04b72be64d76f7117951916ac24f7ff70ae13572569210c56043ab7a12504629

General

Target

57cc92e54fd8520c6c2f19ada8ee88b0_NeikiAnalytics.exe
Size

1.2MB
MD5

57cc92e54fd8520c6c2f19ada8ee88b0
SHA1

ddb2d0b5890afba481e6deb4f5937b63f6a7a11f
SHA256

04b72be64d76f7117951916ac24f7ff70ae13572569210c56043ab7a12504629
SHA512

8a33c6d20d8882b8f7524cf9ddc9061ced7a93ef64df5142578a78ccb6d1f40c3282a73b3ea15aa1779acc56a9f9874950a63462a1075c71100acfd8b855ef00
SSDEEP

24576:DPTjwnkBkWosTY2wlrM5lsoa/ZS2Grh77Lv+f6T8QnskbdW:DPTjiW/oAHvsogFGrhbq4dW

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4824	57cc92e54fd8520c6c2f19ada8ee88b0_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
4824	57cc92e54fd8520c6c2f19ada8ee88b0_NeikiAnalytics.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
15	pastebin.com
16	pastebin.com

Program crash 15 IoCs

pid	pid_target	Process	procid_target
2404	4632	WerFault.exe	82
4088	4824	WerFault.exe	90
384	4824	WerFault.exe	90
2820	4824	WerFault.exe	90
4756	4824	WerFault.exe	90
2716	4824	WerFault.exe	90
1892	4824	WerFault.exe	90
4604	4824	WerFault.exe	90
4172	4824	WerFault.exe	90
5084	4824	WerFault.exe	90
1956	4824	WerFault.exe	90
3056	4824	WerFault.exe	90
4116	4824	WerFault.exe	90
2096	4824	WerFault.exe	90
3760	4824	WerFault.exe	90

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4824	57cc92e54fd8520c6c2f19ada8ee88b0_NeikiAnalytics.exe
4824	57cc92e54fd8520c6c2f19ada8ee88b0_NeikiAnalytics.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4632	57cc92e54fd8520c6c2f19ada8ee88b0_NeikiAnalytics.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
4824	57cc92e54fd8520c6c2f19ada8ee88b0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4632 wrote to memory of 4824	4632	57cc92e54fd8520c6c2f19ada8ee88b0_NeikiAnalytics.exe	90
PID 4632 wrote to memory of 4824	4632	57cc92e54fd8520c6c2f19ada8ee88b0_NeikiAnalytics.exe	90
PID 4632 wrote to memory of 4824	4632	57cc92e54fd8520c6c2f19ada8ee88b0_NeikiAnalytics.exe	90

C:\Users\Admin\AppData\Local\Temp\57cc92e54fd8520c6c2f19ada8ee88b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\57cc92e54fd8520c6c2f19ada8ee88b0_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4632
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 344
  2⤵
  - Program crash
  PID:2404
- C:\Users\Admin\AppData\Local\Temp\57cc92e54fd8520c6c2f19ada8ee88b0_NeikiAnalytics.exe
  C:\Users\Admin\AppData\Local\Temp\57cc92e54fd8520c6c2f19ada8ee88b0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:4824
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 352
    3⤵
    - Program crash
    PID:4088
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 628
    3⤵
    - Program crash
    PID:384
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 636
    3⤵
    - Program crash
    PID:2820
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 692
    3⤵
    - Program crash
    PID:4756
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 724
    3⤵
    - Program crash
    PID:2716
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 936
    3⤵
    - Program crash
    PID:1892
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 1404
    3⤵
    - Program crash
    PID:4604
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 1412
    3⤵
    - Program crash
    PID:4172
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 1496
    3⤵
    - Program crash
    PID:5084
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 1424
    3⤵
    - Program crash
    PID:1956
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 1652
    3⤵
    - Program crash
    PID:3056
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 1512
    3⤵
    - Program crash
    PID:4116
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 1532
    3⤵
    - Program crash
    PID:2096
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 652
    3⤵
    - Program crash
    PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4632 -ip 4632
1⤵
PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4824 -ip 4824
1⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4824 -ip 4824
1⤵
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4824 -ip 4824
1⤵
PID:3876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4824 -ip 4824
1⤵
PID:1384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4824 -ip 4824
1⤵
PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4824 -ip 4824
1⤵
PID:2464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4824 -ip 4824
1⤵
PID:532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4824 -ip 4824
1⤵
PID:1456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4824 -ip 4824
1⤵
PID:2144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4824 -ip 4824
1⤵
PID:588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4824 -ip 4824
1⤵
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4824 -ip 4824
1⤵
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4824 -ip 4824
1⤵
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4824 -ip 4824
1⤵
PID:3936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\57cc92e54fd8520c6c2f19ada8ee88b0_NeikiAnalytics.exe

Filesize
1.2MB

MD5
d74e0d7bc5e5a167727ea5f5d845b799

SHA1
b6148ad3b4798e3868cd175e57465b6385ebe527

SHA256
e6c6963e89968e9c7c6b6b25e0e7761bbce55ee4caa8f36738192cf8dacc4882

SHA512
9164830357974f5b7942aeb1aafe2b488880231ad5bf7cab0594c4d5d4c545a0251e70324f8d7204d83c1e6c725154c6f2424ed72944f0e770c4a6638b65b8a8

Download Submit
memory/4632-0-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/4632-6-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/4824-7-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/4824-8-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/4824-14-0x0000000004FC0000-0x00000000050B1000-memory.dmp

Filesize
964KB

Download
memory/4824-22-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4824-27-0x000000000B9C0000-0x000000000BA63000-memory.dmp

Filesize
652KB

Download

Analysis

Sharing