Analysis Overview
SHA256
6811e5666368ffe7ad71d8a43260f117b776b3b151c8ae882494a260771aab72
Threat Level: Shows suspicious behavior
The file 6a36638650b9106593bed786aa9b1340_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-13 07:46
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 07:46
Reported
2024-06-13 07:49
Platform
win7-20240508-en
Max time kernel
146s
Max time network
149s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a36638650b9106593bed786aa9b1340_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a36638650b9106593bed786aa9b1340_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\ewiuer2.exe | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6a36638650b9106593bed786aa9b1340_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6a36638650b9106593bed786aa9b1340_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
C:\Windows\SysWOW64\ewiuer2.exe
C:\Windows\System32\ewiuer2.exe
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | podayl.net | udp |
| US | 8.8.8.8:53 | podayl.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | podayl.net | udp |
| US | 8.8.8.8:53 | podayl.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
Files
\Users\Admin\AppData\Roaming\ewiuer2.exe
| MD5 | 76ea546bfaeadb375d983011b6d9ca41 |
| SHA1 | 5b3a2082a589d119c952d1b5836d71a185095999 |
| SHA256 | 879f7edb9e688c4bf1e081518e8af65e5348e8ce7a22bde3c31edbe504415550 |
| SHA512 | 91218d43afba3b5a8ff51dec5f5d55f6ae7920afc432868f13867bdb4d23a28d5f61942a341f7b05082a3b11e6adf4ec251a77c44fe80dfa63f9360db6f9b7cd |
\Windows\SysWOW64\ewiuer2.exe
| MD5 | a34b0f19033059418d642a2e732ede61 |
| SHA1 | 0452e6422187867cb0e2dce19f8ad24b90eff688 |
| SHA256 | a200daf9cfcec90ad8f91b8229a925ac5403134564663d0c7e948ef59e92105e |
| SHA512 | 3564f0df71f85b535140d82a413fcd94d36b3cd39f94c5f66ff827ad8158054a2a39f05fd92ecf46527926c88b3d23dca6558195c8490ca05f1a77efcd88d78a |
\Users\Admin\AppData\Roaming\ewiuer2.exe
| MD5 | 78df0a9cd50addb9c6cb68b4c945a8d5 |
| SHA1 | 21bb03b9752451be3025624cb3d36712d2040a99 |
| SHA256 | 81f4ce0ddc3759ef2c25861d100b852acd9602264e7488ee9796e1a3f82667e2 |
| SHA512 | 119c443614e0322a6a586aa8a872aba65d7d2624b79b19c0f207a69dcae5d13cfa8f61e91b98a8975c9521d899555ea579359b6283e37bb806ce9734083fc6c9 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 07:46
Reported
2024-06-13 07:49
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
139s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ewiuer2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\ewiuer2.exe | C:\Users\Admin\AppData\Roaming\ewiuer2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6a36638650b9106593bed786aa9b1340_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6a36638650b9106593bed786aa9b1340_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
C:\Windows\SysWOW64\ewiuer2.exe
C:\Windows\System32\ewiuer2.exe
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | podayl.net | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | podayl.net | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | podayl.net | udp |
| US | 8.8.8.8:53 | podayl.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
Files
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
| MD5 | 76ea546bfaeadb375d983011b6d9ca41 |
| SHA1 | 5b3a2082a589d119c952d1b5836d71a185095999 |
| SHA256 | 879f7edb9e688c4bf1e081518e8af65e5348e8ce7a22bde3c31edbe504415550 |
| SHA512 | 91218d43afba3b5a8ff51dec5f5d55f6ae7920afc432868f13867bdb4d23a28d5f61942a341f7b05082a3b11e6adf4ec251a77c44fe80dfa63f9360db6f9b7cd |
C:\Windows\SysWOW64\ewiuer2.exe
| MD5 | 26eb5a550597b21b7ab15451c1ac368d |
| SHA1 | 7e487fd125678061cf02a830d0c8da320ab824cf |
| SHA256 | 576fa1bc43323ab37f1fc0a6bb2de21fcbb7bab9e222f9a75b1458e2c5a59c5e |
| SHA512 | 09ba4567bde5f545687e60a75c40b70fffcb49ce5b274e21fe868c73a55b91260e1c37af066bea1d55e7689859369fff79fff501dd72220c23e08fc472860036 |
C:\Users\Admin\AppData\Roaming\ewiuer2.exe
| MD5 | 14632be43a340e0609f74cdc565e2194 |
| SHA1 | bdd5c506173237d1af311ae0f0b6edee538a77c0 |
| SHA256 | e5125c7b48711b2f31789a202fb3b5634caef681c02607075f2265f00c274c6f |
| SHA512 | b802c8cc7f5520cb7a5250084abe726b11f8f928c669ee863c4e152b3d714ce93dc44a4f8b3cb4a4057703c48b0e67b0d5456df51a47c7be4ab42e755d0cebea |