a3cda0bf8766732690af2cc98b3933858d74a48bcd62a053d66a180df9005316

General

Target

01b827d71aef7d291a6f49ccee673780_NeikiAnalytics.exe
Size

5.9MB
MD5

01b827d71aef7d291a6f49ccee673780
SHA1

0172a20b3b6ea35841801954aa0311a74013044d
SHA256

a3cda0bf8766732690af2cc98b3933858d74a48bcd62a053d66a180df9005316
SHA512

ed89349e82216ab51e0439518c1fb48dc490c2a222c8ea0adecc0d0d050de1f97082264a90344104ac95a12889ea7e571b59f55ceb26c15c07c231db37c6de82
SSDEEP

98304:kNYvy8h1+bpiU6rwb7DoPTXfXZ8TohuFFzgk/2ARV71PDl7x3UxjfI3YSxv:Pqg+bpiNrgDoPTvZ8To4S5ARVpDHSCh

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3348	01b827d71aef7d291a6f49ccee673780_NeikiAnalytics.tmp
2584	exactaudiocopy.exe

Loads dropped DLL 3 IoCs

pid	Process
3348	01b827d71aef7d291a6f49ccee673780_NeikiAnalytics.tmp
3348	01b827d71aef7d291a6f49ccee673780_NeikiAnalytics.tmp
3348	01b827d71aef7d291a6f49ccee673780_NeikiAnalytics.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 14 IoCs

pid	pid_target	Process	procid_target
2900	2584	WerFault.exe	87
1148	2584	WerFault.exe	87
1964	2584	WerFault.exe	87
3708	2584	WerFault.exe	87
3932	2584	WerFault.exe	87
4628	2584	WerFault.exe	87
2596	2584	WerFault.exe	87
3968	2584	WerFault.exe	87
1792	2584	WerFault.exe	87
3320	2584	WerFault.exe	87
4908	2584	WerFault.exe	87
4356	2584	WerFault.exe	87
4044	2584	WerFault.exe	87
440	2584	WerFault.exe	87

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3348	01b827d71aef7d291a6f49ccee673780_NeikiAnalytics.tmp
3348	01b827d71aef7d291a6f49ccee673780_NeikiAnalytics.tmp
2584	exactaudiocopy.exe
2584	exactaudiocopy.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3348	01b827d71aef7d291a6f49ccee673780_NeikiAnalytics.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 3348	840	01b827d71aef7d291a6f49ccee673780_NeikiAnalytics.exe	82
PID 840 wrote to memory of 3348	840	01b827d71aef7d291a6f49ccee673780_NeikiAnalytics.exe	82
PID 840 wrote to memory of 3348	840	01b827d71aef7d291a6f49ccee673780_NeikiAnalytics.exe	82
PID 3348 wrote to memory of 4860	3348	01b827d71aef7d291a6f49ccee673780_NeikiAnalytics.tmp	85
PID 3348 wrote to memory of 4860	3348	01b827d71aef7d291a6f49ccee673780_NeikiAnalytics.tmp	85
PID 3348 wrote to memory of 4860	3348	01b827d71aef7d291a6f49ccee673780_NeikiAnalytics.tmp	85
PID 3348 wrote to memory of 2584	3348	01b827d71aef7d291a6f49ccee673780_NeikiAnalytics.tmp	87
PID 3348 wrote to memory of 2584	3348	01b827d71aef7d291a6f49ccee673780_NeikiAnalytics.tmp	87
PID 3348 wrote to memory of 2584	3348	01b827d71aef7d291a6f49ccee673780_NeikiAnalytics.tmp	87

