5870a469b0af9c6144d262ce78a1ab5293ad66c11510058ce12cfa296cfc6cd6

General

Target

941a42f6b8c997962779afaa07ff77b0_NeikiAnalytics.exe
Size

3.4MB
MD5

941a42f6b8c997962779afaa07ff77b0
SHA1

a0aee8b63743533aaf23d80315805f094200a31f
SHA256

5870a469b0af9c6144d262ce78a1ab5293ad66c11510058ce12cfa296cfc6cd6
SHA512

a50d6f6dc74e59c4270051813a9d5ff0a284c0e9997997aa4d2c262c3eb9aa652b18a2f035036ad21e20d16ad8e93b5a69ea47394716315892c0c063438d70c8
SSDEEP

49152:R5qwqr0Ig7grNZbNsm+kwjI4TT86lorVlyR0WsgygRbNsm+kwjFvy:Hpq5NZZshK4n86WrWD3Zshfvy

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3440	941a42f6b8c997962779afaa07ff77b0_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
3440	941a42f6b8c997962779afaa07ff77b0_NeikiAnalytics.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
18	pastebin.com
19	pastebin.com

Program crash 15 IoCs

pid	pid_target	Process	procid_target
3772	5040	WerFault.exe	82
2148	3440	WerFault.exe	90
2288	3440	WerFault.exe	90
2580	3440	WerFault.exe	90
3028	3440	WerFault.exe	90
2984	3440	WerFault.exe	90
1056	3440	WerFault.exe	90
736	3440	WerFault.exe	90
1364	3440	WerFault.exe	90
3764	3440	WerFault.exe	90
4660	3440	WerFault.exe	90
3600	3440	WerFault.exe	90
2028	3440	WerFault.exe	90
3028	3440	WerFault.exe	90
1188	3440	WerFault.exe	90

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3440	941a42f6b8c997962779afaa07ff77b0_NeikiAnalytics.exe
3440	941a42f6b8c997962779afaa07ff77b0_NeikiAnalytics.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5040	941a42f6b8c997962779afaa07ff77b0_NeikiAnalytics.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3440	941a42f6b8c997962779afaa07ff77b0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 3440	5040	941a42f6b8c997962779afaa07ff77b0_NeikiAnalytics.exe	90
PID 5040 wrote to memory of 3440	5040	941a42f6b8c997962779afaa07ff77b0_NeikiAnalytics.exe	90
PID 5040 wrote to memory of 3440	5040	941a42f6b8c997962779afaa07ff77b0_NeikiAnalytics.exe	90

C:\Users\Admin\AppData\Local\Temp\941a42f6b8c997962779afaa07ff77b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\941a42f6b8c997962779afaa07ff77b0_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 352
  2⤵
  - Program crash
  PID:3772
- C:\Users\Admin\AppData\Local\Temp\941a42f6b8c997962779afaa07ff77b0_NeikiAnalytics.exe
  C:\Users\Admin\AppData\Local\Temp\941a42f6b8c997962779afaa07ff77b0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:3440
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 344
    3⤵
    - Program crash
    PID:2148
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 628
    3⤵
    - Program crash
    PID:2288
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 648
    3⤵
    - Program crash
    PID:2580
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 672
    3⤵
    - Program crash
    PID:3028
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 720
    3⤵
    - Program crash
    PID:2984
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 920
    3⤵
    - Program crash
    PID:1056
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 1432
    3⤵
    - Program crash
    PID:736
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 1464
    3⤵
    - Program crash
    PID:1364
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 1444
    3⤵
    - Program crash
    PID:3764
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 1464
    3⤵
    - Program crash
    PID:4660
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 1508
    3⤵
    - Program crash
    PID:3600
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 1464
    3⤵
    - Program crash
    PID:2028
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 1416
    3⤵
    - Program crash
    PID:3028
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 632
    3⤵
    - Program crash
    PID:1188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5040 -ip 5040
1⤵
PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3440 -ip 3440
1⤵
PID:1344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3440 -ip 3440
1⤵
PID:4252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3440 -ip 3440
1⤵
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3440 -ip 3440
1⤵
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3440 -ip 3440
1⤵
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3440 -ip 3440
1⤵
PID:1492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3440 -ip 3440
1⤵
PID:804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3440 -ip 3440
1⤵
PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3440 -ip 3440
1⤵
PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3440 -ip 3440
1⤵
PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3440 -ip 3440
1⤵
PID:3388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3440 -ip 3440
1⤵
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3440 -ip 3440
1⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3440 -ip 3440
1⤵
PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\941a42f6b8c997962779afaa07ff77b0_NeikiAnalytics.exe

Filesize
3.4MB

MD5
7e07ec120437a025ec9a00939fbde346

SHA1
849fdefbc3817553541e7b6ef2705f6a79293977

SHA256
41ca40240b81a4b24f92bbf9c813e3ab3116b2e600e66cfea88240cf7d1e44cd

SHA512
ad185dfd20a2cd9975c65ddd3e3115109fe636bab3cce609bbc4ba83bc20d6851c9841f0bd0ecaefe1c7c7633e50bf4fefed2662d043b268eb3d02870997f9f0

Download Submit
memory/3440-7-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/3440-8-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/3440-14-0x0000000005140000-0x0000000005257000-memory.dmp

Filesize
1.1MB

Download
memory/3440-22-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3440-27-0x000000000B9E0000-0x000000000BA83000-memory.dmp

Filesize
652KB

Download
memory/5040-0-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/5040-6-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing