c3ac07758bc05673007a38cadda3367ee867245de5bd7191ef17b37704f1a7be

General

Target

5f6cc86bf094b06bcf18964695d63eb0_NeikiAnalytics.exe
Size

2.7MB
MD5

5f6cc86bf094b06bcf18964695d63eb0
SHA1

5a6f4b250689f7d1e4bc09f5d0dfb8167a6c13f4
SHA256

c3ac07758bc05673007a38cadda3367ee867245de5bd7191ef17b37704f1a7be
SHA512

debf702871e99e481941c1a580edf6132243e53b39d2c31de1438fd2033d9eb7da9c6f1fd61a3ec3fd8f4b0b0885920dc022cb82d39515c64b4aea5793bda793
SSDEEP

49152:90yT+P66XbOP/ZzA2DItg1Hoaz6wecYfFkURwlhyAuLjf/IVgs5+xP:RTE66yXZ02DwUHoazRofxIhELjf/IVgs

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2468 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

Cassi Ashlen.exe

pid process

2636 Cassi Ashlen.exe
Loads dropped DLL 6 IoCs

Processes:

5f6cc86bf094b06bcf18964695d63eb0_NeikiAnalytics.exeWerFault.exe

pid process

2044 5f6cc86bf094b06bcf18964695d63eb0_NeikiAnalytics.exe
2996 WerFault.exe
2996 WerFault.exe
2996 WerFault.exe
2996 WerFault.exe
2996 WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2996 2636 WerFault.exe Cassi Ashlen.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2880 PING.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

5f6cc86bf094b06bcf18964695d63eb0_NeikiAnalytics.exeCassi Ashlen.exe

pid process

2044 5f6cc86bf094b06bcf18964695d63eb0_NeikiAnalytics.exe
2044 5f6cc86bf094b06bcf18964695d63eb0_NeikiAnalytics.exe
2636 Cassi Ashlen.exe

pid	process
2468	cmd.exe

pid	process
2636	Cassi Ashlen.exe

pid	process
2044	5f6cc86bf094b06bcf18964695d63eb0_NeikiAnalytics.exe
2996	WerFault.exe
2996	WerFault.exe
2996	WerFault.exe
2996	WerFault.exe
2996	WerFault.exe

pid	pid_target	process	target process
2996	2636	WerFault.exe	Cassi Ashlen.exe

pid	process
2880	PING.EXE

pid	process
2044	5f6cc86bf094b06bcf18964695d63eb0_NeikiAnalytics.exe
2044	5f6cc86bf094b06bcf18964695d63eb0_NeikiAnalytics.exe
2636	Cassi Ashlen.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

5f6cc86bf094b06bcf18964695d63eb0_NeikiAnalytics.exeCassi Ashlen.exe

description	pid	process
Token: SeDebugPrivilege	2044	5f6cc86bf094b06bcf18964695d63eb0_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2044	5f6cc86bf094b06bcf18964695d63eb0_NeikiAnalytics.exe
Token: SeDebugPrivilege	2636	Cassi Ashlen.exe
Token: SeIncBasePriorityPrivilege	2636	Cassi Ashlen.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

5f6cc86bf094b06bcf18964695d63eb0_NeikiAnalytics.execmd.exeCassi Ashlen.exe

description	pid	process	target process
PID 2044 wrote to memory of 2636	2044	5f6cc86bf094b06bcf18964695d63eb0_NeikiAnalytics.exe	Cassi Ashlen.exe
PID 2044 wrote to memory of 2636	2044	5f6cc86bf094b06bcf18964695d63eb0_NeikiAnalytics.exe	Cassi Ashlen.exe
PID 2044 wrote to memory of 2636	2044	5f6cc86bf094b06bcf18964695d63eb0_NeikiAnalytics.exe	Cassi Ashlen.exe
PID 2044 wrote to memory of 2636	2044	5f6cc86bf094b06bcf18964695d63eb0_NeikiAnalytics.exe	Cassi Ashlen.exe
PID 2044 wrote to memory of 2468	2044	5f6cc86bf094b06bcf18964695d63eb0_NeikiAnalytics.exe	cmd.exe
PID 2044 wrote to memory of 2468	2044	5f6cc86bf094b06bcf18964695d63eb0_NeikiAnalytics.exe	cmd.exe
PID 2044 wrote to memory of 2468	2044	5f6cc86bf094b06bcf18964695d63eb0_NeikiAnalytics.exe	cmd.exe
PID 2044 wrote to memory of 2468	2044	5f6cc86bf094b06bcf18964695d63eb0_NeikiAnalytics.exe	cmd.exe
PID 2468 wrote to memory of 2880	2468	cmd.exe	PING.EXE
PID 2468 wrote to memory of 2880	2468	cmd.exe	PING.EXE
PID 2468 wrote to memory of 2880	2468	cmd.exe	PING.EXE
PID 2468 wrote to memory of 2880	2468	cmd.exe	PING.EXE
PID 2636 wrote to memory of 2996	2636	Cassi Ashlen.exe	WerFault.exe
PID 2636 wrote to memory of 2996	2636	Cassi Ashlen.exe	WerFault.exe
PID 2636 wrote to memory of 2996	2636	Cassi Ashlen.exe	WerFault.exe
PID 2636 wrote to memory of 2996	2636	Cassi Ashlen.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\5f6cc86bf094b06bcf18964695d63eb0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5f6cc86bf094b06bcf18964695d63eb0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Local\Temp\Cassi Ashlen.exe
  "C:\Users\Admin\AppData\Local\Temp\Cassi Ashlen.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 832
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2996
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\5f6cc86bf094b06bcf18964695d63eb0_NeikiAnalytics.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cassi Ashlen.exe

Filesize
2.7MB

MD5
9473e388c0f9cdbf01857bc4126a6ed5

SHA1
1b3597e09e4d4b79554a1e4a05ff596332958aed

SHA256
051ffa9dff293b70a33df4bc6064d1b470d9bb78cb443794c28231c4423f0e77

SHA512
a520fcdd9590dd6efa2e48ec2ff4c8de3ffcb5794d2178ee574a59db4ebac14b9bbdaa94cd82337ebfbd08760dc42ca8df020e4102f54d70286098a6741e8316

Download Submit
\Users\Admin\AppData\Local\Temp\Cassi Ashlen.exe

Filesize
2.7MB

MD5
202b77c0b84fa370bf0742ed9706b7cd

SHA1
cb855a626c719d79be23914396f97440581e9f85

SHA256
3f8d17064fd748abbebcaec5c907643bd45fc157aa9c237de5ae6bfacfd877b6

SHA512
6c2507b2bdd8a662ac69e901a41c9a9b5c97744db636acb754addb025ba04bca19b03bf414c5b1d3daa8102ed21854ea0f185b8972a8af3a0342cb9fac8b1c5f

Download Submit
memory/2044-0-0x000000007409E000-0x000000007409F000-memory.dmp

Filesize
4KB

Download
memory/2044-1-0x0000000001160000-0x0000000001422000-memory.dmp

Filesize
2.8MB

Download
memory/2044-2-0x0000000007230000-0x0000000007454000-memory.dmp

Filesize
2.1MB

Download
memory/2044-3-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/2044-4-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/2044-5-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/2044-30-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/2636-29-0x0000000001010000-0x00000000012D2000-memory.dmp

Filesize
2.8MB

Download
memory/2636-31-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/2636-37-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing