0d5b87c7c67ba8d886ece7df744e1a8d012345e1e336192e8c95b545dcf54292

General

Target

1b373b9e57b64217b23b7ed9b20bac60_NeikiAnalytics.exe
Size

1.4MB
MD5

1b373b9e57b64217b23b7ed9b20bac60
SHA1

5d14a3abfa7809a449e9b271719fb503372561ad
SHA256

0d5b87c7c67ba8d886ece7df744e1a8d012345e1e336192e8c95b545dcf54292
SHA512

e48a82ac97973cfdfe517428f4df33ae7e8033a690363a4ea284efa04f4fa31c8bac47b743765fc5432f1552b8961f1a3f408a9ba354d0ce2d06a67e35cf0e8a
SSDEEP

24576:IydQ4iVx98cD6TB+1a/ZSa77sFZTDleyJohauNb0XGjm:IOpIec+F+1gFghcyJokuN4XGjm

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
544	1b373b9e57b64217b23b7ed9b20bac60_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
544	1b373b9e57b64217b23b7ed9b20bac60_NeikiAnalytics.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	pastebin.com
9	pastebin.com

Program crash 16 IoCs

pid	pid_target	Process	procid_target
4288	2088	WerFault.exe	87
4552	544	WerFault.exe	95
2840	544	WerFault.exe	95
3524	544	WerFault.exe	95
3092	544	WerFault.exe	95
4816	544	WerFault.exe	95
5096	544	WerFault.exe	95
3628	544	WerFault.exe	95
1244	544	WerFault.exe	95
4424	544	WerFault.exe	95
4656	544	WerFault.exe	95
3660	544	WerFault.exe	95
2216	544	WerFault.exe	95
376	544	WerFault.exe	95
1220	544	WerFault.exe	95
4264	544	WerFault.exe	95

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
544	1b373b9e57b64217b23b7ed9b20bac60_NeikiAnalytics.exe
544	1b373b9e57b64217b23b7ed9b20bac60_NeikiAnalytics.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2088	1b373b9e57b64217b23b7ed9b20bac60_NeikiAnalytics.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
544	1b373b9e57b64217b23b7ed9b20bac60_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 544	2088	1b373b9e57b64217b23b7ed9b20bac60_NeikiAnalytics.exe	95
PID 2088 wrote to memory of 544	2088	1b373b9e57b64217b23b7ed9b20bac60_NeikiAnalytics.exe	95
PID 2088 wrote to memory of 544	2088	1b373b9e57b64217b23b7ed9b20bac60_NeikiAnalytics.exe	95

C:\Users\Admin\AppData\Local\Temp\1b373b9e57b64217b23b7ed9b20bac60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1b373b9e57b64217b23b7ed9b20bac60_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 340
  2⤵
  - Program crash
  PID:4288
- C:\Users\Admin\AppData\Local\Temp\1b373b9e57b64217b23b7ed9b20bac60_NeikiAnalytics.exe
  C:\Users\Admin\AppData\Local\Temp\1b373b9e57b64217b23b7ed9b20bac60_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:544
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 344
    3⤵
    - Program crash
    PID:4552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 628
    3⤵
    - Program crash
    PID:2840
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 628
    3⤵
    - Program crash
    PID:3524
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 680
    3⤵
    - Program crash
    PID:3092
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 720
    3⤵
    - Program crash
    PID:4816
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 896
    3⤵
    - Program crash
    PID:5096
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 1396
    3⤵
    - Program crash
    PID:3628
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 1448
    3⤵
    - Program crash
    PID:1244
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 1492
    3⤵
    - Program crash
    PID:4424
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 1640
    3⤵
    - Program crash
    PID:4656
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 1448
    3⤵
    - Program crash
    PID:3660
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 1528
    3⤵
    - Program crash
    PID:2216
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 1672
    3⤵
    - Program crash
    PID:376
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 1532
    3⤵
    - Program crash
    PID:1220
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 632
    3⤵
    - Program crash
    PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2088 -ip 2088
1⤵
PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 544 -ip 544
1⤵
PID:548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 544 -ip 544
1⤵
PID:3504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 544 -ip 544
1⤵
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 544 -ip 544
1⤵
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 544 -ip 544
1⤵
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 544 -ip 544
1⤵
PID:880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 544 -ip 544
1⤵
PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 544 -ip 544
1⤵
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 544 -ip 544
1⤵
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 544 -ip 544
1⤵
PID:372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 544 -ip 544
1⤵
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 544 -ip 544
1⤵
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 544 -ip 544
1⤵
PID:3380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4444,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=3452 /prefetch:8
1⤵
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 544 -ip 544
1⤵
PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 544 -ip 544
1⤵
PID:1848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1b373b9e57b64217b23b7ed9b20bac60_NeikiAnalytics.exe

Filesize
1.4MB

MD5
917a9cced316a1240bfe44c8f9c7b460

SHA1
5ee643a30ddd21592144a0281da598aae286bc42

SHA256
2282174135dd613d459065b7e8893ce93d5fc4e123db553b933a2f95fae5f75f

SHA512
e641c05af4d18ae1f777c1a009df831b6f9b18153bf8dffaed749828dd3f1ab85ca604b757dcc39935093b15f3d139c909ea4bd1182e10465a7b912bd4c8f349

Download Submit
memory/544-7-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/544-9-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/544-14-0x0000000005060000-0x000000000514C000-memory.dmp

Filesize
944KB

Download
memory/544-21-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/544-27-0x000000000B9C0000-0x000000000BA63000-memory.dmp

Filesize
652KB

Download
memory/2088-0-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2088-6-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download

Analysis

Sharing