fd0ee43a46b3149b2424d973051707c678df347d6dca4d3320165a988485486e

General

Target

956afc652c958f5a0a2a82d8ba99c890_NeikiAnalytics.exe
Size

6.5MB
MD5

956afc652c958f5a0a2a82d8ba99c890
SHA1

4bb3afc43328d05472e542a93e6efdc40588c10b
SHA256

fd0ee43a46b3149b2424d973051707c678df347d6dca4d3320165a988485486e
SHA512

7120752f149c7e42925840b12ac8630ee1c93e66d4be71886dc36744e9ba50be41687cd29151965ec587b29b7a9cc6df1492afc077e3bdbb645df9f7a5be1ef3
SSDEEP

98304:bZQHGOyT2XkDOIUyjYN3OCb/EE2NRnplxs9Fj41p1DGY1l5Gms+5:e3XdqsBb8rplxWk1pF1llsq

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4448	956afc652c958f5a0a2a82d8ba99c890_NeikiAnalytics.tmp
2452	mulloy32.exe

Loads dropped DLL 3 IoCs

pid	Process
4448	956afc652c958f5a0a2a82d8ba99c890_NeikiAnalytics.tmp
4448	956afc652c958f5a0a2a82d8ba99c890_NeikiAnalytics.tmp
4448	956afc652c958f5a0a2a82d8ba99c890_NeikiAnalytics.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 12 IoCs

pid	pid_target	Process	procid_target
432	2452	WerFault.exe	88
4908	2452	WerFault.exe	88
3408	2452	WerFault.exe	88
4388	2452	WerFault.exe	88
1716	2452	WerFault.exe	88
4852	2452	WerFault.exe	88
1588	2452	WerFault.exe	88
1960	2452	WerFault.exe	88
4936	2452	WerFault.exe	88
4952	2452	WerFault.exe	88
972	2452	WerFault.exe	88
3156	2452	WerFault.exe	88

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4448	956afc652c958f5a0a2a82d8ba99c890_NeikiAnalytics.tmp
4448	956afc652c958f5a0a2a82d8ba99c890_NeikiAnalytics.tmp
2452	mulloy32.exe
2452	mulloy32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4448	956afc652c958f5a0a2a82d8ba99c890_NeikiAnalytics.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3968 wrote to memory of 4448	3968	956afc652c958f5a0a2a82d8ba99c890_NeikiAnalytics.exe	83
PID 3968 wrote to memory of 4448	3968	956afc652c958f5a0a2a82d8ba99c890_NeikiAnalytics.exe	83
PID 3968 wrote to memory of 4448	3968	956afc652c958f5a0a2a82d8ba99c890_NeikiAnalytics.exe	83
PID 4448 wrote to memory of 4992	4448	956afc652c958f5a0a2a82d8ba99c890_NeikiAnalytics.tmp	86
PID 4448 wrote to memory of 4992	4448	956afc652c958f5a0a2a82d8ba99c890_NeikiAnalytics.tmp	86
PID 4448 wrote to memory of 4992	4448	956afc652c958f5a0a2a82d8ba99c890_NeikiAnalytics.tmp	86
PID 4448 wrote to memory of 2452	4448	956afc652c958f5a0a2a82d8ba99c890_NeikiAnalytics.tmp	88
PID 4448 wrote to memory of 2452	4448	956afc652c958f5a0a2a82d8ba99c890_NeikiAnalytics.tmp	88
PID 4448 wrote to memory of 2452	4448	956afc652c958f5a0a2a82d8ba99c890_NeikiAnalytics.tmp	88

C:\Users\Admin\AppData\Local\Temp\956afc652c958f5a0a2a82d8ba99c890_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\956afc652c958f5a0a2a82d8ba99c890_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3968
- C:\Users\Admin\AppData\Local\Temp\is-G5DKV.tmp\956afc652c958f5a0a2a82d8ba99c890_NeikiAnalytics.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-G5DKV.tmp\956afc652c958f5a0a2a82d8ba99c890_NeikiAnalytics.tmp" /SL5="$30236,6590368,56832,C:\Users\Admin\AppData\Local\Temp\956afc652c958f5a0a2a82d8ba99c890_NeikiAnalytics.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Delete /F /TN "Mulloy_5112"
    3⤵
    PID:4992
- - C:\Users\Admin\AppData\Local\Mulloy\mulloy32.exe
    "C:\Users\Admin\AppData\Local\Mulloy\mulloy32.exe" 8f08737e5a360fe9676b4d61364b89e3
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2452
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 1288
      4⤵
      Program crash
      PID:432
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 1296
      4⤵
      Program crash
      PID:4908
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 1284
      4⤵
      Program crash
      PID:3408
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 1308
      4⤵
      Program crash
      PID:4388
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 1316
      4⤵
      Program crash
      PID:1716
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 1344
      4⤵
      Program crash
      PID:4852
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 1440
      4⤵
      Program crash
      PID:1588
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 1532
      4⤵
      Program crash
      PID:1960
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 992
      4⤵
      Program crash
      PID:4936
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 972
      4⤵
      Program crash
      PID:4952
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 692
      4⤵
      Program crash
      PID:972
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 1556
      4⤵
      Program crash
      PID:3156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2452 -ip 2452
1⤵
PID:804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2452 -ip 2452
1⤵
PID:3416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2452 -ip 2452
1⤵
PID:4172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2452 -ip 2452
1⤵
PID:3228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2452 -ip 2452
1⤵
PID:1436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2452 -ip 2452
1⤵
PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2452 -ip 2452
1⤵
PID:2312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2452 -ip 2452
1⤵
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2452 -ip 2452
1⤵
PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 2452 -ip 2452
1⤵
PID:2692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2452 -ip 2452
1⤵
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2452 -ip 2452
1⤵
PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mulloy\mulloy32.exe

Filesize
5.2MB

MD5
6ce020e896cf3a056e50f86d3b207ff7

SHA1
c212cadece78d13b1d730e60ccfdbc2cbe196b6f

SHA256
b3572b39b79bfa466ddb6fd3ad9069d6c63687f333c422a338abcadf074cfd31

SHA512
645fd9c781d6c5a19540c732777a14ee5ba085e9c135f3afe6bc8d6b931e2bb0af5cede76ba47a8aea7c64cd7fe4b0385041f3225015f0ec759cbbb808bfa4e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G5DKV.tmp\956afc652c958f5a0a2a82d8ba99c890_NeikiAnalytics.tmp

Filesize
692KB

MD5
75952eac32e98935f3c04ea945803e56

SHA1
3d40b88ad72dab8d9d3f42636a1fe0ca4ff9de53

SHA256
7f7f45594cf16f029eb4be389e2ff7f948f2738ca52b1860c39546ed3672253a

SHA512
800818bf13a06b6eee1712eb2261e27afe2dbd00aeddfaf75571400b377f0f3f4d14f12e3a0ac54b4ec56e8b567dc112f388f7cc5a3313d7b56b01ca89bedf24

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TO60D.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TO60D.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
memory/2452-74-0x0000000000400000-0x0000000000D34000-memory.dmp

Filesize
9.2MB

Download
memory/2452-75-0x0000000000400000-0x0000000000D34000-memory.dmp

Filesize
9.2MB

Download
memory/2452-78-0x0000000000400000-0x0000000000D34000-memory.dmp

Filesize
9.2MB

Download
memory/3968-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3968-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/3968-76-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4448-6-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4448-77-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download

Analysis

Sharing