5-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3680-6-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Windows\SysWOW64\ewiuer2.exe
| MD5 | fa3a0b5147e9b669ed1f44ff1ad87262 |
| SHA1 | 374339433e99bef3ca75f99f3556a681d3119edb |
| SHA256 | e4531f7cca6227f9973d8f2a314955759469cd6a09ae0cfb6d96a5bb14778234 |
| SHA512 | 27ac924940cec1caca8c15d863305464c8cf1ea53f72ca77b9cd579b6bd7dc99f1e4b63f23bb95dd7929891012af57e9aad0de100f450e2c3066d8bbc4276b3a |
memory/3680-10-0x0000000000400000-0x000000000042A000-memory.dmp
memory/60-12-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
| MD5 | dd0a7ea75a9eb2e8a7279dd99a91fc7d |
| SHA1 | 02fb27c4d66e19e8d27b5cbbd5a717bd7c683e00 |
| SHA256 | 7b942635a73a4e5852736c41f4e39b394c54a34ed380b7ab7cfb9b90ef736436 |
| SHA512 | 6be74b3b90b1690d12d19873154bdd20a44098891396b3a17a352877fed8d57ab844cd9208a6d0294e0623a12660b7bbb107df123df8a55be140c0f36fcfc9e6 |
memory/60-16-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4436-17-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4436-19-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4436-23-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Windows\SysWOW64\ewiuer2.exe
| MD5 | 6a4806f7e8d82d7d5a2795e382c662bc |
| SHA1 | 08c1f4caa61e86e5283f9c4cedf6903f7b606887 |
| SHA256 | f736fead572ece200d5787e91670d520671b5ceb41b9fce5bcfb4b705b45b664 |
| SHA512 | a451b6f5edd1c0c414401919f7e904faaffe5a9ba3bc08cfc284a31608e67ca9130b72c7a511da6ea5be7d450bfd3fcb4fba727bd54b0a06e6ffc8dcdaad267b |
memory/2220-26-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2220-29-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
| MD5 | 88fa05572e553be108898cbbfcca1e50 |
| SHA1 | 4a392964aaeb6f961b6a9c957ce80e2e8b8fd05c |
| SHA256 | 890c74aa67f22cdd6577e405cf6c6ce3e7604a54a4cc0d12dff3f126f00b2e60 |
| SHA512 | 357f93ed03676d9b11168512e870ef2778ae15fcf1c9cc0bf7a149fd9fa40644a0ab14b1ef88ca6fb5b852bee5c7670185de988f03218ef305fb1bba0d9f7c84 |
memory/2672-30-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2672-32-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Windows\SysWOW64\ewiuer2.exe
| MD5 | 75b1755ed8ff3bba763a7535cbbd3026 |
| SHA1 | b942c55d144e7a9f77288624843d80c926cfdd6c |
| SHA256 | 5675f4f9d70a1af604032cd714e1f92f926078b3a89e55da75a2d7f892a5224d |
| SHA512 | a987707946f388e218eff43216f9e76f4529d783681485758b5dfc65cfa91af0bfa9b45c6cfdf4dcfcf7324c434ed02ccca5ee6ce3451f03bbae27a518ab0fc4 |
memory/2672-36-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2368-38-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2368-39-0x0000000000400000-0x000000000042A000-memory.dmp