70ce6494b55f9e53cf91c48487f3570751ada0ff678f268b7911f98ce48a56c7

General

Target

f654b2a009f08b2f661e267168d19330_NeikiAnalytics.exe
Size

2.0MB
MD5

f654b2a009f08b2f661e267168d19330
SHA1

6162439074297539d701883add1abaa051e0b821
SHA256

70ce6494b55f9e53cf91c48487f3570751ada0ff678f268b7911f98ce48a56c7
SHA512

a3ca69f6a19464ea4073218e3c8349e93c7caa8973d6aa8508bb8213ce220c46aedd4c8ccdda22a2da82f2406913753f8c6f04ab2074deca42366bd51ef92c26
SSDEEP

49152:UOz59dcfPQgzy/8g4HbExL5ISJSK6naPsD0gKQZ:h9cfPIYHQQSJSKPF7i

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2844	f654b2a009f08b2f661e267168d19330_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
2844	f654b2a009f08b2f661e267168d19330_NeikiAnalytics.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
14	pastebin.com
12	pastebin.com

Program crash 15 IoCs

pid	pid_target	Process	procid_target
3448	1612	WerFault.exe	84
1500	2844	WerFault.exe	90
3304	2844	WerFault.exe	90
3464	2844	WerFault.exe	90
2228	2844	WerFault.exe	90
4924	2844	WerFault.exe	90
4064	2844	WerFault.exe	90
2540	2844	WerFault.exe	90
2880	2844	WerFault.exe	90
3956	2844	WerFault.exe	90
3096	2844	WerFault.exe	90
3488	2844	WerFault.exe	90
1236	2844	WerFault.exe	90
4064	2844	WerFault.exe	90
4360	2844	WerFault.exe	90

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2844	f654b2a009f08b2f661e267168d19330_NeikiAnalytics.exe
2844	f654b2a009f08b2f661e267168d19330_NeikiAnalytics.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1612	f654b2a009f08b2f661e267168d19330_NeikiAnalytics.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2844	f654b2a009f08b2f661e267168d19330_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 2844	1612	f654b2a009f08b2f661e267168d19330_NeikiAnalytics.exe	90
PID 1612 wrote to memory of 2844	1612	f654b2a009f08b2f661e267168d19330_NeikiAnalytics.exe	90
PID 1612 wrote to memory of 2844	1612	f654b2a009f08b2f661e267168d19330_NeikiAnalytics.exe	90

C:\Users\Admin\AppData\Local\Temp\f654b2a009f08b2f661e267168d19330_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\f654b2a009f08b2f661e267168d19330_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 344
  2⤵
  - Program crash
  PID:3448
- C:\Users\Admin\AppData\Local\Temp\f654b2a009f08b2f661e267168d19330_NeikiAnalytics.exe
  C:\Users\Admin\AppData\Local\Temp\f654b2a009f08b2f661e267168d19330_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:2844
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 344
    3⤵
    - Program crash
    PID:1500
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 628
    3⤵
    - Program crash
    PID:3304
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 636
    3⤵
    - Program crash
    PID:3464
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 688
    3⤵
    - Program crash
    PID:2228
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 708
    3⤵
    - Program crash
    PID:4924
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 928
    3⤵
    - Program crash
    PID:4064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1420
    3⤵
    - Program crash
    PID:2540
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1492
    3⤵
    - Program crash
    PID:2880
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1508
    3⤵
    - Program crash
    PID:3956
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1660
    3⤵
    - Program crash
    PID:3096
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1672
    3⤵
    - Program crash
    PID:3488
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1676
    3⤵
    - Program crash
    PID:1236
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1544
    3⤵
    - Program crash
    PID:4064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1140
    3⤵
    - Program crash
    PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1612 -ip 1612
1⤵
PID:1852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2844 -ip 2844
1⤵
PID:4140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2844 -ip 2844
1⤵
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2844 -ip 2844
1⤵
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2844 -ip 2844
1⤵
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2844 -ip 2844
1⤵
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2844 -ip 2844
1⤵
PID:3388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2844 -ip 2844
1⤵
PID:3336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2844 -ip 2844
1⤵
PID:2396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2844 -ip 2844
1⤵
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2844 -ip 2844
1⤵
PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2844 -ip 2844
1⤵
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2844 -ip 2844
1⤵
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2844 -ip 2844
1⤵
PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2844 -ip 2844
1⤵
PID:4268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f654b2a009f08b2f661e267168d19330_NeikiAnalytics.exe

Filesize
2.0MB

MD5
36104db22d3ab1bd580052ab8ce30790

SHA1
2538def2e860dcb543882e087a13b9e2cae643f3

SHA256
5ed861e0f3a7341470de55c375dbcf3a7eab6f27eb4b32918cae80c4f7cb5bfe

SHA512
533c56925e9108b9ca0026483c723ee0de0411af86ae688aa4b4ad0bf2bc323180013b911912cc97df5aa820f5311d51c409335850c24158ccf3da49e541eeff

Download Submit
memory/1612-0-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/1612-6-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/2844-7-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/2844-8-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2844-14-0x0000000004E20000-0x0000000004F0D000-memory.dmp

Filesize
948KB

Download
memory/2844-21-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2844-27-0x000000000B9B0000-0x000000000BA53000-memory.dmp

Filesize
652KB

Download

Analysis

Sharing