0ef935d389d038b72112948b9cf06990579e5b894275451d2a65b9d4e2325140

Analysis

max time kernel
117s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-05-2024 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12226b157da60b9a14d1ff309d6a81d0_NeikiAnalytics.exe
Size

184KB
MD5

12226b157da60b9a14d1ff309d6a81d0
SHA1

4dec7c6c86fe1f65949101e758656c34e5468eb9
SHA256

0ef935d389d038b72112948b9cf06990579e5b894275451d2a65b9d4e2325140
SHA512

212775d896b44f26fcc66690fac77cbc807a835f151419f596f33abb59741f0646e06bfbfce9ea121bf50877732052e67884741d85de99cd63b07121fea3f76c
SSDEEP

3072:Z+RgXmochP1td7wtWhS8ZAbUcvnqnmiFO:Z+PoO77w78ObUcPqnmiF

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1984	Unicorn-17833.exe
3064	Unicorn-25591.exe
2468	Unicorn-64760.exe
2984	Unicorn-7282.exe
280	Unicorn-32939.exe
2056	Unicorn-63904.exe

Loads dropped DLL 37 IoCs

pid	Process
3024	12226b157da60b9a14d1ff309d6a81d0_NeikiAnalytics.exe
3024	12226b157da60b9a14d1ff309d6a81d0_NeikiAnalytics.exe
1984	Unicorn-17833.exe
1984	Unicorn-17833.exe
2868	WerFault.exe
2868	WerFault.exe
2868	WerFault.exe
2868	WerFault.exe
2868	WerFault.exe
3064	Unicorn-25591.exe
3064	Unicorn-25591.exe
2476	WerFault.exe
2476	WerFault.exe
2476	WerFault.exe
2476	WerFault.exe
2476	WerFault.exe
2468	Unicorn-64760.exe
2468	Unicorn-64760.exe
2392	WerFault.exe
2392	WerFault.exe
2392	WerFault.exe
2392	WerFault.exe
2392	WerFault.exe
2984	Unicorn-7282.exe
2984	Unicorn-7282.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
280	Unicorn-32939.exe
280	Unicorn-32939.exe
2788	WerFault.exe
2788	WerFault.exe
2788	WerFault.exe
2788	WerFault.exe
2788	WerFault.exe

Program crash 6 IoCs

pid	pid_target	Process	procid_target
2620	3024	WerFault.exe	27
2868	1984	WerFault.exe	28
2476	3064	WerFault.exe	30
2392	2468	WerFault.exe	32
2820	2984	WerFault.exe	34
2788	280	WerFault.exe	36

