078c77324aa511bb9e8b772f9a0d72f166779313fabc4c06cfbd14e7529abc46

General

Target

078c77324aa511bb9e8b772f9a0d72f166779313fabc4c06cfbd14e7529abc46_NeikiAnalytics.exe
Size

50KB
MD5

b43ad751ddcfd26e4ed736f990cda6c0
SHA1

daef7cd4d493c30c4468bc70df1e5eb3fb35cb7a
SHA256

078c77324aa511bb9e8b772f9a0d72f166779313fabc4c06cfbd14e7529abc46
SHA512

5ecb853e684b133faf871c318c011c1b429a2367e9cd542a11a368b2713924df1196fcd10d64e9b6d3b9088bb007b0d59061d49e46d845a8786fc679b52d7186
SSDEEP

768:zlwOcWnZjJ8rj0KRidj+LeOKmTKKUNy3pfF1eOB8NPCjgoiHsz:zJPnZWrBeOKmTeNy3pfLc8esz

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

078c77324aa511bb9e8b772f9a0d72f166779313fabc4c06cfbd14e7529abc46_NeikiAnalytics.exe

description	pid	process	target process
PID 1004 set thread context of 1720	1004	078c77324aa511bb9e8b772f9a0d72f166779313fabc4c06cfbd14e7529abc46_NeikiAnalytics.exe	078c77324aa511bb9e8b772f9a0d72f166779313fabc4c06cfbd14e7529abc46_NeikiAnalytics.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1864 2372 WerFault.exe winver.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

winver.exe

pid process

2372 winver.exe
2372 winver.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Explorer.EXE

description pid process

Token: SeShutdownPrivilege 3492 Explorer.EXE
Token: SeCreatePagefilePrivilege 3492 Explorer.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

winver.exe

pid process

2372 winver.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

078c77324aa511bb9e8b772f9a0d72f166779313fabc4c06cfbd14e7529abc46_NeikiAnalytics.exe

pid process

1004 078c77324aa511bb9e8b772f9a0d72f166779313fabc4c06cfbd14e7529abc46_NeikiAnalytics.exe

pid	pid_target	process	target process
1864	2372	WerFault.exe	winver.exe

pid	process
2372	winver.exe
2372	winver.exe

description	pid	process
Token: SeShutdownPrivilege	3492	Explorer.EXE
Token: SeCreatePagefilePrivilege	3492	Explorer.EXE

pid	process
2372	winver.exe

pid	process
1004	078c77324aa511bb9e8b772f9a0d72f166779313fabc4c06cfbd14e7529abc46_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

078c77324aa511bb9e8b772f9a0d72f166779313fabc4c06cfbd14e7529abc46_NeikiAnalytics.exe078c77324aa511bb9e8b772f9a0d72f166779313fabc4c06cfbd14e7529abc46_NeikiAnalytics.exewinver.exe

description	pid	process	target process
PID 1004 wrote to memory of 1720	1004	078c77324aa511bb9e8b772f9a0d72f166779313fabc4c06cfbd14e7529abc46_NeikiAnalytics.exe	078c77324aa511bb9e8b772f9a0d72f166779313fabc4c06cfbd14e7529abc46_NeikiAnalytics.exe
PID 1004 wrote to memory of 1720	1004	078c77324aa511bb9e8b772f9a0d72f166779313fabc4c06cfbd14e7529abc46_NeikiAnalytics.exe	078c77324aa511bb9e8b772f9a0d72f166779313fabc4c06cfbd14e7529abc46_NeikiAnalytics.exe
PID 1004 wrote to memory of 1720	1004	078c77324aa511bb9e8b772f9a0d72f166779313fabc4c06cfbd14e7529abc46_NeikiAnalytics.exe	078c77324aa511bb9e8b772f9a0d72f166779313fabc4c06cfbd14e7529abc46_NeikiAnalytics.exe
PID 1004 wrote to memory of 1720	1004	078c77324aa511bb9e8b772f9a0d72f166779313fabc4c06cfbd14e7529abc46_NeikiAnalytics.exe	078c77324aa511bb9e8b772f9a0d72f166779313fabc4c06cfbd14e7529abc46_NeikiAnalytics.exe
PID 1004 wrote to memory of 1720	1004	078c77324aa511bb9e8b772f9a0d72f166779313fabc4c06cfbd14e7529abc46_NeikiAnalytics.exe	078c77324aa511bb9e8b772f9a0d72f166779313fabc4c06cfbd14e7529abc46_NeikiAnalytics.exe
PID 1004 wrote to memory of 1720	1004	078c77324aa511bb9e8b772f9a0d72f166779313fabc4c06cfbd14e7529abc46_NeikiAnalytics.exe	078c77324aa511bb9e8b772f9a0d72f166779313fabc4c06cfbd14e7529abc46_NeikiAnalytics.exe
PID 1720 wrote to memory of 2372	1720	078c77324aa511bb9e8b772f9a0d72f166779313fabc4c06cfbd14e7529abc46_NeikiAnalytics.exe	winver.exe
PID 1720 wrote to memory of 2372	1720	078c77324aa511bb9e8b772f9a0d72f166779313fabc4c06cfbd14e7529abc46_NeikiAnalytics.exe	winver.exe
PID 1720 wrote to memory of 2372	1720	078c77324aa511bb9e8b772f9a0d72f166779313fabc4c06cfbd14e7529abc46_NeikiAnalytics.exe	winver.exe
PID 1720 wrote to memory of 2372	1720	078c77324aa511bb9e8b772f9a0d72f166779313fabc4c06cfbd14e7529abc46_NeikiAnalytics.exe	winver.exe
PID 2372 wrote to memory of 3492	2372	winver.exe	Explorer.EXE
PID 2372 wrote to memory of 2552	2372	winver.exe	sihost.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2552

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3492

C:\Users\Admin\AppData\Local\Temp\078c77324aa511bb9e8b772f9a0d72f166779313fabc4c06cfbd14e7529abc46_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\078c77324aa511bb9e8b772f9a0d72f166779313fabc4c06cfbd14e7529abc46_NeikiAnalytics.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1004

C:\Users\Admin\AppData\Local\Temp\078c77324aa511bb9e8b772f9a0d72f166779313fabc4c06cfbd14e7529abc46_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\078c77324aa511bb9e8b772f9a0d72f166779313fabc4c06cfbd14e7529abc46_NeikiAnalytics.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\winver.exe
winver
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 388
5⤵
- Program crash
PID:1864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2372 -ip 2372
1⤵
PID:4908

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1720-2-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2372-4-0x0000000002CE0000-0x0000000002CE6000-memory.dmp

Filesize
24KB

Download
memory/2372-8-0x0000000000760000-0x0000000000772000-memory.dmp

Filesize
72KB

Download
memory/2372-7-0x0000000000761000-0x0000000000762000-memory.dmp

Filesize
4KB

Download
memory/2372-14-0x0000000002CE0000-0x0000000002CE6000-memory.dmp

Filesize
24KB

Download
memory/2552-12-0x0000000000FB0000-0x0000000000FB6000-memory.dmp

Filesize
24KB

Download
memory/2552-13-0x0000000000FB0000-0x0000000000FB6000-memory.dmp

Filesize
24KB

Download
memory/3492-6-0x00000000026F0000-0x00000000026F6000-memory.dmp

Filesize
24KB

Download
memory/3492-3-0x00000000026F0000-0x00000000026F6000-memory.dmp

Filesize
24KB

Download
memory/3492-9-0x00007FFD24C2D000-0x00007FFD24C2E000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing