53b84989e9478e90960e8aa69127f56cce6fcbfc5406a008ae42471c949c614d

General

Target

1ad098ff180cdec1ef320c666c931650_NeikiAnalytics.exe
Size

928KB
MD5

1ad098ff180cdec1ef320c666c931650
SHA1

93fb520b4fa31783699e8035efeac920306b9d60
SHA256

53b84989e9478e90960e8aa69127f56cce6fcbfc5406a008ae42471c949c614d
SHA512

edee9f2a2c420b9485064e2ff4bcdc884bf7aebc0f9cd512f4ae6825f067630dc70ef217fe7fddc07b2abb5b200b7132cfa200318885fa3a6dfc4d3a943b3c0f
SSDEEP

24576:UdlsaUea64xHvqh5AZo8UUMpvATxCPV8DXTFDSAdEELdDDDCDaD3fXN0VI5sPSTd:Udlva64xHSh5AZo8UUM5MxCPVuXTFDSu

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2196	1ad098ff180cdec1ef320c666c931650_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
2196	1ad098ff180cdec1ef320c666c931650_NeikiAnalytics.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
25	pastebin.com
24	pastebin.com

Program crash 15 IoCs

pid	pid_target	Process	procid_target
1068	2104	WerFault.exe	89
3440	2196	WerFault.exe	94
1604	2196	WerFault.exe	94
3284	2196	WerFault.exe	94
1016	2196	WerFault.exe	94
4352	2196	WerFault.exe	94
3144	2196	WerFault.exe	94
3252	2196	WerFault.exe	94
4420	2196	WerFault.exe	94
3964	2196	WerFault.exe	94
2656	2196	WerFault.exe	94
1216	2196	WerFault.exe	94
4000	2196	WerFault.exe	94
4092	2196	WerFault.exe	94
4540	2196	WerFault.exe	94

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2196	1ad098ff180cdec1ef320c666c931650_NeikiAnalytics.exe
2196	1ad098ff180cdec1ef320c666c931650_NeikiAnalytics.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2104	1ad098ff180cdec1ef320c666c931650_NeikiAnalytics.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2196	1ad098ff180cdec1ef320c666c931650_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2196	2104	1ad098ff180cdec1ef320c666c931650_NeikiAnalytics.exe	94
PID 2104 wrote to memory of 2196	2104	1ad098ff180cdec1ef320c666c931650_NeikiAnalytics.exe	94
PID 2104 wrote to memory of 2196	2104	1ad098ff180cdec1ef320c666c931650_NeikiAnalytics.exe	94

C:\Users\Admin\AppData\Local\Temp\1ad098ff180cdec1ef320c666c931650_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1ad098ff180cdec1ef320c666c931650_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 344
  2⤵
  - Program crash
  PID:1068
- C:\Users\Admin\AppData\Local\Temp\1ad098ff180cdec1ef320c666c931650_NeikiAnalytics.exe
  C:\Users\Admin\AppData\Local\Temp\1ad098ff180cdec1ef320c666c931650_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:2196
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 344
    3⤵
    - Program crash
    PID:3440
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 636
    3⤵
    - Program crash
    PID:1604
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 628
    3⤵
    - Program crash
    PID:3284
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 668
    3⤵
    - Program crash
    PID:1016
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 736
    3⤵
    - Program crash
    PID:4352
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 916
    3⤵
    - Program crash
    PID:3144
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 1404
    3⤵
    - Program crash
    PID:3252
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 1464
    3⤵
    - Program crash
    PID:4420
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 1492
    3⤵
    - Program crash
    PID:3964
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 1500
    3⤵
    - Program crash
    PID:2656
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 1496
    3⤵
    - Program crash
    PID:1216
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 1696
    3⤵
    - Program crash
    PID:4000
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 1452
    3⤵
    - Program crash
    PID:4092
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 640
    3⤵
    - Program crash
    PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2104 -ip 2104
1⤵
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2196 -ip 2196
1⤵
PID:3732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2196 -ip 2196
1⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2196 -ip 2196
1⤵
PID:2872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2196 -ip 2196
1⤵
PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2196 -ip 2196
1⤵
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2196 -ip 2196
1⤵
PID:972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2196 -ip 2196
1⤵
PID:3432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2196 -ip 2196
1⤵
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2196 -ip 2196
1⤵
PID:2556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2196 -ip 2196
1⤵
PID:2692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2196 -ip 2196
1⤵
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2196 -ip 2196
1⤵
PID:4836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4204 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2196 -ip 2196
1⤵
PID:764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2196 -ip 2196
1⤵
PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1ad098ff180cdec1ef320c666c931650_NeikiAnalytics.exe

Filesize
928KB

MD5
574cd31c485bef6ec42be28d8ce8ede1

SHA1
7a47acfcbcef153d51370c891da55af545f863df

SHA256
ebf5f5c361fb6a5a678003cdd32fd341968c129d177a4669af5cea17b9566c0f

SHA512
60f72fec604acde621ac8b090ff66a8716403e0874a06432146c4e58b4a0efed01ffa552f3641c9b6ffdd7b7e096a4ee712b97b7cba38b5f97de18d2350b36a1

Download Submit
memory/2104-0-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2104-6-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2196-7-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2196-8-0x00007FFE7F410000-0x00007FFE7F605000-memory.dmp

Filesize
2.0MB

Download
memory/2196-9-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2196-21-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing