1fe5564bec9137822736dd74df249ea923817cf2f6a514b3ba5f9405c48ea7c1

General

Target

30c96aa8b1fd104a86120b6c77acf810_NEIKI.exe
Size

5.0MB
MD5

30c96aa8b1fd104a86120b6c77acf810
SHA1

ecb6e779626f42c37de7532752b30378bb24624f
SHA256

1fe5564bec9137822736dd74df249ea923817cf2f6a514b3ba5f9405c48ea7c1
SHA512

1d0711b9d2b345c452acd970569efe826af93baaaac652845f23eeed8f879d294db79eed17946fa3b7b9ebf9be2a1ee06b3741a6705e3eb7e62ed60a10347bc5
SSDEEP

98304:77/VoFtaEkQQQAEXytvZi8eue8RQQW1SjPI5VZhQQAEXytvZi8eue8:77/VoFtaEkQpOfpPChpO

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2608	30c96aa8b1fd104a86120b6c77acf810_NEIKI.exe

Executes dropped EXE 1 IoCs

pid	Process
2608	30c96aa8b1fd104a86120b6c77acf810_NEIKI.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
20	pastebin.com
21	pastebin.com

Program crash 16 IoCs

pid	pid_target	Process	procid_target
1096	4408	WerFault.exe	84
1344	2608	WerFault.exe	92
4016	2608	WerFault.exe	92
60	2608	WerFault.exe	92
3624	2608	WerFault.exe	92
820	2608	WerFault.exe	92
3604	2608	WerFault.exe	92
1724	2608	WerFault.exe	92
3504	2608	WerFault.exe	92
1480	2608	WerFault.exe	92
2688	2608	WerFault.exe	92
4120	2608	WerFault.exe	92
3328	2608	WerFault.exe	92
1788	2608	WerFault.exe	92
1600	2608	WerFault.exe	92
432	2608	WerFault.exe	92

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2608	30c96aa8b1fd104a86120b6c77acf810_NEIKI.exe
2608	30c96aa8b1fd104a86120b6c77acf810_NEIKI.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4408	30c96aa8b1fd104a86120b6c77acf810_NEIKI.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2608	30c96aa8b1fd104a86120b6c77acf810_NEIKI.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4408 wrote to memory of 2608	4408	30c96aa8b1fd104a86120b6c77acf810_NEIKI.exe	92
PID 4408 wrote to memory of 2608	4408	30c96aa8b1fd104a86120b6c77acf810_NEIKI.exe	92
PID 4408 wrote to memory of 2608	4408	30c96aa8b1fd104a86120b6c77acf810_NEIKI.exe	92

C:\Users\Admin\AppData\Local\Temp\30c96aa8b1fd104a86120b6c77acf810_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\30c96aa8b1fd104a86120b6c77acf810_NEIKI.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4408
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 200
  2⤵
  - Program crash
  PID:1096
- C:\Users\Admin\AppData\Local\Temp\30c96aa8b1fd104a86120b6c77acf810_NEIKI.exe
  C:\Users\Admin\AppData\Local\Temp\30c96aa8b1fd104a86120b6c77acf810_NEIKI.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:2608
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 344
    3⤵
    - Program crash
    PID:1344
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 628
    3⤵
    - Program crash
    PID:4016
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 672
    3⤵
    - Program crash
    PID:60
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 696
    3⤵
    - Program crash
    PID:3624
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 760
    3⤵
    - Program crash
    PID:820
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 884
    3⤵
    - Program crash
    PID:3604
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 1396
    3⤵
    - Program crash
    PID:1724
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 1412
    3⤵
    - Program crash
    PID:3504
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 1444
    3⤵
    - Program crash
    PID:1480
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 1544
    3⤵
    - Program crash
    PID:2688
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 1536
    3⤵
    - Program crash
    PID:4120
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 1504
    3⤵
    - Program crash
    PID:3328
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 1544
    3⤵
    - Program crash
    PID:1788
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 1516
    3⤵
    - Program crash
    PID:1600
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 680
    3⤵
    - Program crash
    PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4408 -ip 4408
1⤵
PID:1144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2608 -ip 2608
1⤵
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2608 -ip 2608
1⤵
PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2608 -ip 2608
1⤵
PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2608 -ip 2608
1⤵
PID:3264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2608 -ip 2608
1⤵
PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2608 -ip 2608
1⤵
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2608 -ip 2608
1⤵
PID:864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2608 -ip 2608
1⤵
PID:2860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2608 -ip 2608
1⤵
PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2608 -ip 2608
1⤵
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2608 -ip 2608
1⤵
PID:2464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2608 -ip 2608
1⤵
PID:716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2608 -ip 2608
1⤵
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2608 -ip 2608
1⤵
PID:1664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2608 -ip 2608
1⤵
PID:600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\30c96aa8b1fd104a86120b6c77acf810_NEIKI.exe

Filesize
5.0MB

MD5
f1d2d08dcb6c0c6c4cccf90695d88194

SHA1
db507ffde1b97b07af0628bf993f6fcf566f98c3

SHA256
5865cdce5d17300a9dbaab86e055422f42168a1831cde5dbe3ebff0e44b09b63

SHA512
edfc1e0c1dcc196cf1d325d1d64024c57d90fe8414b33f8fe8bc0d7b5c01c37a088f16fb74c0dd51f5fddf478addfa1ba6e79b9e39fc1ee6d96e1401c3704b1a

Download Submit
memory/2608-7-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2608-8-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2608-14-0x0000000004FC0000-0x00000000050B1000-memory.dmp

Filesize
964KB

Download
memory/2608-22-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2608-27-0x000000000DA80000-0x000000000DB23000-memory.dmp

Filesize
652KB

Download
memory/4408-0-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/4408-6-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download

Analysis

Sharing