Malware Analysis Report

2025-01-18 02:02

Sample ID: 240613-jmdynstepk
Target: 6a36638650b9106593bed786aa9b1340_NeikiAnalytics.exe
SHA256: 6811e5666368ffe7ad71d8a43260f117b776b3b151c8ae882494a260771aab72
Score: 7/10

Table of Contents

Analysis Overview
  MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256: 6811e5666368ffe7ad71d8a43260f117b776b3b151c8ae882494a260771aab72

Threat Level: Shows suspicious behavior

The file 6a36638650b9106593bed786aa9b1340_NeikiAnalytics.exe was classified as: Shows suspicious behavior.

Malicious Activity Summary

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-13 07:46

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 07:46
Reported: 2024-06-13 07:49
Platform: win7-20240508-en
Max time kernel: 146s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6a36638650b9106593bed786aa9b1340_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\ewiuer2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\ewiuer2.exe | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1916 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\6a36638650b9106593bed786aa9b1340_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\ewiuer2.exe
PID 1916 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\6a36638650b9106593bed786aa9b1340_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\ewiuer2.exe
PID 1916 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\6a36638650b9106593bed786aa9b1340_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\ewiuer2.exe
PID 1916 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\6a36638650b9106593bed786aa9b1340_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\ewiuer2.exe
PID 2224 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | C:\Windows\SysWOW64\ewiuer2.exe
PID 2224 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | C:\Windows\SysWOW64\ewiuer2.exe
PID 2224 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | C:\Windows\SysWOW64\ewiuer2.exe
PID 2224 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | C:\Windows\SysWOW64\ewiuer2.exe
PID 1628 wrote to memory of 1528 | N/A | C:\Windows\SysWOW64\ewiuer2.exe | C:\Users\Admin\AppData\Roaming\ewiuer2.exe
PID 1628 wrote to memory of 1528 | N/A | C:\Windows\SysWOW64\ewiuer2.exe | C:\Users\Admin\AppData\Roaming\ewiuer2.exe
PID 1628 wrote to memory of 1528 | N/A | C:\Windows\SysWOW64\ewiuer2.exe | C:\Users\Admin\AppData\Roaming\ewiuer2.exe
PID 1628 wrote to memory of 1528 | N/A | C:\Windows\SysWOW64\ewiuer2.exe | C:\Users\Admin\AppData\Roaming\ewiuer2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6a36638650b9106593bed786aa9b1340_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\6a36638650b9106593bed786aa9b1340_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\ewiuer2.exe

C:\Users\Admin\AppData\Roaming\ewiuer2.exe

C:\Windows\SysWOW64\ewiuer2.exe

C:\Windows\System32\ewiuer2.exe

C:\Users\Admin\AppData\Roaming\ewiuer2.exe

C:\Users\Admin\AppData\Roaming\ewiuer2.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | podayl.net | udp
US | 8.8.8.8:53 | podayl.net | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 8.8.8.8:53 | podayl.net | udp
US | 8.8.8.8:53 | podayl.net | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp

Files

\Users\Admin\AppData\Roaming\ewiuer2.exe

MD5 76ea546bfaeadb375d983011b6d9ca41
SHA1 5b3a2082a589d119c952d1b5836d71a185095999
SHA256 879f7edb9e688c4bf1e081518e8af65e5348e8ce7a22bde3c31edbe504415550
SHA512 91218d43afba3b5a8ff51dec5f5d55f6ae7920afc432868f13867bdb4d23a28d5f61942a341f7b05082a3b11e6adf4ec251a77c44fe80dfa63f9360db6f9b7cd

\Windows\SysWOW64\ewiuer2.exe

MD5 a34b0f19033059418d642a2e732ede61
SHA1 0452e6422187867cb0e2dce19f8ad24b90eff688
SHA256 a200daf9cfcec90ad8f91b8229a925ac5403134564663d0c7e948ef59e92105e
SHA512 3564f0df71f85b535140d82a413fcd94d36b3cd39f94c5f66ff827ad8158054a2a39f05fd92ecf46527926c88b3d23dca6558195c8490ca05f1a77efcd88d78a

\Users\Admin\AppData\Roaming\ewiuer2.exe

MD5 78df0a9cd50addb9c6cb68b4c945a8d5
SHA1 21bb03b9752451be3025624cb3d36712d2040a99
SHA256 81f4ce0ddc3759ef2c25861d100b852acd9602264e7488ee9796e1a3f82667e2
SHA512 119c443614e0322a6a586aa8a872aba65d7d2624b79b19c0f207a69dcae5d13cfa8f61e91b98a8975c9521d899555ea579359b6283e37bb806ce9734083fc6c9

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-13 07:46
Reported: 2024-06-13 07:49
Platform: win10v2004-20240508-en
Max time kernel: 142s
Max time network: 139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6a36638650b9106593bed786aa9b1340_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\ewiuer2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\ewiuer2.exe | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6a36638650b9106593bed786aa9b1340_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\6a36638650b9106593bed786aa9b1340_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\ewiuer2.exe

C:\Users\Admin\AppData\Roaming\ewiuer2.exe

C:\Windows\SysWOW64\ewiuer2.exe

C:\Windows\System32\ewiuer2.exe

C:\Users\Admin\AppData\Roaming\ewiuer2.exe

C:\Users\Admin\AppData\Roaming\ewiuer2.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | podayl.net | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | podayl.net | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 8.8.8.8:53 | podayl.net | udp
US | 8.8.8.8:53 | podayl.net | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp

Files

C:\Users\Admin\AppData\Roaming\ewiuer2.exe

MD5 76ea546bfaeadb375d983011b6d9ca41
SHA1 5b3a2082a589d119c952d1b5836d71a185095999
SHA256 879f7edb9e688c4bf1e081518e8af65e5348e8ce7a22bde3c31edbe504415550
SHA512 91218d43afba3b5a8ff51dec5f5d55f6ae7920afc432868f13867bdb4d23a28d5f61942a341f7b05082a3b11e6adf4ec251a77c44fe80dfa63f9360db6f9b7cd

C:\Windows\SysWOW64\ewiuer2.exe

MD5 26eb5a550597b21b7ab15451c1ac368d
SHA1 7e487fd125678061cf02a830d0c8da320ab824cf
SHA256 576fa1bc43323ab37f1fc0a6bb2de21fcbb7bab9e222f9a75b1458e2c5a59c5e
SHA512 09ba4567bde5f545687e60a75c40b70fffcb49ce5b274e21fe868c73a55b91260e1c37af066bea1d55e7689859369fff79fff501dd72220c23e08fc472860036

C:\Users\Admin\AppData\Roaming\ewiuer2.exe

MD5 14632be43a340e0609f74cdc565e2194
SHA1 bdd5c506173237d1af311ae0f0b6edee538a77c0
SHA256 e5125c7b48711b2f31789a202fb3b5634caef681c02607075f2265f00c274c6f
SHA512 b802c8cc7f5520cb7a5250084abe726b11f8f928c669ee863c4e152b3d714ce93dc44a4f8b3cb4a4057703c48b0e67b0d5456df51a47c7be4ab42e755d0cebea