Analysis

  • max time kernel: 144s
  • max time network: 147s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240611-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 12/06/2024, 23:06

General

  • Target: 4b8a0dc43483bfebabde3a4d3bdc15d0_NeikiAnalytics.exe
  • Size: 61KB
  • MD5: 4b8a0dc43483bfebabde3a4d3bdc15d0
  • SHA1: 772a7380f9a064251910e8aaff0aeff9027c115a
  • SHA256: 73d3e046d17dec67bc49e69c9b8b50b37395e312fc8ca870bee6a3685acef721
  • SHA512: 3fcfa1399f8dc5c92b5faa04289f787f3c84ef8a60d155dfbbdaae10a7ab5379efaa154508ea27ef2e4182c3faa1766e87b11db2922545925155de9492ea2093
  • SSDEEP: 1536:1ttdse4OcUmWQIvEPZo6E5sEFd29NQgA2wwle5:ddse4OlQZo6EKEFdGM21le5

Score: 7/10

Signatures

  • Executes dropped EXE 7 IoCs
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4b8a0dc43483bfebabde3a4d3bdc15d0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\4b8a0dc43483bfebabde3a4d3bdc15d0_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3664
    • C:\Users\Admin\AppData\Roaming\ewiuer2.exe
      C:\Users\Admin\AppData\Roaming\ewiuer2.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2628
      • C:\Windows\SysWOW64\ewiuer2.exe
        C:\Windows\System32\ewiuer2.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3844
        • C:\Users\Admin\AppData\Roaming\ewiuer2.exe
          C:\Users\Admin\AppData\Roaming\ewiuer2.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:4944
          • C:\Windows\SysWOW64\ewiuer2.exe
            C:\Windows\System32\ewiuer2.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1276
            • C:\Users\Admin\AppData\Roaming\ewiuer2.exe
              C:\Users\Admin\AppData\Roaming\ewiuer2.exe
              6⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Suspicious use of WriteProcessMemory
              PID:3128
              • C:\Windows\SysWOW64\ewiuer2.exe
                C:\Windows\System32\ewiuer2.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:4736
                • C:\Users\Admin\AppData\Roaming\ewiuer2.exe
                  C:\Users\Admin\AppData\Roaming\ewiuer2.exe
                  8⤵
                  • Executes dropped EXE
                  PID:4664


Downloads

  • C:\Users\Admin\AppData\Roaming\ewiuer2.exe
    Filesize: 61KB
    MD5: 29f3e0e1931308bb79fc30ffa8e6a83b
    SHA1: 50e4f1e44dd09802e98cb0a8facaa51bb840e5e1
    SHA256: 1e9d1175f89f56b981ad8f30f4891ba37df170d55718771b7ddab4c970b703e6
    SHA512: f96e6618c5d524d314a611855a1bb741a92240498d0f98fc0733c58ddf649f1dab38acaf14abcf8623406a654ee66a6eeb8a05bdf70112f5f08c926e604386de

  • C:\Users\Admin\AppData\Roaming\ewiuer2.exe
    Filesize: 61KB
    MD5: 35b75b7487d1030d2ea31938bfaa5b93
    SHA1: e57a3e3283905d599b5d0f2bac698316c984dc41
    SHA256: b33cf94a0a5f93f2ee37eca51cc3d84a51bf7a1adc970457f8d6c8fd895e6c8a
    SHA512: 59356ccf6bbe4443f091a2da66cfeb2dff275658bc94c7d7e144bad9479c31128f6e4b8a1259019d5a17a2dd83cb04ab4d5e440a623a581f621e0531543ce3b9

  • C:\Users\Admin\AppData\Roaming\ewiuer2.exe
    Filesize: 61KB
    MD5: 22790e710ffaacdbb4d93c39be3fa469
    SHA1: bda9e966a1ae5ed36439df427cbd76da052e5621
    SHA256: e220a057326b8751062e77614c76dd1cd28096ba705d19d590af472a1260786e
    SHA512: 387bc09fd165d594d96e80d20a5a8c38a573aad89ffd98cea4ebb2b651cb8a50ff5fc2af1782c5540c1afd69fa170de6c14396fe4db9539d0b9910f35e1bd71b

  • C:\Users\Admin\AppData\Roaming\ewiuer2.exe
    Filesize: 61KB
    MD5: ce4ea61ef2653a6e44db184286ed6f6c
    SHA1: 044f6a2e932fb434941758139e88cc16c31e307c
    SHA256: b9b0fdf6ef0cc27dc8115fc2075d61241595fb628091e0a13f096f344c640a54
    SHA512: be61f0ea0360a44ea5f7d9384d2fa3b8b86b3b6e207cddc15545ba80ca5d169e2cf2a1470d1b307d14c1dc3eb295d80f60c4b41f1d543663956a40667d6d0d2c

  • C:\Windows\SysWOW64\ewiuer2.exe
    Filesize: 61KB
    MD5: c3b16e5a0f84bb087debad7a7164c7ec
    SHA1: b153f84259065bac4a9baa3a91d26e6794cc743b
    SHA256: 2b320d9365810cd20acd0c495e77b541c8cf6d94c0cb6221f44d3c2ce38d896f
    SHA512: 1d7309b36521752816c4fcf92c02478cf2d6c83d78c2834136e95df4309c47faaf7d11730ba466d8d7b6a0d50eed95f15a9edbf3c87b06666819f38387197905

  • C:\Windows\SysWOW64\ewiuer2.exe
    Filesize: 61KB
    MD5: 5ad59b342da23417497142b0d0f46ab6
    SHA1: e216f35284c8cd06887ab312bdba54721af78e9b
    SHA256: 1afb309154ad17c12dae4748a9803b9c7f0595785ed941654ad47ae1db87647d
    SHA512: 2b39e309a90206e2e30678b8563f7cb9dd489c04b9d09d3117a29ff952c3802bd373364623b484cdcf799d5c6fe114f9c03245e1a73f66d07ed9275af8937db8

  • C:\Windows\SysWOW64\ewiuer2.exe
    Filesize: 61KB
    MD5: fe5b25d07a525087c435d4c6d9548cf6
    SHA1: 2517aadb9e91c960645201ec3feb43d2d3284d06
    SHA256: a67e63493fbbf1ac7f61b7be3614e15bcd2b6e3000df75ca658a6b5af7916280
    SHA512: 257b2db4d55cc42a37a358f8f6d13393aaa9965ca1e8631cb080bee55a11d0c6d9ed72913977756867c3307f6bd9a86276c37417768f09b4f1468eeb76f7d76d