939b169c15fee5b794daaf91b050371712c6b6160f75e71a05c4ac9f0c0d96dd

General

Target

76eed18bfd7644c6430096c648ee8a70_NEIKI.exe
Size

960KB
MD5

76eed18bfd7644c6430096c648ee8a70
SHA1

45e333c5015d2e99ae2a5aa5dc07ed4cd7e06b76
SHA256

939b169c15fee5b794daaf91b050371712c6b6160f75e71a05c4ac9f0c0d96dd
SHA512

fbb7d3d007e1ec27eab295cf1f8e890a7341c8fb16ab23f3957042a6d4795fc6f7f580c4fd5bb42bb2c29a67dfd5fd18504ed8dffa5837ccd0a39e0c561223c3
SSDEEP

24576:59S5eyTJXcg2dftoQMKgHCKSY8a/ZSbH77Lh:m5DKg24Fj8g4Hbh

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1256	76eed18bfd7644c6430096c648ee8a70_NEIKI.exe

Executes dropped EXE 1 IoCs

pid	Process
1256	76eed18bfd7644c6430096c648ee8a70_NEIKI.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
18	pastebin.com
17	pastebin.com

Program crash 15 IoCs

pid	pid_target	Process	procid_target
1252	4656	WerFault.exe	83
2496	1256	WerFault.exe	91
516	1256	WerFault.exe	91
4076	1256	WerFault.exe	91
1684	1256	WerFault.exe	91
1448	1256	WerFault.exe	91
3548	1256	WerFault.exe	91
4004	1256	WerFault.exe	91
3664	1256	WerFault.exe	91
4064	1256	WerFault.exe	91
1996	1256	WerFault.exe	91
5052	1256	WerFault.exe	91
404	1256	WerFault.exe	91
1920	1256	WerFault.exe	91
1512	1256	WerFault.exe	91

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1256	76eed18bfd7644c6430096c648ee8a70_NEIKI.exe
1256	76eed18bfd7644c6430096c648ee8a70_NEIKI.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4656	76eed18bfd7644c6430096c648ee8a70_NEIKI.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1256	76eed18bfd7644c6430096c648ee8a70_NEIKI.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 1256	4656	76eed18bfd7644c6430096c648ee8a70_NEIKI.exe	91
PID 4656 wrote to memory of 1256	4656	76eed18bfd7644c6430096c648ee8a70_NEIKI.exe	91
PID 4656 wrote to memory of 1256	4656	76eed18bfd7644c6430096c648ee8a70_NEIKI.exe	91

C:\Users\Admin\AppData\Local\Temp\76eed18bfd7644c6430096c648ee8a70_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\76eed18bfd7644c6430096c648ee8a70_NEIKI.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 344
  2⤵
  - Program crash
  PID:1252
- C:\Users\Admin\AppData\Local\Temp\76eed18bfd7644c6430096c648ee8a70_NEIKI.exe
  C:\Users\Admin\AppData\Local\Temp\76eed18bfd7644c6430096c648ee8a70_NEIKI.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:1256
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 344
    3⤵
    - Program crash
    PID:2496
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 628
    3⤵
    - Program crash
    PID:516
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 636
    3⤵
    - Program crash
    PID:4076
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 672
    3⤵
    - Program crash
    PID:1684
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 748
    3⤵
    - Program crash
    PID:1448
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 928
    3⤵
    - Program crash
    PID:3548
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 1436
    3⤵
    - Program crash
    PID:4004
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 1432
    3⤵
    - Program crash
    PID:3664
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 1500
    3⤵
    - Program crash
    PID:4064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 1444
    3⤵
    - Program crash
    PID:1996
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 1524
    3⤵
    - Program crash
    PID:5052
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 1464
    3⤵
    - Program crash
    PID:404
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 1508
    3⤵
    - Program crash
    PID:1920
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 652
    3⤵
    - Program crash
    PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4656 -ip 4656
1⤵
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1256 -ip 1256
1⤵
PID:1600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1256 -ip 1256
1⤵
PID:1640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1256 -ip 1256
1⤵
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1256 -ip 1256
1⤵
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1256 -ip 1256
1⤵
PID:3804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1256 -ip 1256
1⤵
PID:2196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1256 -ip 1256
1⤵
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1256 -ip 1256
1⤵
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1256 -ip 1256
1⤵
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1256 -ip 1256
1⤵
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1256 -ip 1256
1⤵
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1256 -ip 1256
1⤵
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1256 -ip 1256
1⤵
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1256 -ip 1256
1⤵
PID:864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\76eed18bfd7644c6430096c648ee8a70_NEIKI.exe

Filesize
960KB

MD5
59ead18b6ddde5703b8d0da5addeadfe

SHA1
7adcd847dfdf2ccaa7bb58fa626f178ea20b41b1

SHA256
f372ace66c25f4de0400ef6d2627ee536cb893b66109c864759bafe24a5f8e98

SHA512
747c19ab88d8ae0ec5615f8ee7d32acac5682dd3ffe77039c88f154f169e2d7123f64d92a841c5f1e9f7361ba3190232234d9f39f72d4c826de5fa264b2a27e7

Download Submit
memory/1256-7-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/1256-8-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1256-14-0x0000000005050000-0x000000000513D000-memory.dmp

Filesize
948KB

Download
memory/1256-21-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1256-27-0x000000000B9E0000-0x000000000BA83000-memory.dmp

Filesize
652KB

Download
memory/4656-0-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/4656-6-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download

Analysis

Sharing