6b865d831e6e811505b2ab527a7b4065f73a92d182f59d4cba6aa2ce44da358d

General

Target

41b2a40d9f7b00f0987eacc512a88150_NeikiAnalytics.exe
Size

6.1MB
MD5

41b2a40d9f7b00f0987eacc512a88150
SHA1

882c3f743acafbd937d6538b37964ba33fd85d28
SHA256

6b865d831e6e811505b2ab527a7b4065f73a92d182f59d4cba6aa2ce44da358d
SHA512

de5451fb23996e63c2928661e759c1e0d4e9fd9e0548992e3801a8219067fb01e9fd0683d9c5f6474d2a85f44c13b09b13706e1014d8cfc6eb0c8a60f6e4f6e8
SSDEEP

98304:Ba6FZc94EQKEB3IjLFkjBimdcQ01pjFZ7KYh2oLAx97+VNM+EJ75eP6JrOb:vc9jtOjAmd+1Rv7j2owB2M+B

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2336	wmpscfgs.exe
2668	wmpscfgs.exe

Loads dropped DLL 12 IoCs

pid	Process
3020	41b2a40d9f7b00f0987eacc512a88150_NeikiAnalytics.exe
3020	41b2a40d9f7b00f0987eacc512a88150_NeikiAnalytics.exe
3020	41b2a40d9f7b00f0987eacc512a88150_NeikiAnalytics.exe
3020	41b2a40d9f7b00f0987eacc512a88150_NeikiAnalytics.exe
2504	WerFault.exe
2504	WerFault.exe
2740	WerFault.exe
2740	WerFault.exe
2504	WerFault.exe
2740	WerFault.exe
2740	WerFault.exe
2504	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe"	41b2a40d9f7b00f0987eacc512a88150_NeikiAnalytics.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	\??\c:\program files (x86)\microsoft office\office14\bcssync.exe	41b2a40d9f7b00f0987eacc512a88150_NeikiAnalytics.exe
File created	\??\c:\program files (x86)\adobe\acrotray .exe	41b2a40d9f7b00f0987eacc512a88150_NeikiAnalytics.exe
File created	\??\c:\program files (x86)\adobe\acrotray.exe	41b2a40d9f7b00f0987eacc512a88150_NeikiAnalytics.exe
File created	\??\c:\program files (x86)\internet explorer\wmpscfgs.exe	41b2a40d9f7b00f0987eacc512a88150_NeikiAnalytics.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2740	2336	WerFault.exe	28
2504	2668	WerFault.exe	29

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3020	41b2a40d9f7b00f0987eacc512a88150_NeikiAnalytics.exe
3020	41b2a40d9f7b00f0987eacc512a88150_NeikiAnalytics.exe
2668	wmpscfgs.exe
2336	wmpscfgs.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3020	41b2a40d9f7b00f0987eacc512a88150_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2336	3020	41b2a40d9f7b00f0987eacc512a88150_NeikiAnalytics.exe	28
PID 3020 wrote to memory of 2336	3020	41b2a40d9f7b00f0987eacc512a88150_NeikiAnalytics.exe	28
PID 3020 wrote to memory of 2336	3020	41b2a40d9f7b00f0987eacc512a88150_NeikiAnalytics.exe	28
PID 3020 wrote to memory of 2336	3020	41b2a40d9f7b00f0987eacc512a88150_NeikiAnalytics.exe	28
PID 3020 wrote to memory of 2668	3020	41b2a40d9f7b00f0987eacc512a88150_NeikiAnalytics.exe	29
PID 3020 wrote to memory of 2668	3020	41b2a40d9f7b00f0987eacc512a88150_NeikiAnalytics.exe	29
PID 3020 wrote to memory of 2668	3020	41b2a40d9f7b00f0987eacc512a88150_NeikiAnalytics.exe	29
PID 3020 wrote to memory of 2668	3020	41b2a40d9f7b00f0987eacc512a88150_NeikiAnalytics.exe	29
PID 2668 wrote to memory of 2504	2668	wmpscfgs.exe	30
PID 2668 wrote to memory of 2504	2668	wmpscfgs.exe	30
PID 2668 wrote to memory of 2504	2668	wmpscfgs.exe	30
PID 2668 wrote to memory of 2504	2668	wmpscfgs.exe	30
PID 2336 wrote to memory of 2740	2336	wmpscfgs.exe	31
PID 2336 wrote to memory of 2740	2336	wmpscfgs.exe	31
PID 2336 wrote to memory of 2740	2336	wmpscfgs.exe	31
PID 2336 wrote to memory of 2740	2336	wmpscfgs.exe	31

C:\Users\Admin\AppData\Local\Temp\41b2a40d9f7b00f0987eacc512a88150_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\41b2a40d9f7b00f0987eacc512a88150_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3020
- \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
  c:\users\admin\appdata\local\temp\\wmpscfgs.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 88
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2740
- C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
  C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 88
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe

Filesize
6.1MB

MD5
f75189accdc685f3714faaa1a601835f

SHA1
5569105ebc87bbaf7351fe24e0f51d74f5bea46f

SHA256
d30e99f2ca421c2b6a50556b33d5053afd20ed098ec881d5be3263971c4a8b5c

SHA512
410115fe420601ed863c6cf18d97114271c843a4ee474e347ecebee01badc61c1b0ea5d588ea0d29aed6ce1f742cf3773b8bf04f55b95915497346a4c6d2690f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmpscfgs.exe

Filesize
6.1MB

MD5
34f1c7f25cd8484986e7bc06628c6d8d

SHA1
fa70a02b711e46e468ebbfc3733e30e49d028d40

SHA256
1fd5351ee3a44865ce4197899690790e3481538d4fc2cceb372aeb365b41e5f4

SHA512
1b5ee40d63dfb087f358c1ec325edf982173a1b21f59f0c0b45061d6b720c71e0ae5299d81e75756c85921efb5c68cce30cd418545e5b5c7475174dc7769178a

Download Submit
memory/2336-47-0x0000000000400000-0x0000000000CB5000-memory.dmp

Filesize
8.7MB

Download
memory/2336-61-0x0000000000400000-0x0000000000CB5000-memory.dmp

Filesize
8.7MB

Download
memory/2336-51-0x0000000000400000-0x0000000000CB5000-memory.dmp

Filesize
8.7MB

Download
memory/2668-40-0x0000000000400000-0x0000000000CB5000-memory.dmp

Filesize
8.7MB

Download
memory/2668-60-0x0000000000400000-0x0000000000CB5000-memory.dmp

Filesize
8.7MB

Download
memory/2668-50-0x0000000000400000-0x0000000000CB5000-memory.dmp

Filesize
8.7MB

Download
memory/2668-49-0x0000000000400000-0x0000000000CB5000-memory.dmp

Filesize
8.7MB

Download
memory/3020-33-0x0000000000400000-0x0000000000CB5000-memory.dmp

Filesize
8.7MB

Download
memory/3020-31-0x0000000000421000-0x0000000000726000-memory.dmp

Filesize
3.0MB

Download
memory/3020-6-0x0000000000400000-0x0000000000CB5000-memory.dmp

Filesize
8.7MB

Download
memory/3020-2-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3020-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3020-4-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3020-9-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/3020-8-0x0000000000400000-0x0000000000CB5000-memory.dmp

Filesize
8.7MB

Download
memory/3020-7-0x0000000000421000-0x0000000000726000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads