Analysis Overview
SHA256
73d3e046d17dec67bc49e69c9b8b50b37395e312fc8ca870bee6a3685acef721
Threat Level: Shows suspicious behavior
The file 4b8a0dc43483bfebabde3a4d3bdc15d0_NeikiAnalytics.exe shows suspicious behavior: it drops an executable named ewiuer2.exe under the user's Roaming profile, that copy writes and launches a further ewiuer2.exe in C:\Windows\SysWOW64, and the two locations then relaunch each other in a chain (within a run, every dropped copy has a different hash; see the Files sections). The running copies connect to mkkuei4kdsz.com (64.225.91.73) and ow5dirasuek.com (52.34.198.229) on TCP port 80 and repeatedly query podayl.net without a recorded connection.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-12 23:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 23:06
Reported
2024-06-12 23:09
Platform
win7-20240611-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4b8a0dc43483bfebabde3a4d3bdc15d0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4b8a0dc43483bfebabde3a4d3bdc15d0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\ewiuer2.exe | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ewiuer2.exe | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| File created | C:\Windows\SysWOW64\ewiuer2.exe | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image path | Command line |
| C:\Users\Admin\AppData\Local\Temp\4b8a0dc43483bfebabde3a4d3bdc15d0_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\4b8a0dc43483bfebabde3a4d3bdc15d0_NeikiAnalytics.exe" |
| C:\Users\Admin\AppData\Roaming\ewiuer2.exe | C:\Users\Admin\AppData\Roaming\ewiuer2.exe |
| C:\Windows\SysWOW64\ewiuer2.exe | C:\Windows\System32\ewiuer2.exe |
| C:\Users\Admin\AppData\Roaming\ewiuer2.exe | C:\Users\Admin\AppData\Roaming\ewiuer2.exe |
| C:\Windows\SysWOW64\ewiuer2.exe | C:\Windows\System32\ewiuer2.exe |
| C:\Users\Admin\AppData\Roaming\ewiuer2.exe | C:\Users\Admin\AppData\Roaming\ewiuer2.exe |
| C:\Windows\SysWOW64\ewiuer2.exe | C:\Windows\System32\ewiuer2.exe |
| C:\Users\Admin\AppData\Roaming\ewiuer2.exe | C:\Users\Admin\AppData\Roaming\ewiuer2.exe |
The command line C:\Windows\System32\ewiuer2.exe and the image path C:\Windows\SysWOW64\ewiuer2.exe refer to the same file: the process is 32-bit, and WOW64 file system redirection maps System32 to SysWOW64 for it. That is also why the "Drops file in System32 directory" signature reports SysWOW64 paths. Processes appear in the order the sandbox recorded them; the report does not show parent/child links.
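The Roaming/SysWOW64 relaunch pattern above, modelled as process events and checked with a small detection routine. This is an added example written for this page, not sandbox output: the PIDs and parent/child links are constructed from the process order shown (the report prints no process tree), every process is assumed to be 32-bit (which is what a SysWOW64 image path behind a System32 command line implies), and the list of user-writable directories is an assumed shortlist.

```python
import re
from dataclasses import dataclass, field

# WOW64 file system redirection: for a 32-bit process, %SystemRoot%\System32
# is transparently mapped to %SystemRoot%\SysWOW64.
_SYSTEM32 = re.compile(r"^(?P<root>[a-z]:\\windows\\)system32(?=\\)", re.IGNORECASE)


def effective_image(cmdline_path: str, is_wow64: bool) -> str:
    """Path a process really loads its image from.

    A 32-bit process started as C:\\Windows\\System32\\x.exe actually runs
    C:\\Windows\\SysWOW64\\x.exe; a 64-bit process is not redirected.
    """
    if not is_wow64:
        return cmdline_path
    return _SYSTEM32.sub(lambda m: m.group("root") + "SysWOW64", cmdline_path)


def first_token(cmdline: str) -> str:
    """Executable path from a command line (quoted or bare); enough for these samples."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(" ", 1)[0]


def is_user_writable(path: str) -> bool:
    # Assumed shortlist of locations a standard user can write to without elevation.
    p = path.lower()
    return "\\appdata\\" in p or "\\users\\public\\" in p or "\\programdata\\" in p


def is_system_dir(path: str) -> bool:
    p = path.lower()
    return "\\windows\\system32\\" in p or "\\windows\\syswow64\\" in p


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str                 # image path as the kernel sees it (after redirection)
    cmdline: str
    is_wow64: bool
    files_created: list = field(default_factory=list)


def cmdline_consistent(e: ProcEvent) -> bool:
    """True when the command-line path, after WOW64 redirection, equals the image path."""
    return effective_image(first_token(e.cmdline), e.is_wow64).lower() == e.image.lower()


def executes_dropped(events):
    """Children whose image is a file their parent created ('Executes dropped EXE')."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        if e.image.lower() in {p.lower() for p in parent.files_created}:
            if is_system_dir(e.image):
                where = "system"
            elif is_user_writable(e.image):
                where = "user"
            else:
                where = "other"
            hits.append({"parent": parent.pid, "child": e.pid, "image": e.image, "location": where})
    return hits


def relaunch_chain_length(events) -> int:
    """Longest parent->child run in which every hop executes a freshly dropped binary."""
    child_of = {h["child"]: h["parent"] for h in executes_dropped(events)}
    best = 0
    for pid in child_of:
        n, cur = 0, pid
        while cur in child_of:
            n, cur = n + 1, child_of[cur]
        best = max(best, n)
    return best


# Constructed events following the behavioral1 process order. PIDs and parent
# links are assumptions; the paths and command lines are taken from the report.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\4b8a0dc43483bfebabde3a4d3bdc15d0_NeikiAnalytics.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\ewiuer2.exe"
SYSWOW = r"C:\Windows\SysWOW64\ewiuer2.exe"
SYS32 = r"C:\Windows\System32\ewiuer2.exe"
EVENTS = [
    ProcEvent(100, 1, DROPPER, f'"{DROPPER}"', True, [ROAMING]),
    ProcEvent(101, 100, ROAMING, ROAMING, True, [SYSWOW]),
    ProcEvent(102, 101, SYSWOW, SYS32, True, [ROAMING]),
    ProcEvent(103, 102, ROAMING, ROAMING, True, [SYSWOW]),
    ProcEvent(104, 103, SYSWOW, SYS32, True, [ROAMING]),
]

if __name__ == "__main__":
    for h in executes_dropped(EVENTS):
        print(f"pid {h['parent']} dropped and launched pid {h['child']} ({h['location']}): {h['image']}")
    print("relaunch chain length:", relaunch_chain_length(EVENTS))
    print("command lines consistent with image paths:", all(map(cmdline_consistent, EVENTS)))
```

Normalising the command line through `effective_image` before comparing it with the image path matters for any rule keyed on System32: without it the SysWOW64 launches look like a mismatch between what was requested and what ran, and a naive "binary executed from System32" rule never fires for this sample.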
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | podayl.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
Files
\Users\Admin\AppData\Roaming\ewiuer2.exe
| MD5 | ce4ea61ef2653a6e44db184286ed6f6c |
| SHA1 | 044f6a2e932fb434941758139e88cc16c31e307c |
| SHA256 | b9b0fdf6ef0cc27dc8115fc2075d61241595fb628091e0a13f096f344c640a54 |
| SHA512 | be61f0ea0360a44ea5f7d9384d2fa3b8b86b3b6e207cddc15545ba80ca5d169e2cf2a1470d1b307d14c1dc3eb295d80f60c4b41f1d543663956a40667d6d0d2c |
\Windows\SysWOW64\ewiuer2.exe
| MD5 | 4dc4382862be77aaa74ec173573e9a39 |
| SHA1 | dea3b19cb474b13c7f4b877d4c4f528215b259f1 |
| SHA256 | 137c462ee4afa3fb7c905ff9e1fcb663c69a57a2d602ca274aca02af4a4a7e2f |
| SHA512 | 5d2c4134e4abe62955d1720183d4e3bfd5e71ed5ed1aefaf838d385e9bbe98cea2f5be538fb162b4c3e78d65057002a26ab7cff96a958de58ece9059c1eddeab |
\Users\Admin\AppData\Roaming\ewiuer2.exe
| MD5 | a39f94bb7769887680b5492bf739bda0 |
| SHA1 | 4fd62580302c552380c3f351a8e071aaa116b3c4 |
| SHA256 | a1244d856dec6c188392f6f1be3df1fde421f6d2271be81dd2205ac68f1b09eb |
| SHA512 | 9b4fa7298887ce0b52db3344e77b7d16e9168ac78c1cd48a45c22afd8c96d4536fe8af41f5085a8629099810117df935bb858582cde2e54e84193fbb88afde94 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\OD58KC4T.txt
| MD5 | fe17f44cb0d28f7e2be53848e35dec79 |
| SHA1 | ed132258fac67209da6030b55a9384a5309c05a7 |
| SHA256 | f96f3c421467a84340e5ef07550d8bd50aec0623450492025aedb1e9502b8220 |
| SHA512 | 8c622bbca6a4f22400f8e9c574d42643cc29668261294f7fb0bc32574ac30d1836b6fe5ea59102d173b050f7e41cda6d85b08d9679c96fb2c828553a67ff2f33 |
\Windows\SysWOW64\ewiuer2.exe
| MD5 | 728ff389c2b3aa19b6da2493e88bd0b7 |
| SHA1 | b254817d3ed340528a8b48c9a3f380d996b780c0 |
| SHA256 | 4ff8fa13f8d1fb1c7b416352954632e7d966b1ca28542b1d2f649f84ccd2d841 |
| SHA512 | 17d54b0e24fffda50f685750c071f66ff2656dc9d45b8cbbefdf73c8cfc1b4586343851c506b78f862963427245cd79d17efe618cc0569d1e07e84a2ec2338fb |
\Users\Admin\AppData\Roaming\ewiuer2.exe
| MD5 | 52b52e4fd075aa291e0910785d38a870 |
| SHA1 | 7a7dd811a7abd87259ca20db5ed2b09ccd8bc6f9 |
| SHA256 | d0a028ac535553a60fb99805df9f5e259ff6c00760b477ce2e11915f53b50f11 |
| SHA512 | a7e50f2e542326c4ea20e67a61f3f994b2cc3f1cddf175b23587547d4730634050b83bd3a35f6d5b866956873384ef21b7c6a6ceaa4221a4d4beb517eb0894a7 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\7482N43U.txt
| MD5 | 8da93f585220035932e5bb61252e3763 |
| SHA1 | e635555a94d5d1f3baf42f6f1867e560d11e2b4c |
| SHA256 | 8a277060790ab47f49cc8d3b5eb0aed22de06c06fab34e9620a7e3671849f98c |
| SHA512 | 3d76a5987e6165ade06100c8c89df26737c2833110b39797079a156ef3071a9bdcc00a23f09417f9908c4ff5e97fbc2365af0103fbb6d10963003836dfeca681 |
\Windows\SysWOW64\ewiuer2.exe
| MD5 | 502890c48d472b802b10765130f8f58b |
| SHA1 | b2270eb5b81e265ceb2f883460f98f49a69e3ce5 |
| SHA256 | f3cab21e3ae59b43bda229c456416d67f37be362adf2dc0aa3773067bfcc81e2 |
| SHA512 | 642a056db4bd71201d0cbea1f2d5629adf59e28d275a395c5eba8301e339a86fa898aa4d11f92b7ceeebc89a6a111da5960e5eadc87a56d06eb65fc4906d160c |
\Users\Admin\AppData\Roaming\ewiuer2.exe
| MD5 | a58a3279f916d1338a2a9881c4941de8 |
| SHA1 | 6b1dd8b79ac1f304d82083f9963fd0a98e80ca78 |
| SHA256 | 12c9577c4e88470156600383d32473e833cec5fd82081e7d126ba40c70fc70c6 |
| SHA512 | b28429a0df7a712944fc63d861c416cf5d7f9531fbb2ee96c0d36ec8ea29a169496a266350232a33e66a5e1daa35d99d63d41c7f3f6d502ed91bd2af49fe0677 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 23:06
Reported
2024-06-12 23:09
Platform
win10v2004-20240611-en
Max time kernel
144s
Max time network
147s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\ewiuer2.exe | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ewiuer2.exe | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ewiuer2.exe | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image path | Command line |
| C:\Users\Admin\AppData\Local\Temp\4b8a0dc43483bfebabde3a4d3bdc15d0_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\4b8a0dc43483bfebabde3a4d3bdc15d0_NeikiAnalytics.exe" |
| C:\Users\Admin\AppData\Roaming\ewiuer2.exe | C:\Users\Admin\AppData\Roaming\ewiuer2.exe |
| C:\Windows\SysWOW64\ewiuer2.exe | C:\Windows\System32\ewiuer2.exe |
| C:\Users\Admin\AppData\Roaming\ewiuer2.exe | C:\Users\Admin\AppData\Roaming\ewiuer2.exe |
| C:\Windows\SysWOW64\ewiuer2.exe | C:\Windows\System32\ewiuer2.exe |
| C:\Users\Admin\AppData\Roaming\ewiuer2.exe | C:\Users\Admin\AppData\Roaming\ewiuer2.exe |
| C:\Windows\SysWOW64\ewiuer2.exe | C:\Windows\System32\ewiuer2.exe |
| C:\Users\Admin\AppData\Roaming\ewiuer2.exe | C:\Users\Admin\AppData\Roaming\ewiuer2.exe |
As in behavioral1, the System32 command lines resolve to SysWOW64 on disk because the 32-bit process is subject to WOW64 file system redirection; the process chain is identical on Windows 10.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | podayl.net | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 9.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| BE | 2.17.196.137:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.196.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | podayl.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | podayl.net | udp |
| US | 8.8.8.8:53 | podayl.net | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | podayl.net | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | podayl.net | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | podayl.net | udp |
| US | 8.8.8.8:53 | podayl.net | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
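The network rows of both detonations, triaged into resolver noise, OS background traffic and candidate indicators. This is an added example for this page, not sandbox output: the input is a constructed subset of the rows shown above, and treating bing.com as Windows 10 background traffic is an assumption made for the example, not a finding of the report. The report also does not say whether the repeated podayl.net lookups failed or simply were not followed by a connection; the code only records that no connection to it was seen.

```python
import re
from collections import Counter, defaultdict

# Subset of the network rows from this report (both detonations), constructed
# here as inline input; the complete tables are above.
ROWS = """\
| US | 8.8.8.8:53 | podayl.net | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 2.17.196.137:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | podayl.net | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
"""

# Domains treated as OS background traffic. Assumption made for this example
# (Windows 10 images contact Bing on their own); review before reusing.
BACKGROUND = ("bing.com",)
_PTR = re.compile(r"\.in-addr\.arpa$", re.IGNORECASE)


def parse_rows(text: str):
    """Parse '| Country | Destination | Domain | Proto |' rows into dicts."""
    records = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        ip, port = dest.rsplit(":", 1)
        records.append({"country": country, "ip": ip, "port": int(port),
                        "domain": domain.lower(), "proto": proto.lower()})
    return records


def is_background(domain: str) -> bool:
    return any(domain == b or domain.endswith("." + b) for b in BACKGROUND)


def triage(records):
    """Split the rows into resolver noise, background traffic and candidate IOCs."""
    dns = [r for r in records if r["port"] == 53 and r["proto"] == "udp"]
    conns = [r for r in records if not (r["port"] == 53 and r["proto"] == "udp")]
    ptr_lookups = sum(1 for r in dns if _PTR.search(r["domain"]))
    lookups = Counter(r["domain"] for r in dns if not _PTR.search(r["domain"]))
    connected = defaultdict(set)
    for r in conns:
        connected[r["domain"]].add((r["ip"], r["port"], r["proto"]))
    seen = set(lookups) | set(connected)
    iocs = {}
    for d in sorted(seen):
        if is_background(d):
            continue
        iocs[d] = {"lookups": lookups.get(d, 0), "connections": sorted(connected.get(d, ()))}
    return {"ptr_lookups": ptr_lookups,
            "background": sorted(d for d in seen if is_background(d)),
            "iocs": iocs}


def never_connected(result):
    """Domains the sample looked up but never opened a connection to."""
    return sorted(d for d, v in result["iocs"].items() if v["lookups"] and not v["connections"])


def indicator_list(result):
    """Flat (type, value) pairs suitable for a blocklist."""
    out = set()
    for d, v in result["iocs"].items():
        out.add(("domain", d))
        for ip, port, proto in v["connections"]:
            out.add(("ip", ip))
            out.add(("socket", f"{proto}://{ip}:{port}"))
    return sorted(out)


if __name__ == "__main__":
    result = triage(parse_rows(ROWS))
    print("reverse (PTR) lookups ignored:", result["ptr_lookups"])
    print("background domains ignored:", result["background"])
    for d, v in result["iocs"].items():
        print(f"{d}: {v['lookups']} lookup(s), connections {v['connections']}")
    print("looked up but never contacted:", never_connected(result))
```

The in-addr.arpa rows are reverse lookups of addresses already in the table and carry no indicator of their own; dropping them, and separating "queried" from "connected", leaves three domains, two of which have a concrete socket behind them.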
Files
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
| MD5 | ce4ea61ef2653a6e44db184286ed6f6c |
| SHA1 | 044f6a2e932fb434941758139e88cc16c31e307c |
| SHA256 | b9b0fdf6ef0cc27dc8115fc2075d61241595fb628091e0a13f096f344c640a54 |
| SHA512 | be61f0ea0360a44ea5f7d9384d2fa3b8b86b3b6e207cddc15545ba80ca5d169e2cf2a1470d1b307d14c1dc3eb295d80f60c4b41f1d543663956a40667d6d0d2c |
C:\Windows\SysWOW64\ewiuer2.exe
| MD5 | fe5b25d07a525087c435d4c6d9548cf6 |
| SHA1 | 2517aadb9e91c960645201ec3feb43d2d3284d06 |
| SHA256 | a67e63493fbbf1ac7f61b7be3614e15bcd2b6e3000df75ca658a6b5af7916280 |
| SHA512 | 257b2db4d55cc42a37a358f8f6d13393aaa9965ca1e8631cb080bee55a11d0c6d9ed72913977756867c3307f6bd9a86276c37417768f09b4f1468eeb76f7d76d |
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
| MD5 | 29f3e0e1931308bb79fc30ffa8e6a83b |
| SHA1 | 50e4f1e44dd09802e98cb0a8facaa51bb840e5e1 |
| SHA256 | 1e9d1175f89f56b981ad8f30f4891ba37df170d55718771b7ddab4c970b703e6 |
| SHA512 | f96e6618c5d524d314a611855a1bb741a92240498d0f98fc0733c58ddf649f1dab38acaf14abcf8623406a654ee66a6eeb8a05bdf70112f5f08c926e604386de |
C:\Windows\SysWOW64\ewiuer2.exe
| MD5 | c3b16e5a0f84bb087debad7a7164c7ec |
| SHA1 | b153f84259065bac4a9baa3a91d26e6794cc743b |
| SHA256 | 2b320d9365810cd20acd0c495e77b541c8cf6d94c0cb6221f44d3c2ce38d896f |
| SHA512 | 1d7309b36521752816c4fcf92c02478cf2d6c83d78c2834136e95df4309c47faaf7d11730ba466d8d7b6a0d50eed95f15a9edbf3c87b06666819f38387197905 |
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
| MD5 | 35b75b7487d1030d2ea31938bfaa5b93 |
| SHA1 | e57a3e3283905d599b5d0f2bac698316c984dc41 |
| SHA256 | b33cf94a0a5f93f2ee37eca51cc3d84a51bf7a1adc970457f8d6c8fd895e6c8a |
| SHA512 | 59356ccf6bbe4443f091a2da66cfeb2dff275658bc94c7d7e144bad9479c31128f6e4b8a1259019d5a17a2dd83cb04ab4d5e440a623a581f621e0531543ce3b9 |
C:\Windows\SysWOW64\ewiuer2.exe
| MD5 | 5ad59b342da23417497142b0d0f46ab6 |
| SHA1 | e216f35284c8cd06887ab312bdba54721af78e9b |
| SHA256 | 1afb309154ad17c12dae4748a9803b9c7f0595785ed941654ad47ae1db87647d |
| SHA512 | 2b39e309a90206e2e30678b8563f7cb9dd489c04b9d09d3117a29ff952c3802bd373364623b484cdcf799d5c6fe114f9c03245e1a73f66d07ed9275af8937db8 |
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
| MD5 | 22790e710ffaacdbb4d93c39be3fa469 |
| SHA1 | bda9e966a1ae5ed36439df427cbd76da052e5621 |
| SHA256 | e220a057326b8751062e77614c76dd1cd28096ba705d19d590af472a1260786e |
| SHA512 | 387bc09fd165d594d96e80d20a5a8c38a573aad89ffd98cea4ebb2b651cb8a50ff5fc2af1782c5540c1afd69fa170de6c14396fe4db9539d0b9910f35e1bd71b |
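The Files sections of both detonations, reduced to (run, path, SHA256) and compared. This is an added example for this page, not sandbox output; the records are copied inline from the Files tables above (the IE cookie files are left out), and report order is assumed to be drop order. It shows which of the dropped hashes is stable across runs and how little a hash blocklist built from these tables would catch.

```python
from collections import Counter, defaultdict

# (run, path, sha256) for every dropped ewiuer2.exe in the Files sections of
# behavioral1 (win7) and behavioral2 (win10), in report order.
FILES = [
    ("behavioral1", r"\Users\Admin\AppData\Roaming\ewiuer2.exe", "b9b0fdf6ef0cc27dc8115fc2075d61241595fb628091e0a13f096f344c640a54"),
    ("behavioral1", r"\Windows\SysWOW64\ewiuer2.exe", "137c462ee4afa3fb7c905ff9e1fcb663c69a57a2d602ca274aca02af4a4a7e2f"),
    ("behavioral1", r"\Users\Admin\AppData\Roaming\ewiuer2.exe", "a1244d856dec6c188392f6f1be3df1fde421f6d2271be81dd2205ac68f1b09eb"),
    ("behavioral1", r"\Windows\SysWOW64\ewiuer2.exe", "4ff8fa13f8d1fb1c7b416352954632e7d966b1ca28542b1d2f649f84ccd2d841"),
    ("behavioral1", r"\Users\Admin\AppData\Roaming\ewiuer2.exe", "d0a028ac535553a60fb99805df9f5e259ff6c00760b477ce2e11915f53b50f11"),
    ("behavioral1", r"\Windows\SysWOW64\ewiuer2.exe", "f3cab21e3ae59b43bda229c456416d67f37be362adf2dc0aa3773067bfcc81e2"),
    ("behavioral1", r"\Users\Admin\AppData\Roaming\ewiuer2.exe", "12c9577c4e88470156600383d32473e833cec5fd82081e7d126ba40c70fc70c6"),
    ("behavioral2", r"C:\Users\Admin\AppData\Roaming\ewiuer2.exe", "b9b0fdf6ef0cc27dc8115fc2075d61241595fb628091e0a13f096f344c640a54"),
    ("behavioral2", r"C:\Windows\SysWOW64\ewiuer2.exe", "a67e63493fbbf1ac7f61b7be3614e15bcd2b6e3000df75ca658a6b5af7916280"),
    ("behavioral2", r"C:\Users\Admin\AppData\Roaming\ewiuer2.exe", "1e9d1175f89f56b981ad8f30f4891ba37df170d55718771b7ddab4c970b703e6"),
    ("behavioral2", r"C:\Windows\SysWOW64\ewiuer2.exe", "2b320d9365810cd20acd0c495e77b541c8cf6d94c0cb6221f44d3c2ce38d896f"),
    ("behavioral2", r"C:\Users\Admin\AppData\Roaming\ewiuer2.exe", "b33cf94a0a5f93f2ee37eca51cc3d84a51bf7a1adc970457f8d6c8fd895e6c8a"),
    ("behavioral2", r"C:\Windows\SysWOW64\ewiuer2.exe", "1afb309154ad17c12dae4748a9803b9c7f0595785ed941654ad47ae1db87647d"),
    ("behavioral2", r"C:\Users\Admin\AppData\Roaming\ewiuer2.exe", "e220a057326b8751062e77614c76dd1cd28096ba705d19d590af472a1260786e"),
]


def normalize_path(path: str) -> str:
    """Drop the drive letter (behavioral1 lists paths without one) and lower-case."""
    p = path.lower()
    if len(p) > 1 and p[1] == ":":
        p = p[2:]
    return p


def drops_per_run(files):
    """Number of dropped files recorded in each detonation."""
    return Counter(run for run, _, _ in files)


def distinct_hashes_per_path(files):
    """How many different binaries were written to each drop location."""
    per_path = defaultdict(set)
    for _, path, sha in files:
        per_path[normalize_path(path)].add(sha)
    return {p: len(s) for p, s in per_path.items()}


def cross_run_hashes(files):
    """Hashes seen in more than one detonation: the only ones a hash blocklist can rely on."""
    runs = defaultdict(set)
    for run, _, sha in files:
        runs[sha].add(run)
    return {sha for sha, r in runs.items() if len(r) > 1}


def first_drop(files, run):
    """(normalized path, sha256) of the first file dropped in a run, or None."""
    for r, path, sha in files:
        if r == run:
            return normalize_path(path), sha
    return None


def hash_hit_rate(files, blocklist) -> float:
    """Fraction of the dropped files a hash blocklist would have matched."""
    return sum(1 for _, _, sha in files if sha in blocklist) / len(files)


if __name__ == "__main__":
    stable = cross_run_hashes(FILES)
    print("drops per run:", dict(drops_per_run(FILES)))
    print("distinct hashes per path:", distinct_hashes_per_path(FILES))
    print("hashes stable across runs:", stable)
    print("first drop per run:", first_drop(FILES, "behavioral1"), first_drop(FILES, "behavioral2"))
    print(f"hash blocklist hit rate: {hash_hit_rate(FILES, stable):.0%}")
```

Only the first Roaming\ewiuer2.exe has the same SHA256 in both detonations; every later copy, in both locations, is a different file. A blocklist of the stable hash therefore matches 2 of the 14 dropped files, while a rule on the behaviour (a binary under AppData\Roaming writing into SysWOW64 and launching the result, and the reverse) covers the whole chain.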