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3024	12226b157da60b9a14d1ff309d6a81d0_NeikiAnalytics.exe
1984	Unicorn-17833.exe
3064	Unicorn-25591.exe
2468	Unicorn-64760.exe
2984	Unicorn-7282.exe
280	Unicorn-32939.exe
2056	Unicorn-63904.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 1984	3024	12226b157da60b9a14d1ff309d6a81d0_NeikiAnalytics.exe	28
PID 3024 wrote to memory of 1984	3024	12226b157da60b9a14d1ff309d6a81d0_NeikiAnalytics.exe	28
PID 3024 wrote to memory of 1984	3024	12226b157da60b9a14d1ff309d6a81d0_NeikiAnalytics.exe	28
PID 3024 wrote to memory of 1984	3024	12226b157da60b9a14d1ff309d6a81d0_NeikiAnalytics.exe	28
PID 3024 wrote to memory of 2620	3024	12226b157da60b9a14d1ff309d6a81d0_NeikiAnalytics.exe	29
PID 3024 wrote to memory of 2620	3024	12226b157da60b9a14d1ff309d6a81d0_NeikiAnalytics.exe	29
PID 3024 wrote to memory of 2620	3024	12226b157da60b9a14d1ff309d6a81d0_NeikiAnalytics.exe	29
PID 3024 wrote to memory of 2620	3024	12226b157da60b9a14d1ff309d6a81d0_NeikiAnalytics.exe	29
PID 1984 wrote to memory of 3064	1984	Unicorn-17833.exe	30
PID 1984 wrote to memory of 3064	1984	Unicorn-17833.exe	30
PID 1984 wrote to memory of 3064	1984	Unicorn-17833.exe	30
PID 1984 wrote to memory of 3064	1984	Unicorn-17833.exe	30
PID 1984 wrote to memory of 2868	1984	Unicorn-17833.exe	31
PID 1984 wrote to memory of 2868	1984	Unicorn-17833.exe	31
PID 1984 wrote to memory of 2868	1984	Unicorn-17833.exe	31
PID 1984 wrote to memory of 2868	1984	Unicorn-17833.exe	31
PID 3064 wrote to memory of 2468	3064	Unicorn-25591.exe	32
PID 3064 wrote to memory of 2468	3064	Unicorn-25591.exe	32
PID 3064 wrote to memory of 2468	3064	Unicorn-25591.exe	32
PID 3064 wrote to memory of 2468	3064	Unicorn-25591.exe	32
PID 3064 wrote to memory of 2476	3064	Unicorn-25591.exe	33
PID 3064 wrote to memory of 2476	3064	Unicorn-25591.exe	33
PID 3064 wrote to memory of 2476	3064	Unicorn-25591.exe	33
PID 3064 wrote to memory of 2476	3064	Unicorn-25591.exe	33
PID 2468 wrote to memory of 2984	2468	Unicorn-64760.exe	34
PID 2468 wrote to memory of 2984	2468	Unicorn-64760.exe	34
PID 2468 wrote to memory of 2984	2468	Unicorn-64760.exe	34
PID 2468 wrote to memory of 2984	2468	Unicorn-64760.exe	34
PID 2468 wrote to memory of 2392	2468	Unicorn-64760.exe	35
PID 2468 wrote to memory of 2392	2468	Unicorn-64760.exe	35
PID 2468 wrote to memory of 2392	2468	Unicorn-64760.exe	35
PID 2468 wrote to memory of 2392	2468	Unicorn-64760.exe	35
PID 2984 wrote to memory of 280	2984	Unicorn-7282.exe	36
PID 2984 wrote to memory of 280	2984	Unicorn-7282.exe	36
PID 2984 wrote to memory of 280	2984	Unicorn-7282.exe	36
PID 2984 wrote to memory of 280	2984	Unicorn-7282.exe	36
PID 2984 wrote to memory of 2820	2984	Unicorn-7282.exe	37
PID 2984 wrote to memory of 2820	2984	Unicorn-7282.exe	37
PID 2984 wrote to memory of 2820	2984	Unicorn-7282.exe	37
PID 2984 wrote to memory of 2820	2984	Unicorn-7282.exe	37
PID 280 wrote to memory of 2056	280	Unicorn-32939.exe	38
PID 280 wrote to memory of 2056	280	Unicorn-32939.exe	38
PID 280 wrote to memory of 2056	280	Unicorn-32939.exe	38
PID 280 wrote to memory of 2056	280	Unicorn-32939.exe	38
PID 280 wrote to memory of 2788	280	Unicorn-32939.exe	39
PID 280 wrote to memory of 2788	280	Unicorn-32939.exe	39
PID 280 wrote to memory of 2788	280	Unicorn-32939.exe	39
PID 280 wrote to memory of 2788	280	Unicorn-32939.exe	39

C:\Users\Admin\AppData\Local\Temp\12226b157da60b9a14d1ff309d6a81d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\12226b157da60b9a14d1ff309d6a81d0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Users\Admin\AppData\Local\Temp\Unicorn-17833.exe
  C:\Users\Admin\AppData\Local\Temp\Unicorn-17833.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Users\Admin\AppData\Local\Temp\Unicorn-25591.exe
    C:\Users\Admin\AppData\Local\Temp\Unicorn-25591.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Users\Admin\AppData\Local\Temp\Unicorn-64760.exe
      C:\Users\Admin\AppData\Local\Temp\Unicorn-64760.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2468
    - - C:\Users\Admin\AppData\Local\Temp\Unicorn-7282.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-7282.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2984
      - C:\Users\Admin\AppData\Local\Temp\Unicorn-32939.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-32939.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:280
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63904.exe
        
