Overview

overview

7

Static

static

3

34599eb6d1...cs.exe

windows7-x64

7

34599eb6d1...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    134s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/05/2024, 21:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    34599eb6d188fe3d0c573bf9f1850750_NeikiAnalytics.exe

  • Size

    969KB

  • MD5

    34599eb6d188fe3d0c573bf9f1850750

  • SHA1

    1510281181378f6a5618aecf01e5f0ac82d574bb

  • SHA256

    32aef13fea77f78375b5ff11b7bd52cebb7a16fc62274b52964c145fc373f130

  • SHA512

    f547f19aa8f28ff108cd5b749d25b5e42d8a0fda8dce8b32212bafd2d140f96e35d2cda61c0e099fa58aa2d399ad192fba0b8d5e046bb7dab090c30c5b77f9f5

  • SSDEEP

    24576:w+sLLV06xhHC+Uq/V9DrhEEa/ZSsD0TCIOhPe6BWqLp:inVpxhi+V9XOEg3D0GIOhPe6BWep

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Program crash 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\34599eb6d188fe3d0c573bf9f1850750_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\34599eb6d188fe3d0c573bf9f1850750_NeikiAnalytics.exe"
    1⤵
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:4820
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 312
      2⤵
      • Program crash
      PID:2444
    • C:\Users\Admin\AppData\Local\Temp\34599eb6d188fe3d0c573bf9f1850750_NeikiAnalytics.exe
      C:\Users\Admin\AppData\Local\Temp\34599eb6d188fe3d0c573bf9f1850750_NeikiAnalytics.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of UnmapMainImage
      PID:2000
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 344
        3⤵
        • Program crash
        PID:4872
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 628
        3⤵
        • Program crash
        PID:5036
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 636
        3⤵
        • Program crash
        PID:4176
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 636
        3⤵
        • Program crash
        PID:4940
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 692
        3⤵
        • Program crash
        PID:3280
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 964
        3⤵
        • Program crash
        PID:2912
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1400
        3⤵
        • Program crash
        PID:4136
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1500
        3⤵
        • Program crash
        PID:1748
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1512
        3⤵
        • Program crash
        PID:5028
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1652
        3⤵
        • Program crash
        PID:1460
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1528
        3⤵
        • Program crash
        PID:524
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1500
        3⤵
        • Program crash
        PID:972
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1400
        3⤵
        • Program crash
        PID:4216
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 652
        3⤵
        • Program crash
        PID:1660
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4820 -ip 4820
    1⤵
      PID:2112
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2000 -ip 2000
      1⤵
        PID:2008
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2000 -ip 2000
        1⤵
          PID:648
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2000 -ip 2000
          1⤵
            PID:2916
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2000 -ip 2000
            1⤵
              PID:1060
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2000 -ip 2000
              1⤵
                PID:392
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2000 -ip 2000
                1⤵
                  PID:1768
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2000 -ip 2000
                  1⤵
                    PID:944
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2000 -ip 2000
                    1⤵
                      PID:4076
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2000 -ip 2000
                      1⤵
                        PID:4220
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2000 -ip 2000
                        1⤵
                          PID:4168
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2000 -ip 2000
                          1⤵
                            PID:1936
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2000 -ip 2000
                            1⤵
                              PID:2268
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2000 -ip 2000
                              1⤵
                                PID:3904
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2000 -ip 2000
                                1⤵
                                  PID:3032

                                Network

                                MITRE ATT&CK Enterprise v15

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • C:\Users\Admin\AppData\Local\Temp\34599eb6d188fe3d0c573bf9f1850750_NeikiAnalytics.exe
                                  Filesize

                                  969KB

                                  MD5

                                  49b15364b3ed3bf1ccb16143fd4d99b9

                                  SHA1

                                  2263bc7186a4318b86f11e00c13baca83ef2761a

                                  SHA256

                                  fe57169136a73a77c086971814e61d63802d9f09c1769f6686f3bc2d51116579

                                  SHA512

                                  221ac99509c2fabdb08d3bf5391b5f25bd270fb00801d6f8398bb24250ba4f81813c586a283998442de4c75b8e7084967fc6e39d5bb47d524b20c45cc676f1bf

                                  Download Submit

                                • memory/2000-7-0x0000000000400000-0x00000000004F2000-memory.dmp

                                  Filesize

                                  968KB

                                  Download

                                • memory/2000-9-0x0000000000400000-0x00000000004A3000-memory.dmp

                                  Filesize

                                  652KB

                                  Download

                                • memory/2000-14-0x0000000005040000-0x0000000005132000-memory.dmp

                                  Filesize

                                  968KB

                                  Download

                                • memory/2000-22-0x0000000000400000-0x0000000000443000-memory.dmp

                                  Filesize

                                  268KB

                                  Download

                                • memory/2000-27-0x000000000B9C0000-0x000000000BA63000-memory.dmp

                                  Filesize

                                  652KB

                                  Download

                                • memory/2000-28-0x0000000000400000-0x00000000004F2000-memory.dmp

                                  Filesize

                                  968KB

                                  Download

                                • memory/4820-0-0x0000000000400000-0x00000000004F2000-memory.dmp

                                  Filesize

                                  968KB

                                  Download

                                • memory/4820-6-0x0000000000400000-0x00000000004F2000-memory.dmp

                                  Filesize

                                  968KB

                                  Download