5007866c177cda4149bf5d25f2f5925d154952426458b82799bcba2d10591756

General

Target

949c828d8b1f17a913ff7b8649c30910_NeikiAnalytics.exe
Size

1.0MB
MD5

949c828d8b1f17a913ff7b8649c30910
SHA1

0837c63ee34e4929549b60cf75f240b4b42f9dcd
SHA256

5007866c177cda4149bf5d25f2f5925d154952426458b82799bcba2d10591756
SHA512

ee0daa3a89d39c81c98df73f27506b72b9957683b61cf2eaec8bcb3ba9a13a7be6e2bfe424ff9fe0a93f500604244d038894ee366b3b0f70cc194932a5541b07
SSDEEP

24576:wyVBoonDym54o9P3jLWl6XnTt5VAfQ8a/ZSbH77Lv+f6T8f:wyPbt3vWk5yQ8g4Hbg

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2956	949c828d8b1f17a913ff7b8649c30910_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
2956	949c828d8b1f17a913ff7b8649c30910_NeikiAnalytics.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
24	pastebin.com
23	pastebin.com

Program crash 16 IoCs

pid	pid_target	Process	procid_target
3432	4800	WerFault.exe	82
1980	2956	WerFault.exe	89
3816	2956	WerFault.exe	89
2944	2956	WerFault.exe	89
4212	2956	WerFault.exe	89
552	2956	WerFault.exe	89
888	2956	WerFault.exe	89
2972	2956	WerFault.exe	89
1584	2956	WerFault.exe	89
2548	2956	WerFault.exe	89
4872	2956	WerFault.exe	89
2404	2956	WerFault.exe	89
1572	2956	WerFault.exe	89
4356	2956	WerFault.exe	89
752	2956	WerFault.exe	89
404	2956	WerFault.exe	89

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2956	949c828d8b1f17a913ff7b8649c30910_NeikiAnalytics.exe
2956	949c828d8b1f17a913ff7b8649c30910_NeikiAnalytics.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4800	949c828d8b1f17a913ff7b8649c30910_NeikiAnalytics.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2956	949c828d8b1f17a913ff7b8649c30910_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 2956	4800	949c828d8b1f17a913ff7b8649c30910_NeikiAnalytics.exe	89
PID 4800 wrote to memory of 2956	4800	949c828d8b1f17a913ff7b8649c30910_NeikiAnalytics.exe	89
PID 4800 wrote to memory of 2956	4800	949c828d8b1f17a913ff7b8649c30910_NeikiAnalytics.exe	89

C:\Users\Admin\AppData\Local\Temp\949c828d8b1f17a913ff7b8649c30910_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\949c828d8b1f17a913ff7b8649c30910_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 344
  2⤵
  - Program crash
  PID:3432
- C:\Users\Admin\AppData\Local\Temp\949c828d8b1f17a913ff7b8649c30910_NeikiAnalytics.exe
  C:\Users\Admin\AppData\Local\Temp\949c828d8b1f17a913ff7b8649c30910_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:2956
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 352
    3⤵
    - Program crash
    PID:1980
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 628
    3⤵
    - Program crash
    PID:3816
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 660
    3⤵
    - Program crash
    PID:2944
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 660
    3⤵
    - Program crash
    PID:4212
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 760
    3⤵
    - Program crash
    PID:552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 892
    3⤵
    - Program crash
    PID:888
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 1396
    3⤵
    - Program crash
    PID:2972
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 1464
    3⤵
    - Program crash
    PID:1584
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 1648
    3⤵
    - Program crash
    PID:2548
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 1448
    3⤵
    - Program crash
    PID:4872
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 1412
    3⤵
    - Program crash
    PID:2404
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 1460
    3⤵
    - Program crash
    PID:1572
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 1664
    3⤵
    - Program crash
    PID:4356
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 1508
    3⤵
    - Program crash
    PID:752
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 652
    3⤵
    - Program crash
    PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4800 -ip 4800
1⤵
PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2956 -ip 2956
1⤵
PID:3240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2956 -ip 2956
1⤵
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2956 -ip 2956
1⤵
PID:2912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2956 -ip 2956
1⤵
PID:592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2956 -ip 2956
1⤵
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2956 -ip 2956
1⤵
PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2956 -ip 2956
1⤵
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2956 -ip 2956
1⤵
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2956 -ip 2956
1⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2956 -ip 2956
1⤵
PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2956 -ip 2956
1⤵
PID:3108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2956 -ip 2956
1⤵
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2956 -ip 2956
1⤵
PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2956 -ip 2956
1⤵
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2956 -ip 2956
1⤵
PID:3828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\949c828d8b1f17a913ff7b8649c30910_NeikiAnalytics.exe

Filesize
1.0MB

MD5
c71e8bd00d01b64e61bc795052dee431

SHA1
f7de4e1211dfbbf0294939b2ae5a78b10490027f

SHA256
54b94f17cffee6e442dffbb0185385ebde96906fc7f09c3bbe3b2afb1f2aabaa

SHA512
fdc7b075c4a49dad58955e5031a320adece3cb68069fb84122bf34929b1c408fbb0f9f67942bbc6e85c139a6a98bcfd196123b30e0ed3ec01120d55d618d1038

Download Submit
memory/2956-7-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/2956-14-0x00000000050A0000-0x000000000518D000-memory.dmp

Filesize
948KB

Download
memory/2956-8-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2956-22-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2956-27-0x000000000B9B0000-0x000000000BA53000-memory.dmp

Filesize
652KB

Download
memory/4800-0-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/4800-6-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download

Analysis

Sharing