C:\Users\Admin\AppData\Local\Temp\01b827d71aef7d291a6f49ccee673780_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\01b827d71aef7d291a6f49ccee673780_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:840
- C:\Users\Admin\AppData\Local\Temp\is-AD5LI.tmp\01b827d71aef7d291a6f49ccee673780_NeikiAnalytics.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-AD5LI.tmp\01b827d71aef7d291a6f49ccee673780_NeikiAnalytics.tmp" /SL5="$E0058,5894757,56832,C:\Users\Admin\AppData\Local\Temp\01b827d71aef7d291a6f49ccee673780_NeikiAnalytics.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3348
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Delete /F /TN "Exact_Audio_Copy_4281"
    3⤵
    PID:4860
- - C:\Users\Admin\AppData\Local\Exact Audio Copy\exactaudiocopy.exe
    "C:\Users\Admin\AppData\Local\Exact Audio Copy\exactaudiocopy.exe" 63587ba2a8b5ead8ebb250894bb64c56
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2584
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 856
      4⤵
      Program crash
      PID:2900
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 872
      4⤵
      Program crash
      PID:1148
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 920
      4⤵
      Program crash
      PID:1964
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 1056
      4⤵
      Program crash
      PID:3708
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 1076
      4⤵
      Program crash
      PID:3932
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 1076
      4⤵
      Program crash
      PID:4628
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 1088
      4⤵
      Program crash
      PID:2596
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 1140
      4⤵
      Program crash
      PID:3968
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 1124
      4⤵
      Program crash
      PID:1792
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 972
      4⤵
      Program crash
      PID:3320
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 940
      4⤵
      Program crash
      PID:4908
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 1268
      4⤵
      Program crash
      PID:4356
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 1084
      4⤵
      Program crash
      PID:4044
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 972
      4⤵
      Program crash
      PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2584 -ip 2584
1⤵
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2584 -ip 2584
1⤵
PID:1708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2584 -ip 2584
1⤵
PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2584 -ip 2584
1⤵
PID:1188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2584 -ip 2584
1⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2584 -ip 2584
1⤵
PID:804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2584 -ip 2584
1⤵
PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2584 -ip 2584
1⤵
PID:972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2584 -ip 2584
1⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2584 -ip 2584
1⤵
PID:2544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2584 -ip 2584
1⤵
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2584 -ip 2584
1⤵
PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2584 -ip 2584
1⤵
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2584 -ip 2584
1⤵
PID:3508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Exact Audio Copy\exactaudiocopy.exe

Filesize
3.7MB

MD5
7ba4823f0515280d042f084909faac67

SHA1
4a8c7dbae4a60e79f4f104553d55569f88277b09

SHA256
27ffa894bcd1740e58db622d2a2ab0eeb8cb4dfe3d62ec2fe2c6b5b76b9156f8

SHA512
bf724354462d0f8910a42568d8451b07aa3e83904e7e8dbb92dfd4e0e1a59665dbf56237a86fb0a4e4e97cf794b6b7ece1e84aca44527f71cdead65025681776

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AD5LI.tmp\01b827d71aef7d291a6f49ccee673780_NeikiAnalytics.tmp

Filesize
692KB

MD5
cbb73e84717fa38c0f5ef0d38b63c277

SHA1
a7206dd099243a918109014d01cccd99bc0d6380

SHA256
ce1d9a585dc621d8f6acb867316b40b57a690c70daf505bd1fd14de659839050

SHA512
8dc0310f2a29269ec60ec8aac4119c81eecbd82e14abf11ef6d16d43eb3028b150ce6e1919655a36bee16854110aeb40db3d4a5615f38b63df5529f32d528d2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-M860I.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-M860I.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
memory/840-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/840-3-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/840-78-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2584-76-0x0000000000400000-0x0000000000BA9000-memory.dmp

Filesize
7.7MB

Download
memory/2584-75-0x0000000000400000-0x0000000000BA9000-memory.dmp

Filesize
7.7MB

Download
memory/2584-74-0x0000000000400000-0x0000000000BA9000-memory.dmp

Filesize
7.7MB

Download
memory/2584-77-0x0000000000400000-0x0000000000BA9000-memory.dmp

Filesize
7.7MB

Download
memory/2584-80-0x0000000000400000-0x0000000000BA9000-memory.dmp

Filesize
7.7MB

Download
memory/3348-79-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/3348-6-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download

Analysis

Sharing