        C:\Users\Admin\AppData\Local\Temp\Unicorn-63904.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 280 -s 236
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:2788
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 236
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2820
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 236
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2392
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 236
      4⤵
      Loads dropped DLL
      Program crash
      PID:2476
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 236
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2868
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 236
  2⤵
  - Program crash
  PID:2620

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Unicorn-17833.exe

Filesize
184KB

MD5
c137919600fcca93c28642087109bfc5

SHA1
3d87ae62d98b55345420048af3c33e61c530106c

SHA256
218ad90448fcf4eaebd2854cf78d3f1449f628f3c291726579846cef7f01cee4

SHA512
f333b8e62675d8a110b655d85b108c59e5248b717e922a48a188bb1e449d97f4fef10118e80980ad3cd9202b201c4af989246e18dec6e633a825652d909ac036

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-25591.exe

Filesize
184KB

MD5
571665822ce6ee1b7b519a0882918c6e

SHA1
8c674b7f3c90e04bb90790ed811b14d7c8e922a2

SHA256
bd111ab22a08b2c9bb8a0b0e271aae5322d547444aa441f6a68a54a818081d0a

SHA512
dafa2c688ad6feb85f8532ef95f6c37bc23c794009a6ea0abfc98e3f991fcd078c3f943071767b0251db14f09981e523504730fca33e671a36585ac14835073f

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-32939.exe

Filesize
184KB

MD5
7908637e02439ade044050b502dbec8c

SHA1
4f6f1bf8f2678d64c42e3ee77b48232b419a0f31

SHA256
d1d817ae7e814e3e97431e77ceeb140bcbd2a7fa0ad1e8616d3564ee79453fe2

SHA512
5c952b668fefabef87d7a511e83531b77269e5941f819c71c1f0438343e1fd97d19fd0121937e81591c70426203538435d61f9cac673abf414174b0307ede4ef

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-63904.exe

Filesize
184KB

MD5
ca1f675e0cf088ddf72f5145cdcdc661

SHA1
cbdf6ac9310266b17d4f2a038ad81de2b9215d1a

SHA256
f0ec60c33014e772481ad2ac9b09e363ad7ce64ec091dbc02c2fb2946db73f73

SHA512
e6ea4721b93ae13e1898d2cf4b7fb65a8081e472cda74d111ed28e7aecdb886a1586710d9cded3efc69a1f3b8430b6a4c5bfb1281d503cd1c82bc12c9e2ba6cd

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-64760.exe

Filesize
184KB

MD5
9a4c40149e0e417620fe95bc09a884c5

SHA1
ea76d63dbe6712e2dc2be868fc747db7cbd39b98

SHA256
33ef6ff893cc61fdd78a52ee9038c5dc9660b5bb057a6f61952e9e1033ddc265

SHA512
8dfb5d074f4b76d89528970ab890cec799e11f8f3ac809d5ead6ea9bbebb5be5ba5b0bcc2eef5cdba6fa3e836b6cecfd8a6602d8aaaeb6bfdbd43072066dbcce

Download Submit
\Users\Admin\AppData\Local\Temp\Unicorn-7282.exe

Filesize
184KB

MD5
003ffa6d512d838f8ddab95b660d3eb3

SHA1
735cd4218b82539b2d9251aeca68025647971cfd

SHA256
005d7cbba8d1f4b246f3e151900adf6adf5e5021a332b11011d9a3fc6cf9df40

SHA512
ffedd77cfe15983a0e32dd264a9e113c39ce2a6959122cfa7303ffbe9d2c2d79806764774df3a478af04b8a8f139cd511b741c4f8b8609f6148abfccc93a6ffa

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads