43499403d2edeef03e34e7901677cb2a4f34b7c22a94df77dfe0f754d435528c

General

Target

ec7efd00677a3910d0ae2e2db47d5f40_NeikiAnalytics.exe
Size

1.6MB
MD5

ec7efd00677a3910d0ae2e2db47d5f40
SHA1

79ef0f99f100cbca04e9f258d288ec31d951d9fb
SHA256

43499403d2edeef03e34e7901677cb2a4f34b7c22a94df77dfe0f754d435528c
SHA512

864e1cd9ec2432e73f4ef2682ccda1347d302c73bb7211365e99fb768c2838bda17225251d53f4f72a244eaf96d3adb88da657863c49503567a8f3f6f8c916ab
SSDEEP

24576:bCtEmZH+nLjsSv8DZHO2hf25CseGncZ4U7Pd8OB0O2SkKuyD:bCFNWjsO8B7hfaCYcL7V8IlkKd

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1588	ec7efd00677a3910d0ae2e2db47d5f40_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
1588	ec7efd00677a3910d0ae2e2db47d5f40_NeikiAnalytics.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
13	pastebin.com
14	pastebin.com

Program crash 16 IoCs

pid	pid_target	Process	procid_target
1020	3192	WerFault.exe	81
1496	1588	WerFault.exe	89
4832	1588	WerFault.exe	89
5104	1588	WerFault.exe	89
5100	1588	WerFault.exe	89
1768	1588	WerFault.exe	89
4588	1588	WerFault.exe	89
1780	1588	WerFault.exe	89
1376	1588	WerFault.exe	89
4332	1588	WerFault.exe	89
1656	1588	WerFault.exe	89
1612	1588	WerFault.exe	89
3260	1588	WerFault.exe	89
2648	1588	WerFault.exe	89
4628	1588	WerFault.exe	89
4852	1588	WerFault.exe	89

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1588	ec7efd00677a3910d0ae2e2db47d5f40_NeikiAnalytics.exe
1588	ec7efd00677a3910d0ae2e2db47d5f40_NeikiAnalytics.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3192	ec7efd00677a3910d0ae2e2db47d5f40_NeikiAnalytics.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1588	ec7efd00677a3910d0ae2e2db47d5f40_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 1588	3192	ec7efd00677a3910d0ae2e2db47d5f40_NeikiAnalytics.exe	89
PID 3192 wrote to memory of 1588	3192	ec7efd00677a3910d0ae2e2db47d5f40_NeikiAnalytics.exe	89
PID 3192 wrote to memory of 1588	3192	ec7efd00677a3910d0ae2e2db47d5f40_NeikiAnalytics.exe	89

C:\Users\Admin\AppData\Local\Temp\ec7efd00677a3910d0ae2e2db47d5f40_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ec7efd00677a3910d0ae2e2db47d5f40_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 352
  2⤵
  - Program crash
  PID:1020
- C:\Users\Admin\AppData\Local\Temp\ec7efd00677a3910d0ae2e2db47d5f40_NeikiAnalytics.exe
  C:\Users\Admin\AppData\Local\Temp\ec7efd00677a3910d0ae2e2db47d5f40_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:1588
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 344
    3⤵
    - Program crash
    PID:1496
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 648
    3⤵
    - Program crash
    PID:4832
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 684
    3⤵
    - Program crash
    PID:5104
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 704
    3⤵
    - Program crash
    PID:5100
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 724
    3⤵
    - Program crash
    PID:1768
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 924
    3⤵
    - Program crash
    PID:4588
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 1212
    3⤵
    - Program crash
    PID:1780
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 1208
    3⤵
    - Program crash
    PID:1376
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 1664
    3⤵
    - Program crash
    PID:4332
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 1212
    3⤵
    - Program crash
    PID:1656
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 1432
    3⤵
    - Program crash
    PID:1612
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 1472
    3⤵
    - Program crash
    PID:3260
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 1208
    3⤵
    - Program crash
    PID:2648
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 1536
    3⤵
    - Program crash
    PID:4628
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 652
    3⤵
    - Program crash
    PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3192 -ip 3192
1⤵
PID:1320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1588 -ip 1588
1⤵
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1588 -ip 1588
1⤵
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1588 -ip 1588
1⤵
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1588 -ip 1588
1⤵
PID:3724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1588 -ip 1588
1⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1588 -ip 1588
1⤵
PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1588 -ip 1588
1⤵
PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1588 -ip 1588
1⤵
PID:3560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1588 -ip 1588
1⤵
PID:1668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1588 -ip 1588
1⤵
PID:4136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1588 -ip 1588
1⤵
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1588 -ip 1588
1⤵
PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1588 -ip 1588
1⤵
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1588 -ip 1588
1⤵
PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1588 -ip 1588
1⤵
PID:4068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ec7efd00677a3910d0ae2e2db47d5f40_NeikiAnalytics.exe

Filesize
1.6MB

MD5
7eedcfb345c1493e4622840bf49e7cb1

SHA1
a46fd948c0e96619b722349cc638f1b0b0d44051

SHA256
d8890e175e438fef331c5dd0d1d94c1783b5aa1ab95bbdf52220c22353cbca0f

SHA512
53e4791a4e435d589a27f1efab15e932ef18cca0d7879d39162247bbdbafd288c8f5826add09e7458d27d6c2eccda65a5b7aaf8729265ce6ae6d7bd7261a2d72

Download Submit
memory/1588-7-0x0000000000400000-0x000000000059D000-memory.dmp

Filesize
1.6MB

Download
memory/1588-8-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/1588-14-0x0000000005230000-0x00000000053CD000-memory.dmp

Filesize
1.6MB

Download
memory/1588-22-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1588-27-0x000000000BBE0000-0x000000000BD00000-memory.dmp

Filesize
1.1MB

Download
memory/3192-0-0x0000000000400000-0x000000000059D000-memory.dmp

Filesize
1.6MB

Download
memory/3192-6-0x0000000000400000-0x000000000059D000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing