Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 12/06/2024, 23:06
Static task: static1
Behavioral task: behavioral1
  Sample: 4b8a0dc43483bfebabde3a4d3bdc15d0_NeikiAnalytics.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 4b8a0dc43483bfebabde3a4d3bdc15d0_NeikiAnalytics.exe
  Resource: win10v2004-20240611-en
General
Target: 4b8a0dc43483bfebabde3a4d3bdc15d0_NeikiAnalytics.exe
Size: 61KB
MD5: 4b8a0dc43483bfebabde3a4d3bdc15d0
SHA1: 772a7380f9a064251910e8aaff0aeff9027c115a
SHA256: 73d3e046d17dec67bc49e69c9b8b50b37395e312fc8ca870bee6a3685acef721
SHA512: 3fcfa1399f8dc5c92b5faa04289f787f3c84ef8a60d155dfbbdaae10a7ab5379efaa154508ea27ef2e4182c3faa1766e87b11db2922545925155de9492ea2093
SSDEEP: 1536:1ttdse4OcUmWQIvEPZo6E5sEFd29NQgA2wwle5:ddse4OlQZo6EKEFdGM21le5
Malware Config
Signatures
-
Executes dropped EXE (7 IoCs)
pid   Process
2060  ewiuer2.exe
2668  ewiuer2.exe
2520  ewiuer2.exe
316   ewiuer2.exe
1420  ewiuer2.exe
1944  ewiuer2.exe
448   ewiuer2.exe
-
Loads dropped DLL (14 IoCs; each of the seven processes below is listed twice)
pid   Process
2068  4b8a0dc43483bfebabde3a4d3bdc15d0_NeikiAnalytics.exe
2060  ewiuer2.exe
2668  ewiuer2.exe
2520  ewiuer2.exe
316   ewiuer2.exe
1420  ewiuer2.exe
1944  ewiuer2.exe
-
Drops file in System32 directory (3 IoCs)
description                   ioc                              Process
File opened for modification  C:\Windows\SysWOW64\ewiuer2.exe  ewiuer2.exe
File opened for modification  C:\Windows\SysWOW64\ewiuer2.exe  ewiuer2.exe
File created                  C:\Windows\SysWOW64\ewiuer2.exe  ewiuer2.exe
-
Suspicious use of WriteProcessMemory (28 IoCs; each of the seven parent/child pairs below is listed four times in the report)
description                       pid   Process                                              procid_target
PID 2068 wrote to memory of 2060  2068  4b8a0dc43483bfebabde3a4d3bdc15d0_NeikiAnalytics.exe  28
PID 2060 wrote to memory of 2668  2060  ewiuer2.exe                                          32
PID 2668 wrote to memory of 2520  2668  ewiuer2.exe                                          33
PID 2520 wrote to memory of 316   2520  ewiuer2.exe                                          35
PID 316 wrote to memory of 1420   316   ewiuer2.exe                                          36
PID 1420 wrote to memory of 1944  1420  ewiuer2.exe                                          38
PID 1944 wrote to memory of 448   1944  ewiuer2.exe                                          39
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\4b8a0dc43483bfebabde3a4d3bdc15d0_NeikiAnalytics.exe (PID 2068)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4b8a0dc43483bfebabde3a4d3bdc15d0_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Users\Admin\AppData\Roaming\ewiuer2.exe (PID 2060)
    Command line: C:\Users\Admin\AppData\Roaming\ewiuer2.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Windows\SysWOW64\ewiuer2.exe (PID 2668)
      Command line: C:\Windows\System32\ewiuer2.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      Depth 4: C:\Users\Admin\AppData\Roaming\ewiuer2.exe (PID 2520)
        Command line: C:\Users\Admin\AppData\Roaming\ewiuer2.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        - Suspicious use of WriteProcessMemory
        Depth 5: C:\Windows\SysWOW64\ewiuer2.exe (PID 316)
          Command line: C:\Windows\System32\ewiuer2.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          Depth 6: C:\Users\Admin\AppData\Roaming\ewiuer2.exe (PID 1420)
            Command line: C:\Users\Admin\AppData\Roaming\ewiuer2.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in System32 directory
            - Suspicious use of WriteProcessMemory
            Depth 7: C:\Windows\SysWOW64\ewiuer2.exe (PID 1944)
              Command line: C:\Windows\System32\ewiuer2.exe
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of WriteProcessMemory
              Depth 8: C:\Users\Admin\AppData\Roaming\ewiuer2.exe (PID 448)
                Command line: C:\Users\Admin\AppData\Roaming\ewiuer2.exe
                - Executes dropped EXE
-
Note on the SysWOW64 instances: the command line reads C:\Windows\System32\ewiuer2.exe while the image path the sandbox recorded is C:\Windows\SysWOW64\ewiuer2.exe. That is what WoW64 file-system redirection does to a 32-bit process on a 64-bit Windows: both the "File created" under System32 and the subsequent launch of that path resolve to SysWOW64. When hunting for the dropped copy, check SysWOW64 on 64-bit hosts and System32 on 32-bit hosts, alongside %APPDATA%\ewiuer2.exe.
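The 28 WriteProcessMemory IoCs and the Processes tree above describe the same spawn chain from two angles. The following Python is an added example, not part of the sandbox report or its tooling: it dedupes the IoC lines, rebuilds the parent-to-child chain, and checks whether the ewiuer2.exe re-launches alternate between %APPDATA% and SysWOW64. The IoC lines and the PID-to-image mapping are copied from this report; the line regex, the function names and the alternation check are the example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed input: the seven distinct "wrote to memory" IoC lines from the
# report's "Suspicious use of WriteProcessMemory" signature. The report lists
# each of them four times (28 IoCs in total), which is reproduced here.
_DISTINCT = [
    "PID 2068 wrote to memory of 2060 2068 4b8a0dc43483bfebabde3a4d3bdc15d0_NeikiAnalytics.exe 28",
    "PID 2060 wrote to memory of 2668 2060 ewiuer2.exe 32",
    "PID 2668 wrote to memory of 2520 2668 ewiuer2.exe 33",
    "PID 2520 wrote to memory of 316 2520 ewiuer2.exe 35",
    "PID 316 wrote to memory of 1420 316 ewiuer2.exe 36",
    "PID 1420 wrote to memory of 1944 1420 ewiuer2.exe 38",
    "PID 1944 wrote to memory of 448 1944 ewiuer2.exe 39",
]
WPM_IOCS = "\n".join(line for line in _DISTINCT for _ in range(4))

# PID -> image path, taken from the report's Processes section.
IMAGE_BY_PID = {
    2068: r"C:\Users\Admin\AppData\Local\Temp\4b8a0dc43483bfebabde3a4d3bdc15d0_NeikiAnalytics.exe",
    2060: r"C:\Users\Admin\AppData\Roaming\ewiuer2.exe",
    2668: r"C:\Windows\SysWOW64\ewiuer2.exe",
    2520: r"C:\Users\Admin\AppData\Roaming\ewiuer2.exe",
    316:  r"C:\Windows\SysWOW64\ewiuer2.exe",
    1420: r"C:\Users\Admin\AppData\Roaming\ewiuer2.exe",
    1944: r"C:\Windows\SysWOW64\ewiuer2.exe",
    448:  r"C:\Users\Admin\AppData\Roaming\ewiuer2.exe",
}

# Assumed line layout: "PID <writer> wrote to memory of <target> <pid> <image> <procid_target>"
_LINE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_wpm(text):
    """Return distinct (writer_pid, target_pid, image_name) edges in first-seen order."""
    edges = []
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        writer, target, pid, image, _procid_target = m.groups()
        if writer != pid:  # the description and the pid column must agree
            continue
        edge = (int(writer), int(target), image)
        if edge not in edges:  # collapse the repeated IoC lines
            edges.append(edge)
    return edges


def children_map(edges):
    """Map each writer PID to the PIDs it wrote into (its spawned children here)."""
    kids = defaultdict(list)
    for writer, target, _image in edges:
        kids[writer].append(target)
    return kids


def spawn_chain(edges, root):
    """Follow the first child at every level; stops on a cycle or a leaf."""
    kids = children_map(edges)
    chain, seen = [root], {root}
    while kids.get(chain[-1]):
        nxt = kids[chain[-1]][0]
        if nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def launch_dirs(chain, images):
    """Directory of each process in the chain below the root."""
    return [images[pid].rsplit("\\", 1)[0] for pid in chain[1:]]


def is_ping_pong(dirs, first, second):
    """True if the directories strictly alternate first, second, first, ..."""
    return all(d == (first if i % 2 == 0 else second) for i, d in enumerate(dirs))


def triage(text=WPM_IOCS, images=IMAGE_BY_PID, root=2068):
    """Summarise the chain: distinct edges, PID order, depth, and the re-launch pattern."""
    edges = parse_wpm(text)
    chain = spawn_chain(edges, root)
    dirs = launch_dirs(chain, images)
    alternates = is_ping_pong(dirs, r"C:\Users\Admin\AppData\Roaming", r"C:\Windows\SysWOW64")
    return {"edges": len(edges), "chain": chain, "depth": len(chain) - 1, "ping_pong": alternates}


if __name__ == "__main__":
    result = triage()
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run stand-alone it reports 7 distinct edges out of 28 lines, the chain 2068 > 2060 > 2668 > 2520 > 316 > 1420 > 1944 > 448, and confirms the Roaming/SysWOW64 alternation; feeding it a report where the description PID and the pid column disagree yields no edge for that line.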
Network
MITRE ATT&CK Matrix
Downloads
Nine files (two of 230B and 229B, and seven 61KB files, each with a different hash):
-
Filesize: 230B
MD5: 8da93f585220035932e5bb61252e3763
SHA1: e635555a94d5d1f3baf42f6f1867e560d11e2b4c
SHA256: 8a277060790ab47f49cc8d3b5eb0aed22de06c06fab34e9620a7e3671849f98c
SHA512: 3d76a5987e6165ade06100c8c89df26737c2833110b39797079a156ef3071a9bdcc00a23f09417f9908c4ff5e97fbc2365af0103fbb6d10963003836dfeca681
-
Filesize: 229B
MD5: fe17f44cb0d28f7e2be53848e35dec79
SHA1: ed132258fac67209da6030b55a9384a5309c05a7
SHA256: f96f3c421467a84340e5ef07550d8bd50aec0623450492025aedb1e9502b8220
SHA512: 8c622bbca6a4f22400f8e9c574d42643cc29668261294f7fb0bc32574ac30d1836b6fe5ea59102d173b050f7e41cda6d85b08d9679c96fb2c828553a67ff2f33
-
Filesize: 61KB
MD5: ce4ea61ef2653a6e44db184286ed6f6c
SHA1: 044f6a2e932fb434941758139e88cc16c31e307c
SHA256: b9b0fdf6ef0cc27dc8115fc2075d61241595fb628091e0a13f096f344c640a54
SHA512: be61f0ea0360a44ea5f7d9384d2fa3b8b86b3b6e207cddc15545ba80ca5d169e2cf2a1470d1b307d14c1dc3eb295d80f60c4b41f1d543663956a40667d6d0d2c
-
Filesize: 61KB
MD5: a39f94bb7769887680b5492bf739bda0
SHA1: 4fd62580302c552380c3f351a8e071aaa116b3c4
SHA256: a1244d856dec6c188392f6f1be3df1fde421f6d2271be81dd2205ac68f1b09eb
SHA512: 9b4fa7298887ce0b52db3344e77b7d16e9168ac78c1cd48a45c22afd8c96d4536fe8af41f5085a8629099810117df935bb858582cde2e54e84193fbb88afde94
-
Filesize: 61KB
MD5: 52b52e4fd075aa291e0910785d38a870
SHA1: 7a7dd811a7abd87259ca20db5ed2b09ccd8bc6f9
SHA256: d0a028ac535553a60fb99805df9f5e259ff6c00760b477ce2e11915f53b50f11
SHA512: a7e50f2e542326c4ea20e67a61f3f994b2cc3f1cddf175b23587547d4730634050b83bd3a35f6d5b866956873384ef21b7c6a6ceaa4221a4d4beb517eb0894a7
-
Filesize: 61KB
MD5: a58a3279f916d1338a2a9881c4941de8
SHA1: 6b1dd8b79ac1f304d82083f9963fd0a98e80ca78
SHA256: 12c9577c4e88470156600383d32473e833cec5fd82081e7d126ba40c70fc70c6
SHA512: b28429a0df7a712944fc63d861c416cf5d7f9531fbb2ee96c0d36ec8ea29a169496a266350232a33e66a5e1daa35d99d63d41c7f3f6d502ed91bd2af49fe0677
-
Filesize: 61KB
MD5: 4dc4382862be77aaa74ec173573e9a39
SHA1: dea3b19cb474b13c7f4b877d4c4f528215b259f1
SHA256: 137c462ee4afa3fb7c905ff9e1fcb663c69a57a2d602ca274aca02af4a4a7e2f
SHA512: 5d2c4134e4abe62955d1720183d4e3bfd5e71ed5ed1aefaf838d385e9bbe98cea2f5be538fb162b4c3e78d65057002a26ab7cff96a958de58ece9059c1eddeab
-
Filesize: 61KB
MD5: 728ff389c2b3aa19b6da2493e88bd0b7
SHA1: b254817d3ed340528a8b48c9a3f380d996b780c0
SHA256: 4ff8fa13f8d1fb1c7b416352954632e7d966b1ca28542b1d2f649f84ccd2d841
SHA512: 17d54b0e24fffda50f685750c071f66ff2656dc9d45b8cbbefdf73c8cfc1b4586343851c506b78f862963427245cd79d17efe618cc0569d1e07e84a2ec2338fb
-
Filesize: 61KB
MD5: 502890c48d472b802b10765130f8f58b
SHA1: b2270eb5b81e265ceb2f883460f98f49a69e3ce5
SHA256: f3cab21e3ae59b43bda229c456416d67f37be362adf2dc0aa3773067bfcc81e2
SHA512: 642a056db4bd71201d0cbea1f2d5629adf59e28d275a395c5eba8301e339a86fa898aa4d11f92b7ceeebc89a6a111da5960e5eadc87a56d06eb65fc4906d160c