4f7d81c669e35e1c12005016f8a0067758818a41f93f9167afeb2d1e99ba31f0

General

Target

6420533631e7e98d14140269c9d28920_NeikiAnalytics.exe
Size

2.0MB
MD5

6420533631e7e98d14140269c9d28920
SHA1

d9b5fef039545f5b97f59383cedef69380a3dff5
SHA256

4f7d81c669e35e1c12005016f8a0067758818a41f93f9167afeb2d1e99ba31f0
SHA512

688b3bc4aadcd6b85793bd219714285377b0e5d6f3783b11a4d08d28656e0001aebae074b50b0b59f83ca6dc6634a1bb4e33a2d961b065d1b6f22d0e19d44dc2
SSDEEP

49152:rcl6dwq1aRgigZ6W5LXP63KNUR9IETjALJr87gigh:glq1ZXy3M

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1980	6420533631e7e98d14140269c9d28920_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
1980	6420533631e7e98d14140269c9d28920_NeikiAnalytics.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
17	pastebin.com
19	pastebin.com

Program crash 15 IoCs

pid	pid_target	Process	procid_target
4324	2324	WerFault.exe	81
2140	1980	WerFault.exe	89
2028	1980	WerFault.exe	89
4940	1980	WerFault.exe	89
744	1980	WerFault.exe	89
4880	1980	WerFault.exe	89
1100	1980	WerFault.exe	89
64	1980	WerFault.exe	89
3148	1980	WerFault.exe	89
4872	1980	WerFault.exe	89
3916	1980	WerFault.exe	89
4224	1980	WerFault.exe	89
1528	1980	WerFault.exe	89
3656	1980	WerFault.exe	89
400	1980	WerFault.exe	89

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1980	6420533631e7e98d14140269c9d28920_NeikiAnalytics.exe
1980	6420533631e7e98d14140269c9d28920_NeikiAnalytics.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2324	6420533631e7e98d14140269c9d28920_NeikiAnalytics.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1980	6420533631e7e98d14140269c9d28920_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 1980	2324	6420533631e7e98d14140269c9d28920_NeikiAnalytics.exe	89
PID 2324 wrote to memory of 1980	2324	6420533631e7e98d14140269c9d28920_NeikiAnalytics.exe	89
PID 2324 wrote to memory of 1980	2324	6420533631e7e98d14140269c9d28920_NeikiAnalytics.exe	89

C:\Users\Admin\AppData\Local\Temp\6420533631e7e98d14140269c9d28920_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6420533631e7e98d14140269c9d28920_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 344
  2⤵
  - Program crash
  PID:4324
- C:\Users\Admin\AppData\Local\Temp\6420533631e7e98d14140269c9d28920_NeikiAnalytics.exe
  C:\Users\Admin\AppData\Local\Temp\6420533631e7e98d14140269c9d28920_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:1980
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 344
    3⤵
    - Program crash
    PID:2140
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 628
    3⤵
    - Program crash
    PID:2028
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 628
    3⤵
    - Program crash
    PID:4940
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 696
    3⤵
    - Program crash
    PID:744
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 736
    3⤵
    - Program crash
    PID:4880
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 892
    3⤵
    - Program crash
    PID:1100
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 1396
    3⤵
    - Program crash
    PID:64
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 1396
    3⤵
    - Program crash
    PID:3148
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 1468
    3⤵
    - Program crash
    PID:4872
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 1456
    3⤵
    - Program crash
    PID:3916
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 1484
    3⤵
    - Program crash
    PID:4224
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 1536
    3⤵
    - Program crash
    PID:1528
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 1540
    3⤵
    - Program crash
    PID:3656
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 632
    3⤵
    - Program crash
    PID:400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2324 -ip 2324
1⤵
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1980 -ip 1980
1⤵
PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1980 -ip 1980
1⤵
PID:1700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1980 -ip 1980
1⤵
PID:2776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1980 -ip 1980
1⤵
PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1980 -ip 1980
1⤵
PID:876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1980 -ip 1980
1⤵
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1980 -ip 1980
1⤵
PID:1300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1980 -ip 1980
1⤵
PID:3484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1980 -ip 1980
1⤵
PID:1376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1980 -ip 1980
1⤵
PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1980 -ip 1980
1⤵
PID:3240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1980 -ip 1980
1⤵
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1980 -ip 1980
1⤵
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1980 -ip 1980
1⤵
PID:3840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6420533631e7e98d14140269c9d28920_NeikiAnalytics.exe

Filesize
2.0MB

MD5
0524a54448acf0586ad34d95073f03f5

SHA1
fa817c090bae4dfbbf8a56eafe6b3d8b40df3309

SHA256
0c5ee9448eddde6f5048095dcfb6daa18d85d4543b351dc1e2658e5118b15225

SHA512
300a0a087ad203123a4db3e9222b7caccdd18edd852cbf0a50383e52833899214a4203463c2c0f853f5aee67292f9ba88fecad4453ad42270a11eca1922ec76a

Download Submit
memory/1980-8-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1980-9-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1980-15-0x00000000050A0000-0x00000000051AD000-memory.dmp

Filesize
1.1MB

Download
memory/1980-22-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1980-28-0x000000000B9D0000-0x000000000BA73000-memory.dmp

Filesize
652KB

Download
memory/2324-0-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2324-7-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing